Lido Finance’s key node operator, InfStones, plans to introduce key rotations and temporarily remove its Ethereum validators from the liquid staking protocol in reaction to a serious flaw that dWallet Labs’ security researchers have discovered.
The vulnerability was tied to the open-source library Tailon; it was discovered and fixed in July 2023 after being reported to InfStones. Even so, precautionary security measures have been implemented as a result of the incident.
Lido, the biggest Ethereum liquid staking protocol, is in charge of 9.23 million ether, which has a market value of more than $19 billion. Through validator nodes, the protocol allows users to stake their ETH deposits and participate in network staking. Users receive a derivative token as a representation of their staked deposit from these nodes. A group of participants, referred to as operators, are in charge of maintaining these ETH validator nodes and supplying the servers and IT infrastructure required for them to function.
Lido Finance verified that the vulnerability affected 25 of InfStones’ validator servers and was associated with possible root-level access. Lido clarified, though, that there isn’t any proof that this problem has led to any significant leaks or exploitation.
“To clarify: There is currently no indication of key leakage or compromise, and the vulnerability may not affect validators related to the Lido protocol,” said the statement.
dWallet Labs claimed in its security report that the flaw might have led to a security breach that affected the ETH staked on Lido through InfStones’ nodes. As a result, the company advised rotating validator keys on all nodes that might have been exposed to the weakness.
The reaction of InfStones
According to InfStones, less than 0.1% of its systems were affected by the problem dWallet reported, and the exposure came down to a single network port on the company’s network. On that basis, it said that few validator nodes were affected.
“The production-identified instances (servers) represent less than 0.1 percent of the live nodes that we have launched thus far. We discovered that external traffic could mimic viewer privileges and access some of the development and testing data by using port 55555 that Tailon had opened,” according to InfStones.
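The exposure InfStones describes is a log-viewing service listening on a port reachable from outside the host. A routine check an operator can run on every validator server is to list the sockets that are bound to all interfaces and compare them against the short list of ports the host is supposed to expose. The script below is an added example, not code from the article, from InfStones, dWallet Labs or the Tailon project; it parses the output format of `ss -tlnp` from a constructed sample (no real host data), and the allowed-port set and process names are assumptions for illustration.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample of `ss -tlnp` output on a hypothetical validator host.
# The loopback-only beacon API, SSH, and the P2P port are expected; a
# log viewer bound to 0.0.0.0:55555 is the kind of exposure to catch.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5052     0.0.0.0:*         users:(("beacon-node",pid=1201,fd=11))
LISTEN 0      128    0.0.0.0:55555      0.0.0.0:*         users:(("tailon",pid=2310,fd=5))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=800,fd=3))
LISTEN 0      4096   *:9000             *:*               users:(("beacon-node",pid=1201,fd=14))
"""

# Ports this host is expected to expose (assumption: SSH for administration
# and the consensus-client P2P port). Anything else listening on a wildcard
# address is reported so it can be rebound to localhost or firewalled.
ALLOWED_PUBLIC_PORTS: Set[int] = {22, 9000}

# Local addresses that mean "every interface", in both ss spellings.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Extracts the first process name from ss's users:(("name",pid=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')


class Listener(NamedTuple):
    process: str
    local_addr: str
    port: int


class Finding(NamedTuple):
    process: str
    port: int
    local_addr: str


def parse_listeners(ss_text: str) -> List[Listener]:
    """Parse `ss -tlnp` output into (process, address, port) tuples."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a LISTEN row.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # "Local Address:Port" is one token; the port follows the last colon,
        # which also handles bracketed IPv6 addresses such as [::]:22.
        addr, _, port_str = fields[3].rpartition(":")
        if not port_str.isdigit():
            continue
        match = PROC_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(process, addr, int(port_str)))
    return listeners


def audit_listeners(ss_text: str, allowed: Set[int] = ALLOWED_PUBLIC_PORTS) -> List[Finding]:
    """Return every socket bound to all interfaces on a port not in `allowed`.

    Loopback-only services are ignored: they are not reachable from outside
    the host, which is the property the check is enforcing.
    """
    findings = []
    for l in parse_listeners(ss_text):
        if l.local_addr in WILDCARD_ADDRS and l.port not in allowed:
            findings.append(Finding(l.process, l.port, l.local_addr))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected public listener: {f.process} on {f.local_addr}:{f.port}")
```

In practice the sample text would be replaced by the output of `ss -tlnp` captured by a scheduled job, and a non-empty result treated as an alert; the fix for a hit like the one above is to bind the service to 127.0.0.1 and reach it over an authenticated tunnel rather than to leave it on a public interface.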
Lido Finance stated that, although no key compromise has been confirmed, InfStones has proactively agreed to stop using the affected validators and switch to new keys, pending governance approval. The ether formerly staked on the validators that might have been affected will be returned to the Lido protocol for re-staking, preserving its stability and continuity.