1.4 Behind the ETH small theft case: Analysis of how Lido can achieve risk isolation through decentralized design

Author: @IsdrsP (Lido Verification Node Supervisor)

Compiled by: Nicky, Foresight News

In the early morning of May 10, the oracle service provider Chorus One disclosed that a hot wallet of the Lido oracle was hacked, resulting in 1.46 ETH being stolen. However, according to security audits, the impact of this isolated incident is limited, and the wallet design involved is only for lightweight operational purposes.

It does sound bad to be attacked by an oracle. However, Lido’s architectural design, stakeholder values, and a security-oriented contributor culture mean that the impact of such events is extremely limited—even if the oracle is completely breached, there will be no catastrophic consequences.

So, what is unique about Lido?

Deliberate design and layered protection mechanism

Lido's oracle is responsible for passing information from the consensus layer to the execution layer and reporting protocol dynamics. They do not control user funds. A single fault oracle will only cause minor trouble, and even if the arbitration procedure (quorum) is broken, there will be no catastrophic consequences.

What malicious behaviors may a single compromised oracle try?

A) Submit a malicious report (but will be ignored by honest oracles);

B) Exhaust the ETH balance of that particular oracle address (this address is used only to operate the transaction and does not deposit the staked funds).

What responsibilities does the oracle bear?

Lido's oracle is essentially a distributed mechanism composed of nine independent participants (consensus needs to be reached on 5/9), mainly responsible for the status reporting of agreements. The current core functions include:

• Token inflation rewards are issued (rebase)

• Withdrawal process processing

• Verify node exit and performance monitoring for CSM (Community Security Module) reference

These prophetic opportunities to submit their observed status "report" to the agreement. These reports are used to calculate daily cumulative rewards or penalties, update stETH balances, process and finalize withdrawal requests, calculate validator exit requests, and measure validator performance.

In essence, Lido oracle is different from what people usually understand as "multiple signs". The oracle cannot access the stakeholder and the agreement's funds, nor can it control the upgrade of any agreement contract, nor can it upgrade itself or manage membership. Instead, Lido DAO maintains the oracle list by voting.

The oracle has extremely limited functionality—can only perform the following operations: submit reports that strictly follow deterministic, audited, and open source algorithms designed for different protocol objectives; and execute transactions under certain circumstances to implement report results (such as the daily rebase operation of the protocol).

What will happen if 5 of the 9 oracles are compromised? In this case, the breached oracle may conspire to submit a malicious report, but any report must pass a protocol rationality check enforced on-chain.

If a report violates these reasonableness checks, its processing time will be extended (or even never) "settlement" because the values ​​in the report must meet the range of numerical variations allowed within a specific period of time (days or weeks).

In the worst case, this could mean that a stETH-like rebase (both positive or negative) takes longer to take effect, which will have an impact on stETH holders, but will have little impact on most holders unless someone uses stETH in DeFi in a leveraged way.

There are other possibilities: if malicious oracles and their accomplices have certain information, or have the ability to impose large penalties (such as large-scale confiscations) at the consensus level, they may use the execution layer stETH update delay to seek economic benefits.

For example, if a large-scale confiscation occurs, some people may sell some of the stETH through a decentralized exchange (DEX) before the negative rebase takes effect. However, this will not affect the withdrawal operations initiated by the user directly through Lido, because the "bunker mode" of the agreement will be initiated to ensure that the withdrawal process is implemented fairly.

Instant and thorough transparency

From beginning to end, all participants in the Lido ecosystem—whether they are contributors, node operators, or oracle operators, always put transparency and goodwill first, giving priority to protecting the rights and interests of stakeholders and the healthy development of the entire ecosystem.

Whether it is proactively publishing detailed post-event analysis reports, compensating for pledge losses caused by infrastructure downtime, voluntarily exiting the verification node for preventive considerations, or quickly publishing a comprehensive accident report, these participants always regard transparency as a top priority.

Continuous iteration and upgrade

Lido has always been at the forefront of technological research and development, and is committed to using zero-knowledge proof (ZK) technology to improve the security and trustworthiness level of oracle mechanisms. As early as the early stages, the team invested more than $200,000 in special funds to support the implementation of trustless verification of consensus-level data through zero-knowledge proof technology.

These explorations of technology ultimately led to the official launch of the SP1 zero-knowledge oracle "dual verification" mechanism developed by the SuccinctLabs team. This mechanism provides an additional layer of security verification for potential negative rebase operations through verifiable consensus layer data.

At present, this type of zero-knowledge technology is still in the development stage. The related zero-knowledge virtual machines (zkVMs) not only need to undergo practical testing, but also have the limitations of slow computing speed and high computing costs, and cannot completely replace trusted oracles. But in the long run, such solutions are expected to be an alternative to existing oracles’ trust minimization.

Oracle technology is very complex and has different application scenarios in the DeFi field. In the Lido protocol, the oracle is carefully designed as a core component, and the scope of impact of potential risks is significantly reduced through an effective decentralized architecture, separation of responsibilities and a multi-layer verification system.

Content source: https://x.com/IsdrsP/status/1921616790599135318