Lido on Ethereum Node Operator (Numic) Security Incident Disclosure - May 21, 2024

Public Incident Disclosure by Numic

This post addresses a potential vulnerability identified and resolved in May 2024. The vulnerability arose when a developer computer at Numic was infected with malware.
Node operation was not affected.

Timeline

  • 11th of May 2024: Due to malware from a compromised freeware download, most files on the affected computer must have been indexed on this day. There was no targeted attack.
  • 12th of May 2024: The infection was discovered when a suspicious login attempt to an online account was prevented by 2FA. The machine using this account was immediately disconnected and its drive removed. All online passwords were then changed and an investigation started.
  • 14th of May 2024: Upon further investigation of the infected drive, in particular the “NTFS Last Access Time Stamp”, we found indications that the malware had indexed or scanned most of the text, image and archive files.
    All these files were last accessed within a 2-minute time window on 11th of May. In the encrypted backup, which was mounted at the time of the incident, files showed the same pattern. This indicates they had been indexed by the malware.
    As this encrypted backup contains cryptographic material related to Numic's usage of the Lido protocol, we informed Lido DAO contributors in the NOM workstream after the discovery.

Impact Assessment

  • We couldn’t be sure what exactly the indexing meant and if the attacker could have downloaded any files or might even be able to break their encryption. Consequently, together with advice from Lido DAO contributors, we decided to start rotating all validators.
  • Meanwhile, node operations continued normally as the validator nodes are separate systems. And as all Lido-related withdrawals are sent to the withdrawal vault, none of the ETH staked with Lido could have been withdrawn by potential attackers.

Remediation

  • A disclosure of this potential vulnerability was not made immediately for security reasons. Instead, a process of validator rotation was started by preventing new deposits to Numic and by broadcasting exit messages beginning on 14th of May over the course of 3 days.
  • A reassessment of our security and backup processes is ongoing. We are in contact with a company specialising in information security according to ISO 27001 to assist us in this process.
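The 14th of May finding above rests on one forensic observation: nearly every text, image and archive file on the drive (and on the mounted backup) carried a last-access timestamp inside the same 2-minute window, which is the signature of an automated sweep rather than a person opening files. The script below is an added example, not Numic's tooling and not part of the original disclosure; it shows how a responder can turn that observation into a repeatable check by collecting access times from a mounted image and finding the densest access window. The sample entries, the 120-second window and the 80% threshold are constructed assumptions for illustration.

```python
"""Detect mass file-access sweeps from last-access (atime) timestamps.

Added example for triaging a suspected malware indexing sweep, as in the
Numic disclosure. Point collect_atimes() at a mounted, read-only copy of
the drive; the functions below then locate the densest access window.
"""
import os
from datetime import datetime, timezone


def collect_atimes(root):
    """Walk a mounted image and return (path, atime_seconds) pairs.

    Mount the evidence read-only (and with noatime) before calling this,
    otherwise the walk itself will refresh the timestamps being examined.
    """
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry; skip rather than abort the sweep
            entries.append((path, st.st_atime))
    return entries


def busiest_window(entries, window_seconds=120):
    """Return (start, end, count) for the window holding the most accesses.

    Sliding window over the sorted access times: for each candidate start
    time, count how many accesses fall within start + window_seconds.
    """
    times = sorted(atime for _path, atime in entries)
    best = (None, None, 0)
    j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] <= start + window_seconds:
            j += 1
        count = j - i
        if count > best[2]:
            best = (start, times[j - 1], count)
    return best


def mass_access_indicator(entries, window_seconds=120, threshold=0.8):
    """Flag the file set if most files were touched inside one short window.

    threshold is the fraction of all files that must fall inside the densest
    window for the result to be marked suspicious (assumed value: 0.8).
    """
    start, end, count = busiest_window(entries, window_seconds)
    fraction = count / len(entries) if entries else 0.0
    return {
        "start": start,
        "end": end,
        "count": count,
        "total": len(entries),
        "fraction": fraction,
        "suspicious": fraction >= threshold,
    }


def describe(result):
    """Human-readable one-line summary of mass_access_indicator() output."""
    if result["start"] is None:
        return "no files examined"
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return (f"{result['count']}/{result['total']} files "
            f"({result['fraction']:.1%}) accessed between {fmt(result['start'])} "
            f"and {fmt(result['end'])}; suspicious={result['suspicious']}")


# Constructed sample data (not from the incident): 50 document files touched
# two seconds apart on 11 May 2024, one encrypted backup archive touched in
# the same burst, plus two files with ordinary, unrelated access times.
BASE = datetime(2024, 5, 11, 10, 0, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_ENTRIES = [(f"docs/file{i}.txt", BASE + 2 * i) for i in range(50)]
SAMPLE_ENTRIES += [
    ("backup/keys.tar.enc", BASE + 30),
    ("ide/config.json", BASE - 3 * 86400),
    ("notes/todo.md", BASE + 7200),
]

if __name__ == "__main__":
    import sys
    data = collect_atimes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    print(describe(mass_access_indicator(data)))
```

Two caveats when applying this to real evidence: last-access updates are often disabled or lazily maintained by the operating system (NTFS has a registry setting that turns them off, and Linux defaults to relatime), so a lack of clustering proves nothing, and any mount that is not read-only will overwrite the very timestamps under examination. The check is a corroborating signal, as it was in the timeline above, not a substitute for the full investigation.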