Governance asset recovery proposal

TL;DR

A major LDO wallet was compromised via unauthorized access to a seed phrase. The Lido Protocol and Lido Treasury are unaffected and all user funds are safe. Following a temporary restriction on the movement of compromised funds, contributors propose an asset recovery path.

This proposal focuses on asset recovery using a highly conservative approach, designed to minimize governance risk and preserve the integrity of Lido DAO decision-making.

Incident Context

Over the past week Lido contributors received confirmed reports from a major LDO holder that their holdings had been compromised by a malicious actor via unauthorized access to a seed phrase. The Lido Protocol is unaffected. All user funds are safe, and at no time did this present a threat to the protocol.

After confirming the report and the identities of the victims, and in conjunction with leading on-chain security groups, a governance action was initiated to temporarily restrict the movement of the compromised funds (vote 196). This measure was taken to allow sufficient time to assess recovery options and prevent further loss. An official investigation is ongoing. The response has been extremely successful, with only ~0.1% of funds lost.

The current state of things is:

  • assets are currently sitting in the perpetrator-controlled wallet;
  • transfers are temporarily restricted (one year); after that they are vested for a year more;
  • the situation is stable for now but is not resolved.

The next phase of response is asset recovery. Lido contributors propose a recovery path that will revoke vesting of the compromised funds and re-assign them to new accounts under a new, long vesting cliff delay.

Out of an abundance of caution, contributors propose to put a year-long lock on the moved funds after a vote following the vesting revocation from the compromised address. While contributors have verified the victim’s identity, the nature of the incident, and their rightful ownership of the LDO tokens, and are convinced the request to re-assign the tokens is entirely appropriate, the extended lock provides an additional layer of governance by facilitating challenge from any interested party during that period.

The recovery involves a DAO Governance on-chain motion that proposes to:

  • revoke vesting for all compromised LDO tokens back to Aragon Token Manager;
  • reassign vesting of an equivalent amount of LDO to 10 newly provided addresses, controlled by the affected party, with allocations split and subject to the following vesting parameters:
    • cliff duration — 1 year
    • total vesting duration — 1 year (once the cliff passes, all funds unlock);
  • revoke previously granted roles associated with the LDORevesting contract.

Note: The split into multiple addresses is requested by the affected party to implement a more robust cold-storage/multisig architecture for the recovered funds.

Contributors are grateful for the cooperation of the wider Lido community. Further, thanks to protocol security features, including Dual Governance and the Voting Objection period, the Lido protocol remains protected from governance attacks throughout this process.

4 Likes
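As an added illustration, not part of the original post and not Lido's or Aragon's own code, the following Python model reproduces the vesting arithmetic behind the motion above: revoking a vesting returns the still-locked portion to the Token Manager, and re-assigning it with a cliff equal to the total vesting duration makes the new grant all-or-nothing (nothing transferable before the cliff, everything after). The locked-amount formula is modeled on the Aragon Token Manager's non-vested calculation (integer arithmetic, as on-chain); the sample holder balance, addresses, and the "restricted for a year, then vested for a year more" schedule from the post are constructed inputs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple

YEAR = 365 * 24 * 60 * 60  # seconds; assumption: a "year" is 365 days


@dataclass(frozen=True)
class Vesting:
    """One vesting entry, Aragon Token Manager style (all times are unix seconds)."""
    amount: int
    start: int
    cliff: int      # nothing is transferable before this timestamp
    vested: int     # everything is transferable from this timestamp
    revokable: bool = True

    def __post_init__(self) -> None:
        # Same sanity rules the Token Manager enforces when a vesting is assigned.
        if not (self.start <= self.cliff <= self.vested):
            raise ValueError("need start <= cliff <= vested")


def non_vested(v: Vesting, now: int) -> int:
    """Tokens of this vesting still locked at `now` (modeled on Aragon's
    _calculateNonVestedTokens; linear between cliff and vested end)."""
    if now >= v.vested:
        return 0
    if now < v.cliff:
        return v.amount
    vested_tokens = v.amount * (now - v.start) // (v.vested - v.start)
    return v.amount - vested_tokens


def transferable(balance: int, vestings: List[Vesting], now: int) -> int:
    """Balance minus everything still locked across all vestings."""
    locked = sum(non_vested(v, now) for v in vestings)
    return max(balance - locked, 0)


def revoke_all(balance: int, vestings: List[Vesting], now: int) -> Tuple[int, List[Vesting], int]:
    """Revoke every revokable vesting of a holder. The locked portion goes back
    to the Token Manager; tokens already vested stay with the holder.
    Returns (new holder balance, remaining vestings, amount returned)."""
    returned = 0
    remaining: List[Vesting] = []
    for v in vestings:
        if v.revokable:
            returned += non_vested(v, now)
        else:
            remaining.append(v)
    return balance - returned, remaining, returned


def reassign(amount: int, recipients: List[str], now: int,
             cliff_secs: int = YEAR, vested_secs: int = YEAR) -> Dict[str, Vesting]:
    """Split `amount` evenly across `recipients` as fresh vestings starting now.
    With cliff_secs == vested_secs the grant is all-or-nothing at the cliff.
    Any rounding remainder goes to the last recipient so no token is lost."""
    if not recipients:
        raise ValueError("no recipients")
    per = amount // len(recipients)
    grants: Dict[str, Vesting] = {}
    for i, addr in enumerate(recipients):
        share = per + (amount - per * len(recipients) if i == len(recipients) - 1 else 0)
        grants[addr] = Vesting(share, now, now + cliff_secs, now + vested_secs)
    return grants


def recovery_scenario() -> Dict[str, int]:
    """Constructed scenario: a compromised wallet holding 1,000,000 tokens under a
    'restricted one year, then vested one year more' schedule, revoked at t=0 and
    re-assigned to 10 constructed addresses with a 1-year cliff == 1-year vesting."""
    now = 0
    compromised = Vesting(1_000_000, start=now, cliff=now + YEAR, vested=now + 2 * YEAR)
    balance, _left, returned = revoke_all(1_000_000, [compromised], now)
    new_addrs = [f"0xrecipient{i:02d}" for i in range(10)]  # constructed placeholders
    grants = reassign(returned, new_addrs, now)
    first = grants[new_addrs[0]]
    return {
        "attacker_balance_after_revoke": balance,
        "returned_to_token_manager": returned,
        "per_recipient": first.amount,
        "transferable_day_before_cliff": transferable(first.amount, [first], now + YEAR - 1),
        "transferable_at_cliff": transferable(first.amount, [first], now + YEAR),
    }
```

Under the original schedule the lock decays linearly after the first year (at 1.5 years, 250,000 of the 1,000,000 would still be locked); under the re-assigned schedule `transferable_day_before_cliff` is 0 and `transferable_at_cliff` is the full share, which is the "cliff passed unlocks all funds" behaviour the motion describes.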

An on-chain vote (#197) to recover the compromised funds has been launched. The main phase of the voting will remain open until Dec 30, 14:09 UTC.

3 Likes