In a notable security incident in the decentralized finance (DeFi) space, Lido Finance has launched an emergency decentralized autonomous organization (DAO) vote after one of its oracle keys, held by Chorus One, was found to be compromised. This incident highlights the utmost importance of sound security practices in DeFi protocols.
Incident Overview and Immediate Response
On May 10, 2025, a Lido contributor noted an unusual draining of the ETH balance of a wallet belonging to a Lido oracle run by Chorus One. The wallet, which had been active since 2021, was discovered to have been drained overnight, hinting at a possible private key leak. Initial investigations suggest that the leak had happened in the past, and there is currently no evidence of a breach of Chorus One’s infrastructure or Lido’s software systems.
Lido’s oracle mechanism is secured by a 5-out-of-9 quorum, which keeps it operating correctly even if an oracle is compromised. Once the compromise was discovered, Lido immediately initiated an emergency DAO vote to replace the compromised oracle key. The compromised address, 0x140Bd8FbDc884f48dA7cb1c09bE8A2fAdfea776E, is being replaced with a new address, 0x285f8537e1dAeEdaf617e96C742F2Cf36d63CcfB, in three essential contracts: Accounting Oracle, Validators Exit Bus Oracle, and Consensus Layer Fee Oracle. The on-chain vote has started and will last for 72 hours, after which a 48-hour objection period will be held to resolve community concerns.
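The following is an added example, not Lido's contract code and not part of the original article: a simplified Python model of the 5-out-of-9 quorum described above, showing why one compromised key cannot finalize a report alone and what rotating that key changes. The class and method names, the `oracle-N` member names, the report hashes and the choice to drop a rotated member's pending vote are assumptions for illustration; only the two addresses come from the article.

```python
# Simplified model of an m-of-n oracle quorum (illustrative, not Lido's contracts).
from collections import Counter

COMPROMISED = "0x140Bd8FbDc884f48dA7cb1c09bE8A2fAdfea776E"  # from the article
REPLACEMENT = "0x285f8537e1dAeEdaf617e96C742F2Cf36d63CcfB"  # from the article


class QuorumOracle:
    def __init__(self, members, quorum):
        self.members = set(members)
        self.quorum = quorum
        self.votes = {}  # member -> report hash for the current reporting frame

    def submit(self, member, report_hash):
        """Record one vote per member; return the hash once it reaches quorum."""
        if member not in self.members:
            raise PermissionError(f"{member} is not an oracle member")
        self.votes[member] = report_hash  # a re-vote overwrites, never double counts
        tally = Counter(self.votes.values())
        return report_hash if tally[report_hash] >= self.quorum else None

    def replace_member(self, old, new):
        """Rotate a key: remove the old address and (assumption) its pending vote."""
        self.members.remove(old)
        self.members.add(new)
        self.votes.pop(old, None)

    def keys_to_forge(self):
        # Safety: a false report needs a full quorum of keys behind it.
        return self.quorum

    def keys_to_stall(self):
        # Liveness: enough members must withhold that a quorum is unreachable.
        return len(self.members) - self.quorum + 1


def demo():
    honest = [f"oracle-{i}" for i in range(1, 9)]  # constructed placeholder names
    oracle = QuorumOracle(honest + [COMPROMISED], quorum=5)
    forged = oracle.submit(COMPROMISED, "0xbad")  # lone vote from the leaked key
    results = [oracle.submit(m, "0xgood") for m in honest[:5]]
    oracle.replace_member(COMPROMISED, REPLACEMENT)
    return forged, results, oracle


if __name__ == "__main__":
    forged, results, oracle = demo()
    print(forged, results, oracle.keys_to_forge(), oracle.keys_to_stall())
```

With nine members and a quorum of five, both thresholds are five keys, so a single leaked key is four short of either forging a report or blocking one.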
Simultaneously, Lido suffered delays in oracle reports on May 10 because of unrelated technical issues, such as a small bug in the Prysm client that impacted four other oracles. These delays, which lasted between one and two hours, were quickly resolved and were not related to the compromised key incident.
Security Measures and Ongoing Investigation
In response to the attack, Lido and Chorus One have carried out thorough security audits to verify the integrity of the remaining oracle infrastructure. All the other oracle keys have been confirmed to be secure, and no issues have been encountered with the oracle software or its dependencies. Chorus One is taking extra measures by hosting a new machine that will only be used for oracle operations, thereby segregating it from other workloads to curb any possible threats.
The joint investigation by Lido contributors and Chorus One engineers continues, with the aim of determining the root cause of the key compromise and assessing the overall security posture. A comprehensive post-mortem report will be published upon completion of the investigation, offering transparency and insights into the incident and the steps taken to avoid future incidents.
This incident emphasizes the need for proactive security measures and rapid response systems in DeFi platforms to ensure the trust and safety of stakeholders’ assets.