Lido Finance, an Ethereum staking protocol, says both its Lido DAO (LDO) and staked-Ether (stETH) tokens remain secure, even as hackers attempt to exploit a known security flaw in LDO’s token contract.
The “fake deposit” exploit lets a malicious sender submit a token transfer for a larger amount than the sender actually holds.
Lido neither confirmed nor denied that any exploit had taken place, but it acknowledged the known security flaw. Responding on Sept 10 to a post by blockchain security firm SlowMist, Lido assured users that both LDO and stETH funds remain secure.
SlowMist reports that the LDO token contract has a flaw that allows malicious actors to carry out “fake deposit” attacks on exchanges. The issue arises because the LDO token contract lets a user submit a transfer without holding the necessary funds, which SlowMist says deviates from the Ethereum Request for Comment 20 (ERC-20) token standard.
Nonetheless, Lido Finance contended that the vulnerability is inherent in all ERC-20 tokens, including Lido’s LDO token.
SlowMist reported that the “fake deposit” attacks originate from the LDO token contract: transfers are submitted for values exceeding the sender’s balance, and instead of reverting the transaction the contract returns false, which misleads any recipient that does not check the return value. While SlowMist said Lido’s token contract had been exploited in this way, it has not provided on-chain evidence to support the claim.
Lido Commitment To Security: Addressing LDO Token Vulnerabilities
On Sept 10, the renowned on-chain analyst ‘Hercules’ pointed out that cryptocurrency exchanges might overlook this security flaw.
SlowMist advises that those holding LDO should verify the return value of every token contract transfer, in order to confirm whether the transfer actually succeeded.
A blockchain security company has found that token contract implementations and behaviours vary across projects. It therefore recommends comprehensive testing before integrating any new token into a system.
Lido, however, pointed to the official Ethereum Improvement Proposal document (EIP-20), co-authored by Vitalik Buterin in Nov 2015, and emphasized that both the “transfer” and “transferFrom” functions should return the transfer status, reverting the transaction only under exceptional circumstances.
Lido has confirmed its commitment to promptly update the LDO token integration guides to address the security vulnerability.
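The return-value check SlowMist recommends, and the difference between a token that returns false and one that reverts, can be shown with a small constructed model. The following is an added example, not code from Lido, SlowMist or the LDO contract: the two token classes are simplified Python stand-ins for an ERC-20 contract (one returning false on insufficient balance, one reverting), the `events` list stands in for the transaction receipt logs, and `naive_credit` and `checked_credit` are hypothetical exchange deposit handlers. All account names and balances are constructed.

```python
from dataclasses import dataclass


class TokenRevert(Exception):
    """Models an EVM revert: the whole transaction fails and nothing is recorded."""


@dataclass(frozen=True)
class TransferEvent:
    """Model of the ERC-20 Transfer(from, to, value) log entry."""
    sender: str
    to: str
    value: int


class ReturnFalseToken:
    """Constructed model of a token whose transfer() signals failure by
    returning False and emitting no event, instead of reverting."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.events = []  # stands in for the transaction receipt logs

    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            return False  # no revert, no state change, no Transfer event
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value
        self.events.append(TransferEvent(sender, to, value))
        return True


class RevertingToken(ReturnFalseToken):
    """Constructed model of a token that reverts on insufficient balance."""

    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            raise TokenRevert("insufficient balance")
        return super().transfer(sender, to, value)


def naive_credit(token, sender, exchange, value, ledger):
    """Vulnerable deposit handler (hypothetical): credits the user's ledger
    whenever the transaction did not revert. Against ReturnFalseToken this
    is exactly a fake deposit: nothing moved on-chain, yet credit is given."""
    try:
        token.transfer(sender, exchange, value)
    except TokenRevert:
        return False
    ledger[sender] = ledger.get(sender, 0) + value
    return True


def checked_credit(token, sender, exchange, value, ledger):
    """Hardened deposit handler (hypothetical): credits only when transfer()
    returned True AND a matching Transfer event appears in the receipt logs."""
    logs_before = len(token.events)
    try:
        ok = token.transfer(sender, exchange, value)
    except TokenRevert:
        return False
    if ok is not True:
        return False  # the "false return" case SlowMist describes
    new_logs = token.events[logs_before:]
    if not any(e == TransferEvent(sender, exchange, value) for e in new_logs):
        return False
    ledger[sender] = ledger.get(sender, 0) + value
    return True


def run_scenarios():
    """Run a 1,000-token deposit attempt by 'mallory' (who holds 0 tokens)
    and a legitimate 100-token deposit by 'alice' against both token models
    and both handlers. Returns ledger credits and the real on-chain balance."""
    results = {}
    for token_cls in (ReturnFalseToken, RevertingToken):
        for handler in (naive_credit, checked_credit):
            token = token_cls({"alice": 100, "mallory": 0})  # constructed balances
            ledger = {}
            handler(token, "mallory", "exchange", 1_000, ledger)
            handler(token, "alice", "exchange", 100, ledger)
            key = f"{token_cls.__name__}/{handler.__name__}"
            results[key] = {
                "mallory_credited": ledger.get("mallory", 0),
                "alice_credited": ledger.get("alice", 0),
                "exchange_onchain": token.balances.get("exchange", 0),
            }
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

Only the combination of a return-false token and a handler that treats "did not revert" as "succeeded" produces a ledger credit with no matching on-chain balance; checking the boolean result together with the Transfer log closes that gap regardless of which failure style a given token uses, which is why SlowMist's advice to test each token's behaviour before integration matters.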