Lido: The platform vulnerability of InfStones node operators has been resolved, and there are no signs of key leakage
ChainCatcher news: Lido officials stated that in the past 24 hours, contributors to Lido DAO were informed of a platform vulnerability affecting an active node operator (InfStones) of Lido on Ethereum, which had been exploited at some point over the past few months. This vulnerability was disclosed to InfStones by security researchers at dWallet Labs in July 2023. The node operator announced that the vulnerability has been resolved.
The vulnerability involved the potential exposure of root-level access to 25 validator servers, which could include critical materials, to external attackers who may not be related to the Lido protocol. It is currently unclear whether contributors included servers and/or keys related to Lido validators within the scope of the affected systems.
Contributors to Lido DAO have drawn the following conclusions regarding the aforementioned vulnerability: there is no indication that any keys were leaked due to this vulnerability; however, as a precaution, InfStones voluntarily withdrew all validators and rotated to new keys, awaiting DAO voting. All ETH from the withdrawn validators will flow back to the Lido protocol through the withdrawal process and will subsequently be re-staked into available keys in the buffer.