Ethereum staking protocol Lido Finance has assured that both Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO's token contract.
Lido did not confirm any exploits, but acknowledged that the security flaw was known and reassured that LDO and stETH funds remain safe in response to a Sept. 10 post by blockchain security firm SlowMist.
SlowMist said LDO's flawed token contract allows bad actors to carry out "fake deposit" attacks on exchanges, because LDO's token contract lets users execute transfer transactions even where they do not have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist.
However, Lido Finance argued that the behavior is built into all ERC-20 tokens, not just Lido's LDO token:
This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe.
Lido token integration guides will be updated with LDO specifics to make this more visible shortly.
— Lido (@LidoFinance) September 10, 2023
SlowMist said the "fake deposit" attacks come from LDO's token contract executing transfers where the value is greater than what the user actually owns, returning false instead of reverting the transaction. While the firm said Lido's token contract has recently been exploited via this attack, no on-chain evidence was provided.
Cointelegraph reached out to SlowMist for comment but did not receive an immediate response.
Meanwhile, on-chain analyst "Hercules" explained on Sept. 10 that the security flaw will not be picked up by cryptocurrency exchanges.
SlowMist recommends that LDO holders also check the return values of token contract transfers as well as the success or failure of a transaction.
The blockchain security firm concluded that token contract implementations and behaviors differ by project, and advised conducting comprehensive testing before integrating any new tokens.
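The recommendation above, as an added example (not code from SlowMist, Lido or the LDO contract): a constructed Python model of an ERC-20-style ledger that can either revert or return false on an insufficient balance, beside a naive deposit-crediting routine that trusts transaction success alone and a checked one that also requires the transfer's return value. The token, receipt and address names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

class TransferReverted(Exception):
    """Models an EVM revert: the tx is mined with status 0 and no state change."""

@dataclass
class Token:
    """Constructed minimal ERC-20-style balance ledger (not the LDO contract)."""
    revert_on_shortfall: bool            # True: revert; False: return False (both ERC-20 legal)
    balances: dict = field(default_factory=dict)

    def transfer(self, sender: str, to: str, amount: int) -> bool:
        if self.balances.get(sender, 0) < amount:
            if self.revert_on_shortfall:
                raise TransferReverted()
            return False                 # signals failure without reverting
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

@dataclass
class Receipt:
    status: int                          # 1 = mined successfully, 0 = reverted
    return_value: Optional[bool]         # decoded bool from transfer(), None if reverted

def send_transfer(token: Token, sender: str, to: str, amount: int) -> Receipt:
    """Submits a transfer and builds the receipt an exchange's deposit watcher would see."""
    try:
        return Receipt(1, token.transfer(sender, to, amount))
    except TransferReverted:
        return Receipt(0, None)

def naive_credit(receipt: Receipt) -> bool:
    """Credits the deposit whenever the tx did not revert: exposed to 'fake deposits'."""
    return receipt.status == 1

def checked_credit(receipt: Receipt) -> bool:
    """Credits only when the tx succeeded AND transfer() reported True."""
    return receipt.status == 1 and receipt.return_value is True

def balance_delta_credit(token: Token, to: str, before: int, amount: int) -> bool:
    """Strongest check: credit only if the receiving address actually gained the amount."""
    return token.balances.get(to, 0) - before == amount
```

Confirming the balance delta of the exchange's deposit address is independent of how a given token signals failure, so it holds across contracts with differing implementations.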
However, Lido highlighted in the official Ethereum Improvement Proposal document, co-authored by Vitalik Buterin in November 2015, that both the "transfer" and "transferFrom" functions must return the transfer status and are only recommended to revert a transaction in exceptional circumstances.
ERC20 token standard: https://t.co/YlrS1ZN6Fd
1) Both transfer and transferFrom are required to return transfer status and are only recommended to revert a tx in exceptional circumstances.
2) The standard says that a caller is obliged to check the return status (see 'Token methods'). pic.twitter.com/6KTcIyxo2F
— Lido (@LidoFinance) September 10, 2023
To resolve the security flaw, Lido confirmed that the LDO token integration guides will soon be updated.