Eyebrows were raised across the crypto community yesterday following Lido’s announcement of a compromised oracle key and the emergency vote to replace it.
While some commentators called the incident “alarming,” especially given recent, high-profile hacks, others stressed that fears were overblown.
Lido’s message reassured users that it “remains secure and fully operational” whilst underlining that all other signers of the “five of nine” oracle were secure.
Read more: Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence
Lido is the decentralized finance (DeFi) sector’s second-largest protocol, worth $23 billion, according to DeFiLlama data.
It allows users to deposit ether (ETH) to earn proof-of-stake yields, issuing a liquid wrapper for use elsewhere, e.g., as collateral to borrow other crypto assets.
The realization that one of the keyholders to an important part of Lido’s infrastructure led to worries over the security underlying the protocol.
This hacker was also ridiculed for blowing their opportunity, giving the game away by draining a mere 1.46 ETH (around $3,800 at the time) sitting in the address to be used for gas fees.
Well-organized and long-running multisig compromise efforts have led to enormous heists in recent months.
Indeed, the largest ever crypto hack hit ByBit for $1.5 billion in February, and $50 million was stolen from Radiant Capital in October.
Both incidents have been linked to North Korea’s Lazarus Group via the TraderTraitor malware used, and an undercover security researcher who blew his own cover in March.
Read more: Crypto exchange Bybit hacked for over $1.4 billion
Lido contributors say fears may have been overblown
Strategic Advisor Hasu posted a rebuttal to those speculating on the danger posed by the compromised key, explaining that “The oracle isn’t a multi-sig. It doesn’t custody funds and cannot drain the protocol. No user deposits were ever at risk.”
The oracle reports raw data from Ethereum’s underlying Beacon Chain, and requires a threshold of five of nine participants to make any changes.
Even if five addresses were compromised, would-be attackers would only be able to make minimal changes to certain parameters thanks to Lido’s so-called “sanity checks.”
Lido co-founder Vasiliy Shapovalov pointed to incremental changes that were made to limit the potential impact of this scenario in 2022 and 2024, adding, “Risk mitigation is not an afterthought or reaction but part of the design process.”
While the address in this case wasn’t on a traditional multi-sig with access to underlying funds, it still serves as a wake-up call for a sector that should already be well aware of the threats lurking around every corner.
A Lido forum post outlined the immediate security checks that were carried out in response, confirming that no other compromises had been found in oracle addresses or the underlying software.
The operator of the compromised address, Chorus One, is reviewing its infrastructure for further signs of compromise and has promised to share a post-mortem report once the investigation is complete.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
Source: https://protos.com/lido-oracle-key-compromise-was-23b-really-at-risk/