Behind the 1.4 ETH Theft: Lido's Security Mechanism Teaches the Industry a Lesson
Written by: @IsdrsP (Head of Lido Validators)
Compiler: Nicky, Foresight News
In the early morning of May 10, oracle service provider Chorus One disclosed that a hot wallet of a Lido oracle had been hacked, resulting in the theft of 1.46 ETH. However, according to the security audit, the impact of this isolated incident was limited, and the wallet involved was designed for lightweight operational purposes only.
An attack on an oracle does sound terrible. However, Lido's architectural design, stakeholder values, and security-oriented contributor culture mean that the impact of such an event is extremely limited—even if the oracle is fully compromised, it will not have catastrophic consequences.
So, what exactly is unique about Lido?
Well-thought-out design with layers of protection
Lido's oracles are responsible for passing information from the consensus layer to the execution layer and reporting on protocol developments. They do not control user funds. A single faulty oracle can only cause minor trouble, and even if the quorum is breached, the consequences will not be catastrophic.
What malicious actions might a single compromised oracle attempt?
a) File a malicious report (but it will be ignored by honest oracles);
b) Deplete the ETH balance of that particular oracle address (which is only used to operate transactions and does not hold the staker's funds).
What exactly is the role of an oracle?
Lido's oracle is essentially a distributed mechanism of 9 independent participants (5/9 consensus) that is primarily responsible for protocol status reporting, and its current core functions include:
• Token Inflation Reward Distribution (Rebase)
• Withdrawal processing
• Validator exit and performance monitoring for CSM (Community Security Module) reference
These oracles will submit a "report" of the state they have observed. These reports are used to calculate the rewards or penalties accumulated on a daily basis, update the stETH balance, process and finalize withdrawal requests, calculate validator withdrawal requests, and measure validator performance.
Essentially, Lido oracles are different from what is commonly understood as "multisig". Oracles have no access to stakers and protocol funds, nor can they control any protocol contract upgrades, let alone upgrade themselves or manage membership. Instead, the Lido DAO maintains a list of oracles through voting.
Oracles are extremely limited in their capabilities. They can only do the following: submit reports that strictly follow deterministic, audited, open-source algorithms designed for different protocol goals; and execute transactions under specific circumstances to enforce the results of the report (e.g., daily rebase operations for protocols).
What happens if 5 out of 9 oracles are breached? In this case, the breached oracles may collude to submit malicious reports, but every report must pass the protocol's plausibility checks, which are enforced on-chain.
If a report violates these plausibility checks, it will take longer to settle (and may never be "settled"), because the values in the report must conform to the allowable range of value variation over a specific period of time (days or weeks).
In the worst-case scenario, this could mean that a stETH rebase (whether positive or negative) will take longer to take effect. This affects stETH holders, but the impact on most of them is minimal unless they are using stETH with leverage in DeFi.
There are other possibilities: malicious oracles and their accomplices may exploit the delay in the execution layer stETH update for financial gain if they have access to certain information, or have the ability to impose large penalties at the consensus layer (e.g., mass slashing).
For example, in the event of a large-scale slashing, some people may sell some of their stETH on a decentralized exchange (DEX) before the negative rebase takes effect. However, this will not affect withdrawals initiated directly by users through Lido, as the protocol's "bunker mode" will be activated to ensure that the withdrawal process is carried out fairly.
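The two layers described above, a 5-of-9 quorum followed by a bounded-change plausibility check, can be modelled as follows. This is an added example, not Lido's contract or oracle code: the 5-of-9 quorum comes from the article, while `MAX_DAILY_CHANGE_BP`, the `Report` fields, the member names and all sample values are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

MEMBERS = {f"oracle{i}" for i in range(1, 10)}  # 9 members, list set by DAO vote
QUORUM = 5                                      # 5-of-9, as stated in the article
MAX_DAILY_CHANGE_BP = 10   # assumed bound in basis points per day, not Lido's value

@dataclass(frozen=True)
class Report:
    ref_day: int            # day the observation refers to
    total_pooled_gwei: int  # reported balance that drives the rebase

def quorum_report(submissions):
    """Return the report that at least QUORUM listed members agree on, else None."""
    votes = Counter(r for member, r in submissions.items() if member in MEMBERS)
    if not votes:
        return None
    report, count = votes.most_common(1)[0]
    return report if count >= QUORUM else None

def plausible(prev, new):
    """Allow a change only within the per-day bound times the days elapsed."""
    days = new.ref_day - prev.ref_day
    if days <= 0:
        return False
    limit = prev.total_pooled_gwei * MAX_DAILY_CHANGE_BP * days // 10_000
    return abs(new.total_pooled_gwei - prev.total_pooled_gwei) <= limit

def settle(prev, submissions):
    """Return (accepted_state, status); state is unchanged unless both checks pass."""
    agreed = quorum_report(submissions)
    if agreed is None:
        return prev, "no quorum"
    if not plausible(prev, agreed):
        return prev, "rejected by sanity check"
    return agreed, "settled"

def scenario(n_forging, forged, honest, prev):
    """First n_forging members submit `forged`; the rest submit `honest`."""
    names = sorted(MEMBERS)
    subs = {m: (forged if i < n_forging else honest) for i, m in enumerate(names)}
    return settle(prev, subs)

if __name__ == "__main__":
    prev = Report(100, 1_000_000_000)      # constructed sample values
    honest = Report(101, 1_000_300_000)
    forged = Report(101, 2_000_000_000)
    for n in (1, 5):
        print(n, "forging:", scenario(n, forged, honest, prev)[1])
```

With five colluding members the forged report reaches quorum but the accepted state does not move, which is the delayed-rebase outcome the article describes rather than a loss of funds.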
Instant and thorough transparency
From beginning to end, all participants in the Lido ecosystem, whether contributors, node operators, or oracle operators, have prioritized transparency and goodwill, putting staker rights and the health of the ecosystem as a whole first.
Whether it's proactively publishing a detailed post-mortem report, compensating for staking losses due to infrastructure downtime, proactively exiting validators for precautionary considerations, or quickly publishing a comprehensive incident report, transparency is always a top priority for these participants.
Continuous iterative upgrades
Lido has always been at the forefront of technology research and development, and is committed to using zero-knowledge proof (ZK) technology to improve the security and trustlessness of oracle mechanisms. In the early stages, the team invested more than $200,000 in funding to support trustless verification of consensus layer data through zero-knowledge proofs.
These technical explorations have led to the launch of the SP1 zero-knowledge oracle "double validation" mechanism developed by the SuccinctLabs team within the year. This mechanism provides an additional layer of security validation for potential negative rebase operations through verifiable consensus layer data.
At present, this kind of zero-knowledge technology is still in the development stage, and the related zero-knowledge virtual machine (zkVM) not only needs to undergo practical testing, but also has the limitations of slower computation speed and high computational cost, and cannot completely replace trusted oracles. But in the long run, such solutions are expected to be a trust-minimized alternative to existing oracles.
Oracle technology is complex and has a variety of use cases in the DeFi space. In the Lido protocol, oracles are designed as core components to significantly reduce the scope of potential risks through an effective decentralized architecture, segregation of duties, and multi-layered validation.
Content source: https://x.com/IsdrsP/status/1921616790599135318
This article is sourced from Foresight News:
https://foresightnews.pro/article/detail/84091
Respectfully submitted by the AIC Team
May 19, 2025