Ethereum staking protocol Lido Finance has vouched for the safety of both Lido DAO (LDO) and staked Ether (stETH) tokens, despite hackers purportedly exploiting a known security flaw in the LDO token contract.
In response to a September 10 post by blockchain security firm SlowMist, Lido did not corroborate any exploits but acknowledged that the security flaw was already known and assured users that LDO and stETH funds are safe. SlowMist stated that LDO's defective token contract enables bad actors to execute "fake deposit" attacks on exchanges, because it lets users submit transfers for more tokens than they actually hold.
According to SlowMist, this behaviour deviates from the Ethereum Request for Comment 20 (ERC-20) token standard. Lido Finance, however, argued that the issue is inherent to all ERC-20 tokens, not just the LDO token.
According to SlowMist, the "fake deposit" attacks stem from the way LDO's token contract handles a transfer whose value exceeds the sender's balance: it returns false instead of reverting the transaction.
While the firm claimed that Lido's token contract was recently exploited through this attack, no on-chain evidence was presented. In the meantime, on-chain analyst "Hercules" explained on September 10 that cryptocurrency exchanges may overlook this security vulnerability.
SlowMist advises LDO holders and integrators to examine the return values of token contract calls in addition to the transaction's success or failure. The blockchain security firm noted that token contract implementations and behaviours vary by project and called for exhaustive testing before integrating new tokens.
However, Lido pointed out that the official Ethereum Improvement Proposal document, co-authored by Vitalik Buterin in November 2015, requires both the "transfer" and "transferFrom" functions to return the transfer status, and only recommends reverting in exceptional circumstances.
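The following is an added example, not code from Lido, SlowMist or the LDO contract: a small Python model of the two transfer() behaviours described above (revert versus return-false) alongside a deposit check that inspects the ABI-encoded return value, as SlowMist advises. The token balances and account names are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of an ERC-20 transfer(). `revert_on_failure=False` mimics
# a contract that returns false on insufficient balance instead of reverting,
# the behaviour SlowMist described for the LDO token contract.
@dataclass
class Token:
    balances: dict = field(default_factory=dict)  # constructed sample balances
    revert_on_failure: bool = True

    def transfer(self, sender: str, to: str, amount: int):
        """Return (tx_succeeded, return_data).

        return_data is what an integrator would see as the call's output:
        a 32-byte ABI-encoded bool on success, empty bytes on revert."""
        if self.balances.get(sender, 0) < amount:
            if self.revert_on_failure:
                return False, b""                 # tx reverted, no state change
            return True, (0).to_bytes(32, "big")  # tx succeeds but returns false
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True, (1).to_bytes(32, "big")      # tx succeeds and returns true


def transfer_returned_true(return_data: bytes) -> bool:
    """Decode an ERC-20 transfer() return value conservatively.

    Only a 32-byte word equal to 1 counts as success. Empty return data
    (tokens that return nothing) cannot be verified here and is rejected."""
    if len(return_data) != 32:
        return False
    return int.from_bytes(return_data, "big") == 1


def credit_deposit_naive(token: Token, user: str, exchange: str, amount: int) -> int:
    """Credits the deposit whenever the transaction itself did not revert.
    This is the check a 'fake deposit' abuses."""
    ok, _ = token.transfer(user, exchange, amount)
    return amount if ok else 0


def credit_deposit_checked(token: Token, user: str, exchange: str, amount: int) -> int:
    """Credits the deposit only if the tx succeeded AND transfer() returned true
    AND the exchange balance actually grew by the requested amount."""
    before = token.balances.get(exchange, 0)
    ok, ret = token.transfer(user, exchange, amount)
    received = token.balances.get(exchange, 0) - before
    if ok and transfer_returned_true(ret) and received == amount:
        return amount
    return 0
```

The balance-delta comparison is the extra safeguard: it also catches tokens whose return value is absent or non-standard.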
Lido confirmed that the LDO token integration guides will be updated shortly to address the security flaw.