Ethereum staking protocol Lido Finance has responded to allegations that attackers are exploiting a known security flaw in the Lido DAO (LDO) token contract. Lido did not confirm any specific exploit, but it acknowledged the behaviour in question and reassured users that their LDO and stETH funds remain safe. SlowMist, a prominent blockchain security firm, raised the concern in a post on September 10.
According to SlowMist, the LDO token contract allows bad actors to carry out “fake deposit” attacks on exchanges. The flaw arises because a transfer call for more LDO than the sender holds does not revert: the transaction is mined successfully while the contract returns false and moves no tokens. SlowMist claimed that this deviates from the Ethereum Request for Comment 20 (ERC-20) token standard. Lido Finance countered that the behaviour is not specific to LDO but is permitted by the ERC-20 standard itself, so it can appear in any ERC-20 token.
A “fake deposit” attack consists of calling transfer on the LDO token contract with a value larger than the caller’s balance. Instead of reverting, the call returns false and leaves all balances unchanged, yet the transaction itself succeeds on-chain. A deposit system that credits an account as soon as it sees a successful transaction, without checking the return value or the Transfer event that a real transfer emits, will credit tokens that were never moved. SlowMist alleged that the LDO token contract has recently been exploited this way, although it provided no on-chain evidence to support the claim. Cointelegraph reached out to SlowMist for comment but did not receive an immediate response.
On-chain analyst “Hercules” noted on September 10 that a flaw of this kind can easily go unnoticed by cryptocurrency exchanges. SlowMist recommended that exchanges and other projects integrating LDO check the return value of transfer and transferFrom calls rather than relying on the success or failure of the transaction alone. It also emphasized the need for comprehensive testing before integrating any new token, since token contract implementations and behaviours vary from project to project.
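The following Python model illustrates the mechanism described above and the check SlowMist recommends. It is an added example, not code from Lido, SlowMist or Cointelegraph: the two toy token classes, the account names, the starting balances and the simplified receipt structure are all constructed for illustration, and the “return false” token stands in for the behaviour the article attributes to the LDO contract rather than reproducing its actual code.

```python
"""Toy model of the ERC-20 "fake deposit" problem and three ways an
exchange might decide how much to credit from a deposit transaction.

Everything here is a constructed illustration: the token classes, the
account names and the balances are assumptions, not real contracts.
"""
from dataclasses import dataclass, field


class Reverted(Exception):
    """Raised by a token whose transfer() reverts instead of returning False."""


class FalseReturnToken:
    """Toy ERC-20 that returns False, without reverting, when the sender lacks balance."""

    def __init__(self, balances):
        self.balances = dict(balances)   # constructed starting balances
        self.logs = []                   # emitted Transfer events

    def balance_of(self, account):
        return self.balances.get(account, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            return False                 # nothing moves, no event, no revert
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount
        self.logs.append(("Transfer", sender, to, amount))
        return True


class RevertingToken(FalseReturnToken):
    """Toy ERC-20 that reverts on insufficient balance instead of returning False."""

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Reverted("insufficient balance")
        return super().transfer(sender, to, amount)


@dataclass
class Receipt:
    """The parts of a transaction receipt that matter when crediting a deposit."""
    status: int                          # 1 = mined successfully, 0 = reverted
    return_value: object                 # value returned by transfer(), if any
    logs: list = field(default_factory=list)


def send_transfer(token, sender, to, amount):
    """Submit a transfer and build the receipt a node would hand back."""
    before = len(token.logs)
    try:
        ok = token.transfer(sender, to, amount)
    except Reverted:
        return Receipt(status=0, return_value=None)
    return Receipt(status=1, return_value=ok, logs=token.logs[before:])


def credit_by_status_only(receipt, claimed_amount):
    """Vulnerable: credits the claimed amount whenever the transaction was mined."""
    return claimed_amount if receipt.status == 1 else 0


def credit_by_return_and_event(receipt, deposit_address):
    """Hardened: require a True return value, then sum Transfer events to the deposit address."""
    if receipt.status != 1 or receipt.return_value is not True:
        return 0
    return sum(amount for (name, _sender, to, amount) in receipt.logs
               if name == "Transfer" and to == deposit_address)


def credit_by_balance_delta(token, deposit_address, balance_before):
    """Most robust: credit only what the deposit address actually gained."""
    return token.balance_of(deposit_address) - balance_before


if __name__ == "__main__":
    # Constructed scenario: an attacker holding 10 tokens "deposits" 1000.
    token = FalseReturnToken({"attacker": 10, "exchange": 0})
    before = token.balance_of("exchange")
    receipt = send_transfer(token, "attacker", "exchange", 1000)
    print("status:", receipt.status, "return:", receipt.return_value)
    print("status-only credit:", credit_by_status_only(receipt, 1000))
    print("return+event credit:", credit_by_return_and_event(receipt, "exchange"))
    print("balance-delta credit:", credit_by_balance_delta(token, "exchange", before))
```

The status-only policy credits the full claimed amount even though the exchange’s balance never changed; the other two policies credit nothing. Against a token that reverts, the transaction fails outright and all three policies agree, which is why an integration tested only against reverting tokens can ship the status-only check without noticing.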
Lido Finance, however, pointed out that the official Ethereum Improvement Proposal defining the standard, co-authored by Vitalik Buterin in 2015, specifies that the “transfer” and “transferFrom” functions return a boolean transfer status and only recommends reverting the transaction in exceptional cases. To address the issue, Lido confirmed that it will update the LDO token integration guides.
Lido Finance has promptly responded to concerns about a security flaw in the LDO token contract. While the alleged exploits were not confirmed, Lido assured users that their funds are safe. The behaviour that enables “fake deposit” attacks, a transfer that returns false instead of reverting, is permitted by the ERC-20 standard rather than being specific to LDO. As a precaution, exchanges and other integrators are advised to check the return value of token transfers, not just the transaction status, and to test thoroughly before integrating any new token. Lido Finance plans to update the LDO token integration guides to address the issue.