User Lost $25M on Renzo Due To Wrong Transfer Address

Key Points:

• A crypto user accidentally sent $25 million worth of restaked ether tokens to the wrong address on the Renzo platform.
• The funds are likely lost forever unless Renzo upgrades its contract to enable recovery.

A user faces the potential permanent loss of their assets after mistakenly sending funds to an incorrect address on the Renzo restaking platform.

$25 million in restaking tokens lost due to copy-paste error

A cryptocurrency user accidentally lost $25 million by mistakenly sending their restaked Ether tokens on the Renzo platform to their safe module instead of their safe wallet.

Renzo is a liquid restaking platform built on EigenLayer’s restaking solution. The protocol allows users to easily access EigenLayer’s products while providing liquidity for LSTs participating in restaking.

The user encountered this issue while using a bot to withdraw funds from Renzo, and it appears to be a simple copy-paste error. Had the user sent the funds to the correct safe wallet, they would have retained control over their assets. Instead, the funds are now permanently locked in a contract that they cannot withdraw from—unless the project team intervenes to assist.

The founder of DefiLlama, known pseudonymously as 0xngmi, responded that they “don’t see any way for the user to recover their funds other than requesting Renzo to upgrade the contract and add a function to retrieve this amount.”

An anonymous developer from Yearn with the account @banteg also noted that these seemingly simple mistakes are quite common. A few days ago, the community recorded a similar situation.

Address Poisoning: A Growing Threat to Crypto Users

This is not a new occurrence in the crypto market. It frequently happens when users conduct multiple transactions and a series of copy-paste actions simultaneously, leading to confusion between deposit/withdrawal addresses.

Taking advantage of this seemingly “trivial” confusion, some malicious actors have cleverly tricked users into targeted attacks in the form of “address poisoning.” In this scheme, the attacker intentionally creates an address with the same beginning and ending characters as the target wallet the victim intends to use. They then send small-value transactions to the victim’s wallet, waiting for the victim to accidentally copy the wrong address.

This type of attack is possible because block explorers like Etherscan only display the first and last characters of the address string, hiding the middle part, and creating an opportunity for hackers to exploit.

In the past, there have been many incidents in the past where users lost money due to address poisoning. MetaMask also recommends that users be careful to avoid falling into the address poisoning trap.