Request for Assistance in Recovering the Treasury of The Idols NFT

TLDR / Summary: The Idols NFT community is seeking the support of the Lido DAO to help recover locked stETH from the project’s treasury, which has recently been exploited. The Idols has ~2704.95 stETH that is locked on chain. As part of this proposal, a bounty of 20% of the recovered stETH (~540 stETH) will be split amongst all LDO holders who vote YES.

What is The Idols NFT?: The Idols NFT launched in March 2022 as a first of its kind project with the intention of locking away stETH on-chain, securing the Ethereum network forever. At the time, NFT projects were flooding the market, many of which were rug pulls, with founders profiting from mints and trading royalties before abandoning the project. The founders of The Idols wanted to create an NFT project which had immutable, verifiable value on-chain. This intention led to the idea of locking up LIDO’s stETH token on chain and distributing stETH rewards to NFT holders forever. Unlike other NFT projects of the time, the founders of The Idols took 0% of proceeds from the mint funds (100% was locked into the on-chain treasury). The Idols also distributed 100% of secondary sales royalties to the project’s ERC20 token holders. All of these decisions were made with the intention of creating the most community-aligned NFT project to date. Links are not allowed in this proposal but please look at @TheIdolsNFT on X and look at our docs and medium to learn more.

Problem Overview: On Tuesday January 15, 2025, The Idols NFT was exploited by 0xe546480138d50bb841b204691c39cc514858d101. That attacker was able to drain ~97 stETH from our treasury (100% of the unclaimed accrued interest). Any future stETH rewards will be inaccessible under normal conditions, as the contract is being continually exploited daily by attackers on each rebase (for example, 0x7885a44d861851bdb4f3d6b246301c0bb702ac6da8470cc8d2af2909c619feea). This means that in the project’s current state, community members will effectively never again be able to claim their accrued stETH rewards.

In summary our proposal can be distilled down as follows:

Vote YES: Help The Idols NFT recover ~2704.95 stETH locked in its treasury. A bounty of 20% of any recovered stETH will be split proportionally among LDO holders who voted for this option.

Vote NO: The principal stETH in the Idols NFT treasury will continue to be immutably locked on-chain forever, and the associated staking rewards will be exploited by attackers indefinitely unless Lido decides to assist at a future time.

7 Likes

Disclaimer: I hold LDO, stETH and Idols NFTs

I am in favour of recovering the stETH locked in the contract, at the very least to remove the exploiter’s revenue on every rebase, but also to distribute the remaining stETH (after the 20% bounty) pro rata to Idols holders.

I would suggest that perhaps the 20% bounty could be used in other ways. I think incentivising voting is always beneficial but there could be more value in the DAO delegating it to committees which align closely with not only the Lido vision, but also with Ethereum more generally and the Idols NFT original mission.

At current prices the ~540 stETH could give years of runway to committees such as the CLI, benefitting everyone.

Either way I would vote YES on this proposal.

6 Likes

Hello,

Here Disiaque. I’m deeply involved in the Ethereum community (Ethereum France, DeFi France) and have been engaged in several DeFi DAOs (ParaSwap, Mangrove). I would like to highlight some key points.

First, DefiArte has perfectly explained that IdolsDAO is 100% Ethereum-aligned. As a precursor of the NFTFi movement, the project has gathered 2,700 stETH in a supposedly immutable smart contract.

The hack we encountered is problematic as it has left many victims. After contacting some white hat groups, the former core team tried to reach Lido Governance with this proposal.

I think the main idea is to create a special task force between Lido’s core team and TheIdols to draft a rescue plan for the 2,700 stETH.

To accomplish this, the proposal must be addressed differently:

  1. The proposal of the 20% bounty is rushed and attempts to consider the end before the beginning of the solution. Before addressing the bounty, the Special Task Force needs to address all technical aspects of what can be done or not. The idea should be that IdolsDAO is committed to allocating a significant bounty for LidoDAO treasury. The idea of bribes seems irrelevant to me at this point.

  2. On my side, I would like to highlight a few aspects:

a. Economic: The amount of stETH currently frozen is significant and could be interesting for LidoDAO to rescue.

b. Ethic: As the situation stands, the hacker will continue to gain rewards if LidoDAO and IdolsDAO remain inactive. This situation is unacceptable.

c. Philosophical: Behind this lies the question of trust between communities and the supposed immutability of smart contracts. If LidoDAO wants to move forward, this will be an important precedent for the entire industry.

These are interesting topics, and there are victims out there.
Let’s find a way out!

3 Likes

Consistent with the way we vote on other similar proposals, as much as we regret the loss, we will nonetheless vote to reject this motion.

We encourage the DAO to finally ratify a social contract framework for how to deal with such proposals in the future, or whether to dismiss them out of hand. Absent such a framework, we can only expect proposals such as this to continue and to increase in their elaborateness.

3 Likes

Introduction

Recovering funds is a sensitive issue that must be addressed with prudence. It is apparent that Idol wants to recover the stETH because all individuals holding Idol’s NFT have been negatively affected. We’re sorry that Idol’s community has been put into this challenging situation.

General Thoughts

Acknowledging that Idol’s community is in distress is important, but so too is comprehending the position Lido DAO is forced into. Whatever the ruling of Lido DAO – yes or no – either will set a future precedent for counterparties experiencing the same affliction.

In theory, to protect Lido DAO from forming future commitments or responsibility to protocols, applications, or software that use Lido protocol’s stETH or wstETH, it should not directly involve itself in the restoration of lost, stolen, or mismanaged funds.

Hypothetical Supporting Evidence

Hypothetically, if Lido DAO does pass this proposal:

  • Lido DAO may implicitly admit it is directly involved in or responsible for any transactions on external platforms using stETH or wstETH – indicating a duty of care.
  • Lido DAO possibly exposes itself to negligence suits, claiming it is liable for external platform actions using stETH or wstETH.
  • Lido DAO may uphold a community in need but possibly implicate itself as responsible for restoration.

Speculatively, if Lido DAO does not pass this proposal:

  • Lido DAO may not be responsible for monitoring or policing external users or parties it is not directly involved with.
  • Lido DAO possibly acknowledges decades of case law in Europe and the Americas that state “Interactive Computer Services” are not liable for external users’ or parties’ actions.
  • Lido DAO may affirm that Idol is in need but it is not responsible for restoration.

5 Likes

it’s unfortunate wat happened to dee Idols NFT community. but me here agrees with dee brothas at BLOCKWORKS. by assisting in recovering dee treasury it might inadvertently commit to future responsibilities or possibly liabilities related to protocols & applications, or software that utilize stETH or wstETH. me heart goes out to ya. but unfortunately other projects and communities using Lido’s tokens might expect similar support. this will lead to an ongoing obligation that could strain resources me brotha.

hope ya understand.
respekt

1 Like

Disclaimer: I hold a large number of Idol NFTs

Appreciate the respectful discourse so far. I’d like to raise a few reasons I think this is a more unique situation than most hacks involving stETH in use by 3rd parties to Lido DAO, and should have a different decision around the precedent being set.

1. This is not a request to help recover stolen funds.
This is a request to provide an upgrade to prevent the future stealing of staking rewards. The hack is ongoing, and Lido DAO is the only entity with the ability to prevent the ongoing theft by allowing for the recovery of staked funds that are otherwise inaccessible without the upgrade. It is the staking rewards on every rebase that are consistently being stolen, and the staking rewards once stolen are presumed lost with no ask of Lido DAO in relation to those staking rewards.

2. There is no request for arbitration.
Since there is no ask to return stolen staking rewards, we are not asking the DAO to arbitrate between third parties. We are only asking for help in upgrading functionality to access funds that are currently locked, but that the Idols DAO owns.

3. Helping return staked funds could feasibly reduce reputational and regulatory risk for Lido DAO.
Since the hack is ongoing and Lido DAO is the only entity capable of preventing the ongoing theft, there may be some duty to mitigate the ongoing exploit. Even if not caused directly by something contained in Lido code or contracts, the ongoing hack is continuing to happen due in part to a lack of functionality by Lido to return the staked funds. By implementing a solution to allow more robust access to user-owned funds, the ongoing hack could be ended and Lido DAO would have functionality to prevent similar exploits that could arise out of smart contracts built on Lido’s foundations in the future. This could set precedent as a good faith effort to address known vulnerabilities of contracts built on top of Lido’s foundations and incentivize other institutions to build on top of Lido products knowing they will have support of the DAO.

Beyond the self-interest and reducing regulatory risk, there is hopefully the urge to help those of us impacted and feeling the pain from this exploit. I believe the practical and moral considerations align here and ask those who agree to vote yes on the proposal, or propose tweaks to the specifics in helping to achieve the goal of ending the ongoing hack. Thank you.

5 Likes

This is quite the predicament.

The injustice of it makes me mad. Because of the design of the Idols, what was meant to be a feature becomes its downfall. It triggers me more than a one-off, run-away-with-the-money hack because of the insult of seeing the constant drip - it’s hackable in perpetuity!

Nevertheless, no Lido contracts were hacked. In fact, it is because Lido works as intended that projects choose it to build on top of it.

What can be done?

  • Idols can use the same hack to drain the treasury in the same way. I’m no expert but block builders might help.
  • Pursue legal action
3 Likes

disclosure: I hold material amounts of Idols, LDO, and stETH.

I’d like to support Mirage88’s post. This is a good opportunity to show that LDO can solve complex problems. This situation is unique because we have an ongoing hack and are only asking that the funds be unstaked and returned to the stakers. If LDO holders prefer, we could propose a 25% gift (bounty is maybe the wrong word here) to the LDO DAO, as opposed to YES voters. As this is a unique situation of simply unstaking, it may not become a precedent for recovering ‘lost’ funds in the future. Lido is too big to simply bury its head in the sand going forward, but I understand the technical challenges and risks involved. In this case, Lido is not using any of its own funds and is actually making a significant sum. I will continue to support Lido, either way. Thank you.

Hi! I’d like to shed some light on the process. I see two major blockers preventing progress to the next stage:

  1. Lack of consensus on the forum. Given that Lido is a DAO, consensus is not always a strict requirement, as different token holders naturally have different opinions. However, there’s an important caveat—without consensus, there’s a high risk of failing to reach quorum during the vote. Right now, even proposals with prior token holder support only barely meet the quorum threshold.
  2. The second blocker is more critical.
    The protocol itself cannot mint stETH, right?
    Since the final implementation of this proposal requires a protocol upgrade, moving forward without at least an ADR, a detailed specification (LIP), and a thorough discussion and review of the implementation’s feasibility and budgeting makes little sense. Without clarity on who will implement the upgrade and under what budget, any Snapshot vote would be premature, as these aspects are essential to making an informed decision.

Essentially, without addressing these issues, advancing this proposal doesn’t seem viable.

3 Likes