Original author: @IsdrsP, Lido validator node manager
Original text translated by: Nicky, Foresight News
On the morning of May 10, the oracle service provider Chorus One disclosed that one of Lido's oracle hot wallets was hacked, resulting in 1.46 ETH being stolen. However, security audits indicated that this isolated incident had limited impact, as the compromised wallet was designed solely for lightweight operational purposes.
Oracle attacks do sound terrible. However, Lido's architectural design, stakeholder value philosophy, and security-oriented contributor culture mean that the impact of such events is extremely limited—even if an oracle is completely compromised, it will not lead to catastrophic consequences.
So, what makes Lido unique?
Thoughtful design and layered protection mechanisms
Lido's oracles are responsible for transmitting information from the consensus layer to the execution layer and reporting protocol dynamics. They do not control user funds. A single compromised oracle will only cause minor issues, and even if the quorum itself is compromised, it will not lead to catastrophic consequences.
What malicious actions might a single compromised oracle attempt?
A) Submit malicious reports (which honest oracles will ignore);
B) Deplete the ETH balance of that specific oracle address (which is only used to pay for operational transactions and does not hold stakers' funds).
What exactly are the responsibilities of oracles?
Lido's oracles are essentially a distributed mechanism consisting of 9 independent participants (with a 5-of-9 quorum), primarily responsible for reporting protocol state. Their current core functions include:
• Token inflation reward distribution (rebase)
• Withdrawal process handling
• Monitoring validator exits and performance for reference by the CSM (Community Security Module)
These oracles submit "reports" of the state they observe to the protocol. These reports are used to calculate daily accumulated rewards or penalties, update stETH balances, process and ultimately confirm withdrawal requests, calculate validator exit requests, and assess validator performance.
Essentially, Lido's oracles are different from what people typically understand as "multi-signatures". Oracles cannot access the funds of stakers or the protocol, cannot control any protocol contract upgrades, and cannot upgrade or manage their own membership. Instead, the Lido DAO maintains the list of oracles through voting.
The functions of the oracles are extremely limited—they can only perform the following operations: submit reports that strictly adhere to deterministic, audited, and open-source algorithms designed for different protocol objectives; execute transactions in specific circumstances to implement report results (e.g., the protocol's daily rebase operations).
What would happen in the worst-case scenario if 5 out of 9 oracles were compromised? In this case, the compromised oracles could collude to submit malicious reports, but any report must pass sanity checks that the protocol enforces on-chain.
If a report violates these sanity checks, its processing time will be extended (and it may never be "settled" at all), because the values in the report must stay within the allowable range of change over a specific period (days or weeks).
In the worst-case scenario, this could mean that a rebase such as stETH's (whether positive or negative) may take longer to take effect, which would impact stETH holders, but the effect on most holders is negligible unless someone is using stETH with leverage in DeFi.
There are also other possibilities: if malicious oracles and their accomplices possess certain information or have the capacity to implement large penalties at the consensus layer (such as mass slashing), they may exploit the execution layer's stETH update delays for economic gain. For example, in the event of mass slashing, some individuals might sell off part of their stETH through decentralized exchanges (DEX) before a negative rebase takes effect. However, this will not affect users' withdrawal operations initiated directly through Lido, as the protocol's "emergency mode" (bunker mode) will be activated to ensure the fair execution of the withdrawal process.
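The following Python model is an added illustration, not part of the original article and not Lido's contract code. It shows how a 5-of-9 quorum and a bounded-change sanity check combine: a single forged report is outvoted, and a forged report that does reach quorum is still not applied. The 10 basis point limit, the pooled-ETH figures, and all function names are assumptions made for the example, and a failed check is simplified here to "the previous value stays in effect".

```python
from collections import Counter
from dataclasses import dataclass

MEMBERS, QUORUM = 9, 5      # committee size and quorum stated in the article
MAX_CHANGE_BP = 10          # constructed limit: max change per report, in basis points
PREV_GWEI = 9_000_000 * 10**9   # constructed previous pooled-ETH value, in gwei

@dataclass(frozen=True)
class Report:
    ref_slot: int
    pooled_eth_gwei: int    # pooled ETH the member observed on the consensus layer

# Constructed sample reports: an honest +3 bp change and a forged doubling.
HONEST = Report(100, PREV_GWEI + PREV_GWEI * 3 // 10_000)
FORGED = Report(100, PREV_GWEI * 2)

def consensus_report(submissions):
    """Return the report that at least QUORUM members agree on, else None."""
    if not submissions:
        return None
    report, votes = Counter(submissions.values()).most_common(1)[0]
    return report if votes >= QUORUM else None

def passes_sanity_check(previous_gwei, report):
    """Accept only changes within MAX_CHANGE_BP of the previously accounted value."""
    delta = abs(report.pooled_eth_gwei - previous_gwei)
    return delta * 10_000 <= previous_gwei * MAX_CHANGE_BP

def process(previous_gwei, submissions):
    """Return the new accounted value; keep the old one on no quorum or failed check."""
    report = consensus_report(submissions)
    if report is None or not passes_sanity_check(previous_gwei, report):
        return previous_gwei
    return report.pooled_eth_gwei

def committee(compromised, silent=0):
    """Build one round of submissions keyed by member; each member has one vote."""
    votes = {f"oracle-{i}": FORGED for i in range(compromised)}
    for i in range(compromised, MEMBERS - silent):
        votes[f"oracle-{i}"] = HONEST
    return votes

if __name__ == "__main__":
    for bad, silent in [(1, 0), (4, 1), (5, 0)]:
        applied = process(PREV_GWEI, committee(bad, silent))
        print(f"{bad} compromised, {silent} silent -> applied {applied}")
```
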
Instant and thorough transparency
From start to finish, all participants in the Lido ecosystem, whether contributors, node operators, or oracle operators, consistently prioritize transparency and goodwill, protecting the rights of stakers and the healthy development of the entire ecosystem. Whether actively releasing detailed post-mortem reports, compensating for staking losses caused by infrastructure downtime, proactively exiting validators as a precaution, or quickly releasing comprehensive incident reports, these participants always treat transparency as a top priority.
Continuous iterative upgrades
Lido is always at the forefront of technological development, committed to using zero-knowledge proof (ZK) technology to enhance the security and trustlessness of the oracle mechanism. As early as the initial stage, the team invested over $200,000 in dedicated funding to support trustless verification of consensus layer data through zero-knowledge proof technology.
These explorations of technology ultimately led to the development of the SP1 zero-knowledge oracle "dual-check" mechanism by the SuccinctLabs team, which is set to officially launch within the year. This mechanism provides an additional layer of security verification for potential negative rebase operations through verifiable consensus layer data.
Currently, this type of zero-knowledge technology is still in the development stage, and related zero-knowledge virtual machines (zkVM) need to undergo practical testing. There are also limitations such as slower computation speeds and higher computational costs, making it impossible to completely replace trusted oracles. However, in the long term, such solutions are expected to become trust-minimized alternatives to existing oracles.
Oracle technology is very complex and has varied application scenarios in the DeFi field. In the Lido protocol, oracles are carefully designed as core components, significantly reducing the potential risk impact through effective decentralized architecture, separation of responsibilities, and a multi-layer verification system.