Lido Says LDO, stETH Tokens Remain Safe Despite ‘Fake Deposit’ Attacks

Blockchain security firm SlowMist identified an operational issue in the LDO Token contract that has allegedly been exploited by malicious actors.

Ethereum staking protocol Lido Finance claims that an apparent flaw in the logic of its token contract is not a cause for concern.

In an X post on Sept. 10, blockchain security firm SlowMist said it had identified an operational issue with the LDO Token contract, which it claims has been recently exploited by malicious actors for “fake deposit” attacks on exchanges.

2. Be aware that there are many token contracts in the market that do not adhere to the ERC20 standard. Before integrating new tokens, ensure a deep understanding and analysis of their contract code to ensure the correct deposit logic.

— SlowMist (@SlowMist_Team) September 10, 2023

“Specifically, when the LDO token contract executes a transfer operation with a quantity exceeding the user’s actual holdings, it doesn’t trigger the usual transaction rollback. Instead, it merely returns “false” as the outcome rather than indicating a failure,” wrote SlowMist on X.

The flawed contract supposedly allows a malicious actor to end more LDO tokens to an exchange than they actually hold – a discrepancy that may be overlooked by many exchanges.

Lido responded to SlowMist’s claims, saying that the contract’s behavior was nothing out of the ordinary and it conforms to the ERC-20 token standard. The staking platform assured users that both LDO and staked ETH (stETH) remained safe.

This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe.

Lido token integration guides will be updated with LDO specifics to make this more visible shortly.

— Lido (@LidoFinance) September 10, 2023

Typically, the ERC-20 token standard calls for the transfer function to be reversed if the sender lacks sufficient funds. Although it would appear that Lido’s contract deviates from this standard, Lido claims that transfer functions are required to return transfer status and revert transactions in exceptional cases. 

However, one X user pointed out that the EIP documentation that Lido referred to stipulates that the transfer should be reversed if the transfer amount exceeds the user’s balance.

yes, but check below requirement when the transfer amount exceeds user balance. pic.twitter.com/JZTx7o8ucy

— 0xluckhu (@HUFAYU1985) September 11, 2023

“The exploitation of this security flaw raises broader questions about the reliability of token contracts and adherence to industry standards. With the growing complexity of token contracts, the risk of similar vulnerabilities is substantial,” said another user on X.