Lido has reassured its users that the Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite reports that hackers exploited a known security flaw. The platform did not confirm the exploit itself, but acknowledged that the security flaw was already known and reassured users that the tokens remain safe, according to a post by the blockchain security firm SlowMist.
This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe.
Lido token integration guides will be updated with LDO specifics to make this more visible shortly.
— Lido (@LidoFinance) September 10, 2023
SlowMist highlighted that LDO's token contract allows bad actors to stage fake-deposit attacks on exchanges, because the contract lets a transfer transaction succeed even when the sender's balance is insufficient. SlowMist added that this behaviour deviates from the ERC-20 token standard.
Lido’s Security Flaw and the Performance of LDO Token
Lido Finance argued that the flaw is present in all ERC-20 tokens and not just LDO. The fake-deposit attack results from LDO's token contract handling a transfer whose value far exceeds the sender's balance by returning false rather than reverting the transaction. The security firm said the token contract had recently been exploited in this way, but provided no on-chain evidence of it.
Following the exploit, the platform's native token, LDO, was trading in the red. At the time of writing, the token had fallen by almost 2.56% over the previous 24 hours, pushing its price down to nearly $1.49, while its total market cap stands at around the $1.3 billion mark.
Lido is Expected to Strengthen Overall Security
Following the exploit of the security flaw, the on-chain analytics firm Hercules explained that it is highly unlikely that the flaw would be picked up by other cryptocurrency exchanges. SlowMist suggested that Lido check the return values of the token contract's transfers and assess whether each transaction succeeded or failed. The security firm concluded that token contract implementations and behaviours differ by project, so comprehensive testing is necessary before integrating a new token.
Lido pointed to the official Ethereum Improvement Proposal document and explained that both the transfer and transferFrom functions must return the transfer status, and are only recommended to revert a transaction in exceptional cases. To resolve the issue, Lido confirmed that the LDO token integration guides would soon be updated.
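As an added example, not part of the article or of Lido's code: a minimal Python model of an exchange deposit monitor, showing why crediting a deposit from a successful transaction's calldata alone is unsafe for a token whose transfer() returns false instead of reverting, and how checking the return value and the token's own Transfer events (the check SlowMist recommends) closes the gap. The addresses, the Receipt shape and both sample receipts are constructed for illustration.

```python
from dataclasses import dataclass, field

# keccak256("transfer(address,uint256)")[:4] and keccak256("Transfer(address,address,uint256)")
TRANSFER_SELECTOR = "a9059cbb"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TOKEN = "0x" + "11" * 20         # constructed token contract address (stands in for LDO)
DEPOSIT_ADDR = "0x" + "22" * 20  # constructed exchange deposit address

@dataclass
class Receipt:
    """Subset of a transaction receipt plus the transfer() return word taken from a call trace."""
    status: int
    to: str                      # contract the transaction called
    input: str                   # calldata, hex without 0x
    return_data: str             # ABI-encoded bool returned by transfer(), hex without 0x
    logs: list = field(default_factory=list)  # dicts with address, topics, data

def transfer_calldata(to: str, value: int) -> str:
    """ABI-encode transfer(to, value); used here only to construct the sample receipts."""
    return TRANSFER_SELECTOR + to[2:].rjust(64, "0") + format(value, "064x")

def decode_transfer_calldata(calldata: str):
    """Return (to, value) for transfer(address,uint256) calldata, else None."""
    if len(calldata) != 8 + 2 * 64 or calldata[:8] != TRANSFER_SELECTOR:
        return None
    return "0x" + calldata[32:72], int(calldata[72:136], 16)

def credit_from_calldata(r: Receipt) -> int:
    """Unsafe: status == 1 plus calldata is enough, so a transfer that returned false gets credited."""
    if r.status != 1 or r.to.lower() != TOKEN:
        return 0
    decoded = decode_transfer_calldata(r.input)
    return decoded[1] if decoded and decoded[0].lower() == DEPOSIT_ADDR else 0

def credit_from_state_change(r: Receipt) -> int:
    """Safe: require transfer() to have returned true and credit only Transfer events the token emitted."""
    if r.status != 1 or r.to.lower() != TOKEN or int(r.return_data, 16) != 1:
        return 0
    return sum(int(log["data"], 16) for log in r.logs
               if log["address"].lower() == TOKEN and len(log["topics"]) == 3
               and log["topics"][0] == TRANSFER_TOPIC
               and "0x" + log["topics"][2][-40:] == DEPOSIT_ADDR)

ONE_MILLION = 1_000_000 * 10**18
# Constructed fake deposit: a sender with no balance calls transfer(deposit, 1M tokens);
# the transaction succeeds, transfer() returns false and no Transfer event is emitted.
FAKE_DEPOSIT = Receipt(1, TOKEN, transfer_calldata(DEPOSIT_ADDR, ONE_MILLION), "0" * 64)
# Constructed genuine deposit of 5 tokens: transfer() returns true and emits Transfer.
REAL_DEPOSIT = Receipt(1, TOKEN, transfer_calldata(DEPOSIT_ADDR, 5 * 10**18), "0" * 63 + "1",
                       logs=[{"address": TOKEN, "data": format(5 * 10**18, "064x"),
                              "topics": [TRANSFER_TOPIC, "0x" + "0" * 24 + "33" * 20,
                                         "0x" + "0" * 24 + DEPOSIT_ADDR[2:]]}])
```

The calldata-based monitor credits the fake deposit with one million tokens, while the state-change check credits nothing for it and the correct five tokens for the genuine one.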