Figment - Misdirected Execution Layer Rewards - Incident Report

Root Cause

On November 6, 2024, around 11 PM UTC, a code change was made by a Figment developer, which led to a misconfiguration, causing execution layer rewards for some validators run by Figment using the Lido Protocol to be misdirected.

As a result, execution rewards (but not consensus rewards) were impacted for a brief period.

Impact

  • The bug was identified on November 6th and fixed within about 9 hours.
  • Only execution rewards were impacted; consensus rewards were not affected.
  • The issue persisted from approximately 11 PM UTC on November 6 to 8:30 AM UTC on November 7, 2024.

Impact on Lido

  • Approximately 1.152 ETH was misdirected for about 9 hours and has since been redirected (here) to the Lido Execution Layer rewards vault.

Our Response

We quickly identified and fixed the bug, restoring all validators to their correct configurations. We’ve also implemented measures to prevent similar issues in the future.

  • The bug has been fixed, and no further rewards will be misdirected.

Remediation and Prevention

Figment has acknowledged the impact of this incident and is implementing additional safeguards to prevent similar events in the future.

  • Enhanced QA code reviews and automated testnet deployments for sensitive code changes
  • Time-based role escalation with permission security requests for sensitive code changes
  • Additional detection and alerting systems from existing and new log sources

Next Steps

We will continue to monitor the system and prevent similar issues in the future.

2 Likes

Hey Ben. Thanks for reporting the infrastructure misconfiguration and a recap of the root cause and timeline.

I can confirm that the amount matches up with the blocks that were identified by NOM contributor monitoring as having an incorrectly assigned fee recipient.

1 Like