$LDO According to PANews (11/5), 0xngmi - the founder of DefiLlama - revealed on X (Twitter) that a hacker successfully infiltrated one of the multisig addresses in Lido's Oracle system, stealing 1.4 ETH before being detected.

🔍 Attack Details:

  • Target: The multisig address belonging to Lido Oracle (used to verify on-chain data).

  • Method: The hacker gained control of 1 private key in the multisig mechanism, but only withdrew 1.4 ETH (≈ $3,500) before being detected.

  • Reason for detection: The small amount of money made the unusual transaction detectable by the monitoring system.

💡 Security Suggestions from 0xngmi:

"Perhaps a small amount of tokens (e.g., 0.1 ETH) should be placed in the multisig wallet as a 'canary' – if this token amount is moved, it means the wallet has been compromised."

🛡️ Lessons for DeFi Projects:

  1. Multisig is not "invulnerable": Clear permissions need to be established and activities monitored regularly.

  2. Early warning: Set up alerts that trigger on every transaction from the multisig wallet.

  3. Limit permissions: Oracle wallets should only hold enough ETH to cover gas fees, avoiding large balances.

Good news: Lido confirmed there is no risk to data or user funds, as the Oracle multisig is separate from the main wallet.
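
The canary suggestion and lesson 2 as a check over per-block balance snapshots, written as an added example (not code from Lido, 0xngmi or the original post). The Block record, the scan function and all sample addresses, hashes and fees are constructed for illustration; a live monitor would fill them from a node's eth_getBalance and eth_getBlockByNumber calls.

```python
from dataclasses import dataclass

WEI_PER_ETH = 10**18

@dataclass(frozen=True)
class Block:
    number: int
    balance_wei: int  # watched address balance after this block
    txs: tuple        # top-level txs as (hash, sender, recipient, value_wei)

def scan(watched, start_wei, blocks):
    """Return (block, kind, detail) alerts for one watched address."""
    watched, prev, alerts = watched.lower(), start_wei, []
    for b in blocks:
        # Lesson 2: any top-level transaction signed by the watched address.
        for tx_hash, sender, _recipient, _value in b.txs:
            if sender.lower() == watched:
                alerts.append((b.number, "outgoing_tx", tx_hash))
        # Canary: the balance fell. This also covers a contract multisig,
        # where ETH leaves in an internal call and the sender is another account.
        if b.balance_wei < prev:
            alerts.append((b.number, "canary_moved", prev - b.balance_wei))
        prev = b.balance_wei
    return alerts

# Constructed sample data; addresses and hashes are placeholders.
WATCHED, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
CANARY = WEI_PER_ETH // 10    # 0.1 ETH, as in the quoted suggestion
FEE = 21_000 * 10**9          # constructed fee for one plain transfer
KEY_HELD = (                  # address controlled directly by one key
    Block(100, CANARY, ()),
    Block(101, 0, (("0xtx1", WATCHED, OTHER, CANARY - FEE),)),
)
CONTRACT = (                  # contract wallet whose calls are sent by OTHER
    Block(200, CANARY, (("0xtx2", OTHER, WATCHED, 0),)),  # call, no loss
    Block(201, 0, (("0xtx3", OTHER, WATCHED, 0),)),       # internal transfer out
)

if __name__ == "__main__":
    for name, blocks in (("key-held", KEY_HELD), ("contract", CONTRACT)):
        for alert in scan(WATCHED, CANARY, blocks):
            print(name, alert)
```

The contract case raises only the balance alert, which is why a canary balance is worth watching alongside a filter on the sender address.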