Lido UI Potential Malicious Code Injection - Bug Bounty Report
On 21.02.2022 Lido received a report via Immunefi from the United Global Whitehat Security Team on a vulnerability affecting a number of Lido UIs, including the landing page lido.fi, the Ethereum & Terra staking widgets stake.lido.fi & terra.lido.fi, the Easy Track UI easytrack.lido.fi, and two informational pages lego.lido.fi & careers.lido.fi. The vulnerability lay in the way the Next.js 'image' module handles a particular missing-file edge case, allowing for malicious code injection on lido.fi, stake.lido.fi, terra.lido.fi & easytrack.lido.fi and an open redirect from lego.lido.fi & careers.lido.fi.
The vulnerability was patched on all reported domains within 5.25 hours of receiving the report, and based on URL access logs no users were affected.
Malicious code injection would potentially have allowed an attacker to change the page contents & hijack user input on a Lido-owned domain. That makes the vulnerability critical in impact: an attacker could craft a specific link to, say, stake.lido.fi, so that users following that link would send funds to the attacker’s wallet instead of the Lido staking contracts. Another high-impact attack vector example would be preparing a link that adds a “share your seed phrase” form to the lido.fi landing page.
The informational pages lego.lido.fi & careers.lido.fi weren’t vulnerable to malicious code injection, but allowed for an open redirect: a user following a specifically formatted link to lego.lido.fi or careers.lido.fi could have been redirected to another web domain, allowing for legit-looking phishing links, but not pages. Note that in this case the destination domain would differ from the Lido-owned one, decreasing the potential impact.
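The open-redirect class described above is usually closed by validating any user-supplied redirect target before the server or client follows it. The snippet below is an added illustration of such a check, not Lido's code and not a description of the actual Next.js behaviour that was reported; the origin it assumes (`https://example.invalid`) is a constructed placeholder. It resolves the raw parameter against the site's own origin, rejects non-http(s) schemes, and only ever redirects to a path on an allow-listed host, which also defeats the usual protocol-relative (`//evil.example`) and userinfo (`https://site@evil.example`) tricks.

```javascript
// Added example (not Lido's own code): allow-list check for redirect targets.
// ORIGIN is a constructed placeholder for the site that performs the redirect.
const ORIGIN = "https://example.invalid";
// Hosts we are willing to redirect to; by default only our own.
const ALLOWED_HOSTS = new Set([new URL(ORIGIN).host]);

// Returns a same-origin path (plus query/fragment) to redirect to, or `fallback`
// when the requested target is absent, unparseable, or points off-site.
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  let target;
  try {
    // Relative inputs resolve against our origin; absolute inputs keep their own host.
    // The WHATWG parser also normalises "\" to "/" for http(s), so "/\evil.example"
    // resolves to host "evil.example" and is caught by the host check below.
    target = new URL(raw, ORIGIN);
  } catch {
    return fallback;
  }

  // Only http(s): rejects javascript:, data:, and other scheme-based payloads.
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;

  // Host must be allow-listed. `host` is what the browser will actually connect to,
  // so userinfo tricks like "https://example.invalid@evil.example/" are rejected too.
  if (!ALLOWED_HOSTS.has(target.host)) return fallback;

  // Hand back only the path portion so the resulting redirect can never leave the origin.
  return target.pathname + target.search + target.hash;
}

// Example usage with constructed inputs, as a request handler would call it:
// safeRedirectTarget("/dashboard?tab=1")              -> "/dashboard?tab=1"
// safeRedirectTarget("//evil.example/phish")          -> "/"
// safeRedirectTarget("javascript:alert(1)")           -> "/"
```

A rejected target is worth logging with the raw value, since a burst of off-site redirect attempts against one page is exactly the signal that a phishing campaign is probing the endpoint.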
With phishing being a pervasive issue for web3 projects, such a vulnerability could have had significant impact. We’re very grateful to the United Global Whitehat Security Team for the report and all the effort that went into its preparation & checks, as well as to Immunefi for facilitating the communication. Two bounties have been paid out: one at the critical tier for the malicious code injection and one at the low tier for the open redirect.
Stay safe out there!