1. Home
  2. Functions

Functions

Lido assures LDO, stETH tokens remain safe despite flaw in token contract

The “fake deposit” attack enables bad actors to execute a transfer where the requested value is larger than what the user actually owns.

Ethereum staking protocol Lido Finance has assured both Lido DAO (LDO) and staked-Ether (stETH) tokens remain safe despite hackers allegedly exploiting a known security flaw in LDO’s token contract.

Lido didn’t confirm any exploits, but acknowledged the security flaw was known and reassured LDO and stETH funds remain safe in response to a Sept. 10 post by blockchain security firm SlowMist.

SlowMist said LDO’s flawed token contract allows bad actors to facilitate “fake deposit” attacks on exchanges because LDO’s token contract enables users to execute transactions even where they don’t have sufficient funds. This code deviates from the Ethereum Request for Comment 20 (ERC-20) token standard, according to SlowMist.

However, Lido Finance argued the flaw is built into all ERC-20 tokens — not just Lido’s LDO token:

SlowMist said the “fake deposit” attacks came from LDO’s token contract executing transfers where the value is larger than what the user actually owns, triggering a false return as opposed to reverting the transaction. While the firm said Lido's token contract has recently been exploited via this attack, no on-chain evidence was provided.

Cointelegraph reached out to SlowMist for comment but did not receive an immediate response.

Meanwhile, on-chain analyst “Hercules” explained on Sept. 10 that the security flaw may not be picked up by cryptocurrency exchanges.

SlowMist recommends LDO holders to also check the return values of the token contract transfers in addition to the success or failure of a transaction.

The blockchain security firm concluded that token contract implementations and behaviors vary by project and to conduct comprehensive testing before integrating any new tokens.

Related: Ethereum staking services agree to 22% limit of all validators

However, Lido highlighted in the official Ethereum Improvement Proposal document — co-authored by Vitalik Buterin in November 2015 — that both the “transfer” and “transferFrom” functions must return the transfer status and are only recommended to revert a transaction in exceptional cases.

To resolve the security flaw, Lido confirmed the LDO token integration guides will soon be updated.

Magazine: DeFi Dad, Hall of Flame: Ethereum is ‘woefully undervalued’ but growing more powerful

Binance partners with Amazon Web Services to enhance user experience

Paypal USD: Boon for Ethereum but not decentralization, says community

Proponents say PayPal’s PYUSD could see Ethereum become the money layer of the internet, while opponents argue that it’ll act like a poorly designed CBDC.

Paypal’s new Ethereum-based stablecoin, PYUSD has been seen as bittersweet news for the crypto community.

While it could finally see Ethereum find its place in mainstream adoption, it could also spell trouble for decentralization and personal control of assets, warns the community.

The new stablecoin, Paypal USD, was launched on Aug. 7 and is issued by Paxos Trust Co. — the firm behind Binance USD (BUSD). It’s built on Ethereum and “designed for digital payments and Web3,” with the firm saying it will soon be available to United States customers.

The launch has been seen as a boon for Ethereum adoption. Ethereum bulls Anthony Sassano and Ryan Sean Adams believe the ERC-20 stablecoin will push the blockchain closer towards becoming the money layer of the internet.

The number of daily active users on Ethereum currently hovers between 300,000-400,000, according to Etherscan.

However, Sean Adams noted that 430 million accounts actively use the online payment processor, which means that over 5% of the world’s 8 billion people could theoretically be onboarded onto Ethereum through PayPal’s new stablecoin.

Martin Koppelmann, the CEO and co-founder of Gnosis, added that by launching PYUSD on Ethereum’s base layer, Ethereum layer-2s will be able to interact with PYUSD too.

Others, including lawmakers, have seen it as another example of larger institutions embracing crypto, breathing new life into the traditional payments system.

In an Aug. 7 statement, Patrick McHenry, Chair of the United States House Committee on Financial Services said stablecoins like PayPal’s PYUSD “hold promise as a pillar of our 21st century payments system.”

However, not everyone is convinced about PayPal’s new stablecoin.

Several smart contract auditors highlighted that PYUSD’s smart contract contains a 'freezefunds' and 'wipefrozenfunds' function which they claim is a textbook example of a centralization attack vector in Solidity contracts.

This concern was echoed by cryptocurrency researcher Chris Blec, who believes that PayPal will use the controversial functions where necessary.

Digital asset lawyer Sarah Hodder believes many characteristics of PayPal’s stablecoin resemble that of a censorship-enabled central bank digital currency. Another smart contract auditor noted that PYUSD’s smart contract can be changed by PayPal at any time.

In October, PayPal was slammed for a controversial policy that could’ve seen users fined $2,500 for spreading “misinformation.” The firm later backpedalled, claiming the policy update was published “in error.”

Related: PayPal’s crypto holdings increased by 56% in Q1 2023 to nearly $1B

Meanwhile, Blockchain engineer Patrick Collins took a slightly more neutral view, suggesting that PayPal’s PYUSD could have been “epic” but believes some of the engineering choices were suboptimal — such as choosing an outdated version of Solidity to program the contract, making the contract upgradeable and not making it gas efficient.

Sassano also explained in a separate post that while PayPal's stablecoin is centralized, Ethereum users are free to choose whether they wish to use it or not.

PayPal said PYUSD will be rolled out within the next few weeks.

ETH is currently priced at $1,825 which is approximately the same price at the time of PayPal’s announcement about 10 hours ago, according to CoinGecko. Only minor fluctuations have been observed in ETH’s price since then.

Magazine: DeFi Dad, Hall of Flame: Ethereum is ‘woefully undervalued’ but growing more powerful

Binance partners with Amazon Web Services to enhance user experience