Original author: @IsdrsP, Lido Validator Node Supervisor
Original compilation: Nicky, Foresight News
On May 10th, the oracle service provider Chorus One disclosed that a hot wallet of Lido’s oracle was hacked, resulting in the theft of 1.46 ETH. However, according to security audits, this isolated incident has limited impact, as the wallet in question was originally designed for lightweight operational purposes.
An oracle being attacked sounds really bad. However, Lido’s architectural design, the value philosophy of stakeholders, and the security-oriented contributor culture mean that the impact of such events is extremely limited—even if the oracle is completely compromised, it will not result in catastrophic consequences.
So, what exactly is unique about Lido?
The oracle of Lido is responsible for transmitting information from the consensus layer to the execution layer and reporting on protocol dynamics. They do not control user funds. A single point of failure in the oracle will only cause minor troubles, and even if the arbitration process (quorum) is compromised, it will not lead to catastrophic consequences.
What malicious behaviors might a single compromised oracle attempt?
A) Submit a malicious report (which will be ignored by honest oracles);
B) Exhaust the ETH balance of that specific oracle address (which is only used for operational transactions and does not hold the funds of stakers).
What exactly is the role of an oracle?
Lido’s oracle is essentially a distributed mechanism consisting of 9 independent participants (requiring 5/9 consensus), mainly responsible for reporting the protocol state, with current core functions including:
• Token inflation rewards distribution (rebase)
• Withdrawal Process Handling
• Validator exits and performance monitoring, for reference by CSM (Community Security Module)
These oracles submit their observed state “reports” to the protocol. These reports are used to calculate the daily accumulated rewards or penalties, update stETH balances, process and ultimately confirm withdrawal requests, calculate validator exit requests, and measure validator performance.
Essentially, the Lido oracle differs from what people typically understand as “multi-signature.” The oracle cannot access the funds of stakers or the protocol, nor can it control any upgrades to the protocol contracts, let alone upgrade itself or manage membership. Instead, the Lido DAO maintains the oracle list through voting.
The functionality of the oracle is extremely limited—it can only perform the following operations: submit reports that strictly adhere to deterministic, audited, and open-source algorithms designed for different protocol objectives; execute transactions in specific cases to implement report results (for example, the daily rebase operation of the protocol).
If 5 out of 9 oracles are compromised, what would be the worst-case scenario? In this case, the compromised oracles may conspire to submit malicious reports, but any report must pass the on-chain enforced protocol validity check.
If the report violates these sanity checks, it will take longer to be “settled” (and may never be), because the values in the report must conform to the allowable range of value changes within a specific time period (a few days or weeks).
In the worst case, this could mean that a stETH rebase (whether positive or negative) takes longer to take effect, which would impact stETH holders, but the effect on most holders is negligible unless someone is using stETH with leverage in DeFi.
There are also other possibilities: if malicious oracles and their accomplices possess certain information or have the ability to impose large penalties at the consensus layer (such as large-scale slashing), they may exploit the delay in the execution-layer stETH update to seek economic benefits. For example, if large-scale slashing occurs, some individuals may sell part of their stETH on decentralized exchanges (DEX) before the negative rebase takes effect. However, this will not affect the withdrawal operations initiated directly by users through Lido, as the protocol’s “emergency mode” (bunker mode) will be activated to ensure that the withdrawal process is executed fairly.
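The 5-of-9 quorum and the on-chain sanity check described above can be modelled in a few lines. This is an added example, not Lido's contract code: the report fields, the oracle names and the 10-basis-point daily bound are assumptions chosen for illustration, and the model simply leaves state unchanged when a report fails the check.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

QUORUM = 5                    # 5-of-9 consensus, as stated in the article
MAX_DAILY_CHANGE_BP = 10      # hypothetical bound, not Lido's real parameter
ORACLES = {f"oracle-{i}" for i in range(1, 10)}   # constructed member list

@dataclass(frozen=True)
class Report:                 # hypothetical, simplified report format
    ref_slot: int
    total_pooled: int         # pool value the oracle claims to have observed

def quorum_report(submissions: dict[str, Report]) -> Report | None:
    """Return the report at least QUORUM listed members agree on, else None."""
    votes = Counter(r for who, r in submissions.items() if who in ORACLES)
    if not votes:
        return None
    report, count = votes.most_common(1)[0]
    return report if count >= QUORUM else None

def sanity_check(prev_total: int, report: Report, days: int = 1) -> bool:
    """Accept only changes inside the allowed range for the elapsed period."""
    limit = prev_total * MAX_DAILY_CHANGE_BP * days // 10_000
    return abs(report.total_pooled - prev_total) <= limit

def process(prev_total: int, submissions: dict[str, Report]) -> tuple[str, int]:
    """Apply one reporting round; state changes only if both gates pass."""
    report = quorum_report(submissions)
    if report is None:
        return "no-quorum", prev_total
    if not sanity_check(prev_total, report):
        return "rejected-by-sanity-check", prev_total
    return "settled", report.total_pooled

def round_with(compromised: int, prev_total: int = 1_000_000) -> tuple[str, int]:
    """Constructed round: `compromised` members report a doubled pool value."""
    honest = Report(ref_slot=100, total_pooled=prev_total + 500)
    forged = Report(ref_slot=100, total_pooled=prev_total * 2)
    names = sorted(ORACLES)
    subs = {n: (forged if i < compromised else honest)
            for i, n in enumerate(names)}
    return process(prev_total, subs)

if __name__ == "__main__":
    for k in (1, 4, 5, 9):
        print(k, "compromised ->", round_with(k))
```

With one or four compromised members the honest report still settles; with five or more the forged report reaches quorum but is stopped by the range check.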
From start to finish, all participants in the Lido ecosystem—whether contributors, node operators, or oracle operators—have always prioritized transparency and goodwill, ensuring the rights of stakers and the healthy development of the entire ecosystem. Whether it is actively publishing detailed post-mortem reports, compensating for staking losses caused by infrastructure downtime, proactively exiting validators as a precaution, or quickly releasing comprehensive incident reports, these participants have always regarded transparency as a top priority.
Lido is always at the forefront of technology research and development, dedicating itself to enhancing the security and trustlessness of oracle mechanisms using Zero-Knowledge Proof (ZK) technology. As early as the initial stages, the team invested over $200,000 in special funds to support trustless verification of consensus layer data through Zero-Knowledge Proof technology.
These explorations into technology ultimately led to the official launch of the “Double Check” mechanism of the SP1 zero-knowledge oracle developed by the SuccinctLabs team within the year. This mechanism provides an additional layer of security verification for potential negative rebase operations through verifiable consensus layer data.
Currently, this type of zero-knowledge technology is still in the development stage. The related zero-knowledge virtual machines (zkVM) need to undergo practical testing and also have limitations such as slower computation speed and higher computational costs, making them unable to completely replace trusted oracles. However, in the long run, these solutions are expected to become a trust-minimized alternative to existing oracles.
Oracle technology is highly complex, and its application scenarios in the DeFi space vary widely. In the Lido protocol, oracles are carefully designed as core components, significantly reducing the potential risk impact through an effective decentralized architecture, a separation of duties mechanism, and a multi-layer verification system.