Ethereum staking protocol Lido Finance has publicly acknowledged a known security flaw in its LDO token contract. The announcement came in response to a September 10 post by blockchain security firm SlowMist, which highlighted the vulnerability that could potentially enable “fake deposit” attacks on cryptocurrency exchanges, Cryptopolitan reported.
Despite the concerns, Lido Finance reassured investors that both Lido DAO LDO and staked-Ether (stETH) tokens remain secure.
Lido Finance counters SlowMist’s allegations
SlowMist’s analysis revealed that the flaw in the LDO token contract allows users to execute transactions even when they lack sufficient funds. This deviation from the Ethereum Request for Comment 20 (ERC-20) token standard could facilitate unauthorized transactions. SlowMist also claimed that the token contract had recently been exploited through this vulnerability, although no on-chain evidence was provided to substantiate the claim.
Lido Finance countered SlowMist’s allegations by citing the official Ethereum Improvement Proposal document, co-authored by Ethereum founder Vitalik Buterin. The document states that “both the “transfer” and “transferFrom” functions must return the transfer status and are only recommended to revert a transaction in exceptional cases.” Lido Finance argued that the flaw is inherent in all ERC-20 tokens, not just in Lido’s LDO token.
SlowMist has advised LDO token holders to check the return values of token contract transfers in addition to monitoring the success or failure of a transaction.
To mitigate the security risk, Lido Finance also confirmed that updates to the LDO token integration guides are imminent. The company said it is taking proactive steps to address any security flaws.
According to data from DeFiLlama, the total value locked (TVL) in Lido stands at over $14 billion as of September 11. It’s worth noting that LDO, an ERC20 governance token, is leveraged for voting on improvement proposals in the Lido DAO.
