Yielding Yellowthroat Incident Report - 24/08/25

On August 24th, it came to the attention of SDVT coordinators that narko2t1 from the SDVT Yielding Yellowthroat Obol cluster had their node operator address compromised (the Individual Manager address, which is the same as their Rewards Address).

This is an address related to cluster participation and receipt of rewards, and is not attached to any kinds of validator operations.

While the scope of the hack is still under investigation, as the cluster’s validator keys were generated via Obol’s Distributed Key Generation mechanisms, the affected address has no effect on the validator keys (or the participant’s key shard).

The cluster participants from the Yielding Yellowthroat cluster have coordinated to utilize voluntary exits to trigger exits for the cluster’s 80 active validators. Exits were then broadcast, and all 80 validators are in the process of exiting at this time.

A more detailed incident report will be published in this thread in the coming days with an update regarding possible next steps for the Yielding Yellowthroat cluster.

The NOM contributor workstream on behalf of the Lido Node Operator Subgovernance Group (LNOSG) would like to provide an update regarding several clusters in the SimpleDVT Module

Participant Node Guardians, currently part of two SSV Clusters and two Obol clusters have decided to wind down their staking operations, which means replacements are needed.

After a discussion with the LNOSG, the following suggestions were made:

1. For the SSV clusters, the rotations will happen in a similar fashion as the recent ones, by utilizing SSV’s re-share functionality. Concretely:

- In the Lido x SSV: Noble Newt cluster, Node Guardians’s proposed replacement is Meria, a Professional Node Operator from the approved backup list, who has been highly responsive and is able to deploy infrastructure in the EU region where the cluster operates.

- In the Lido x SSV: Quiet Quetzal cluster, Node Guardians’s proposed replacement is Stake.lab, another Professional Node Operator from the approved backup list, with strong performance in other clusters and the ability to deploy infrastructure in the Americas region where the cluster is based.

For the Obol clusters, since the re-share functionality is not available, the solution proposed is to transfer the keys and the operational responsibility to Obol’s DV Labs, as a part of the Node Guardians team is joining the team there and would continue to have some oversight of the operations.

The move would cover both the Lido x Obol: Observant Octopus regular cluster and the Lido x Obol: Bold Banshee Super cluster. This avoids disruption for the other participants, with some of the Node Guardians team continuing to be involved, while also bringing Obol’s DV Labs team’s expertise directly to the SimpleDVT Module.

The discussion period is now open for the DAO to consider these changes. The updated proposal is available to view here.

Follow up to Yielding Yellowthroat Incident Report
As mentioned previously, on August 24th, it came to the attention of SDVT coordinators that narko2t1 from the SDVT Yielding Yellowthroat Obol cluster had an address compromised (the Individual Manager address, which was the same as the Rewards Address) as a result of the participant having their password manager compromised, with multiple addresses being drained.

Cluster participants from the Yielding Yellowthroat cluster then coordinated to utilize voluntary exits to trigger exits for the cluster’s 80 active validators, all of which have now exited.

Following the incident, a discussion was opened with the cluster participants and the Lido Node Operator Subgovernance Group about whether narko2t1 should continue to participate as a member of the Yielding Yellowthroat cluster. The other cluster participants and LNOSG agreed that narko2t1 should continue to participate as a member of the cluster, taking greater care to limit exposure of his Simple DVT addresses and to use a cold wallet.

Conclusion

An Easy Track is expected this week to re-create the rewards splitter contracts, and the cluster will coordinate to add narko2t1’s new address to the multisig and reform the cluster via DKG.

The NOM contributor workstream on behalf of the Lido Node Operator Subgovernance Group (LNOSG) would like to provide an update regarding several clusters in the SimpleDVT Module

As notified last week on Kiln precautionary out of order exits in response to a security incident, a set of actions are also proposed for the Lido SimpleDVT clusters where Kiln is a participant.

Currently, Kiln is participating in a total of four clusters: two regular Obol clusters, one regular SSV cluster and one SSV Super cluster.

After a discussion with the LNOSG, the following suggestions were made:

1. For one of the SSV clusters, a rotation will happen in a similar fashion to recent ones, by utilizing SSV’s re-share functionality. For the second cluster, a different path was proposed:

- First, in the Lido x SSV: Arid Anubis Super cluster, the proposal is to proceed with a re-share, rotating in 2xStake, a Community Staker from the backup list, with strong performance, high responsiveness and involvement in the SimpleDVT module, able to deploy infra to the cluster’s EU location;

- Secondly, in the Lido x SSV: Blissful Bear cluster, one more participant, Thunderhead, has requested to withdraw. Since this means that two replacements are needed, the suggestion is to proceed by fully exiting the cluster, and then re-making it. This would help avoid incremental risk to the protocol, while being in line with similar past cases.

The first proposed replacement is MIDL.dev, a Professional Node Operator part of the previously approved SSV backup list, that has strong performance and is also able to deploy infra to the cluster’s EU location.

The second proposed replacement is KysenPool, a Professional Operator from the back-up list, with great performance in their other cluster and availability to deploy infra to the cluster’s location.

2. For the Obol clusters, since the re-share functionality is not available, once clusters are exited, the proposed path forward is to remake them, as done previously (e.g., Majestic Moose or Tranquil Turtle). Therefore:

- For the Lido x Obol: Brave Bison cluster, the proposed replacement is Sub7 Security, a Professional Node Operator from the backup list, with good performance and the ability to deploy infra to the cluster’s EU location;

- In the Lido x Obol: Jubilant Jackal cluster, the proposed replacement is mahof, a Home Staker with good performance and responsiveness from the backup list, also able to have infra in EU where the cluster is located.

The discussion period is now open for the DAO to consider these changes. The updated proposal is available to view here for the regular SSV clusters, here for the SSV super cluster, and here for Obol clusters.

I appreciate the trust. I’ll focus on running reliable infrastructure and contributing to the health of the cluster. I’ll also do my best to support the growth of our community. Thank you very much!

Proposal: Adjusting the Simple DVT Module Share Limit

This proposal seeks DAO approval to raise the Simple DVT Module (SDVTM) target share from 4% to 4.3% in order to:

• Resolve a difference created by net stake outflows since the 4% limit was set; 4% now maps to fewer validators than when originally set, limiting deposits into 15 under-filled SSV Cohort 3 clusters, as well as 4 clusters that saw exits and operator set rotations;

• Align all clusters with the capacity previously approved by the DAO.

No changes are proposed to reward shares, onboarding flow, or per‑cluster key limits; this proposal is solely for adjusting the parameter for the SimpleDVT Module share cap.

Motivation

The SDVTM has recently reached its 4% stake share cap, as set on July 26, 2024. Since then, the protocol has experienced large net stake outflows, decreasing the absolute number of validators represented by the same percentage limit. This has given rise to a small, but impactful bottleneck: the module cannot simultaneously maintain the current share limit, and at the same time finish scaling up clusters that have not reached the targeted number of active validators (80 for regular clusters / 500 for super clusters).

Currently, almost all clusters have validators activated to their limits. After a prolonged period of net stake outflows from the protocol, SSV Cohort 3 began receiving deposits and today each of the 15 clusters sits at 77–78 active keys, awaiting a few activations in order to reach 80 active keys, as in the other regular DVT cohorts.

In parallel, Lido x Obol: Yielding Yellowthroat exited all validators following an August incident as a precaution and currently has 0 active validators, awaiting re‑deposits. Furthermore, following Kiln’s security incident in September, four Simple DVT clusters also went through precautionary changes: one SSV super cluster completed a reshare with a rotated operator set, and three clusters exited and prepared new DKGs, with replacement operators rotating in. Given the large exit queue, final exits are expected around November 3, after which these clusters would be ready for deposits.

Accordingly, adjusting the SDVTM share limit from 4% to 4.3% aligns the initial expectations and previously approved limit with the current market conditions, and also removes the blockers described above. This should provide just enough room to fill up SSV Cohort 3 to 80 keys, as well as allow for re-deposits for the clusters that saw exits and operator rotations. The status of these clusters is summarized below.

Clusters Snapshot

Next Steps

It is suggested that the community review this proposal and provide feedback over the next 7 days. If no major issues are identified and not rectified during this timeframe, this proposal will be submitted for inclusion in the next on‑chain Aragon vote.

By supporting this change, the DAO can promptly complete scaling up SSV Cohort 3 clusters, as well as make sure the rotated clusters continue to operate the expected number of validators. This will continue to ensure a more decentralized, resilient, and secure Lido Node Operator set and continued progress toward the GOOSE goal of Attracting the Best Validator Set.

I support the proposal. It clearly aligns with the Lido DAO Goose goals and ensures that all of the SDVT participants will get the expected number of the active keys in SDVT.

Thanks for preparing it!

Appreciate this thoughtful update, the 4.3% cap lift helps Cohort 3 clusters finally reach our full validator count!