ForkLog

Lido Finance did not confirm an exploit of LDO tokens


The team behind the liquid-staking protocol Lido Finance assured users that assets in the LDO and stETH tokens remain safe, despite a vulnerability in the smart contract.

Developers did not confirm any exploits related to the bug highlighted by SlowMist experts.

Security researchers said that there is an ‘operational issue’ in the LDO contract, which attackers recently exploited to attack exchanges using ‘fake deposits’.

The vulnerability allows transferring tokens in excess of the user’s actual assets. In this case the LDO contract does not perform the usual transaction revert, but simply returns the value ‘false’ as the result. Experts noted that the code deviates from the ERC-20 standard.

Lido dismissed the claim. The developers noted that the ‘transfer’ and ‘transferFrom’ functions are needed to determine the transaction status and that reverting is recommended only in exceptional cases. At the same time, the rules require the caller to check the returned status, they added.

The DeFi project team intends to update the Lido tokens’ integration guide to reflect the specifics of LDO.

SlowMist noted that many tokens on the market diverge from ERC-20 requirements. Accordingly, the experts recommended not relying solely on whether a transaction succeeds or fails, but also checking the values actually returned by the contract. They stressed the importance of understanding the code, thorough testing before integration, and regular cybersecurity audits.
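The crediting mistake behind a ‘fake deposit’, and the check SlowMist recommends, can be shown with a small model. This is an added example, not code from Lido, SlowMist or the LDO contract; the `Token`, `Receipt`, `send`, `naive_credit` and `checked_credit` names and the account labels are hypothetical, and the balance-delta check is an extra safeguard not mentioned in the article.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    """Models an EVM revert: the whole transaction fails."""

@dataclass
class Token:
    # Hypothetical in-memory token; revert_on_failure=False models the
    # return-false behaviour the article describes.
    balances: dict = field(default_factory=dict)
    revert_on_failure: bool = False

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            if self.revert_on_failure:
                raise Revert("insufficient balance")
            return False  # no revert, so the transaction still succeeds
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

@dataclass
class Receipt:
    status: int         # 1 = transaction did not revert, 0 = reverted
    returned: object    # value returned by transfer(), None on revert
    balance_delta: int  # observed change in the recipient's balance

def send(token, sender, to, amount):
    before = token.balances.get(to, 0)
    try:
        returned, status = token.transfer(sender, to, amount), 1
    except Revert:
        returned, status = None, 0
    return Receipt(status, returned, token.balances.get(to, 0) - before)

def naive_credit(receipt, amount):
    """Flawed integration: credits on transaction success alone."""
    return amount if receipt.status == 1 else 0

def checked_credit(receipt, amount):
    """Credits only if transfer() returned True and the balance moved."""
    ok = receipt.status == 1 and receipt.returned is True
    return amount if ok and receipt.balance_delta == amount else 0

if __name__ == "__main__":
    token = Token({"depositor": 10})  # constructed sample state
    r = send(token, "depositor", "exchange", 1000)
    print(r, naive_credit(r, 1000), checked_credit(r, 1000))
```

With a token that reverts on failure, both checks agree; they diverge only for tokens that signal failure through the return value.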

As of writing, the total value locked in the Lido protocol stands at about $14 billion, according to DeFi Llama.

In July, the figure surpassed $15 billion, and the team noted ‘impressive growth of the platform and market demand’.
