@InvisibleSymbol
Created February 8, 2023 22:33
Apology

I would like to start off by apologising to everyone involved.

To the team, for not responsibly disclosing the potential grief exploit and publicly sharing it in #trading.

To all node operators, who are currently affected by this and cannot withdraw their RPL stake until the fix has been deployed.

To Marceau, for a needlessly personal grief against his node.

I deeply regret the aftermath of this. This all could've been prevented if I just thought more before taking action, which I will focus on doing from now on.

Why I didn't submit a bug bounty

This might be a bit technical, but I would like to explain my understanding of my own actions.

A while ago the team was in the process of adding a stakeFor function that allowed anyone to mint rETH for a different address. This was needed because, at that time, there was still a 24-hour freeze after minting rETH. This freeze made it basically impossible to write proxy contracts, as the rETH would get stuck at said proxy after minting it. The idea of the stakeFor function was that the proxy could simply mint the rETH to the user directly, skipping the impossible move from the proxy to the user.

Back then, I informed the team that this function would allow someone to freeze the rETH held by any user or contract, including liquidity pools. This function had the risk of temporarily freezing all rETH liquidity until a fix gets deployed. The stakeRPLFor function is basically a weaker version of the same issue.

After the team confirmed and resolved the stakeFor exploit, I considered issues of this type to be acknowledged and actively prevented by the team.

This is most likely the reason as to why the issue didn't cause any alerts to go off in my head - I thought that the team was aware of such issues and must have known of the stakeRPLFor side effect. I didn't think of it as an exploit to begin with. It seemed obvious that the stakeRPLFor function had to trigger the cooldown, or else every node operator could simply evade it by using the function.

I also never looked into the stakeFor or stakeRPLFor code, neither for exploits nor for implementation details. I wasn't completely confident in my statement, it was just a random thing I threw out in the middle of the night because it sounded interesting. Overall reception to my initial statement at the time was low, limited to a few reactions, I assume because many thought what I said couldn't be the case.

I promise to responsibly disclose any future exploits, no matter the severity, should I find any. I would like to reiterate that I would've disclosed this responsibly if I considered it an exploit to begin with.

Why did I announce a bot bounty

Mostly in an attempt to have something to talk about and to get #trading going again. I only noticed way too late that this grief exploit could actually have negative consequences for people. I would've never actually used it and the bounty was small at 3 RPL anyways - I just wanted to see a proof of concept. In my head the exploit was quite simple: listen to large RPL withdrawals and frontrun the withdrawal with a minuscule RPL stake using a flashbots bundle.

I slowly started to realise that this was an actual exploit and that I just publicly exposed it. I wasn't actively panicking, maybe due to my tiredness. I thought to myself that it was now too late to try to cover it all up and that the only thing I can do now is to roll with it. Which in the end just caused me to do more stupid things.

Why I used the exploit on Marceau

There wasn't all that much thought behind this. I thought that it was too late and that it would only be a matter of time before someone used the exploit, so might as well do a proof of concept myself.

Marceau was the first name that came to my mind for a multitude of reasons, but mostly because he has already withdrawn large amounts of RPL and that he was big. We also didn't have the best kind of relationship.

All it took was signing 2 transactions, which took around a minute. And there was no going back after that.

I obviously should have never done this, no matter what my relationship is with the node operator in question. I promise that from now on, I will not take any action that may cause unintended side effects to node operators, especially Marceau.

Why I left the server

It was getting very late and I didn't want to make things even worse. I suck at writing apologies and writing one at 5 or 6 am wouldn't have helped either. Leaving the server was the simplest way to stop myself from doing any of that.

My connection to the address that used the exploit

Talking about https://etherscan.io/address/0x913a5270683446f4871907e498730ba1ed2921cd

None. I have never used Tornado Cash before and the withdrawal was made almost a year ago. All my funds are publicly visible at 0xinvis.eth, vault.0xinvis.eth and zkdoge.eth. I do not have the means necessary to make financial gain from preventing hundreds of node operators from withdrawing; my net worth is at most 20 ETH. If my goal was simply to cause panic, there would've been better ways than talking about it in #trading and taking action almost 2 days later.

I'm sorry to everyone that is affected by this and needs the RPL. I never intended for this to happen.
