StakeHound Got FireBlocked

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

StakeHound

StakeHound gave all their money to FireBlock, and FireBlock lost the private key.

FireBlock is saying that StakeHound should have kept a backup of the private key.

In any case, $75m of user funds appears to have been permanently lost.

This exchange or platform is based in Switzerland, or the incident targeted people primarily in Switzerland.

About StakeHound

"StakeHound [is] a firm that enables staking." "StakeHound allow[s] you to stake and wrap your tokens into stETH without a minimum required amount and lock-up period." "StakeHound claims that it has developed “stake-backed” tokens so that digital currency traders can enjoy “the best of both worlds: liquidity and yield.”" "stETH is a wrapped token with a 1:1 representation of the user’s underlying ETH. After a user onboards their ETH, StakeHound stakes those ETH for the users and redistributes the rewards to stETH." "stETH is a wrapped token offered by StakeHound that allows users to wrap their assets as a 1:1 peg with the underlying asset. This permits users to participate in DeFi while still receiving staking rewards."

"Here’s how StakeHound works: users send their chosen Proof of Stake tokens, such as RADIX, XZC, XTZ, ATOM, ALGO, ADA or DOT, to one of StakeHound’s institutional-grade custodian partners. StakeHound then instantly generates and sends the user a one-to-one representation of their original token on their chosen DeFi ledger (Ethereum now, Radix once launched next year)."

"Access DeFi with liquid staked tokens. Earn staking rewards without lock-ups." "All assets are stored under institutional grade custody solutions, insured and can be audited in real-time on ledger."

"Step 1: Send StakeHound unstaked tokens from your favorite PoS crypto holdings. Step 2: Receive staked ERC20 tokens from StakeHound. Watch your balance receive staking rewards. Step 3: Trade, leverage and lend your staked tokens in the Ethereum DeFi ecosystem instantly."

“Staking is a critical part of network security, but it currently creates illiquid positions,” said Albert Castellana, CEO of StakeHound. “On some networks, there are also large minimum stake requirements, putting it out of reach for many small holders. StakeHound removes both of these problems for the user, allowing anyone to support the security of the networks they care about, while giving them liquid access to the best DeFi products the market can offer. It allows even the smallest token holder to earn staking rewards.”

"As noted in the announcement, all major proof-of-stake virtual currencies [are] supported, so that their holders can earn staking rewards while being able to access “instant” liquidity."

"On the 2nd of May 2021, [StakeHound was] informed by one of [their] custody providers, Fireblocks, that 38,178 of [their] staked Ethereum may have been rendered inaccessible because of a failure by Fireblocks to secure the cryptographic keys as they were required to do."

"In short, a series of errors by Fireblocks caused the loss of 2 keys that are part of the 3-of-4 threshold signature for the shards that form the withdrawal key. Fireblocks (1) did not generate their private keys in a production environment, (2) did not include the private keys required to decrypt their 2 key shares in the backup, and (3) lost both keys."

"Effective 23:00 CET 10/05/2021 we have temporarily paused all token transfers for stETH, which will result in users being unable to trade stETH or provide/remove liquidity for stETH pools. We will provide further updates in the coming days."

StakeHound "is suing custody service Fireblocks for allegedly contributing to the loss of private keys that accessed [the] ~$75M worth of crypto." "StakeHound has filed [the] lawsuit against Israeli company Fireblocks, claiming that it lost NIS 245.5 million (approximately $75 million) worth of cryptocurrencies it was entrusted with. StakeHound claims that Fireblocks, a developer of secure cross-enterprise asset transfer infrastructure, was negligent and as a result the funds have been lost and can not be recovered. The lawsuit was filed today at the Tel Aviv District Court by attorneys Eli Cohen, Alex Feldsher, and Nuna Lerner of Gornitzky & Co law firm."

According to the lawsuit, negligence by a Fireblocks employee led to the crypto assets being lost without any backup being available. "This is a human error committed by an employee of the defendants, who worked in an unsuitable work environment, did not protect or back up the defendant’s private keys needed to open the relevant digital wallet, and for no apparent reason, the keys were deleted, preventing the plaintiff’s digital assets from being accessed.”

Fireblocks has denied any wrongdoing, claiming that: "The keys were generated by the client and stored outside the Fireblocks platform," and that "the customer did not store the backup with a third-party service provider per our guidelines."

"Coincover, the company trusted with backing up the private keys, received the keys, but could not check if they could open the digital wallet due to a confidentiality agreement. In order to recover the keys through the backup made by Coincover, a copy of it must be kept at Fireblocks, so that at the time of recovery, it can be verified."

"Regrettably, because of the severity of the recent events, we have decided to discontinue our liquid staking activities, i.e. the purchase of native tokens in exchange for staked tokens, with immediate effect. This will allow us to devote our full attention to the recovery of the loss."

"We will also discontinue the distribution of staking rewards, except for stETH, starting on the 2nd of August 2021. You might want to approach us to sell your stTokens in exchange for native tokens, to which we might agree subject to availability and in accordance with our terms and conditions."

"Please, note that all staked ETH are locked in the ETH2.0 staking contract for the time being and the possibility to sell stTokens does not apply to stETH. An upcoming update to the protocol by the Ethereum development team will allow the unstaking of the ETH, at which point you may approach us to sell your stETH in exchange for ETH to which we might agree subject to availability at our sole and full discretion. The possibility to exchange stETH for ETH will be reviewed upon the outcome of the unlock process as well as the legal proceedings."

This exchange or platform is based in Switzerland, or the incident targeted people primarily in Switzerland.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - StakeHound Got FireBlocked
Date	Event	Description
June 22nd, 2021 12:00:00 AM	Main Event	Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $75,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

The better arrangement for securing these funds would have been a multi-signature wallet held by multiple trusted and trained individuals, which would have had redundancy and personal accountability. In such a setup, each key holder can keep backups in multiple locations, providing even further protection against key loss.