{"id":84262,"date":"2023-09-11T12:27:17","date_gmt":"2023-09-11T09:27:17","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=84262"},"modified":"2025-09-12T16:19:27","modified_gmt":"2025-09-12T13:19:27","slug":"lido-finance-did-not-confirm-an-exploit-of-ldo-tokens","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/lido-finance-did-not-confirm-an-exploit-of-ldo-tokens\/","title":{"rendered":"Lido Finance did not confirm an exploit of LDO tokens"},"content":{"rendered":"<p>The team behind the liquid-staking protocol <a href=\"https:\/\/forklog.com\/en\/news\/what-is-lido\">Lido Finance<\/a> assured users that assets in the LDO and stETH tokens remain safe, despite a vulnerability in the smart contract.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe. <\/p>\n<p>Lido token integration guides will be updated with LDO specifics to make this more visible shortly.<\/p>\n<p>\u2014 Lido (@LidoFinance) <a href=\"https:\/\/twitter.com\/LidoFinance\/status\/1700888072299462895?ref_src=twsrc%5Etfw\">September 10, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Developers did not confirm any exploits related to the bug highlighted by SlowMist experts.<\/p>\n<p>Security researchers said that there is an &#8216;operational issue&#8217; in the LDO contract, which attackers recently exploited to attack exchanges <a href=\"https:\/\/forklog.com\/en\/news\/slowmist-identifies-new-type-of-attacks-on-bitcoin-exchanges\">using &#8216;fake deposits&#8217;<\/a>.<\/p>\n<p>The vulnerability allows transferring tokens in excess of the user&#8217;s actual assets. In this case the LDO contract does not perform the usual transaction revert, but simply returns the value &#8216;false&#8217; as the result. 
Experts noted that the code deviates from the ERC-20 standard.<\/p>\n<p>Lido dismissed their claim. The developers noted that the functions &#8216;transfer&#8217; and &#8216;transferFrom&#8217; are required to return the transfer status and are recommended to revert only in exceptional cases. At the same time, the standard requires the caller to check the returned status, they added.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">ERC20 token standard: <a href=\"https:\/\/t.co\/YlrS1ZN6Fd\">https:\/\/t.co\/YlrS1ZN6Fd<\/a><\/p>\n<p>1) Both transfer and transferFrom are required to return transfer status and are only recommended to revert a tx in exceptional cases.<\/p>\n<p>2) The standard says that a caller is obliged to check the return status (see &#8216;Token methods&#8217;). <a href=\"https:\/\/t.co\/6KTcIyxo2F\">pic.twitter.com\/6KTcIyxo2F<\/a><\/p>\n<p>\u2014 Lido (@LidoFinance) <a href=\"https:\/\/twitter.com\/LidoFinance\/status\/1700888476571611139?ref_src=twsrc%5Etfw\">September 10, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The DeFi project team intends to update the Lido tokens&#8217; integration guide to reflect the specifics of LDO.<\/p>\n<p>SlowMist noted that there are many tokens on the market that diverge from ERC-20 requirements. Accordingly, experts recommended not relying solely on whether a transaction succeeds or fails, but also checking the values actually returned by the contract. 
They stressed the importance of understanding the code, thorough testing before integration, and regular cybersecurity audits.<\/p>\n<p>As of writing, the total value of funds locked in the protocol at Lido stands at about $14 billion, according to <a href=\"https:\/\/defillama.com\/\">DeFi Llama<\/a>.<\/p>\n<p>In July, the figure surpassed $15 billion, and the team noted &#8216;impressive growth of the platform and market demand&#8217;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The team behind the liquid-staking protocol Lido Finance assured users that assets in LDO and stETH tokens remain safe, despite a vulnerability in the smart contract.<\/p>\n","protected":false},"author":1,"featured_media":84263,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1093,1387],"class_list":["post-84262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-defi","tag-lido"],"aioseo_notices":[],"amp_enabled":true,"views":"32","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/84262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=84262"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/84262\/revisions"}],"predecessor-version":[{"id":84264,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\
/v2\/posts\/84262\/revisions\/84264"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/84263"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=84262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=84262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=84262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}