Lido assures LDO, stETH tokens remain safe despite flaw in token contract

1 year ago

The “fake deposit” attack enables bad actors to execute a transfer where the requested value is larger than what the user actually owns.

Ethereum staking protocol Lido Finance has assured that both Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO’s token contract.

Lido didn’t confirm any exploits, but acknowledged the security flaw was known and reassured that LDO and stETH funds remain safe in response to a Sept. 10 post by blockchain security firm SlowMist.

SlowMist said LDO’s flawed token contract allows bad actors to carry out “fake deposit” attacks on exchanges, because LDO’s token contract lets users execute transactions even where they don’t have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist.

However, Lido Finance argued the behavior is built into all ERC-20 tokens — not just Lido’s LDO token:

This behaviour is expected and conforms to the ERC20 token standard (see tweet below). Both LDO and stETH (and Lido governance) remain safe.

Lido token integration guides will be updated with LDO specifics to make this more visible shortly.

— Lido (@LidoFinance) September 10, 2023

SlowMist said the “fake deposit” attacks stem from LDO’s token contract executing transfers where the value is larger than what the user actually owns, returning false instead of reverting the transaction. While the firm said Lido's token contract has recently been exploited via this attack, no on-chain evidence was provided.

Cointelegraph reached out to SlowMist for comment but did not receive an immediate response.

Meanwhile, on-chain analyst “Hercules” explained on Sept. 10 that the security flaw may not be picked up by cryptocurrency exchanges.

SlowMist recommends that LDO holders also check the return values of the token contract’s transfers, in addition to the success or failure of the transaction itself.

The blockchain security firm concluded that token contract implementations and behaviors vary by project, and that integrators should conduct thorough testing before integrating any new tokens.

Related: Ethereum staking services agree to 22% limit of all validators

However, Lido highlighted in the official Ethereum Improvement Proposal document — co-authored by Vitalik Buterin in November 2015 — that both the “transfer” and “transferFrom” functions must return the transfer status and are only recommended to revert a transaction in exceptional cases.

ERC20 token standard: https://t.co/YlrS1ZN6Fd

1) Both transfer and transferFrom are required to return transfer status and are only recommended to revert a tx in exceptional cases.

2) The standard says that a caller is obliged to check the return status (see 'Token methods'). pic.twitter.com/6KTcIyxo2F

— Lido (@LidoFinance) September 10, 2023
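The practical consequence of SlowMist's advice and of Lido's point 2) for an exchange is that a transaction receipt with status 1 does not prove a deposit arrived: a token whose transfer() returns false still produces a "successful" transaction, and the boolean return value is not part of the receipt. The check below is an added example, not code from Lido, SlowMist or Cointelegraph; it credits only what the token contract itself logged as a Transfer event, using constructed placeholder addresses and receipts.

```python
# Added example: credit a deposit from the token's own Transfer event, never
# from transaction status alone. Addresses and receipts below are constructed.
from dataclasses import dataclass, field

# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


@dataclass
class Log:
    address: str   # contract that emitted the event
    topics: list   # [event signature, indexed from, indexed to]
    data: str      # ABI-encoded uint256 value as hex


@dataclass
class Receipt:
    status: int    # 1 = executed without revert, 0 = reverted
    logs: list = field(default_factory=list)


def _topic_to_addr(topic: str) -> str:
    # An indexed address is left-padded to 32 bytes; the low 20 bytes are the address.
    return "0x" + topic[-40:].lower()


def credited_amount(receipt: Receipt, token: str, deposit_addr: str) -> int:
    """Token units actually moved to deposit_addr by this transaction.

    status == 1 alone is meaningless here: a contract that returns false
    instead of reverting still yields status 1 but emits no Transfer event.
    """
    if receipt.status != 1:
        return 0
    total = 0
    for log in receipt.logs:
        if log.address.lower() != token.lower():
            continue  # ignore Transfer-shaped events from any other contract
        if len(log.topics) != 3 or log.topics[0].lower() != TRANSFER_TOPIC:
            continue
        if _topic_to_addr(log.topics[2]) != deposit_addr.lower():
            continue
        total += int(log.data, 16)
    return total


# Constructed sample data: placeholder addresses, not real contracts or wallets.
TOKEN, DEPOSIT, SENDER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
pad = lambda addr: "0x" + addr[2:].rjust(64, "0")  # 32-byte topic encoding
real = Receipt(1, [Log(TOKEN, [TRANSFER_TOPIC, pad(SENDER), pad(DEPOSIT)], format(10**18, "#066x"))])
fake = Receipt(1, [])  # transfer() returned false; tx still shows status 1
```

Running `credited_amount(real, TOKEN, DEPOSIT)` yields one whole token, while the fake-deposit receipt yields 0 despite its status of 1.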

To address the concern, Lido confirmed the LDO token integration guides will soon be updated.
