Lido Hack: The Worst Has Been Avoided for Ethereum

By From0To10K | Au Coin du Bloc - Crypto News | 14 May 2025

This weekend, the Ethereum staking giant Lido narrowly avoided disaster. A hacking attempt targeted the protocol, causing significant alarm in the crypto community. Fortunately, thanks to a swift response and robust security architecture, the incident resulted in minimal damage and general relief. Let’s take a detailed look at what happened, how Lido works, and why Ethereum got lucky but emerged unscathed.

Key Takeaways:

  • Hack contained: A private key from one of Lido’s oracles (operated by Chorus One) was compromised, leading to the minor theft of 1.46 ETH, but no user funds were lost.

  • Urgent response: Lido immediately triggered an emergency vote from its DAO to replace the compromised key, demonstrating the effectiveness of its decentralized governance and multisignature security system.

  • The worst avoided: Thanks to Lido’s architecture (a network of 9 oracles with a 5/9 quorum and built-in safeguards), the hack had almost no impact on the protocol. The worst was avoided, preserving trust in Ethereum’s staking system.

Security Incident: More Fear Than Harm

Lido, the largest liquid staking protocol on Ethereum, experienced a concerning but contained security incident. On May 10th, a wallet oracle controlled by Chorus One was compromised by a hacker. The attacker was able to transfer 1.46 ETH (approximately €4,000) from this wallet, which only contained this small amount dedicated to transaction fees. While the theft was minimal, the news sent shockwaves through the ecosystem: Lido manages more than 25% of all staked ETH on the Ethereum network, worth about $23 billion, making it a systemic protocol for Ethereum.

Lido’s reaction was immediate. By May 11th, the team announced an emergency vote from the DAO to replace the compromised oracle key. Essentially, this meant generating a new secure oracle key and integrating it into the protocol contracts in place of the old one. The community vote was quickly approved, showing the responsiveness of Lido’s decentralized governance. At the same time, Chorus One, the operator of the compromised node, conducted a thorough audit of its infrastructure to ensure that the breach was limited to this one wallet. According to their initial findings, it appears to have been a private key leak from one of their “hot” (internet-connected) wallets dating back to 2021. In short, an old, poorly secured key had been stolen by the hacker, without affecting the rest of the system.

a0ccca1159289f5796a1d65507a6445a6a8b28571c79da98c79e7c405d647385.png

Fortunately, no user funds were impacted, and no other part of the protocol showed signs of compromise. The platform confirmed it remained “fully secure and operational” despite the targeted attack. Within hours, the compromised wallet was replaced with a new one, the Chorus One oracle was restored on a brand-new machine, and the danger was averted. We dodged a bullet, and so did Ethereum.

How Does Lido Work?

To fully understand why the worst was avoided, it’s essential to explain how Lido works and its role in Ethereum. Lido is a liquid staking protocol: it allows users to participate in Ethereum staking without losing liquidity of their funds. In practice, when you deposit ETH into Lido, it is delegated to Ethereum’s validators, and in exchange, Lido issues you stETH – tokens that represent your staked ETH plus the accumulated rewards. These stETH tokens are like a “liquid” version of your staked ETH: you can hold them, trade them, or use them in DeFi (lending, yield farming, etc.) while still earning staking rewards. This gives flexibility and efficiency to staking: you don’t have to lock your ETH away for months without being able to use it elsewhere.

Now, let’s break down how Lido functions technically and economically:

  • Stakers (users): They deposit their ETH into the Lido contract and receive stETH in return. These stETH tokens gradually increase in value or quantity as Lido periodically distributes staking rewards via rebasing (adjusting the stETH balance). Users can at any time sell their stETH for ETH (for example, via DeFi pools) or use them as collateral on lending protocols.

  • Validators (node operators): These are specialized entities (like Chorus One, P2P, etc.) selected by the Lido DAO to run Ethereum’s nodes. They validate blocks on the Beacon Chain of Ethereum and generate rewards in ETH. Lido aggregates thousands of ETH among dozens of professional validators. In exchange for their services, the validators receive a portion of the staking rewards.

  • Lido DAO and the LDO token: Lido is governed by its community via a DAO (decentralized autonomous organization). LDO token holders can vote on protocol parameters (validator selection, fees, upgrades, etc.). Lido takes a commission (around 10%, for example) from the staking rewards generated, which is distributed among the node operators, the DAO’s treasury, and any insurance services. This economic model aligns incentives: stakers earn ~90% of rewards, while Lido/validators earn ~10%.

  • DeFi Integration: Lido has greatly expanded the reach of staking by integrating stETH into many DeFi protocols. For example, you can provide stETH as collateral on Aave to borrow, trade it on Curve for ETH, or use it in farming strategies. stETH has become one of the pillars of Ethereum’s DeFi. This further enhances Lido’s utility but also creates interdependencies: if stETH encountered a trust issue or a value problem, many protocols would be impacted in a domino effect.

Where do the oracles come in?

The security incident involved a compromised Lido oracle, so it’s important to understand the role of these oracles in the protocol’s architecture. Lido’s smart contracts on Ethereum cannot, on their own, know the exact status of staking on the Beacon Chain (the consensus layer). They need a bridge of information between the consensus layer (where Ethereum validators operate with deposits, rewards, and penalties) and the execution layer (the main Ethereum blockchain where tokens and smart contracts live). This bridge is the Lido oracles: distributed programs that periodically publish on-chain reports on staking status. For instance, oracles inform the Lido contract about the total balance of validated deposits, the rewards accumulated, or the number of validatorsthat have left the network, allowing Lido to update the total stETH in circulation, adjust the rebase rate, or allow withdrawals.

To ensure the reliability of this critical data, Lido uses a collective of 9 independent oracles, operated by different entities (often the same ones that operate Lido’s validators, for efficiency). Each report issued must be validated by at least 5 out of the 9 oracles before it is accepted by the Lido contract. In other words, Lido operates on a 5/9 quorum system: a majority of oracles must agree on the data being provided. This prevents a single malicious or hacked oracle from feeding false data to the protocol. If one oracle tries to submit misleading data (say, a hacker compromises one oracle and attempts to send fake reports), the other 8 honest oracles would ignore it, and the Lido contract would not consider it.

Moreover, the Lido protocol includes “sanity checks” – automatic safeguards at the smart contract level – which prevent drastic or inconsistent changes, even if, in the worst-case scenario, an attacker were to control up to 5 oracles out of 9. These on-chain validations limit the potential damage from a compromised group of oracles. For example, even if a majority of oracles claimed there was twice as much ETH as there really was and tried to inflate the supply of stETH, the contract would reject such an anomaly. Lido’s architecture thus relies on multi-layer security: decentralization of oracles and validators, a 5/9 multisignature system for updates, and consistency checks in the smart contract code. It is this robust design that protected Lido from disaster during the hacking attempt.

In this case, the compromise of one of the 9 oracle keys (Chorus One) had no serious impact on the protocol: the hacker could have submitted falsified data, but without the backing of other oracles, this fake information would have been ignored and not reached the required quorum. In practice, the only “damage” was the loss of 1.46 ETH from the Chorus One wallet – a loss limited by design, as these oracle addresses deliberately only hold a small balance dedicated to gas fees. Even if the attacker had compromised several oracles, Lido’s sanity checks would have prevented any truly catastrophic action. For example, millions of ETH could not have been stolen, nor could stETH have been created out of thin air by exploiting just the oracles. In short, user funds remained secure throughout the incident – a crucial point for trust.

Implications for Ethereum: Vigilance and Renewed Confidence

Beyond the incident itself, this event has significant implications for the Ethereum ecosystem and trust in decentralized staking. Lido plays a major role in Ethereum: it secures about a quarter of all staked ETH, making it the undisputed leader of the liquid staking market. A successful and devastating attack against Lido would have been a real earthquake for Ethereum. Just imagine the consequences of a worst-case scenario: loss or freezing of a massive amount of ETH, collapse in the value of stETH, panic from investors withdrawing their deposits in droves, and long-lasting damage to Ethereum’s credibility (which relies on the security of staking). That’s partly why the news of the compromised oracle caused such a stir: the crypto community held its breath fearing that the worst might occur.

On social media, many commentators initially feared the worst upon hearing about the hack. Some even imagined a “Luna-style scenario” or a cascading collapse if Lido were truly exploited. “$23 billion was potentially at risk,” people feared. It’s true that, with such importance, Lido is a bit of a potential weak link in the Ethereum ecosystem: a systemic vulnerability to keep an eye on. However, very quickly, expert voices rose to calm the situation. Members of the Lido team and analysts explained that no, the incident would not bring Ethereum to its knees. The compromised oracle couldn’t access users’ deposits, couldn’t “drain” the protocol, nor even significantly alter Lido’s operation. In short, “no user deposit was ever in danger”, summarized a Lido advisor. These explanations, combined with Lido’s transparent communications (official announcements, real-time updates), reassured the community. Within 24 hours, panic turned into a calm, rational analysis of the situation.

The overall reaction from the crypto community was thus mixed: initial fear, quickly replaced by a measured analysisof the situation. Many praised Lido’s responsiveness and the resilience of its decentralized design. The fact that the protocol continued to operate normally, that staking rewards were never interrupted, was a great sign. “The system worked as intended, our safeguards did their job,” many positive comments read. This kind of success reinforces confidence in decentralized staking: it shows that entrusting your ETH to a multi-actor protocol like Lido can be safer than putting it in a single centralized entity, because there is no single point of failure. In this sense, Ethereum got lucky in its misfortune: this episode proves the resilience of decentralization when well-implemented.

That said, not everything is perfect and some criticisms have emerged. Learning that one of the oracle keys was stored on a hot wallet from 2021 made some observers frown, seeing it as a security lapse on Chorus One’s part. “How can a protocol managing so much ETH still have critical keys unsecured online?” was the question. Lido and its operators will need to learn from this scare: bolster their procedures, perhaps require that all oracle keys be stored in hardware wallets or HSMs (secure hardware modules), conduct regular security reviews on each node operator’s infrastructure, etc. The good news is that Chorus One has indicated they’re taking action (new dedicated machine, internal audits), and a post-mortem report will be published once the investigation is completed. Transparency and continuous improvement will be essential to maintain user trust.

At the Ethereum community level, this incident also reignites the debate on staking centralization. While Lido is technically decentralized (DAO, multiple validators, distributed oracles...), its economic weight is such that its risk has essentially become the network’s risk. Some members of the crypto community see this as a call for diversification: it would be healthier not to put “all the ETH in the same Lido basket”. Alternative liquid staking solutions exist (such as Rocket Pool, Coinbase ETH, etc.), with their own models and guarantees. The Lido incident might encourage stakers and institutions to spread their deposits across multiple protocols to dilute systemic risk. Moreover, it calls for further efforts to decentralize Lido itself – for example, by adding more node operators, improving the geographical distribution of validators, or exploring innovations like Distributed Validator Technology (DVT) to reduce the impact of compromising a single operator.

Finally, this event is part of a larger context where DeFi hacks are on the rise. In the first few months of 2025 alone, more than $2 billion have been stolen in attacks linked to flaws or breaches in crypto systems. Each new attack, even a minor one, is a reminder that security must remain the top priority. In the case of Lido, the worst was avoided, but this is no reason to let the guard down. On the contrary, it’s an opportunity to strengthen the security of the Ethereum ecosystem. The crypto community seems to have understood this well: we’ve seen both congratulatory messages for Lido’s exemplary management and warnings not to underestimate the threats. It’s a bit of a paradox in this story: it was both reassuring (showing that the safeguards worked) and a wake-up call (exposing a potential Achilles’ heel to fix).

The “Lido Hack” of May 2025 will remain a big scare but also a victory for Ethereum. A scare because no one likes to discover that part of the infrastructure has been compromised, even if it’s minor. A victory because Lido’s rapid response and decentralized engineering prevented any catastrophe. Ethereum emerges unscathed, user trust intact, and even strengthened by the protocol’s demonstration of resilience. This incident serves as a reminder that staking security is a collective responsibility: validators, developers, DAOs, and users all need to stay vigilant to protect this shared asset, the blockchain. This time, the worst was avoided – and it’s the entire Ethereum community that breathes a sigh of relief. Let’s hope this remains the rule moving forward, as the lessons from this story will surely help make the ecosystem even more resilient and secure.

Resources

  1. https://www.coindesk.com/tech/2025/05/12/ethereum-staking-giant-lido-loses-just-14-eth-in-hacking-attempt
  2. https://journalducoin.com/defi/catastrophe-lido-oracle-compromis-sans-impact-majeur/
  3. https://cryptoast.fr/hack-lido-plus-grand-operateur-staking-ethereum-eth/

How do you rate this article?

17
From0To10K
From0To10K

Au Coin du Bloc - Crypto News
Au Coin du Bloc - Crypto News

News about cryptocurrencies translate from Au Coin du Bloc

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.
Circle’s High-Wire Act: Big Valuation, Thin Margins, And Coinbase Dependence Circle’s High-Wire Act: Big Valuation, Thin Margins, And Coinbase Dependence
Myxoplixx

Myxoplixx

11 hours ago
1 minute read

Splinterlands: The Old Vs. The New Splinterlands: The Old Vs. The New
brando28

brando28

8 hours ago
5 minute read

Crypto Market And Trading Update - Buy Time Crypto Market And Trading Update - Buy Time
shohana1

shohana1

11 hours ago
1 minute read