Peace Of Mind: Lido Assurance On The Safety Of LDO & stETH Tokens

Lido Finance, an Ethereum staking protocol, ensures the security of both Lido DAO and staked-Ether (stETH) tokens. This assurance extends even when hackers attempt to exploit a known security vulnerability in LDO’s token contract.

The “fake deposit” exploit allows nefarious individuals to execute transfers with a greater value than the actual funds the user holds.

Lido neither confirmed any exploits nor denied their existence, but it acknowledged a known security flaw. In response to a post by SlowMist, a blockchain security firm, on Sept 10, Lido assured users that both LDO and stETH funds remain secure.

SlowMist reports that the LDO token contract has a flaw that allows malicious actors to execute “fake deposit” attacks on exchanges. The issue arises because the LDO token contract permits users to carry out transactions without the necessary funds, which SlowMist says deviates from the Ethereum Request for Comment 20 (ERC-20) token standard.

Nonetheless, Lido Finance contended that the vulnerability is inherent in all ERC-20 tokens, including Lido’s LDO token.

SlowMist reported that the “fake deposit” attacks originated from the LDO token contract. In these attacks, transfers were executed with values exceeding the user’s holdings, with the contract returning false instead of reverting the transaction. While SlowMist mentioned an exploitation of Lido’s token contract using this method, they have not provided any on-chain evidence to support their claim.

Lido Commitment To Security: Addressing LDO Token Vulnerabilities

On Sept 10, the renowned on-chain analyst ‘Hercules’ highlighted that cryptocurrency exchanges might overlook this security vulnerability during that time.

SlowMist suggests that individuals holding LDO should verify the return values of token contract transfers. It is important to confirm whether a transaction has been successful or not.

A blockchain security company has discovered variations in token contract implementations and behaviors across different projects. As a result, it is recommended to conduct comprehensive testing before integrating any new tokens into the system.

However, citing the official Ethereum Improvement Proposal document co-authored by Vitalik Buterin in Nov 2015, Lido emphasized that both the “transfer” and “transferFrom” functions should provide the transfer status. Only under exceptional circumstances should they resort to reverting a transaction.

Lido has confirmed its commitment to promptly update the LDO token integration guides to address the security vulnerability.
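The return-value check that SlowMist recommends can be seen in a small model. This is an added Python example, not code from Lido, SlowMist or any exchange. The token classes, `credit_naive`, `credit_checked` and the account names are hypothetical, and the in-memory balances stand in for on-chain state.

```python
# Added example: toy in-memory model, not a real token or exchange implementation.

class RevertingToken:
    """Token that raises (reverts) when the sender's balance is too low."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def _move(self, sender, to, amount):
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("revert: insufficient balance")
        self._move(sender, to, amount)
        return True


class FalseReturningToken(RevertingToken):
    """Token that returns False instead of reverting, as the article describes."""
    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            return False  # the call completes without error, but nothing moves
        self._move(sender, to, amount)
        return True


def credit_naive(token, ledger, user, deposit_addr, amount):
    """Flawed integration: credits whenever the call did not revert."""
    try:
        token.transfer(user, deposit_addr, amount)  # return value ignored
    except RuntimeError:
        return False
    ledger[user] = ledger.get(user, 0) + amount
    return True


def credit_checked(token, ledger, user, deposit_addr, amount):
    """Credits only if transfer returned True and the deposit balance grew."""
    before = token.balances.get(deposit_addr, 0)
    try:
        ok = token.transfer(user, deposit_addr, amount)
    except RuntimeError:
        return False
    received = token.balances.get(deposit_addr, 0) - before
    if ok is not True or received != amount:
        return False
    ledger[user] = ledger.get(user, 0) + amount
    return True
```

With a token that returns false, `credit_naive` credits a deposit that never arrived, while `credit_checked` rejects it because it tests both the return value and the balance change.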
