case study | April 25, 2025

Lido – Security Review of Oracle V5 update

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

Lido partnered with Composable Security to conduct a thorough security review of the Oracle V5 update in preparation for the upcoming Pectra hard fork.

Basic information

Project type: Liquid staking protocol

Service: Threat based security review, including retest and advisory support.

Results: Two medium-risk vulnerabilities were detected and fully remediated; three low-risk issues were acknowledged or fixed; the recommendation was implemented and verified.

About Lido

Lido is the biggest decentralized liquid staking protocol that enables users to stake digital assets, with Ethereum being its flagship network. The Oracle’s performance and security are critical – especially during major protocol upgrades such as Ethereum’s Pectra hard fork.

Visit website: https://lido.fi/

About the service scope

The Lido Oracle – Update V5 project is a core component of the Lido staking ecosystem, responsible for aggregating, verifying, and relaying critical operational data that supports the protocol’s decentralized staking mechanism.

The subjects of the test were selected files from the Lido repository:

GitHub repository: https://github.com/lidofinance/lido-oracle

CommitID: 0dbc1d8a2acf069075118e94770c20de2c1de3d7

Below is an overview of its key components:

  • Accounting Oracle: Focuses on tracking staking rewards, fees, and other financial metrics. This module is crucial for ensuring that the economic aspects of the protocol remain consistent and transparent.
  • Validators Exit Bus Oracle: VEBO is an oracle that ejects Lido validators when the protocol requires additional funds to process user withdrawals. This component ensures that any changes in validator status are accurately reflected by generating requests to exit validators to fulfill the withdrawal demand.
  • CSM Oracle: Integrates with the Community Staking Module to report module-specific metrics, that is, the rewards generated by CSM validators.

The Oracle V5 has been engineered to ensure that the Oracle continues to operate as intended following the Pectra upgrade, with a strong focus on addressing the challenges during the immediate transition period. The update incorporates changes that maintain the accuracy and reliability of critical operational data even in the face of significant protocol changes.

Initial Challenges and Constraints:

  • The audit was conducted during active development and Pectra-related updates, requiring tight coordination with Lido engineers.
  • The security review required deep staking knowledge and an understanding of the complex business logic.

Objectives:

  • Verify compatibility with the upcoming Pectra update.
  • Ensure that all required changes have been implemented.

Identified threats

As before every audit, thorough threat modeling was performed. The results were made available to the client for joint analysis.

Key assets that require protection:

  • Report’s submitted data, including:
    • stETH/ETH ratio components
    • Withdrawal requests queue border
    • Ejected validators
  • Ether managed by the protocol
  • Bonds
  • Protocol’s availability

Threats and potential attacker goals:

  • Manipulation of the stETH/ETH rate to steal ETH
  • Locking users’ funds in the contract
  • Bonds theft
  • Running validators without required bond
  • Bypassing business logic limits (e.g. the withdrawal request delay)
  • Pausing the protocol by maliciously activating bunker mode
  • Denial of Service (e.g. due to Oracle malfunction)

Potential scenarios to achieve the indicated attacker’s goals:

  • Excluding validators from the total ETH balance calculation
  • Front-running deposits to preset withdrawal credentials
  • Retrieving on-chain data from an incorrect block via an archive node
  • Invalid calculation of validator parameters after Pectra upgrade (e.g. max effective balance)
  • Using post-Pectra algorithms for pre-Pectra blocks
  • Intentional slashing by an operator to break ejector module
  • Intentional slashing by an operator to manipulate the safe border calculation
  • Intentional exit of validator by its operator to break the ejector module
  • Taking advantage of arithmetic errors
  • Incorrect selection of validators to be ejected (e.g. re-ejecting validators)
  • Keeping ETH on validators forced to exit
  • Missing a report for one or more frames
  • Unprocessed changes introduced in the fork upgrade function (e.g. populating pending_deposits)
  • Missing ETH balances of validators not yet added to registry but already submitted via Deposit contract
  • Incorrect calculation of future activation and withdrawable epochs (changed in Pectra fork)
  • Lack of proper update of the consensus version parameter
  • Influencing or bypassing the business logic of the system
  • Inconsistency with documentation
  • Design issues
  • Uncaught exceptions

More can be found in the report.

Security Review results

A comprehensive security review identified five vulnerabilities (2 medium, 3 low) and one additional recommendation.

Key findings:

  • [Medium Severity] Uncaught exception on creating ejection report: an issue that could halt report generation during forced validator exits.
  • [Medium Severity] Node Operator can exit and slash their validator to move withdrawal finalization border epoch: an issue that allowed bypassing the border epoch as determined by the mass slashing event.

The team started improving the codebase immediately during the audit, and we verified during the retest that the most important vulnerabilities had been completely removed. Two issues with low impact on risk were acknowledged, with a detailed response from the team.

[Figure: bar chart from Lido DAO's security retest report by Composable Security, showing vulnerability findings by severity: 0 Critical, 0 High, 2 Medium (both resolved), 3 Low (1 resolved, 2 acknowledged), and 1 Informational (resolved).]

Security enhancements:

  • A previously uncaught exception that could halt report generation was fully mitigated. The logic now includes explicit checks for available validators, preventing the risk of failures during report submission.
  • By eliminating the filtering step, the algorithm now considers all slashed validators that are still not withdrawable rather than only those with the absolute earliest exit epoch.
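
The second enhancement can be shown with a simplified model. This is an added example, not code from lido-oracle or the audit report: the `Validator` class, the function names and the sample epochs are hypothetical and constructed here, and only `EPOCHS_PER_SLASHINGS_VECTOR` and `FAR_FUTURE_EPOCH` are taken from the Ethereum consensus spec.

```python
from dataclasses import dataclass

EPOCHS_PER_SLASHINGS_VECTOR = 8192  # consensus-spec mainnet preset
FAR_FUTURE_EPOCH = 2**64 - 1


@dataclass(frozen=True)
class Validator:  # hypothetical, reduced to the fields this model needs
    name: str
    slashed: bool
    exit_epoch: int
    withdrawable_epoch: int


def estimated_slashing_epoch(v):
    # Slashing sets withdrawable_epoch to at least
    # slashing_epoch + EPOCHS_PER_SLASHINGS_VECTOR; the estimate is exact
    # when that term dominates, as it does in the sample data below.
    return v.withdrawable_epoch - EPOCHS_PER_SLASHINGS_VECTOR


def incomplete_slashings(validators, ref_epoch):
    return [v for v in validators if v.slashed and v.withdrawable_epoch > ref_epoch]


def earliest_slashing_with_exit_filter(validators, ref_epoch):
    """Shape before the fix: inspect only validators with the earliest exit epoch."""
    pending = incomplete_slashings(validators, ref_epoch)
    if not pending:
        return None
    earliest_exit = min(v.exit_epoch for v in pending)
    return min(estimated_slashing_epoch(v) for v in pending
               if v.exit_epoch == earliest_exit)


def earliest_slashing_over_all(validators, ref_epoch):
    """Shape after the fix: inspect every slashed, not yet withdrawable validator."""
    pending = incomplete_slashings(validators, ref_epoch)
    if not pending:
        return None
    return min(estimated_slashing_epoch(v) for v in pending)


# Constructed sample: A was slashed at epoch 1000 without a prior exit;
# B had already exited at epoch 900 and was slashed later, at epoch 1100.
SAMPLE = [
    Validator("A", True, exit_epoch=1005, withdrawable_epoch=1000 + 8192),
    Validator("B", True, exit_epoch=900, withdrawable_epoch=1100 + 8192),
    Validator("C", False, FAR_FUTURE_EPOCH, FAR_FUTURE_EPOCH),
]
```

With the exit-epoch filter, validator B alone decides the result and the earlier slashing of A is ignored; scanning all incomplete slashings returns the earlier epoch.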

Knowledge transfer:

Lido engineers were active participants in validating attack scenarios and contributing detailed documentation and insights, significantly helping during the verification process.

Client rating

[Figure: testimonial from Gregory Stepanov, Project Manager at Lido DAO, highlighting Composable Security's meaningful findings and their contributions to improvements in the final codebase.]
