Lido assures users LDO and stETH tokens remain secure despite a flaw in the token contract

The “fake deposit” attack allows malicious actors to execute a transfer whose requested value is greater than what the user actually holds.


Ethereum staking protocol Lido Finance has assured users that Lido DAO (LDO) and Staking-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO's token contract.

Responding to a September 10 post by blockchain security firm SlowMist, Lido did not confirm any exploits, but acknowledged that the security flaw was known and reassured users that LDO and stETH funds remain safe.

SlowMist said LDO's flawed token contract allows bad actors to facilitate "fake deposit" attacks on exchanges, as LDO's token contract allows users to execute trades even if they do not have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist.

However, Lido Finance argued that the flaw is built into all ERC-20 tokens, not just Lido's LDO token:

This behavior is expected and conforms to the ERC20 token standard (see tweet below). LDO and stETH (and Lido governance) remain secure.

The Lido token integration guides will be updated with LDO specifics to make this more visible soon.

— Lido (@LidoFinance) September 10, 2023

SlowMist said the "fake deposit" attacks stem from LDO's token contract executing transfers that are worth more than what the user actually owns, returning false instead of reverting the transaction. Although the company stated that the Lido token contract was recently exploited via this attack, no on-chain evidence was provided.
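The deposit check an exchange needs against a transfer() that reports failure through its return value without reverting, as an added example that is not code from Lido, SlowMist or any exchange. The function names, placeholder addresses and sample receipts are constructed for illustration; only the Transfer event topic and the transfer selector are the standard ERC-20 values.

```python
# Added example (not Lido, SlowMist or exchange code). All names are hypothetical.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

# Constructed placeholder addresses, not real contracts or wallets.
TOKEN, DEPOSIT, SENDER = ("0x" + b * 20 for b in ("11", "22", "33"))

def word(addr):
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return "0x" + addr[2:].rjust(64, "0")

def naive_credit(tx, receipt):
    """Flawed: credits the calldata amount whenever the transaction did not revert."""
    data = tx["input"][2:]
    if receipt["status"] != "0x1" or data[:8] != TRANSFER_SELECTOR:
        return 0
    recipient = "0x" + data[8:72][-40:]
    return int(data[72:136], 16) if recipient == DEPOSIT else 0

def verified_credit(receipt):
    """Credits only amounts the token contract itself logged as sent to DEPOSIT."""
    if receipt["status"] != "0x1":
        return 0
    total = 0
    for log in receipt["logs"]:
        topics = log["topics"]
        if (log["address"].lower() == TOKEN and len(topics) == 3
                and topics[0] == TRANSFER_TOPIC and topics[2].lower() == word(DEPOSIT)):
            total += int(log["data"], 16)
    return total

def transfer_tx(amount):
    """Constructed transaction calling transfer(DEPOSIT, amount) on TOKEN."""
    return {"to": TOKEN,
            "input": "0x" + TRANSFER_SELECTOR + word(DEPOSIT)[2:] + format(amount, "064x")}

def transfer_log(amount):
    """Constructed Transfer(SENDER, DEPOSIT, amount) event emitted by TOKEN."""
    return {"address": TOKEN, "topics": [TRANSFER_TOPIC, word(SENDER), word(DEPOSIT)],
            "data": "0x" + format(amount, "064x")}

# Genuine deposit: transfer succeeds and the token emits a Transfer event.
REAL = (transfer_tx(500), {"status": "0x1", "logs": [transfer_log(500)]})
# Fake deposit: transfer() returned false without reverting, so the status is
# still success but no tokens moved and no Transfer event was logged.
FAKE = (transfer_tx(10**24), {"status": "0x1", "logs": []})

if __name__ == "__main__":
    for name, (tx, rcpt) in (("real", REAL), ("fake", FAKE)):
        print(name, naive_credit(tx, rcpt), verified_credit(rcpt))
```

The naive check credits the full requested amount for the fake deposit, while the log-based check credits nothing; both agree on the genuine deposit.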

Cointelegraph contacted SlowMist for comment but did not receive an immediate response.

...
