According to Cointelegraph, Ethereum staking protocol Lido Finance has assured that both Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO's token contract. Lido did not confirm any exploits but acknowledged the security flaw and reassured that LDO and stETH funds remain safe in response to a Sept. 10 post by blockchain security firm SlowMist.
SlowMist said LDO's flawed token contract allows bad actors to facilitate "fake deposit" attacks on exchanges because LDO's token contract enables users to execute transactions even where they don't have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist. However, Lido Finance argued the flaw is built into all ERC-20 tokens, not just Lido's LDO token.
SlowMist said the "fake deposit" attacks came from LDO's token contract executing transfers where the value is larger than what the user actually owns, triggering a false return as opposed to reverting the transaction. While the firm said Lido's token contract has recently been exploited via this attack, no on-chain evidence was provided. To resolve the security flaw, Lido confirmed the LDO token integration guides will soon be updated.
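How a deposit check can guard against the false-return behaviour described above, shown as an added example (not code from Lido, SlowMist or Cointelegraph). The token model, the receipt shape and the names `naive_credit` and `safe_credit` are assumptions made for illustration, and all values are constructed.

```python
# Added example: a constructed model, not the LDO contract or any exchange's code.
from dataclasses import dataclass, field

@dataclass
class Receipt:
    status: int                                # 1 = transaction did not revert
    logs: list = field(default_factory=list)   # emitted Transfer events

class FalseReturningToken:
    """Models a token whose transfer() returns False instead of reverting."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            # No revert: the transaction still succeeds, nothing moves, no event.
            return False, Receipt(status=1)
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value
        return True, Receipt(status=1, logs=[("Transfer", sender, to, value)])

def naive_credit(receipt, requested_value):
    """Weak check (assumed): trusts tx status and the amount in the call data."""
    return requested_value if receipt.status == 1 else 0

def safe_credit(receipt, deposit_address):
    """Credits only what Transfer events show arriving at the deposit address."""
    if receipt.status != 1:
        return 0
    return sum(v for (name, _sender, to, v) in receipt.logs
               if name == "Transfer" and to == deposit_address)

def demo():
    token = FalseReturningToken({"alice": 10})
    ok, fake = token.transfer("alice", "exchange", 1_000)  # more than owned
    _, real = token.transfer("alice", "exchange", 4)       # covered by balance
    return {
        "fake_return": ok,
        "naive_fake": naive_credit(fake, 1_000),
        "safe_fake": safe_credit(fake, "exchange"),
        "safe_real": safe_credit(real, "exchange"),
        "exchange_balance": token.balances["exchange"],
    }

if __name__ == "__main__":
    print(demo())
```

Reconciling credited amounts against the deposit address's actual on-chain balance change gives a second, independent check.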