Lido assures LDO, stETH tokens remain safe despite flaw in token contract

Lido assures LDO, stETH tokens remain safe despite flaw in token contract



Ethereum staking protocol Lido Finance has assured both Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO’s token contract.

Lido didn’t confirm any exploits, but acknowledged the security flaw was known and reassured LDO and stETH funds remain safe in response to a Sept. 10 post by blockchain security firm SlowMist.

SlowMist said LDO’s flawed token contract allows bad actors to facilitate “fake deposit” attacks on exchanges because LDO’s token contract enables users to execute transactions even where they don’t have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist.

However, Lido Finance argued the flaw is built into all ERC-20 tokens — not just Lido’s LDO token:

okex

SlowMist said the “fake deposit” attacks came from LDO’s token contract executing transfers where the value is larger than what the user actually owns, triggering a false return as opposed to reverting the transaction. While the firm said Lido’s token contract has recently been exploited via this attack, no on-chain evidence was provided.

Cointelegraph reached out to SlowMist for comment but did not receive an immediate response.

Meanwhile, on-chain analyst “Hercules” explained on Sept. 10 that the security flaw may not be picked up by cryptocurrency exchanges.

SlowMist recommends LDO holders to also check the return values of the token contract transfers in addition to the success or failure of a transaction.

The blockchain security firm concluded that token contract implementations and behaviors vary by project and to conduct comprehensive testing before integrating any new tokens.

Related: Ethereum staking services agree to 22% limit of all validators

However, Lido highlighted in the official Ethereum Improvement Proposal document — co-authored by Vitalik Buterin in November 2015 — that both the “transfer” and “transferFrom” functions must return the transfer status and are only recommended to revert a transaction in exceptional cases.

To resolve the security flaw, Lido confirmed the LDO token integration guides will soon be updated.

Magazine: DeFi Dad, Hall of Flame: Ethereum is ‘woefully undervalued’ but growing more powerful





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

You have not selected any currency to display

Pin It on Pinterest

Crypto-Moon
Bybit
Crypto-Moon
Lido assures LDO, stETH tokens remain safe despite flaw in token contract
okex
Binance
Bubblemaps Flags ‘Rugproof’ Launchpad for Alleged Rug Pull
3 Altcoins at Risk of Major Liquidations in the Last Week of July
XRP 'Healthy Correction,' Ether Supply Decline: Hodler's Digest
Ether's Spike In Social Dominance Signals Potential Price Risk
Hyperlane’s Warp Routes 2.0 Sends HYPER to New All-Time High
Ripple Co-Founder Moves $175M XRP, Draws Criticism Over Timing
BillFodl
Changelly
RI Mining Free Cloud Mining App Is Officially Launched
Galaxy Digital moves $447M in Bitcoin to exchanges, sparking sell-off speculation
Bitcoin consolidates below $120K; Analysts say Ethereum flows will guide next market move
Bitcoin Mining Giant Mara Completes $950M Deal to Buy More BTC
Bitcoin Range Break Brewing, Which Altcoins Will Follow?
RI Mining Free Cloud Mining App Is Officially Launched
Galaxy Digital moves $447M in Bitcoin to exchanges, sparking sell-off speculation
Bitcoin consolidates below $120K; Analysts say Ethereum flows will guide next market move
Bitcoin Mining Giant Mara Completes $950M Deal to Buy More BTC