According to Cointelegraph, Ethereum staking protocol Lido Finance has given assurances that both the Lido DAO (LDO) token and the staked Ether (stETH) token remain safe despite hackers seizing on security vulnerabilities in the LDO token contract and exploiting them. Lido did not confirm any exploits but acknowledged the vulnerability and reassured that the LDO and stETH funds were safe, according to a September 10 post by blockchain security firm SlowMist.
SlowMist says LDO's flawed token contract allows bad actors to carry out “fake deposit” attacks on exchanges, because the contract allows users to make transactions even when they don't have enough funds. According to SlowMist, the code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard. However, Lido Finance argues that this vulnerability is built into all ERC-20 tokens, not just Lido's LDO token.
SlowMist said the “fake deposit” attacks stem from how the LDO token contract handles a transfer whose value is greater than what the user actually owns: it returns false instead of reverting the transaction. Although the company said Lido's token contract was recently exploited through this attack, no evidence was provided online. To address the security vulnerability, Lido confirmed that the LDO token integration guide will be updated soon.
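The deposit-side check this behaviour calls for, as an added example (not code from Lido, SlowMist or Cointelegraph): an integrator credits a deposit only from Transfer event logs emitted by the token contract, never from transaction status alone. The receipts, addresses and function names are constructed, and the model assumes that a transfer returning false emits no Transfer event.

```python
"""Crediting deposits for a token whose transfer() returns false instead of reverting."""

# keccak256("Transfer(address,address,uint256)"), topic 0 of the standard ERC-20 event
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TOKEN = "0x" + "aa" * 20    # constructed placeholder: token contract address
DEPOSIT = "0x" + "bb" * 20  # constructed placeholder: exchange deposit address
SENDER = "0x" + "cc" * 20   # constructed placeholder: depositing account
OTHER = "0x" + "dd" * 20    # constructed placeholder: some unrelated contract

def topic_addr(addr):
    """Left-pad a 20-byte address to the 32-byte form used in indexed log topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def transfer_log(emitter, sender, to, amount):
    """Build a Transfer log entry in the shape of an Ethereum JSON-RPC receipt log."""
    return {"address": emitter,
            "topics": [TRANSFER_TOPIC, topic_addr(sender), topic_addr(to)],
            "data": hex(amount)}

def naive_credit(receipt, requested_amount):
    """Weak check: trusts the transaction status and the amount the caller asked for."""
    return requested_amount if receipt["status"] == "0x1" else 0

def credited_amount(receipt, token=TOKEN, deposit=DEPOSIT):
    """Hardened check: credit only what the token contract's own Transfer logs show."""
    if receipt["status"] != "0x1":
        return 0
    total = 0
    for log in receipt["logs"]:
        topics = log["topics"]
        if (log["address"].lower() == token.lower()   # emitted by the token itself
                and len(topics) == 3
                and topics[0] == TRANSFER_TOPIC
                and topics[2] == topic_addr(deposit)):  # recipient is our address
            total += int(log["data"], 16)
    return total

# Constructed sample receipts (hypothetical data, not taken from any real transaction)
REAL = {"status": "0x1", "logs": [transfer_log(TOKEN, SENDER, DEPOSIT, 500)]}
FAKE = {"status": "0x1", "logs": []}  # transfer() returned false: status ok, no event
UNRELATED = {"status": "0x1", "logs": [transfer_log(OTHER, SENDER, DEPOSIT, 500)]}

if __name__ == "__main__":
    for name, r in (("real", REAL), ("fake", FAKE), ("unrelated", UNRELATED)):
        print(name, "naive:", naive_credit(r, 500), "hardened:", credited_amount(r))
```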