Lido node operator InfStones agrees to rotate validator keys after vulnerability disclosure
Quick Take
Lido operator InfStones is expected to take precautionary measures after a vulnerability disclosure. The Tailon library-linked vulnerability, discovered in July 2023 by dWallet Labs, has been addressed. Lido Finance clarified there is no evidence of key leakage or exploit.
InfStones, a key node operator for Lido Finance, is set to temporarily withdraw its Ethereum validators from the liquid staking protocol and implement key rotations in response to a significant vulnerability revealed by dWallet Labs’ security researchers.
The vulnerability, linked to the open-source library Tailon, was reported to InfStones in July 2023 and has since been resolved. Nonetheless, this event has led to the adoption of preventative security measures.
As the largest liquid staking protocol on Ethereum, Lido oversees 9.23 million ether, with a market value exceeding $19 billion. The protocol enables users to deposit ETH and participate in network staking through validator nodes, which in turn issue a derivative token to users as a representation of their staked deposit. A network of contributors, known as operators, is responsible for running these ETH validator nodes, providing the requisite IT infrastructure and servers necessary for their operation.
Lido Finance confirmed the vulnerability was related to potential root-level access that impacted 25 of InfStones’ validator servers. Lido clarified, however, that there’s no evidence of any key leakage or exploitation as a result of this issue.
"To clarify: There is currently no indication of key leakage or compromise, and the vulnerability may not affect validators related to the Lido protocol," it said.
InfStones' response
InfStones said the issue flagged by dWallet affected only a small part of its infrastructure: less than 0.1% of its systems, which had the issue on a specific network port. In doing so, it implied that the number of affected validator nodes was small.
“The instances (servers) identified in production constitute a fraction below 0.1% of the live nodes we have launched to date. We found that outside traffic, through a port 55555 opened for Tailon, could imitate viewer privileges and access a portion of the development and testing data,” InfStones said.
Despite the absence of a confirmed key compromise, InfStones has proactively agreed to exit its validators and transition to new keys, pending governance’s approval, Lido Finance added. The ether that was previously staked on the potentially affected validators is planned to be redirected into the Lido protocol for re-staking, ensuring its continuity and stability.