Lido Contains Oracle Key Breach After Chorus One Wallet Compromised

Cryptonewsland, 2025/05/12 16:00
By: Austin Mwendia
  • Lido responded fast to a wallet breach linked to an oracle key and kept the protocol secure and fully active.
  • The breach caused a small ETH loss but had no effect on staking or user funds due to system design.
  • Lido started a DAO vote to replace the key and improve security while checking all other oracle systems.

Ethereum staking platform Lido acted quickly after a security breach affected one of its oracle keys. The breach involved a wallet managed by validator operator Chorus One. It resulted in a loss of 1.46 ETH, worth around $3,675.

On May 10, a hot wallet managed by Chorus One that was used to vote in the Lido Oracle was accessed by an unauthorized entity, leading to the transfer of 1.46 ETH. Our team has been working tirelessly, in collaboration with @LidoFinance, to investigate the incident. As a result,… https://t.co/IIAGdBe1pQ pic.twitter.com/ZWpSFJ43VX

— Chorus One (@ChorusOne) May 11, 2025

The incident was discovered on May 10, when a Lido contributor noticed a low-balance alert on the wallet. Further checks confirmed that someone had accessed the wallet without permission. The wallet was used for oracle voting and was not protected under Lido’s stricter security rules.

Immediate Action Taken

Lido and Chorus One worked together to contain the issue. The wallet was created in 2021 and used only to sign oracle reports. It did not hold client assets. Chorus One confirmed that the wallet usually had a low balance. This reduced the impact of the breach.

The Lido protocol stayed safe and fully functional. The design of its oracle system helped: it uses a 5-out-of-9 voting system to approve changes, so a single compromised key could not control the system. Lido checked all other oracle keys and systems and found no further threats.

Lido then started an emergency DAO vote. This vote will replace the affected oracle key. It applies to three contracts: the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle. The vote lasts 72 hours and includes a 48-hour objection period.
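
The quorum reasoning and the key replacement described above can be checked with a small model. This is an added example, not Lido's contract code or anything from the original article: the member names, report payloads and function names are constructed for illustration, and only the 5-of-9 threshold comes from the article.

```python
from collections import Counter
from hashlib import sha256

QUORUM = 5                                       # from the article: 5-out-of-9
MEMBERS = [f"oracle-{i}" for i in range(1, 10)]  # constructed member names

def report_hash(payload):
    return sha256(payload.encode()).hexdigest()

def tally(votes, members, quorum=QUORUM):
    """Return the report hash backed by >= quorum members, else None.
    votes maps signer -> hash, so each key counts once; non-members are ignored."""
    counts = Counter(h for signer, h in votes.items() if signer in members)
    for h, n in counts.most_common(1):
        if n >= quorum:
            return h
    return None

def rotate_member(members, old, new):
    """Model of the key replacement: the old key stops counting, the new one starts."""
    if old not in members or new in members:
        raise ValueError("old key must be a member and new key must not be")
    return [new if m == old else m for m in members]

def scenario(compromised, offline, members=MEMBERS):
    """First `compromised` keys sign a forged report, next `offline` keys are
    silent, the rest sign the honest one. Returns 'honest', 'forged' or 'stalled'."""
    honest = report_hash("frame-100:honest")     # constructed payloads
    forged = report_hash("frame-100:forged")
    votes = {}
    for i, m in enumerate(members):
        if i < compromised:
            votes[m] = forged
        elif i >= compromised + offline:
            votes[m] = honest
    return {honest: "honest", forged: "forged", None: "stalled"}[tally(votes, members)]

if __name__ == "__main__":
    # Safety holds up to QUORUM - 1 bad keys; liveness needs QUORUM honest, online keys.
    for c, o in [(1, 0), (1, 3), (1, 4), (4, 0), (5, 0)]:
        print(f"compromised={c} offline={o} -> {scenario(c, o)}")
```

In this model a single bad key never changes the accepted report, but it does shrink the margin: with one key compromised, only three further members can be unavailable before no report reaches quorum.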

Security Updates in Place

A new key has already been created and it is stored securely under updated security rules. Chorus One said that it now uses better protection for all keys. This includes HashiCorp Vault and role-based access control. These updates meet current standards and lower the risk of future attacks.

On the same day as the breach, Lido faced other oracle delays. Four oracle operators had node-level bugs. These bugs were unrelated to the breach. The problems were fixed quickly. No user funds were affected, and all services stayed active.

Review and Next Steps

Lido has launched a full review of its oracle setup. The team wants to make sure no issues remain. A full report will follow when the review ends. Chorus One stated that this event does not reflect its current security methods. Lido confirmed that the core system stayed safe and user funds were never at risk.
