In light of recent concerns, Lido Finance has swiftly addressed worries regarding a potential exploit in their Ethereum staking protocol. Despite rumors of a vulnerability in LDO’s token contract, Lido offers reassurances.
Background: Lido Concerns Raised by SlowMist
On September 10, blockchain security expert SlowMist pointed out an alleged flaw in Lido’s LDO token contract. Their findings suggested this issue could permit rogue players to engage in “fake deposit” attacks on exchanges. Intriguingly, the problematic code appeared to bypass the Ethereum Request for Comments 20 (ERC-20) token guidelines.
Lido, however, responded to SlowMist’s claim with clarity. Contrary to SlowMist’s observations, Lido emphasized that the flaw isn’t unique to their LDO token. Instead, it’s an inherent aspect of all ERC-20 tokens.
As highlighted by SlowMist, the core issue lies in LDO’s token contract. When a transfer’s stated value exceeds the amount the user actually owns, the contract does not revert the transaction. Instead, the call reports failure through its return value (false) while the transaction itself still completes. Despite these allegations, SlowMist hasn’t furnished any on-chain evidence supporting their claims.
On the same day, on-chain analyst “Hercules” weighed in on the debate. He suggested that this specific security flaw might go unnoticed by cryptocurrency exchanges.
SlowMist’s Recommendations for LDO Holders
In light of these findings, SlowMist advises LDO holders to exercise caution. They urge users to scrutinize the return values of token contract transfers. Moreover, they should monitor both the success and failure outcomes of transactions. For projects, SlowMist advocates for comprehensive testing before token integration.
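The check SlowMist recommends, sketched as an added example (not code from this article, Lido or SlowMist): a deposit handler that trusts transaction status plus calldata, next to one that credits only what the token's Transfer logs record. The addresses, transaction and receipts are constructed placeholders, and the code assumes the token emits a Transfer log only when balances actually move.

```python
# Added example: crediting deposits of an ERC-20 token whose transfer()
# returns false instead of reverting. Addresses and receipts are constructed.
TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TOKEN = "0x" + "11" * 20     # placeholder token contract
EXCHANGE = "0x" + "22" * 20  # placeholder exchange deposit address
SENDER = "0x" + "33" * 20    # placeholder depositor

def pad_addr(addr):
    """Left-pad an address to the 32-byte form used in indexed log topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def calldata(to, value):
    """Build transfer(to, value) calldata for the constructed sample."""
    return "0x" + TRANSFER_SELECTOR + to[2:].rjust(64, "0") + format(value, "064x")

def decode_transfer_calldata(data):
    """Return (to, value) from transfer(address,uint256) calldata, or None."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) != 8 + 128 or h[:8] != TRANSFER_SELECTOR:
        return None
    return "0x" + h[32:72], int(h[72:], 16)

def naive_credit(tx, receipt):
    """Flawed: trusts status == 1 and the requested amount in the calldata."""
    decoded = decode_transfer_calldata(tx["input"])
    if receipt["status"] != 1 or tx["to"] != TOKEN or decoded is None:
        return 0
    to, value = decoded
    return value if to == EXCHANGE else 0

def event_credit(receipt):
    """Credit only amounts shown by Transfer logs emitted by the token itself."""
    if receipt["status"] != 1:
        return 0
    total = 0
    for log in receipt["logs"]:
        t = log["topics"]
        if (log["address"] == TOKEN and len(t) == 3
                and t[0] == TRANSFER_TOPIC and t[2] == pad_addr(EXCHANGE)):
            total += int(log["data"], 16)
    return total

TX = {"to": TOKEN, "input": calldata(EXCHANGE, 1000)}
# transfer() returned false: the transaction succeeded but no log was emitted
FAILED_TRANSFER = {"status": 1, "logs": []}
REAL_TRANSFER = {"status": 1, "logs": [{
    "address": TOKEN, "data": format(1000, "#066x"),
    "topics": [TRANSFER_TOPIC, pad_addr(SENDER), pad_addr(EXCHANGE)]}]}
```

Comparing the credited amount with the token balance of the deposit address before and after the block gives a second, independent check.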
Drawing from the official Ethereum Improvement Proposal (co-penned by the renowned Vitalik Buterin in 2015), Lido defended its position. This document mentions that both “transfer” and “transferFrom” functions should only provide the transfer status. Reverting a transaction should be an exception, not the norm.
To further address these concerns, Lido announced forthcoming updates. The LDO token integration guides are set to receive revisions soon.
None of the information on this website is investment or financial advice. CryptoMode is not responsible for any financial losses sustained by acting on information provided on this website.