Behind the 1.4 ETH theft: Lido’s security mechanism teaches the industry a lesson

Foresight News
In the early morning, hackers hacked into an address in the Lido oracle multi-signature and exposed their whereabouts after stealing 1.4 ETH. Does the theft have a substantial impact on Lido?

Written by: @IsdrsP (Lido Validator Node Director)

Compiled by Nicky, Foresight News

In the early morning of May 10, oracle service provider Chorus One disclosed that a hot wallet of Lido Oracle was hacked and 1.46 ETH was stolen. However, according to the security audit, this isolated incident had limited impact, and the wallet involved was designed for lightweight operations only.

An oracle attack sounds bad. However, Lido’s architectural design, stakeholder values, and security-oriented contributor culture mean that the impact of such an incident is extremely limited — even if the oracle is completely compromised, it will not be catastrophic.

So, what is so unique about Lido?

Well-thought-out design and layers of protection

Lido’s oracles are responsible for passing information from the consensus layer to the execution layer and reporting protocol state. They do not control user funds. A single faulty oracle will only cause minor trouble, and even if the quorum itself is breached, the consequences are not catastrophic.

What malicious actions might a single compromised oracle attempt?

A) Submit a malicious report (which will be ignored by the honest oracle);

B) Drain the ETH balance of that specific oracle address (this address is only used for operational transactions and does not hold stakers’ funds).

What exactly are the responsibilities of an oracle?

Lido’s oracle is essentially a distributed mechanism consisting of 9 independent participants (a 5/9 consensus is required), mainly responsible for protocol state reporting. Its current core functions include:

• Token inflation reward issuance (rebase)

• Withdrawal process processing

• Validator exit and performance monitoring, for reference by CSM (Community Security Module)

These oracles submit “reports” of their observed states to the protocol. These reports are used to calculate daily accumulated rewards or penalties, update stETH balances, process and ultimately confirm withdrawal requests, calculate validator exit requests, and measure validator performance.

In essence, the Lido oracle is different from what people usually understand as multi-signature. The oracle can neither access the funds of the stakers and the protocol, nor control the upgrade of any protocol contract, nor can it upgrade itself or manage membership. Instead, the Lido DAO maintains the oracle list through voting.

Oracles have extremely limited functionality — they can only submit reports that strictly follow deterministic, audited, and open-source algorithms designed for different protocol goals, and execute transactions that apply the reported results in specific circumstances (such as the protocol’s daily rebase operation).

What is the worst case scenario if 5 out of 9 oracles are compromised? In this case, the compromised oracles could collude to submit malicious reports, but any report would have to pass the protocol sanity checks enforced on-chain.

Reports that violate these sanity checks will take longer to process (or may never be “settled”), because the values in a report must fall within a permitted range of change over a given period of time (days or weeks).

In the worst case, this could mean that stETH rebases (whether positive or negative) take longer to take effect. This would affect stETH holders, but the impact on most of them would be minimal unless they are using stETH in a leveraged position in DeFi.
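To make the two defensive layers above concrete (a lone malicious oracle being outvoted by the honest majority, and a colluding quorum still being bounded by on-chain sanity checks), here is a small simulation. It is an added illustration, not Lido’s own code: the 9-member committee and 5/9 quorum come from the article, while the balance-change limits (10% annualised increase, 5% one-off decrease), the `Report` fields and the function names are assumptions chosen for the demo.

```python
from collections import Counter
from dataclasses import dataclass

# Committee size and quorum as described in the article (9 members, 5/9 needed).
MEMBERS = 9
QUORUM = 5

# Assumed limits for this demo, in basis points (1 bp = 0.01%).
# They stand in for the protocol's on-chain sanity checks and are NOT Lido's real parameters.
MAX_ANNUAL_INCREASE_BP = 1000   # at most 10% annualised balance growth
MAX_ONE_OFF_DECREASE_BP = 500   # at most a 5% drop in a single report
SECONDS_PER_YEAR = 365 * 24 * 3600
GWEI = 10**9


@dataclass(frozen=True)
class Report:
    """Minimal oracle report: which slot it refers to and the observed CL balance."""
    ref_slot: int
    cl_balance_gwei: int


def reach_consensus(submissions, quorum=QUORUM):
    """Return the report submitted by at least `quorum` members, else None.

    `submissions` maps member id -> Report. Byte-identical reports compare equal,
    so a single deviating report simply fails to gather votes.
    """
    if not submissions:
        return None
    report, votes = Counter(submissions.values()).most_common(1)[0]
    return report if votes >= quorum else None


def passes_sanity_check(prev_balance_gwei, new_balance_gwei, elapsed_seconds):
    """Bound how far one report may move the balance relative to the last accepted one."""
    if new_balance_gwei >= prev_balance_gwei:
        # Positive rebase: pro-rate the annual limit over the elapsed time.
        allowed = (prev_balance_gwei * MAX_ANNUAL_INCREASE_BP * elapsed_seconds
                   // (10_000 * SECONDS_PER_YEAR))
        return new_balance_gwei - prev_balance_gwei <= allowed
    # Negative rebase (e.g. slashing): cap the one-off decrease.
    allowed = prev_balance_gwei * MAX_ONE_OFF_DECREASE_BP // 10_000
    return prev_balance_gwei - new_balance_gwei <= allowed


def process_frame(prev_balance_gwei, submissions, elapsed_seconds):
    """One reporting frame: reach quorum first, then sanity-check, then apply.

    Returns (status, balance) with status in {'no_quorum', 'rejected', 'accepted'}.
    A rejected report leaves the previous balance in place, which is the
    "takes longer to settle" outcome the article describes.
    """
    agreed = reach_consensus(submissions)
    if agreed is None:
        return "no_quorum", prev_balance_gwei
    if not passes_sanity_check(prev_balance_gwei, agreed.cl_balance_gwei, elapsed_seconds):
        return "rejected", prev_balance_gwei
    return "accepted", agreed.cl_balance_gwei


def scenario(prev_balance_gwei, honest_balance_gwei, malicious_balance_gwei,
             n_malicious, elapsed_seconds=86400):
    """Run one frame with `n_malicious` colluding members and the rest honest."""
    honest = Report(ref_slot=1, cl_balance_gwei=honest_balance_gwei)
    bad = Report(ref_slot=1, cl_balance_gwei=malicious_balance_gwei)
    submissions = {f"oracle-{i}": (bad if i < n_malicious else honest)
                   for i in range(MEMBERS)}
    return process_frame(prev_balance_gwei, submissions, elapsed_seconds)


if __name__ == "__main__":
    # Constructed sample: 9,000,000 ETH on the consensus layer, one day elapsed.
    prev = 9_000_000 * GWEI
    honest = prev + 1_000 * GWEI       # plausible daily reward
    inflated = prev + 100_000 * GWEI   # wildly inflated balance
    print(scenario(prev, honest, inflated, 1))  # one bad oracle: outvoted, honest report accepted
    print(scenario(prev, honest, inflated, 4))  # four bad oracles: still outvoted
    print(scenario(prev, honest, inflated, 5))  # colluding quorum: report rejected by sanity check
```

The sequence matters: quorum is evaluated before the sanity check, so a colluding 5/9 majority can get a report through consensus but still cannot push a value outside the permitted band, and an honest minority cannot be forced to sign something it did not observe. What the sanity check cannot do is distinguish a small, in-band lie from the truth, which is why the article treats delayed rebases, rather than loss of funds, as the realistic worst case.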

There are other possibilities: if a malicious oracle and its accomplices have certain information or have the ability to impose large penalties (such as large-scale slashing) at the consensus layer, they may be able to use the delay in stETH updates at the execution layer to seek economic benefits.

For example, if a large-scale slashing occurs, some people may sell stETH through decentralized exchanges (DEXs) before the negative rebase takes effect. However, this will not affect withdrawals initiated directly by users through Lido, because the protocol’s bunker mode will be activated to ensure that the withdrawal process is executed fairly.

Instant and complete transparency

From beginning to end, all participants in the Lido ecosystem, whether contributors, node operators, or oracle operators, have always put transparency and good faith first, prioritizing the rights of stakers and the healthy development of the entire ecosystem.

Whether it’s proactively publishing detailed post-mortems, compensating for stake losses due to infrastructure downtime, proactively exiting validation nodes as a precaution, or quickly publishing comprehensive incident reports, these participants always make transparency a top priority.

Continuous iterative upgrades

Lido has always been at the forefront of technology research and development, committed to using zero-knowledge proof (ZK) technology to improve the security and trustlessness of the oracle mechanism. As early as the early stages, the team invested more than $200,000 in special funds to support the trustless verification of consensus layer data through zero-knowledge proof technology.

These technical explorations ultimately led to the SP1 zero-knowledge oracle dual-verification mechanism developed by the SuccinctLabs team, which will be officially launched this year. This mechanism provides an additional layer of security verification for potential negative rebase operations through verifiable consensus layer data.

At present, this type of zero-knowledge technology is still in the development stage. The related zero-knowledge virtual machine (zkVM) has not yet been battle-tested, and its slow proving speed and high computing cost mean it cannot completely replace the trusted oracle. However, in the long run, this type of solution is expected to become a trust-minimized alternative to existing oracles.

Oracle technology is very complex and has different application scenarios in the DeFi field. In the Lido protocol, the oracle is carefully designed as a core component, which significantly reduces the scope of potential risks through an effective decentralized architecture, separation of duties mechanism and multi-layer verification system.

Content source: https://x.com/IsdrsP/status/1921616790599135318

Original article by Foresight News. For reprints, content collaboration, or reporting, please contact report@odaily.email; unauthorized reprinting will be pursued by law.
