Vulnerability Response Update

in Post Mortem by Lido

On Oct 5, 2021, a vulnerability was reported via the Lido bug bounty program on Immunefi by an anonymous whitehat (who later turned out to be Dmitri Tsumak, the founder of StakeWise). The vulnerability could only be exploited by a whitelisted node operator and allowed stealing a small share of user funds.

 

Impact and risk

At the time of the report, the vulnerability’s potential impact was high, as the whole undeposited Ether buffer was at risk (approximately 20k Ether at the moment of disclosure). The risk was proportional to the number of malicious node operators out of the recently added batch of five, about 4k ETH per operator. Going forward, had all node operators been compromised, the potential impact on the protocol would have been all future deposits.

The risk of the vulnerability being exploited was estimated to be low, as it was only exploitable by Lido node operators, who are DAO-whitelisted actors with reputation and skin in the game. Currently, the vulnerability is mitigated and the risk is zero.

A bounty of $100k (which is the current maximum payment of our bug bounty program) is expected to be paid via the next Lido DAO omnibus vote happening on Oct 7-8, 2021.

 

Mitigations

As a short-term mitigation, Lido DAO voted to temporarily lower staking limits for all node operators to the level of currently staked keys. This effectively prevents any deposits from happening while the team is implementing the mid-term mitigation. This doesn’t stop the protocol or any of the integrations, but it will lower the yield generated by further deposits by a fraction of a percent.

The list of proposed mid- and long-term mitigations can be found and discussed in this Lido Research Forum thread.

 

Nature of the exploit

The exploit is based on the fact that, as per the Ethereum consensus layer specification, the validator public key is associated with the withdrawal credentials (WC) on the first valid deposit that uses the public key. Subsequent deposits will use the WC from the first deposit even if different WC are specified.

While this design choice is not an issue for self-stakers, it opens an attack vector for delegated staking, including liquid staking protocols. These protocols, Lido among them, use protocol-controlled WC to ensure only the protocol can withdraw users’ funds. In Lido’s case, the WC point to a smart contract managed by the DAO. The current Ethereum consensus layer design allows a node operator to associate the validator’s public key with validator-controlled WC by front-running a deposit transaction sent by a protocol with another deposit transaction specifying the same public key, validator-controlled WC, and a 1 ETH amount. The end state is a validator managing 1 ETH of the node operator’s funds and 32 ETH of users’ funds, fully controlled and withdrawable by the node operator.

The exploit was initially reported on the Ethereum Research Forum a long time ago. The presence of this vulnerability in the Lido codebase is a long-term oversight.
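The first-deposit binding rule described above, and the kind of historical check it makes possible, can be modelled in a few lines. This is an added example, not Lido's code or tooling: the deposit processing is a simplified model (signature validation is omitted), and all names, keys and credential values are constructed for illustration.

```python
from dataclasses import dataclass

GWEI = 10**9  # Gwei per ETH


@dataclass(frozen=True)
class Deposit:
    pubkey: str   # validator public key
    wc: str       # withdrawal credentials carried by this deposit
    amount: int   # Gwei


def apply_deposits(deposits):
    """Simplified consensus-layer deposit processing, in log order."""
    registry = {}
    for d in deposits:
        validator = registry.get(d.pubkey)
        if validator is None:
            # First deposit for this key: the WC are bound here for good.
            registry[d.pubkey] = {"wc": d.wc, "balance": d.amount}
        else:
            # Later deposit: credited as a top-up, its WC are ignored.
            validator["balance"] += d.amount
    return registry


def find_mismatched_keys(deposits, protocol_keys, protocol_wc):
    """Protocol-submitted keys whose bound WC are not the protocol's."""
    registry = apply_deposits(deposits)
    return sorted(
        key for key in protocol_keys
        if key in registry and registry[key]["wc"] != protocol_wc
    )


# Constructed sample values (not real keys or credentials).
PROTOCOL_WC = "0x01" + "00" * 11 + "aa" * 20
OTHER_WC = "0x00" + "bb" * 31
KEY_A = "0x" + "a1" * 48
KEY_B = "0x" + "b2" * 48

# Constructed deposit log: KEY_B is first seen with foreign WC and 1 ETH,
# so the protocol's later 32 ETH deposit only tops up that validator.
SAMPLE_LOG = [
    Deposit(KEY_A, PROTOCOL_WC, 32 * GWEI),
    Deposit(KEY_B, OTHER_WC, 1 * GWEI),
    Deposit(KEY_B, PROTOCOL_WC, 32 * GWEI),
]

if __name__ == "__main__":
    print(find_mismatched_keys(SAMPLE_LOG, {KEY_A, KEY_B}, PROTOCOL_WC))
```

An empty result over the full deposit history means every protocol key was first registered with the protocol's WC.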

 

Timeline (UTC timezone)

  • Oct 5, 03:32 AM: the vulnerability report submitted to Immunefi.
  • Oct 5, 03:59 AM: the vulnerability report escalated to the Lido team.
  • Oct 5, 04:49 AM: the probability of exploit estimated to be low, war room gathering scheduled.
  • Oct 5, 06:09 AM: the war room gathered.
  • Oct 5, 07:30 AM: historical protocol activity check finished, verifying that the vulnerability was never exploited previously.
  • Oct 5, 08:58 AM: the undeposited Ether buffer was flushed to lower the potential impact to single digits of Ether.
  • Oct 5, 09:20 AM: the short-term mitigation was designed.
  • Oct 5, 10:14 AM: the fact of vulnerability discovery was announced to the Lido node operators; a verbal confirmation was requested from node operators that they are not going to exploit any vulnerability they might find in the protocol.
  • Oct 5, 10:36 AM: a list of mid- to long-term mitigations was drafted.
  • Oct 5, 10:55 AM: the verbal confirmation was received from node operators.
  • Oct 5, 10:55 AM: the fact of vulnerability discovery was announced to the DAO members; a DAO vote implementing the short-term mitigation was started.
  • Oct 5, 11:13 AM: the fact of vulnerability discovery was announced to the general public via Twitter, Telegram, and Discord.
  • Oct 6, 10:55 AM: the DAO vote implementing the short-term mitigation passed and was enacted.
  • Oct 7, 10:22 AM: greenlight for exploit disclosure was received from all the affected parties.
  • Oct 7, 01:10 PM: the exploit mechanics and possible mitigations were published to the Lido Research Forum.

We want to thank Dmitri Tsumak for discovering and reporting the exploit, as well as Immunefi, StakeWise, and RocketPool teams for validating and escalating it to the Lido team.

 

Going forward

Although the short-term mitigation is already in place, a proper long-term mitigation still needs to be implemented. Currently, the optimal solution is being discussed by the Lido community; you can follow and participate in this process in this Lido Research Forum thread.