Lido's Oracle Key Compromised, 1.46 ETH Stolen, No User Funds Affected

Lido, the largest liquid staking protocol on Ethereum, recently faced a security incident when one of its nine oracle keys was compromised. This breach, involving validator operator Chorus One, resulted in the theft of 1.46 ETH, equivalent to approximately $4,200 in gas fees. Fortunately, no user funds were affected, and no broader compromise was detected. The compromised key was linked to a hot wallet used for oracle reporting, highlighting the importance of robust security measures in the blockchain ecosystem.
Lido's oracle system is a critical component of the Ethereum ecosystem, securing over 25% of all ETH staked on the network. This system uses a 5-of-9 quorum mechanism, which ensures that even if one or two keys are compromised, the system can continue to function securely. This mechanism played a crucial role in mitigating the impact of the recent breach.
The suspicious activity was first detected early Sunday after a low-balance alert triggered a closer examination of the address. This investigation revealed unauthorized access to an oracle private key used by Chorus One. The key, originally created in 2021, was not secured to the same standards as newer keys, making it vulnerable to the breach. In response, Lido has initiated an emergency DAO vote to rotate the compromised oracle key across three contracts: the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle. A new key has been generated with enhanced security controls to prevent any future incidents.
The hack occurred amidst other unrelated node issues experienced by several oracle operators. These issues included a minor Prysm bug introduced by Ethereum’s recent Pectra upgrade, which briefly delayed oracle reports on May 10. Despite these challenges, Lido's response to the breach demonstrates its commitment to maintaining the security and integrity of the Ethereum ecosystem.
The compromised address (0x140B) is being replaced by a new secure address (0x285f). The on-chain vote for this replacement has already been approved and is currently in its 48-hour objection period as of Monday morning. This swift action underscores Lido's proactive approach to addressing security vulnerabilities and ensuring the safety of its users' assets.
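
The 5-of-9 quorum and the key rotation described above can be modelled in a few lines. This is an added example, not Lido's contract code; the class, function and member names are hypothetical, and it generalises the article's "one or two keys" case to any number of compromised or offline keys.

```python
from collections import Counter

QUORUM = 5  # 5-of-9 threshold, as stated in the article


class OracleCommittee:
    """Toy model of hash-based quorum reporting (assumed design, not Lido's code)."""

    def __init__(self, members, quorum=QUORUM):
        self.members = set(members)
        self.quorum = quorum
        self.votes = {}  # member -> report hash for the current reporting frame

    def submit(self, member, report_hash):
        if member not in self.members:
            raise PermissionError(f"{member} is not a committee member")
        self.votes[member] = report_hash  # a re-submission overwrites the earlier vote

    def consensus(self):
        """Return the report hash backed by at least `quorum` members, else None."""
        if not self.votes:
            return None
        report, count = Counter(self.votes.values()).most_common(1)[0]
        return report if count >= self.quorum else None

    def rotate(self, old, new):
        """Replace a member key and discard any vote the old key has pending."""
        if old not in self.members:
            raise KeyError(old)
        self.members.discard(old)
        self.members.add(new)
        self.votes.pop(old, None)


def simulate(compromised=0, offline=0):
    """First `compromised` keys report 'forged', last `offline` keys stay silent."""
    members = [f"member-{i}" for i in range(9)]  # constructed placeholder names
    committee = OracleCommittee(members)
    for i, m in enumerate(members):
        if i < compromised:
            committee.submit(m, "forged")
        elif i < len(members) - offline:
            committee.submit(m, "good")
    return committee.consensus()


if __name__ == "__main__":
    for bad in range(0, 5):
        print(bad, simulate(compromised=bad))
```

With four forged votes and one honest member offline, `simulate` returns `None`: the forged report still cannot reach quorum, but reporting stalls, which is why a compromised key is rotated out rather than left in the set.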
