[Security Disclosure] DG weakness reported through Immunefi (funds not at risk)

TL;DR

A Dual Governance weakness was reported through Immunefi. The issue was not exploited; existing “training-wheels” safeguards and the DG Emergency Committee allow for effective mitigation, and user funds remain safe. Users do not need to do anything, and the vulnerability is expected to be fixed in the scheduled onchain voting slot for August.

Introduction

A potential griefing vulnerability was reported on July 13th affecting the current implementation of the Dual Governance RageQuit mechanism, which if exploited could delay ETH withdrawals triggered via RageQuit state (this state activates when >10% of stETH total supply vetoes the ongoing proposal, and is thus very unlikely to occur). The issue was not exploited; existing “training-wheels” safeguards and the DG Emergency Committee allow for effective mitigation, and user funds remain safe.

Users do not need to do anything, and the vulnerability is expected to be fixed in the scheduled onchain voting slot for August.

The vulnerability was reported via Lido’s Immunefi bug bounty program by an anonymous whitehat.

Potential impact and current risk status

At discovery, the vulnerability carried a high potential impact: if triggered, it could significantly delay the withdrawal of all ETH queued in an active RageQuit round.

The likelihood of exploitation is assessed as low, as it would require Dual Governance to enter a RageQuit state (requiring >10% of stETH total supply in the opposition escrow contract).

The shortest mitigation path is enabled by existing and active “training-wheels”: triggering of the bug can be prevented through the Emergency Committee, thus user funds are not at risk.

Mitigations

The full fix for the issue involves releasing updated smart contracts and updating settings in the EmergencyProtectedTimelock contract.

Until the upgrade with the fix is executed, the Emergency Committee is on standby to preventively switch on Emergency Mode in the unlikely event that 1% (“veto signalling threshold”, far before 10% required for Rage Quit) of total stETH supply is locked in veto signalling escrow. If Emergency Mode is activated, then the committee can disable Dual Governance at any moment. Further, only the Emergency Committee will be able to enact approved (by tokenholders) Dual Governance proposals, which means that executing any action under the Dual Governance scope will require coordination between the DAO and the Emergency Committee. Should Emergency Mode be activated, its set duration is 30 days, within which either the fixed version of the contracts will be proposed to the DAO, or a vote to prolong Emergency Mode will be started (in the event that a fix can’t be prepared within a 30-day time window.)

Vulnerability details

The crucial part of Dual Governance is the escrow smart contract. It stores the tokens opposing LDO governance, as well as processes withdrawal requests if RageQuit is triggered (the latter requires at least 10% of total stETH supply to be locked in escrow). There’s a service method Escrow.startRageQuitExtensionPeriod(), which allows for RageQuit to be extended, once all stETH is withdrawn from the Lido on Ethereum protocol, but before ETH is claimed from escrow. By design, this method should be triggerable only once, but a disclosure received through the Immunefi bug bounty program shows the “only once” check didn’t function correctly. This ultimately allows for permissionlessly prolonging of RageQuit, blocking both protocol governance from working and users claiming their ETH from escrow; however existing protocol mechanisms exist that would prevent such a deadlock state from being reached.
For the bug to be exploitable in the first place, Rage Quit state must be entered. Even in this case, the issue is mitigatable through a protocol upgrade, with the Tiebreaker committee’s action.

Next steps

To fix the issue fully, contributors are working on a patched version of the Dual Governance smart contracts and a deployment plan. Once ready, necessary deployment preparations will take place: testnet rehearsal, auditing the fix and verifying mainnet deployment. This will culminate in a DAO vote proposing the enactment of the fix. Among the preparation measures, contributors are considering a special bug bounty focused on the updated Dual Governance smart contracts deployed to testnet. Please look out for announcements.

The process is expected to take approximately two months, mostly so that the fix can be thoroughly tested. More details will be shared in the full postmortem once the issue is fully mitigated.

Sincere thanks to Immunefi and the whitehat who reported this vulnerability (as a separate note, the report’s high quality and immediate clarity also positively influenced the grant amount). This contribution strengthens Lido protocol’s security and advances its mission to make staking simple, secure, and decentralised.

17 Likes

We welcome the proposed fix and acknowledge the responsible approach taken in addressing this issue. The transparent disclosure, combined with the clear roadmap for remediation, is aligned with best practices for decentralised protocol security.

We appreciate the engagement of contributors and the swift responses to reports from the whitehat community, and look forward to supporting the on-chain proposal.

2 Likes