StakeHound Got FireBlocked

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

StakeHound gave all their money to Fireblocks, and Fireblocks lost the private key.

Fireblocks is saying that StakeHound should have kept a backup of the private key.

In any case, $75m of user funds appears to have been permanently lost.

This exchange or platform is based in Switzerland, or the incident targeted people primarily in Switzerland.[1][2][3][4][5][6][7][8][9][10][11][12]

About StakeHound

"StakeHound [is] a firm that enables staking." "StakeHound allow[s] you to stake and wrap your tokens into stETH without a minimum required amount and lock-up period." "StakeHound claims that it has developed “stake-backed” tokens so that digital currency traders can enjoy “the best of both worlds: liquidity and yield.”" "stETH is a wrapped token with a 1:1 representation of the user’s underlying ETH. After a user onboards their ETH, StakeHound stakes those ETH for the users and redistributes the rewards to stETH." "stETH is a wrapped token offered by StakeHound that allows users to wrap their assets as a 1:1 peg with the underlying asset. This permits users to participate in DeFi while still receiving staking rewards."

"Here’s how StakeHound works: users send their chosen Proof of Stake tokens, such as RADIX, XZC, XTZ, ATOM, ALGO, ADA or DOT, to one of StakeHound’s institutional-grade custodian partners. StakeHound then instantly generates and sends the user a one-to-one representation of their original token on their chosen DeFi ledger (Ethereum now, Radix once launched next year)."

"Access DeFi with liquid staked tokens. Earn staking rewards without lock-ups." "All assets are stored under institutional grade custody solutions, insured and can be audited in real-time on ledger."

"Step 1: Send StakeHound unstaked tokens from your favorite PoS crypto holdings. Step 2: Receive staked ERC20 tokens from StakeHound. Watch your balance receive staking rewards. Step 3: Trade, leverage and lend your staked tokens in the Ethereum DeFi ecosystem instantly."

“Staking is a critical part of network security, but it currently creates illiquid positions,” said Albert Castellana, CEO of StakeHound. “On some networks, there are also large minimum stake requirements, putting it out of reach for many small holders. StakeHound removes both of these problems for the user, allowing anyone to support the security of the networks they care about, while giving them liquid access to the best DeFi products the market can offer. It allows even the smallest token holder to earn staking rewards.”

"As noted in the announcement, all major proof-of-stake virtual currencies [are] supported, so that their holders can earn staking rewards while being able to access “instant” liquidity."

"On the 2nd of May 2021, [StakeHound was] informed by one of [their] custody providers, Fireblocks, that 38,178 of [their] staked Ethereum may have been rendered inaccessible because of a failure by Fireblocks to secure the cryptographic keys as they were required to do."

"In short, a series of errors by Fireblocks caused the loss of 2 keys that are part of the 3-of-4 threshold signature for the shards that form the withdrawal key. Fireblocks (1) did not generate their private keys in a production environment, (2) did not include the private keys required to decrypt their 2 key shares in the backup, and (3) lost both keys."

"Effective 23:00 CET 10/05/2021 we have temporarily paused all token transfers for stETH, which will result in users being unable to trade stETH or provide/remove liquidity for stETH pools. We will provide further updates in the coming days."

StakeHound "is suing custody service Fireblocks for allegedly contributing to the loss of private keys that accessed [the] ~$75M worth of crypto." "StakeHound has filed [the] lawsuit against Israeli company Fireblocks, claiming that it lost NIS 245.5 million (approximately $75 million) worth of cryptocurrencies it was entrusted with. StakeHound claims that Fireblocks, a developer of secure cross-enterprise asset transfer infrastructure, was negligent and as a result the funds have been lost and can not be recovered. The lawsuit was filed today at the Tel Aviv District Court by attorneys Eli Cohen, Alex Feldsher, and Nuna Lerner of Gornitzky & Co law firm."

According to the lawsuit, negligence by a Fireblocks employee led to the crypto assets being lost without any backup being available. "This is a human error committed by an employee of the defendants, who worked in an unsuitable work environment, did not protect or back up the defendant’s private keys needed to open the relevant digital wallet, and for no apparent reason, the keys were deleted, preventing the plaintiff’s digital assets from being accessed.”

Fireblocks has denied any wrongdoing, claiming that: "The keys were generated by the client and stored outside the Fireblocks platform," and that "the customer did not store the backup with a third-party service provider per our guidelines."

"Coincover, the company trusted with backing up the private keys, received the keys, but could not check if they could open the digital wallet due to a confidentiality agreement. In order to recover the keys through the backup made by Coincover, a copy of it must be kept at Fireblocks, so that at the time of recovery, it can be verified."

"Regrettably, because of the severity of the recent events, we have decided to discontinue our liquid staking activities, i.e. the purchase of native tokens in exchange for staked tokens, with immediate effect. This will allow us to devote our full attention to the recovery of the loss."

"We will also discontinue the distribution of staking rewards, except for stETH, starting on the 2nd of August 2021. You might want to approach us to sell your stTokens in exchange for native tokens, to which we might agree subject to availability and in accordance with our terms and conditions."

"Please, note that all staked ETH are locked in the ETH2.0 staking contract for the time being and the possibility to sell stTokens does not apply to stETH. An upcoming update to the protocol by the Ethereum development team will allow the unstaking of the ETH, at which point you may approach us to sell your stETH in exchange for ETH to which we might agree subject to availability at our sole and full discretion. The possibility to exchange stETH for ETH will be reviewed upon the outcome of the unlock process as well as the legal proceedings."

What Happened

Key Event Timeline - StakeHound Got FireBlocked

| Date | Event | Description |
|---|---|---|
| June 22nd, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |

Total Amount Lost

The total amount lost has been estimated at $75,000,000 USD.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

General Prevention Policies

The better arrangement for securing these funds would have been a multi-signature wallet held by multiple trusted and trained individuals, which would have had redundancy and personal accountability. In such a setup, each key holder can keep backups in multiple locations, providing even further protection against key loss.
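The failure quoted above (a 3-of-4 threshold where the keys needed to decrypt two shares were missing from the backup, and a backup holder that could not test recovery) is the kind of gap a restore drill catches before funds are deposited. The following is an added example, not code from StakeHound, Fireblocks or Coincover: it assumes Shamir secret sharing as a stand-in for the threshold-signature scheme, a toy keystream-plus-HMAC wrap in place of a real AEAD, hypothetical holder names, and a SHA-256 commitment to the key as the recovery check.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # prime field modulus; every share fits in 66 bytes

def split(secret, k, n):
    """Shamir split: random degree k-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers f(0)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _xor(key, data):  # toy keystream cipher, stand-in for a real AEAD
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(66)))

def wrap(key, share):
    ct = _xor(key, share[1].to_bytes(66, "big"))
    return share[0], ct, hmac.new(key, ct, "sha256").digest()

def unwrap(key, blob):
    """Return the share, or None when the key does not authenticate it."""
    x, ct, tag = blob
    good = hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest())
    return (x, int.from_bytes(_xor(key, ct), "big")) if good else None

def restore_drill(wrapped, backup_keys, k, commitment):
    """Rebuild the key from backup contents only: (recovered, usable_shares)."""
    usable = [s for h, blob in wrapped.items() if h in backup_keys
              and (s := unwrap(backup_keys[h], blob)) is not None]
    if len(usable) < k:
        return False, len(usable)
    rebuilt = combine(usable[:k]).to_bytes(66, "big")
    return hashlib.sha256(rebuilt).digest() == commitment, len(usable)

def demo():  # constructed 3-of-4 scenario; holder names are hypothetical
    secret = secrets.randbits(256)
    commitment = hashlib.sha256(secret.to_bytes(66, "big")).digest()
    keys = {h: secrets.token_bytes(32) for h in ("a1", "a2", "b1", "b2")}
    wrapped = {h: wrap(keys[h], s) for h, s in zip(keys, split(secret, 3, 4))}
    partial = {h: keys[h] for h in ("b1", "b2")}  # two wrapping keys never backed up
    return restore_drill(wrapped, keys, 3, commitment), restore_drill(wrapped, partial, 3, commitment)
```

The drill fails closed: with only two of the four wrapping keys in the backup it reports two usable shares against a threshold of three, which is the condition to detect before any deposit is made.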

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References