Lido Finance Shares About The Safety of LDO and stETH Tokens

Recently, Lido Finance assured that both “Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO’s token contract.” It can be noted that the “fake deposit” attack enables bad actors to carry out a transfer where the requested value is larger than what the user actually owns.

Notably, Lido Finance has highlighted in the official Ethereum Improvement Proposal document that both the “transfer” and “transferFrom” functions must return the transfer status. Meanwhile it only recommended reverting a transaction in exceptional cases. To resolve the security flaw, it also confirmed that the LDO token integration guides will soon be updated.

Lido Finance Shares its Response

Lido Finance, the Ethereum staking protocol, did not confirm about any exploits, however, acknowledged the security flaw was known and reassured LDO and stETH funds remain safe. It made its response through a September 10, 2023 post by blockchain security firm SlowMist on X ( formerly Twitter).

This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe.
Lido token integration guides will be updated with LDO specifics to make this more visible shortly.
— Lido (@LidoFinance) September 10, 2023

According to SlowMist’s X post, “LDO’s flawed token contract allows bad actors to facilitate “fake deposit” attacks on exchanges as LDO’s token contract enables users to execute transactions even where they don’t have sufficient funds. This code varies from the Ethereum Request for Comment 20 (ERC-20) token standard as SlowMist noted.

🚨SlowMist Security Alert🚨
There’s a known operational issue in the LDO Token contract that has recently been exploited by malicious actors for “fake deposit” attacks on exchanges. pic.twitter.com/uHxx89Oo1D
— SlowMist (@SlowMist_Team) September 10, 2023

On the other hand, Lido Finance kept the point that the flaw is built into all ERC-20 tokens — not just its LDO token. Meanwhile, the security firm stated that the “fake deposit” attacks came from LDO’s token contract executing transfers where the value is larger than what the user actually owns. It triggers a false return as opposed to reverting the transaction.

Meanwhile, the security firm said Lido’s token contract has recently been exploited via this attack, but no on-chain evidence was provided. An on-chain analyst “Hercules” further explained on September 10, 2023, that “the security flaw may not be picked up by cryptocurrency exchanges.”

Moreover, SlowMist suggests that LDO holders have a look at the return values of the token contract transfers in addition to the “success or failure of a transaction.” It concluded that “token contract implementations and behaviors vary by project and to conduct comprehensive testing before integrating any new tokens.”

LDO and StETH Price Performance

In the past week, both LDO and StETH have shown bearish market trends as LDO dropped nearly 6% while stETH declined over 2%. According to CoinMarketCap, at press time, LDO is trading at $1.46, with a 2.30% price drop and stETH is trading at $1,592.43 with a 1.70% price decline in the last 24 hours.

It must be noted that after September 10, 2023, the price decline was clearly seen in both LDO and stETH prices. This still keeps its price to trade downwards.