1.4 ETH Theft Incident: Lido's Security Mechanism Teaches a Lesson to the Crypto Industry


In the early hours of the morning, an attacker compromised an address in the Lido oracle multisig and exposed their tracks after stealing 1.4 ETH. Does the theft have a material impact on Lido? This article is based on a thread written by @IsdrsP (Lido Validation Node Supervisor), compiled and contributed by Nicky, Foresight News.

(Synopsis: Give stETH holders a "decision veto power"! Lido's new proposal may reshape the DeFi governance power structure)
(Background: Aave and Lido's combined TVL exceeded $70 billion for the first time, occupying half of the DeFi world)

In the early morning of May 10, oracle service provider Chorus One disclosed that a Lido oracle hot wallet had been compromised, resulting in the theft of 1.46 ETH. According to the security audit, however, the impact of this isolated incident was limited: the wallet involved was designed for lightweight operations only.

An attack on an oracle sounds bad. However, Lido's architecture, stakeholder values, and security-oriented contributor culture mean that the impact of such an event is extremely limited; even if the oracle were completely breached, the consequences would not be catastrophic. So, what is unique about Lido?

Well-thought-out design and layers of protection

Lido's oracles are responsible for passing information from the consensus layer to the execution layer and reporting protocol state. They do not control user funds. A single faulty oracle can only cause minor trouble, and even a breach of the quorum would not have catastrophic consequences.

What malicious actions might a single compromised oracle attempt?
A) Submit malicious reports (which honest oracles will ignore);
B) Drain the ETH balance of that particular oracle address (which is used only to pay for its transactions and holds no staker funds).

What exactly is the oracle responsible for?
Lido's oracle is essentially a distributed mechanism composed of 9 independent participants (5 of 9 must agree), mainly responsible for protocol state reporting. Its current core functions include:
・Staking reward distribution (rebase)
・Processing of the withdrawal process
・Validator exit and performance monitoring, for reference by the CSM (Community Security Module)

These oracles submit a "report" of the state they observe to the protocol. The reports are used to calculate the rewards or penalties accrued each day, update stETH balances, process and finalize withdrawal requests, compute validator exit requests, and measure validator performance.

In essence, the Lido oracle differs from what is commonly understood as a "multisig". The oracles have no access to staker or protocol funds, cannot upgrade any protocol contract, and cannot upgrade themselves or manage their own membership; instead, the Lido DAO maintains the list of oracles by vote. The oracle's capabilities are strictly limited to the following:
・Submitting reports that strictly follow deterministic, audited, open-source algorithms designed for the different protocol objectives;
・Executing transactions in specific situations to apply the reported results (e.g. the protocol's daily rebase).

What happens if 5 of 9 oracles are breached? In that case the breached oracles could collude to submit malicious reports, but every report must pass the protocol's on-chain sanity (plausibility) checks. If a report violates these checks, its processing is delayed and it may never be "settled", because the values in a report must fall within the range allowed for a specific period (days or weeks). In the worst case, this could mean that stETH rebases (positive or negative) take longer to take effect, which affects stETH holders but has minimal impact on most of them, unless someone has leveraged stETH in DeFi.
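The two defences described above (a lone divergent report gathering no votes against the 5-of-9 quorum, and a colluding quorum whose report is held back rather than settled until its values fit the range allowed for the elapsed period), modelled in Python. This is an added illustration and not Lido's oracle or contract code; the member count and quorum come from the text, while the report fields and the per-day rebase bounds are assumptions chosen for the example.

```python
# Added illustration (not Lido's code). Models the two defences described in
# the text: a 5-of-9 quorum on identical reports, then an on-chain style
# sanity check that bounds how far a report may move the balance per
# elapsed day. MEMBERS/QUORUM follow the text; the per-day bounds and the
# report fields are assumptions chosen for the example.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

MEMBERS = 9
QUORUM = 5
MAX_POSITIVE_BPS_PER_DAY = 3    # assumed cap on daily positive rebase (basis points)
MAX_NEGATIVE_BPS_PER_DAY = 50   # assumed cap on daily negative rebase (basis points)


@dataclass(frozen=True)
class Report:
    ref_slot: int           # consensus-layer slot the report describes
    cl_balance_gwei: int    # total validator balance observed on the consensus layer


def reach_consensus(submissions: Dict[str, Report]) -> Optional[Report]:
    """Return the report submitted by at least QUORUM members, else None.
    A single divergent (compromised) member's report simply gathers no votes."""
    assert len(submissions) <= MEMBERS, "more submissions than oracle members"
    if not submissions:
        return None
    report, votes = Counter(submissions.values()).most_common(1)[0]
    return report if votes >= QUORUM else None


def plausibility_check(prev_balance_gwei: int, report: Report, days_elapsed: int) -> bool:
    """Accept only if the implied rebase fits the range allowed for the elapsed period.
    A report that fails today may pass later, once enough days have elapsed."""
    if days_elapsed <= 0 or prev_balance_gwei <= 0:
        return False
    delta_bps = (report.cl_balance_gwei - prev_balance_gwei) * 10_000 / prev_balance_gwei
    low = -MAX_NEGATIVE_BPS_PER_DAY * days_elapsed
    high = MAX_POSITIVE_BPS_PER_DAY * days_elapsed
    return low <= delta_bps <= high


def process_report(prev_balance_gwei: int, submissions: Dict[str, Report],
                   days_elapsed: int) -> str:
    """Outcome of one oracle round: 'no quorum', 'held by sanity check' or 'accepted'."""
    report = reach_consensus(submissions)
    if report is None:
        return "no quorum"
    if not plausibility_check(prev_balance_gwei, report, days_elapsed):
        return "held by sanity check"
    return "accepted"
```

With eight members agreeing on a +2 bps report and one compromised member reporting a doubled balance, `process_report` accepts the honest report; five colluding members reporting +10% reach quorum but are held by the sanity check.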
There are other possibilities as well: if the malicious oracles and their co-conspirators hold privileged information, or have the ability to impose large penalties (such as large-scale slashing) at the consensus layer, they could take advantage of the delay in stETH's update on the execution layer for financial gain. For example, in the event of a large-scale slashing, some could sell part of their stETH through a decentralized exchange (DEX) before the negative rebase takes effect. However, this would not affect withdrawals initiated directly by users through Lido, since the protocol's "bunker mode" would be activated to ensure the withdrawal process is carried out fairly.

Real-time and thorough transparency

From start to finish, all participants in the Lido ecosystem, whether contributors, node operators, or oracle operators, have always put transparency and good faith first, prioritizing the rights and interests of stakers and the health of the entire ecosystem. Whether it is proactively releasing detailed post-mortem reports, compensating staking losses caused by infrastructure downtime, proactively exiting validators as a precaution, or quickly publishing comprehensive incident reports, transparency has always been a top priority.

Continuous iterative upgrades

Lido has always been at the forefront of technical research and development, and is committed to using zero-knowledge proof (ZK) technology to improve the security and trustlessness of its oracle mechanism. As early as the initial stage, the team invested more than $200,000 in dedicated funds to support trustless verification of consensus-layer data through zero-knowledge proofs. These technical explorations eventually led to the SP1 zero-knowledge oracle "double verification" mechanism developed by the SuccinctLabs team, which is due to launch officially within this year.
This mechanism provides an additional layer of security validation for potentially negative rebase operations, using verifiable consensus-layer data. At present this zero-knowledge technology is still under development: the underlying zero-knowledge virtual machine (zkVM) not only needs to be battle-tested, but also suffers from slow computation and high computing cost, so it cannot fully replace trusted oracles yet. In the long run, however, such solutions promise to be a trust-minimized alternative to existing oracles.

Oracle technology is complex and has a variety of use cases in DeFi. In the Lido protocol, oracles are carefully designed as core components, and an effective decentralized architecture, separation of duties, and a multi-layer verification system significantly reduce the scope of potential risk.

[Behind the 1.4 ETH theft: Lido's security mechanism has taught the crypto industry a lesson] This article was first published in BlockTempo's "Dynamic Trend - The Most Influential Blockchain News Media".
