Lido on Ethereum Node Operator (InfStones) Platform Vulnerability Investigation - November 22, 2023

Izzy · November 22, 2023, 7:50pm

Thank you for the details of the investigation, the impact analysis, and the summary of the actions taken especially the important initiative of setting up a bug bounty and commencing an external audit to assess the effectiveness of your IT security processes & controls.

Based on the understanding of a group of DAO contributors after discussions with InfStones and the researchers (dWallet labs), my personal opinion is that:
note, this is not a DAO edict as the DAO has not had time to consider and vote on the below, but is what I and fellow contributors I’ve spoken to would suggest

In line with the DAO’s mission, although there is currently no indication that any keys have been compromised, from a preponderance of caution and safety that all current (10,001) InfStones validators should be exited;
Following such an “out of order exit” process, the ETH from these validators will flow back into the Lido protocol via the Withdrawal Vault and be re-allocated to validator keys in the buffer based on the on-chain distribution mechanism (there are currently a sufficient number of keys in the buffer to absorb this cycling);
Exits can be processed in such a way as to not necessarily clog the exit queue, but hastily nonetheless.

Currently, InfStones would not be eligible to receive any of this “cycled” ETH as they do not have “depositable keys” in the registry, as a result of resetting their limit earlier. The only way for them to get depositable keys would be to request to increase their limit via easy track (would take three days and be subject to possible objection by LDO holders) or for a full DAO vote that would increase their limit.

We suggest that a DAO discussion should follow regarding next steps:

are there any additional details or information required by the community to fully understand and assess the situation?
do we feel that the NO has sufficiently remediate the issues in the systems / processes, and is the DAO satisfied with the NO’s response?
should the Node Operator remain in the set? if so,
should the node operator submit new keys, and when should the node operator be allowed to increase their limit?

Topic		Replies	Views
CryptoManufaktur 2022-12-21 Ethereum validators outage Node Operators	4	4428	December 29, 2022
Lido on Ethereum Node Operator (Numic) Security Incident Disclosure - May 21, 2024 Node Operators	7	2310	July 9, 2024
Slashing Incident involving RockLogic GmbH Validators - April 13, 2023 Node Operators	37	12338	August 10, 2023
RockLogic Monthly Notes - 02/2024 Node Operators	1	857	February 7, 2024
RockLogic Monthly Notes - 05/2024 Node Operators	0	416	May 15, 2024

Lido on Ethereum Node Operator (InfStones) Platform Vulnerability Investigation - November 22, 2023

Related topics