TechFlow reports that Astrid, an Ethereum liquid restaking pool, announced on X that its smart contract was attacked. Astrid has paused the contract, taken a snapshot of all holders, and will provide full compensation.
Subsequently, Astrid released a compensation statistics table for deposit users and liquidity providers (excluding internal team deposits). Liquidity providers will be compensated in the form of staked ETH tokens. Astrid later updated that all user losses have been compensated, and the smart contract will remain paused.
According to Phalcon's transaction explorer analysis, the attack on Astrid occurred due to a vulnerability in the withdrawal function. The parameters of the withdraw() function—namely the token address and amount—could be manipulated. The specific attack process is as follows:
- The attacker created three fake tokens: A, B, and C.
- Used fake token 1 to withdraw and obtain stETH.
- Used fake token 2 to withdraw and obtain rETH.
- Used fake token 3 to withdraw and obtain cbETH.
- The attacker then converted stETH, rETH, and cbETH into ETH.




