Lido Finance, the Ethereum staking protocol, has responded to allegations that hackers exploited a security flaw in the token contract of Lido DAO (LDO). Despite the existence of the flaw, Lido Finance assures users that both the LDO and staked-Ether (stETH) tokens remain secure and unaffected.
While Lido Finance did not confirm any specific exploits, they acknowledged the existence of a known security flaw. In response to a post by blockchain security firm SlowMist, Lido Finance reassured users that their funds are safe. SlowMist claimed that LDO’s flawed token contract allowed bad actors to conduct “fake deposit” attacks on exchanges. The flaw lets a transfer transaction succeed even when the sender does not hold sufficient funds, which deviates from the Ethereum Request for Comment 20 (ERC-20) token standard.
Lido Finance clarified that the identified flaw is not limited to Lido’s LDO token but is inherent in all ERC-20 tokens. SlowMist explained that the “fake deposit” attacks occurred when LDO’s token contract executed transfers with a value larger than what the user actually owned, resulting in a false return rather than reverting the transaction. However, SlowMist did not provide on-chain evidence of these attacks.
Reassurance from Lido Finance
Lido Finance reached out to SlowMist for comment but did not receive an immediate response. On-chain analyst “Hercules” pointed out that cryptocurrency exchanges may not detect this security flaw. SlowMist recommended that LDO holders check the return values of token contract transfers in addition to the success or failure of the transactions. They also emphasized the importance of comprehensive testing before integrating any new token, because token contract implementations and behaviors vary across projects.
To address the security flaw, Lido Finance announced that they will update the LDO token integration guides. However, they pointed out that the official Ethereum Improvement Proposal document, co-authored by Vitalik Buterin in November 2015, requires both the “transfer” and “transferFrom” functions to return the transfer status, and recommends reverting a transaction only in exceptional cases.
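To illustrate the integration check SlowMist describes, the following Solidity example was added for this article and is not Lido's, SlowMist's or any exchange's code: a constructed token whose transferFrom returns false on insufficient balance, a naive deposit handler that credits the deposit anyway, and a hardened handler that checks both the return value and the actual balance change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Constructed token, not Lido's contract: on insufficient balance or allowance,
// transferFrom returns false instead of reverting (the standard permits this).
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    constructor() { balanceOf[msg.sender] = 1_000e18; }
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value; return true;
    }
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        if (balanceOf[from] < value || allowance[from][msg.sender] < value) return false; // tx succeeds, nothing moves
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

// Vulnerable deposit handler: drops the bool and credits on tx success alone,
// so a false-returning transfer is booked as a real deposit.
contract NaiveDeposit {
    mapping(address => mapping(address => uint256)) public credited;
    function deposit(IERC20 token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender][address(token)] += amount;
    }
}

// Hardened handler: checks the return value and the real balance change, which
// also covers tokens that return nothing or deduct a transfer fee.
contract CheckedDeposit {
    mapping(address => mapping(address => uint256)) public credited;
    function deposit(IERC20 token, uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeCall(IERC20.transferFrom, (msg.sender, address(this), amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer returned false");
        uint256 received = token.balanceOf(address(this)) - before;
        require(received == amount, "balance delta mismatch");
        credited[msg.sender][address(token)] += received;
    }
}
```

Against the constructed token, a deposit of more than the caller holds passes NaiveDeposit.deposit without reverting and credits the full amount, while CheckedDeposit.deposit reverts with "transfer returned false".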
Lido Finance, the Ethereum staking protocol, has taken immediate action to address concerns regarding a known security flaw in the token contract of Lido DAO (LDO). While acknowledging the flaw’s existence, Lido Finance reassures users that their funds are safe and unaffected. The protocol plans to update the LDO token integration guides to resolve the issue. As the cryptocurrency landscape evolves, it is crucial for projects to prioritize security and conduct thorough testing to ensure the integrity of their token contracts.