Lido Finance, a prominent Ethereum staking protocol, has moved swiftly to address concerns regarding the security of its Lido DAO (LDO) and staked-Ether (stETH) tokens. Reports had surfaced alleging hackers had exploited a known security flaw in LDO’s token contract. While Lido did not confirm any specific exploits, it acknowledged the existence of the security flaw and assured the crypto community that LDO and stETH funds remained secure.
Blockchain security firm SlowMist brought the security concerns to light in a post on September 10. SlowMist pointed out that LDO’s flawed token contract could enable malicious actors to carry out “fake deposit” attacks on exchanges. This was due to LDO’s token contract allowing users to execute transactions even if they did not possess sufficient funds, a deviation from the Ethereum Request for Comment 20 (ERC-20) token standard.
Lido Finance, however, countered SlowMist’s claim by asserting that the identified behaviour was not unique to LDO but inherent to ERC-20 tokens in general. SlowMist had described how “fake deposit” attacks could occur when the token contract executed transfers with values exceeding the user’s actual holdings and returned false instead of reverting the transaction: a receiver that checks only whether the transaction succeeded, and not the return value, would see a successful transaction with no tokens moved. Despite the claim of exploitation, SlowMist did not provide on-chain evidence to support its case.
Cointelegraph attempted to reach out to SlowMist for comment but did not receive an immediate response. Meanwhile, on-chain analyst “Hercules” suggested that cryptocurrency exchanges might not easily detect this security flaw.
In response to the situation, SlowMist advised LDO holders to scrutinize the return values of token contract transfers alongside transaction success or failure. They also emphasised the importance of thorough testing before integrating new tokens, as token contract implementations can vary across projects.
Lido Finance took steps to address the issue by confirming that it would soon update the LDO token integration guides. In line with this, the project highlighted the Ethereum Improvement Proposal, co-authored by Vitalik Buterin in November 2015, which stipulates that both the “transfer” and “transferFrom” functions should return the transfer status and only revert a transaction in exceptional cases.
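To make the failure mode concrete, here is an added Python model (not Lido’s, SlowMist’s or any exchange’s code) of a token whose transfer returns false instead of reverting, beside a naive deposit-crediting routine and a hardened one that checks the return value and the balance delta. The receipt carrying the boolean return value is a simplification assumed for this model; on a real chain it would be recovered from the Transfer event or a call trace.

```python
from dataclasses import dataclass, field


@dataclass
class FalseReturningToken:
    """Constructed model of an ERC-20 whose transfer() returns False
    (no revert, no Transfer event) when the sender lacks the funds."""
    balances: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def transfer(self, sender: str, to: str, amount: int) -> bool:
        if self.balances.get(sender, 0) < amount:
            return False  # the behaviour SlowMist flagged: silent failure
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.logs.append(("Transfer", sender, to, amount))
        return True


@dataclass
class Receipt:
    status: int        # 1 = transaction mined without reverting
    return_value: bool  # assumption: return bool exposed on the receipt
    logs: list


def send_deposit(token, sender, exchange_wallet, amount) -> Receipt:
    """Constructed stand-in for broadcasting the tx and fetching its receipt."""
    start = len(token.logs)
    ok = token.transfer(sender, exchange_wallet, amount)
    return Receipt(status=1, return_value=ok, logs=token.logs[start:])


def credit_naive(receipt: Receipt, amount: int) -> int:
    """Flawed exchange logic: credits the deposit on tx success alone."""
    return amount if receipt.status == 1 else 0


def credit_checked(token, receipt, exchange_wallet, balance_before, amount) -> int:
    """Hardened logic: tx succeeded, transfer returned True, a Transfer
    event was emitted, and the wallet balance actually grew by `amount`."""
    if receipt.status != 1 or receipt.return_value is not True:
        return 0
    if not any(l[0] == "Transfer" and l[2] == exchange_wallet for l in receipt.logs):
        return 0
    delta = token.balances.get(exchange_wallet, 0) - balance_before
    return amount if delta == amount else 0


def run_deposit(token, sender, exchange_wallet, amount):
    """Returns (naive_credit, checked_credit) for one deposit attempt."""
    before = token.balances.get(exchange_wallet, 0)
    receipt = send_deposit(token, sender, exchange_wallet, amount)
    return credit_naive(receipt, amount), credit_checked(token, receipt, exchange_wallet, before, amount)
```

Running `run_deposit` for a sender with no balance credits the naive path but not the checked one, while a funded sender is credited by both.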
As the crypto community awaits further developments, Lido Finance’s commitment to addressing the security flaw underscores the importance of vigilance and continuous improvement in the ever-evolving blockchain landscape.