In the wake of allegations of vulnerabilities in its token contract, Lido Finance, the world’s first liquid Ethereum staking protocol, has firmly reaffirmed the security of its LDO and stETH tokens. The alert was raised by SlowMist, a blockchain security firm, which revealed that the flawed token contract of LDO could potentially pave the way for malicious actors to initiate “fake deposits” on platforms.
Unraveling the ‘Fake Deposit’ Flaw
The security firm identified that the flaw resided in the LDO token contract, allowing transactions even when users lacked sufficient funds – a deviation from the conventional Ethereum Request for Comment 20 (ERC-20) token standards. This divergence enables transfers where the entered value exceeds the actual amount held by the user, thereby generating a false return instead of canceling the transaction. SlowMist advised LDO holders to carefully examine return values of token contract transfers while evaluating transaction success or failure rates.
Lido’s Robust Refutation
In contrast to SlowMist’s claims, Lido staunchly defended the integrity of their protocol, arguing that such a flaw is inherently present in all ERC-20 tokens and not exclusive to Lido’s LDO token. To support their stance, the firm cited clauses from Ethereum’s official improvement proposal document co-authored by Vitalik Buterin in November 2015. This document emphasized that the “transfer” and “transferFrom” functionalities are necessary to return the transfer status, reserving the cancellation of the transaction for exceptional circumstances.