In the last 24 hours, Lido DAO has discovered a security vulnerability on its Ethereum protocol involving one of its Node Operators, InfStones.
This issue, initially discovered a few months ago, was formally reported to InfStones in July 2023. InfStones has since confirmed that they have resolved the issue.
Over the course of the last 24 hours, Lido DAO contributors were made aware of an earlier platform vulnerability affecting an active Node Operator using the Lido on Ethereum protocol (InfStones).
More information here: https://t.co/WeIVeVBpCp
— Lido (@LidoFinance) November 22, 2023
The core concern was potential unauthorized access to root-level privileges on up to 25 validator servers.
These servers, not necessarily linked to the Lido protocol, could have exposed sensitive information, including key material, to external threats. It remains uncertain whether the servers or keys connected to Lido validators were compromised.
Currently, Lido DAO’s team is collaborating closely with InfStones to conduct a thorough investigation into the breach. This effort aims to ascertain the full extent and potential repercussions of the incident.
In the context of this incident, Web3 security experts at Holborn have observed a noticeable recent increase in the frequency and severity of off-chain attacks.
The experts emphasize that this latest incident underscores the need for continuous and comprehensive auditing of infrastructure to preemptively identify and mitigate such vulnerabilities.