
The 1.4 ETH Heist Reveals: Lido's Security Mechanism Teaches the Industry a Lesson

A hacker breached one of the addresses in Lido's oracle multisig early in the morning, stealing 1.4 ETH before exposing their trail.
Author: @IsdrsP, Head of Lido Validators
Translation: Nicky, Foresight News
In the early hours of May 10, oracle provider Chorus One disclosed that a hot wallet used by Lido's oracle had been compromised, resulting in the theft of 1.46 ETH. However, security audits indicate this isolated incident has limited impact, as the affected wallet was designed solely for lightweight operational use.
An oracle attack may sound alarming. Yet Lido’s architectural design, stakeholder values, and security-first contributor culture mean such events have minimal consequences—even if oracles were fully compromised, the outcome would not be catastrophic.
So what makes Lido unique?
Thoughtful Design and Multi-Layered Protection
Lido’s oracles are responsible for relaying information from the consensus layer to the execution layer and reporting protocol activity. They do not control user funds. A single faulty oracle causes only minor disruptions; even if the quorum is breached, the consequences remain non-catastrophic.
What malicious actions could a compromised oracle attempt?
A) Submitting malicious reports (which will be ignored by honest oracles);
B) Draining the ETH balance of that specific oracle address (an address used only for operational transactions and not holding staker funds).
What exactly do oracles do?
Lido’s oracles are essentially a distributed mechanism composed of nine independent participants (requiring 5/9 consensus), primarily responsible for reporting protocol status. Core functions currently include:
• Distributing token inflation rewards (rebase)
• Processing withdrawals
• Monitoring validator exits and performance for reference by the CSM (Community Security Module)
These oracles submit "reports" on observed states to the protocol. These reports are used to calculate daily cumulative rewards or penalties, update stETH balances, process and finalize withdrawal requests, compute validator exit applications, and measure validator performance.
Crucially, Lido oracles differ from what people typically think of as a "multisig." Oracles cannot access stakers’ or protocol funds, control upgrades of any protocol contracts, upgrade themselves, or manage membership. Instead, the Lido DAO maintains the oracle list through voting.
Oracle functionality is extremely limited. An oracle can only submit reports that strictly follow deterministic, audited, open-source algorithms designed for the different protocol objectives, and execute transactions under specific conditions to apply report outcomes (e.g., the protocol's daily rebase operation).
If five out of nine oracles are compromised, how bad could it get? In this worst-case scenario, compromised oracles might collude to submit malicious reports. However, all reports must pass on-chain protocol sanity checks enforced by code.
If a report violates these sanity checks, its processing will be delayed (or possibly never finalized), because the reported values must fall within allowable ranges over specific time periods (days or weeks).
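The two safeguards described above, a 5-of-9 quorum and an on-chain range check that holds out-of-range reports instead of applying them, can be modelled in a few lines. The following Python model is an added example and is not Lido's code; the member names, balances and the 0.1% / 1% per-report limits are constructed for illustration and do not reflect the protocol's real parameters.

```python
"""Simplified model of a quorum-gated oracle with on-chain sanity checks.

Added educational example, not Lido's contract code. It captures two properties
from the article: a report counts only when a quorum (5 of 9) of members submit
an identical report, and a quorum report is applied only if the reported change
stays within a bounded range relative to the last finalized value; otherwise it
is held. Member names, balances and limits are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

QUORUM = 5
MEMBERS = 9

# Constructed (hypothetical) bounds: one report may grow the balance by at most
# 0.1% or shrink it by at most 1% versus the last finalized balance.
MAX_POSITIVE_CHANGE = 0.001
MAX_NEGATIVE_CHANGE = 0.01


@dataclass(frozen=True)
class Report:
    ref_slot: int          # consensus-layer slot the report describes
    cl_balance_gwei: int   # total validator balance observed by the oracle


@dataclass
class OracleContract:
    members: frozenset[str]
    finalized_balance_gwei: int
    submissions: dict[int, dict[str, Report]] = field(default_factory=dict)
    held: dict[int, Report] = field(default_factory=dict)      # quorum reached, failed range check
    applied: dict[int, Report] = field(default_factory=dict)   # quorum reached, range check passed

    def submit(self, member: str, report: Report) -> str:
        """Record one member's vote for a slot and return the resulting status."""
        if member not in self.members:
            raise PermissionError(f"{member} is not an oracle member")
        slot_subs = self.submissions.setdefault(report.ref_slot, {})
        slot_subs[member] = report  # one live vote per member per slot
        return self._try_finalize(report.ref_slot)

    def _try_finalize(self, ref_slot: int) -> str:
        if ref_slot in self.applied:
            return "already_applied"
        report, votes = Counter(self.submissions[ref_slot].values()).most_common(1)[0]
        if votes < QUORUM:
            return "no_quorum"
        if self._passes_sanity_check(report):
            self.applied[ref_slot] = report
            self.finalized_balance_gwei = report.cl_balance_gwei
            self.held.pop(ref_slot, None)
            return "applied"
        self.held[ref_slot] = report   # quorum alone is not enough to move funds accounting
        return "held_out_of_range"

    def _passes_sanity_check(self, report: Report) -> bool:
        base = self.finalized_balance_gwei
        change = (report.cl_balance_gwei - base) / base
        return -MAX_NEGATIVE_CHANGE <= change <= MAX_POSITIVE_CHANGE


def run_scenarios() -> dict[str, str]:
    """Exercise the three situations the article discusses."""
    names = [f"oracle-{i}" for i in range(MEMBERS)]
    c = OracleContract(members=frozenset(names), finalized_balance_gwei=9_000_000 * 10**9)
    results: dict[str, str] = {}

    # 1) Honest majority: identical in-range reports reach quorum and are applied.
    honest = Report(ref_slot=100, cl_balance_gwei=c.finalized_balance_gwei + 2_000 * 10**9)
    for m in names[:QUORUM]:
        status = c.submit(m, honest)
    results["honest_quorum"] = status

    # 2) Four compromised members: a wildly wrong report never reaches quorum.
    bogus = Report(ref_slot=200, cl_balance_gwei=c.finalized_balance_gwei // 2)
    for m in names[:QUORUM - 1]:
        status = c.submit(m, bogus)
    results["four_malicious"] = status

    # 3) Five compromised members: quorum is reached, but the report fails the
    #    range check and is held instead of being applied.
    results["five_malicious"] = c.submit(names[QUORUM - 1], bogus)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The model deliberately keeps the two checks independent: the quorum rule stops a minority from submitting anything at all, and the range check stops even a colluding quorum from moving the finalized value by more than the configured bound in one step, which is why the article's worst case is a delayed rebase rather than a loss of funds.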
In the worst case, this could mean that an stETH rebase (positive or negative) takes longer to take effect, which impacts stETH holders—but the effect is negligible for most, unless someone uses stETH leveraged in DeFi.
Other possibilities exist: if malicious oracles and their accomplices possess certain information or the ability to trigger large-scale slashing on the consensus layer, they might exploit delays in stETH updates on the execution layer for economic gain.
For example, during mass slashing, some parties might dump portions of stETH on decentralized exchanges (DEXs) before a negative rebase takes effect. However, this does not affect user-initiated withdrawals via Lido, as the protocol’s “bunker mode” would activate to ensure fair execution of withdrawals.
Immediate and Complete Transparency
Throughout, all participants in the Lido ecosystem—including contributors, node operators, and oracle operators—prioritize transparency and good faith, placing staker interests and ecosystem health above all.
Whether proactively publishing detailed post-mortems, compensating for staking losses due to infrastructure downtime, preemptively exiting validators out of caution, or swiftly releasing comprehensive incident reports, these participants consistently treat transparency as paramount.
Ongoing Iteration and Upgrades
Lido remains at the forefront of technical research, actively pursuing zero-knowledge (ZK) proofs to enhance oracle security and trustlessness. As early as the initial stages, the team allocated over $200,000 in dedicated funding to support trustless verification of consensus-layer data using ZK technology.
These technical explorations ultimately led to the SP1 ZK oracle “dual-check” mechanism developed by SuccinctLabs, scheduled to launch within the year. This mechanism uses verifiable consensus-layer data to provide an additional security validation layer for potential negative rebase operations.
Currently, such ZK technologies are still evolving. The associated zero-knowledge virtual machines (zkVMs) require real-world testing and face limitations including slower computation speeds and higher costs, making them unable to fully replace trusted oracles today. Yet long-term, such solutions hold promise as trust-minimized alternatives to existing oracles.
Oracle technology is complex and varies widely across DeFi use cases. Within the Lido protocol, oracles are carefully designed core components, significantly limiting the scope of potential risks through effective decentralization, separation of duties, and multi-layer validation mechanisms.