SlowMist warns about ‘fake deposit’ flaw in Lido Token contract
Blockchain security firm SlowMist says malicious actors have already exploited the vulnerability in the LDO Token contract on several cryptocurrency exchanges.
A blockchain security firm, SlowMist, took to X (formerly Twitter) to warn users about a “known operational issue” in the LDO Token contract, saying the vulnerability has already been exploited on trading platforms without naming them.
In an X post published on Sept. 10, the blockchain firm cautioned users about the so-called “fake deposit” attack, which allows bad actors to remotely execute a transfer operation where the requested value is larger than what the victim owns.
Analysts at SlowMist say users should not rely solely on the interface data they see when sending or receiving tokens, but should also check the actual return values from the token contract. They also cautioned the crypto community about token contracts that “do not adhere to the ERC20 standard.” However, SlowMist didn’t elaborate on which contracts might face the same issue.
“Before integrating new tokens, ensure a deep understanding and analysis of their contract code to ensure the correct deposit logic.”
SlowMist analyst
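As an added illustration (not SlowMist's or Lido's code), the following Python model contrasts a deposit handler that trusts the requested amount with one that checks the transfer's return value and the resulting balance change, as the analysts advise; the token, exchange and balances are constructed for the example.

```python
# Model of the 'fake deposit' failure mode: a transfer() that returns False
# (ERC20-conformant) against a deposit handler that ignores that boolean.
# All names, balances and addresses below are constructed for illustration.

class Erc20Token:
    """Minimal ERC20-style token: transfer() signals failure via its return value."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        # Conformant behaviour: report failure instead of reverting.
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


class NaiveExchange:
    """Vulnerable deposit logic: credits the requested amount, discards the return value."""

    def __init__(self, token, hot_wallet):
        self.token, self.hot_wallet, self.credits = token, hot_wallet, {}

    def deposit(self, user, amount):
        self.token.transfer(user, self.hot_wallet, amount)  # result ignored
        self.credits[user] = self.credits.get(user, 0) + amount
        return True


class CheckedExchange(NaiveExchange):
    """Hardened: credit only if transfer() succeeded and the hot wallet grew by exactly `amount`."""

    def deposit(self, user, amount):
        before = self.token.balances.get(self.hot_wallet, 0)
        ok = self.token.transfer(user, self.hot_wallet, amount)
        received = self.token.balances.get(self.hot_wallet, 0) - before
        if not ok or received != amount:
            return False  # reject the deposit; nothing is credited
        self.credits[user] = self.credits.get(user, 0) + amount
        return True


def run_scenario(exchange_cls, user_balance=10, requested=1_000):
    """Deposit more than the user holds; return (credited, tokens actually received)."""
    token = Erc20Token({"user": user_balance})
    ex = exchange_cls(token, "exchange_hot_wallet")
    ex.deposit("user", requested)
    return ex.credits.get("user", 0), token.balances.get("exchange_hot_wallet", 0)
```

With the default inputs the naive handler credits 1,000 tokens while its hot wallet receives none; the checked handler credits nothing.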
Lido says tokens are safe
Lido didn’t publicly confirm any exploits of its contract. In a response published on X, the project noted that the issue “is expected and conforms to the ERC20 token standard.” Lido also reassured users that LDO and stETH tokens “are safe.”
Lido is a liquid staking protocol that supports multiple blockchain networks and sidechains, including Polygon. According to data from DeFiLlama, the total value locked (TVL) in Lido stands at over $14 billion as of Sept. 11. LDO is an ERC20 governance token used for voting on improvement proposals in the Lido DAO.