Ethereum staking protocol Lido Finance has assured users that Lido DAO (LDO) and staked Ether (stETH) tokens remain secure, despite reports that attackers have exploited a known quirk in the LDO token contract.
Lido responded to a post published on September 10 by blockchain security company SlowMist, acknowledging that the reported behavior was already known and assuring that LDO and stETH funds remain safe.
SlowMist said the LDO token contract allows bad actors to conduct "fake deposit" attacks against exchanges, because a transfer call can complete without reverting even when the sender does not hold sufficient balance. According to SlowMist, this deviates from the Ethereum Request for Comments 20 (ERC-20) token standard.
Lido Finance, however, contends that this behavior is permitted by the ERC-20 standard itself and is not a flaw specific to LDO:
This behavior is expected and complies with ERC20 token standards (see tweet below). LDO and stETH (and Lido governance) remain secure.
The Lido Token integration guide will be updated with LDO details soon.
— Lido (@LidoFinance) September 10, 2023
SlowMist said the "fake deposit" attack arises because, when a user calls transfer for more tokens than they actually hold, the LDO token contract returns false instead of reverting the transaction, so the transaction itself still succeeds. While the company stated that Lido's token contract had recently been exploited in this way, it did not provide on-chain evidence.
Cointelegraph reached out to SlowMist for comment but did not immediately receive a reply.
Meanwhile, on-chain analyst "Hercules" suggested that cryptocurrency exchanges may not yet have noticed the flaw as of September 10.
SlowMist recommends checking the return value of the token contract's transfer call in addition to checking whether the transaction itself succeeded or failed.
The security company summarized that the implementation and behavior of token contracts vary from project to project and should be thoroughly tested before any new token is integrated.
Lido, however, pointed to the official Ethereum Improvement Proposal document (EIP-20, co-authored by Vitalik Buterin in November 2015), which states that both the "transfer" and "transferFrom" functions must return the transfer status, and that reverting the transaction is only recommended in specific cases:
ERC20 token standard: https://t.co/YlrS1ZN6Fd
1) Both transfer and transferFrom need to return the transfer status, and it is only recommended to revert the tx in specific cases.
2) The standard places the obligation to check the return status on the caller (see "Token Methods").
— Lido (@LidoFinance) September 10, 2023
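To make the mechanism described above concrete, the following Python model is an added example; it is not code from the article, from SlowMist or from Lido. It models a MiniMe-style token whose transfer returns false on insufficient balance (the behavior SlowMist describes) beside an OpenZeppelin-style token that reverts, and then runs two hypothetical exchange deposit-crediting routines over the resulting receipts: a naive one that credits whenever the transaction did not revert, and a hardened one that also requires a true return value and a matching Transfer event. The addresses, balances and receipt structure are constructed for the example.

```python
"""Added example: 'fake deposit' against a deposit scanner that trusts tx status.
All addresses, balances and receipts are constructed; names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EXCHANGE_HOT_WALLET = "0xEXCHANGE"  # constructed label, not a real address
TRANSFER_TOPIC = "Transfer(address,address,uint256)"
Log = Tuple[str, str, str, int]  # (topic, from, to, value)


@dataclass
class Receipt:
    status: int                 # 1 = tx did not revert, 0 = reverted
    returned: Optional[bool]    # decoded bool from transfer(); None if reverted
    logs: List[Log] = field(default_factory=list)


class MiniMeStyleToken:
    """transfer() returns False (no revert, no event) when the balance is short."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender: str, to: str, amount: int) -> Receipt:
        if self.balances.get(sender, 0) < amount:
            return Receipt(status=1, returned=False, logs=[])
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return Receipt(status=1, returned=True,
                       logs=[(TRANSFER_TOPIC, sender, to, amount)])


class RevertingToken(MiniMeStyleToken):
    """OpenZeppelin-style token: an insufficient balance reverts the tx."""

    def transfer(self, sender: str, to: str, amount: int) -> Receipt:
        if self.balances.get(sender, 0) < amount:
            return Receipt(status=0, returned=None, logs=[])
        return super().transfer(sender, to, amount)


def naive_credit(receipt: Receipt, to: str, claimed: int) -> int:
    """Vulnerable: credits the claimed amount whenever the tx did not revert."""
    return claimed if receipt.status == 1 else 0


def safe_credit(receipt: Receipt, to: str, claimed: int) -> int:
    """Hardened: requires status 1 and a True return value, then credits only
    the value carried by Transfer events addressed to the hot wallet."""
    if receipt.status != 1 or receipt.returned is not True:
        return 0
    return sum(value for topic, _frm, log_to, value in receipt.logs
               if topic == TRANSFER_TOPIC and log_to == to)


def run_scenario() -> dict:
    """Honest deposit from ALICE, fake deposit from MALLORY (zero balance)."""
    token = MiniMeStyleToken({"0xALICE": 100, "0xMALLORY": 0})
    real = token.transfer("0xALICE", EXCHANGE_HOT_WALLET, 60)
    fake = token.transfer("0xMALLORY", EXCHANGE_HOT_WALLET, 1_000_000)

    strict = RevertingToken({"0xMALLORY": 0})
    reverted = strict.transfer("0xMALLORY", EXCHANGE_HOT_WALLET, 1_000_000)

    return {
        "naive_real": naive_credit(real, EXCHANGE_HOT_WALLET, 60),
        "naive_fake": naive_credit(fake, EXCHANGE_HOT_WALLET, 1_000_000),
        "safe_real": safe_credit(real, EXCHANGE_HOT_WALLET, 60),
        "safe_fake": safe_credit(fake, EXCHANGE_HOT_WALLET, 1_000_000),
        "reverting_fake_naive": naive_credit(reverted, EXCHANGE_HOT_WALLET, 1_000_000),
        "reverting_fake_safe": safe_credit(reverted, EXCHANGE_HOT_WALLET, 1_000_000),
        "hot_wallet_balance": token.balances[EXCHANGE_HOT_WALLET],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive scanner credits the attacker's 1,000,000 tokens even though the hot wallet only ever received 60, while the hardened scanner credits nothing for the fake transfer; against the reverting token both scanners are safe, because the transaction status already captures the failure. On a real chain a transaction receipt carries the status and the logs but not the function's return value, which is only visible through an eth_call simulation or a trace, so crediting from the Transfer event in the logs is the practical form of the return-value check SlowMist recommends.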
Lido confirmed that the LDO token integration guide will be updated soon to document this behavior for integrators.