Lido, one of the largest liquid staking protocols in the Ethereum 
$2,563 ecosystem, swiftly managed a significant security incident over the weekend. As a protocol that secures over 25% of all staked ETH on Ethereum, it plays a vital systemic role. The incident began with the compromise of one of the nine oracle keys within the protocol.
Incident Development
The breach resulted from unauthorized access to an oracle key linked to a validator operator managed by Chorus One. This key, created in 2021, had less protection compared to current security standards. It was reported to be part of a hot wallet associated with an oracle reporting process, with only 1.46 ETH (approximately $4,200) in gas fees stolen.
Chorus One revealed in a post that a “low balance alert prompted closer inspection, uncovering unauthorized access to an oracle private key created in 2021.”
User Funds Remain Safe
No user assets were affected following the incident, and no large-scale security breach was detected. Lido employs a 5-out-of-9 voting majority mechanism within its oracle system. This mechanism ensures the overall security of the system, even if one or two keys are compromised.
Lido and Chorus One announced on platform X that the incident did not threaten users or the overall security of the protocol. Timely detection of the breach prevented any potential larger damage.
Swift Actions and Technical Details
Following the breach, Lido promptly initiated an emergency DAO vote to replace the compromised oracle key. The key was used in three different contracts – the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle. The vote ensured the implementation of a new, more secure key across these contracts.
During the incident, other oracle operators also faced unexpected node issues due to a minor Prysm bug related to Ethereum’s recent Pectra update, causing brief delays in oracle reports.
The compromised address 0x140B was replaced with the newly created 0x285f address. The on-chain vote was approved, entering a 48-hour contestation period.
The Lido team stated that post-incident, security protocols will be revisited, with additional measures implemented especially on older keys, and security standards will be elevated further.
This incident at Lido highlights the constant testing of security vulnerabilities in decentralized finance protocols. The quick detection by technical teams and the effectiveness of security processes limited the extent of the damage. The multi-signature mechanism, while some oracle keys were endangered, significantly contributed to the safety of user assets. Such incidents remind protocols of the necessity to continuously enhance their security structures.
