The Oracle Private Key Leak resulted in a loss of only 1.4 ETH, showcasing Lido's security mechanism as "textbook-level"?

Original Author: @IsdrsP, Lido Guardian Node Operator

Original Translation: Nicky, Foresight News

On the early morning of May 10th, the oracle service provider Chorus One disclosed that a hot wallet of the Lido Oracle was hacked, resulting in the theft of 1.46 ETH. However, according to security audits, this isolated incident had a limited impact as the affected wallet was designed for lightweight operational purposes.

An oracle being attacked may sound really bad. However, Lido's architectural design, stakeholder values, and security-oriented contributor culture mean that the impact of such events is minimal—even if the oracle were to be fully compromised, it would not have catastrophic consequences.

So, what makes Lido unique?

Thoughtful Design and Layered Defense Mechanisms

Lido's oracles are responsible for transmitting information from the consensus layer to the execution layer and reporting on protocol dynamics. They do not control user funds. A single oracle failure only leads to minor inconveniences, and even if the arbitration process (quorum) were breached, it would not have catastrophic consequences.

What malicious actions could a single compromised oracle attempt?

A) Submitting a malicious report (but this would be disregarded by honest oracles);

B) Draining the ETH balance of that specific oracle address (which is only used for operational transactions and does not hold stakers' funds).

What responsibilities do oracles bear?

Lido's oracles are essentially a distributed mechanism composed of 9 independent participants (requiring a 5/9 consensus) mainly responsible for protocol state reporting. Their current core functions include:

• Distributing token inflation rewards (rebase)

• Processing withdrawal flows

• Verifying node exits and performance monitoring for reference by the CSM (Community Staking Module)

These oracles submit their observed state "reports" to the protocol. These reports are used to calculate daily cumulative rewards or penalties, update stETH balances, process and ultimately confirm withdrawal requests, calculate validator exit applications, and measure validator performance.

Fundamentally, Lido's oracles are different from the typical understanding of a "multisig." Oracles cannot access staker or protocol funds, control any protocol contract upgrades, self-upgrade, or manage membership. Instead, the Lido DAO maintains the oracle list through voting.

The function of an oracle is extremely limited—it can only perform the following operations: submit reports that strictly adhere to deterministic, audited, and open-source algorithms designed for different protocol objectives; execute transactions under specific circumstances to finalize report results (e.g., the daily rebase operation of a protocol).

What would be the worst-case scenario if 5 out of 9 oracles were compromised? In this scenario, the compromised oracles could potentially collude to submit malicious reports, but any report must pass the on-chain enforced protocol sanity checks.

If a report fails these sanity checks, its settlement time will be extended (or even potentially never) due to the fact that the reported values must fall within a specific range of allowable value changes over a period of time (several days or weeks).

In the worst-case scenario, this could mean that a rebase event like that of stETH (whether positive or negative) would take longer to take effect, impacting stETH holders, although the impact on most holders would be minimal unless someone is using stETH in DeFi with leverage.

Other possibilities exist as well: if malicious oracles and their accomplices possess certain information or have the ability to enforce significant penalties (e.g., massive slashing) at the consensus layer, they could exploit the delayed execution of stETH updates for economic gain. For example, in the event of massive slashing, some individuals might sell off a portion of stETH on a decentralized exchange (DEX) before a negative rebase takes effect. However, this would not affect user-initiated withdrawals directly through Lido as the protocol's "bunker mode" would be triggered to ensure the fairness of the withdrawal process.

Real-Time and Thorough Transparency

Throughout, all participants in the Lido ecosystem—be it contributors, node operators, oracle operators, etc., have consistently prioritized transparency and good faith, safeguarding the interests of stakers and the overall ecosystem's healthy development. Whether through proactively releasing detailed post-mortem analysis reports, compensating for staking losses due to infrastructure downtime, preemptively exiting a validation node, or swiftly issuing comprehensive incident reports, these participants have always upheld transparency as paramount.

Continuous Iterative Upgrades

Lido always remains at the forefront of technical innovation, striving to enhance the security and trustlessness of the oracle mechanism through zero-knowledge proof (ZK) technology. In the early stages, the team allocated over $200,000 in dedicated funding to support the trustless validation of consensus layer data through zero-knowledge proof technology.

These explorations of technology have ultimately led to the SP1 Zero Knowledge Oracle "Dual Verification" mechanism developed by the SuccinctLabs team, which is scheduled to be officially launched later this year. This mechanism, through verifiable consensus layer data, provides an additional security verification layer for potential negative rebase operations.

Currently, such zero-knowledge technology is still in its early stages of development. The related zero-knowledge virtual machine (zkVM) not only needs real-world testing but also faces limitations such as slow computation speed and high computational costs, making it unable to fully replace trusted oracles. However, in the long run, these solutions are expected to become a trust-minimized alternative to existing oracles.

Oracle technology is highly complex and has different applications in the DeFi field. In the Lido protocol, the oracle, as a core component, has been carefully designed to significantly reduce the scope of potential risks through an efficient decentralized architecture, a separation of duties mechanism, and a multi-layer verification system.

Original Article Link