Lido oracle key compromise — was $23B really at risk?

WikiBit 2025-05-12 21:39

Eyebrows were raised across the crypto community yesterday following Lido’s announcement of a compromised oracle key and the emergency vote to replace it.

While some commentators called the incident “alarming,” especially given recent, high-profile hacks, others stressed that fears were overblown.

Lido’s message reassured users that it “remains secure and fully operational” whilst underlining that all other signers of the “five of nine” oracle were secure.

Lido is the decentralized finance (DeFi) sector’s second-largest protocol, worth $23 billion, according to DeFiLlama data.

It allows users to deposit ether (ETH) to earn proof-of-stake yields, issuing a liquid wrapper for use elsewhere, e.g., as collateral to borrow other crypto assets.

The realization that one of the keyholders to an important part of Lido’s infrastructure had been compromised led to worries over the security underlying the protocol.

This hacker was also ridiculed for blowing their opportunity, giving the game away by draining a mere 1.46 ETH (around $3,800 at the time) sitting in the address to be used for gas fees.

Well-organized and long-running multisig compromise efforts have led to enormous heists in recent months.

Indeed, the largest ever crypto hack hit ByBit for $1.5 billion in February, and $50 million was stolen from Radiant Capital in October.

Both incidents have been linked to North Korea’s Lazarus Group via the TraderTraitor malware used, and an undercover security researcher who blew his own cover in March.

Lido contributors say fears may have been overblown

Strategic Advisor Hasu posted a rebuttal to those speculating on the danger posed by the compromised key, explaining that “The oracle isn’t a multi-sig. It doesn’t custody funds and cannot drain the protocol. No user deposits were ever at risk.”

The oracle reports raw data from Ethereum’s underlying Beacon Chain, and requires a threshold of five of nine participants to make any changes.

Even if five addresses were compromised, would-be attackers would only be able to make minimal changes to certain parameters thanks to Lido’s so-called “sanity checks.”
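A simplified model of the two safeguards described above, the five-of-nine quorum and the sanity checks, added here as an illustration and not Lido’s contract code. The member names, the single reported number standing in for Beacon Chain data, and the 10-basis-point bound are assumptions made for the example.

```python
from collections import Counter
from typing import Dict, Optional

QUORUM = 5                                        # "five of nine", per the article
MEMBERS = {f"oracle-{i}" for i in range(1, 10)}   # constructed member names
MAX_CHANGE_BPS = 10                               # hypothetical bound, not Lido's real limit


def quorum_value(submissions: Dict[str, int]) -> Optional[int]:
    """Return the value reported identically by at least QUORUM known members."""
    votes = Counter(v for member, v in submissions.items() if member in MEMBERS)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= QUORUM else None


def passes_sanity_check(current: int, proposed: int) -> bool:
    """Allow only a bounded move away from the currently accepted value."""
    return abs(proposed - current) * 10_000 <= current * MAX_CHANGE_BPS


def process_round(current: int, submissions: Dict[str, int]) -> int:
    """Apply one reporting round and return the value the protocol ends up with."""
    proposed = quorum_value(submissions)
    if proposed is None or not passes_sanity_check(current, proposed):
        return current      # no quorum, or out-of-bounds report: state unchanged
    return proposed


# Constructed sample data; the numbers are illustrative only.
CURRENT = 1_000_000
HONEST = 1_000_500          # +5 bps, inside the assumed bound


def round_with(compromised: int, bogus: int) -> Dict[str, int]:
    """Build a round where `compromised` members report `bogus`, the rest HONEST."""
    names = sorted(MEMBERS)
    return {n: (bogus if i < compromised else HONEST) for i, n in enumerate(names)}


if __name__ == "__main__":
    print(process_round(CURRENT, round_with(1, 0)))          # one key compromised
    print(process_round(CURRENT, round_with(5, 0)))          # quorum colluding, wild value
    print(process_round(CURRENT, round_with(5, 1_001_000)))  # quorum colluding, at the bound
```

In this model a single compromised key is simply outvoted, and a colluding quorum can move the accepted value only as far as the bound allows.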

Lido co-founder Vasiliy Shapovalov pointed to incremental changes that were made to limit the potential impact of this scenario in 2022 and 2024, adding, “Risk mitigation is not an afterthought or reaction but part of the design process.”

While the address in this case wasn’t on a traditional multi-sig with access to underlying funds, it still serves as a wake-up call for a sector that should already be well aware of the threats lurking around every corner.

A Lido forum post outlined the immediate security checks that were carried out in response, confirming that no other compromises had been found in oracle addresses or the underlying software.

The operator of the compromised address, Chorus One, is reviewing its infrastructure for further signs of compromise and has promised to share a post-mortem report once the investigation is complete.
