SHD Staking Bug - Post Mortem

On October 19th, Shade Protocol core contributors identified a smart contract bug in the SHD staking contract that affected users who were attempting to stake SHD and claim rewards without compounding them to their existing stake. The impact of the bug is as follows:

When claiming rewards (instead of auto compounding) and staking SHD in the same transactions, the staking contract used the msg sender (SHD contract during send and stake txs) instead of the funds sender as the recipient for the claimed rewards. As a result, instead of the users performing the transaction receiving the funds, the claimed rewards were sent to the SHD contract. The SHD that was sent to the SHD contract is not retrievable and can effectively be considered burned.

All users who were affected by this bug in the staking smart contract will be reimbursed in full from the allocation of SHD for the Bug Bounty program. We will share more information on the reimbursement process in the very near future.

As of 1:30 am UTC, a solution for the smart contract bug has been implemented, negating the possibility of it impacting funds in the future. The solution involves the usage of a multi-msg transaction that first claims SHD staking rewards (so that there are no possible rewards to be incorrectly sent during the staking transaction), and then stakes the users SHD.

To be clear, the staking contract bug only affected users who were staking SHD and claiming rewards without auto compounding in the same transaction. Users who auto compounded their SHD while also staking additional SHD, as well as users who were solely claiming rewards were unaffected by this bug. All users who were impacted by this bug in the SHD staking contract will be reimbursed in full. We will share steps for reimbursement in the very near future.

Thank you all for your patience as we worked to swiftly mitigate the possibility of this bug impacting user funds in the future and deploy a solution so staking activity can resume normally, and thank you to the user who reported this issue. We are incredibly thankful for the dedication from our community to continually help better the protocol, and we will continue to build ourselves up better and better day by day, together.

Best Regards,
Shade Contributors