Immunefi bounty: Intercom setup issue

We’ve received a new vulnerability disclosure under the Lido Immunefi bug bounty program. Due to the insecure default Intercom setup on the help.lido.fi website, it was possible to read & write the chat with any user without authorization. The vulnerability is mitigated already. To the best of our knowledge the issue had no real impact — the comms team uses help.lido.fi as a support materials / FAQ store, and user communication is happening through other channels (Telegram, Discord & Twitter mostly).

The vulnerability is of high severity in Immunefi terms, with a bounty of $7500. It’s a Boulder in LEGO’s terms, so the council held a vote approving the payout.
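The post does not say which Intercom setting was at fault, so the following is an added illustration and not Lido's own code or a description of their fix. The defensive control Intercom provides against a visitor impersonating another user in the messenger is Identity Verification: the server computes an HMAC-SHA256 of the user identifier with a per-workspace secret and sends it as `user_hash` alongside `user_id`, and Intercom rejects messenger sessions whose hash does not match. The example below shows a server-side helper that produces the messenger settings with that hash, a constant-time verifier of the kind the receiving side performs, and a check that flags settings which identify a user without a hash. The secret and user identifiers are constructed placeholders.

```python
import hmac
import hashlib

# Constructed placeholder: the real value is the Identity Verification secret
# from the Intercom workspace settings and must live in server-side config.
IDENTITY_VERIFICATION_SECRET = "replace-with-intercom-identity-verification-secret"


def intercom_user_hash(user_id: str, secret: str = IDENTITY_VERIFICATION_SECRET) -> str:
    """Hex-encoded HMAC-SHA256 of the user identifier, the value Intercom expects in `user_hash`."""
    return hmac.new(secret.encode("utf-8"), user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def messenger_settings(user_id: str, email: str, secret: str = IDENTITY_VERIFICATION_SECRET) -> dict:
    """Build the settings object the server embeds in the page for the messenger widget.

    Because the hash is derived from the secret that only the server holds, a visitor
    cannot forge settings for a different user_id and read that user's conversations.
    """
    return {
        "user_id": user_id,
        "email": email,
        "user_hash": intercom_user_hash(user_id, secret),
    }


def verify_user_hash(user_id: str, presented_hash: str, secret: str = IDENTITY_VERIFICATION_SECRET) -> bool:
    """Recompute the hash and compare in constant time, as the receiving side would."""
    return hmac.compare_digest(intercom_user_hash(user_id, secret), presented_hash)


def identifies_user_without_hash(settings: dict) -> bool:
    """Return True for settings that name a user (user_id or email) but carry no user_hash.

    That shape is what lets any visitor claim an arbitrary identity; a deployment check
    can run this over the settings the server emits before shipping the page.
    """
    names_user = bool(settings.get("user_id") or settings.get("email"))
    return names_user and not settings.get("user_hash")


if __name__ == "__main__":
    # Constructed sample user; a real deployment takes these from the authenticated session.
    safe = messenger_settings("user-123", "user123@example.invalid")
    unsafe = {"user_id": "user-123", "email": "user123@example.invalid"}
    print("hash:", safe["user_hash"])
    print("safe settings flagged:", identifies_user_without_hash(safe))
    print("unsafe settings flagged:", identifies_user_without_hash(unsafe))
    # A hash computed for one user does not validate for another.
    print("cross-user hash accepted:", verify_user_hash("user-456", safe["user_hash"]))
```

The hash must be computed on the server from the identity of the authenticated session; if the identifier is taken from client-supplied input, the control is bypassed regardless of how the hash is computed.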
