Ethereum Staking Giant Lido Loses Just 1.4 ETH in Hack Attempt
Ethereum staking giant Lido suffers minimal losses of 1.4 ETH due to hack attempt
The private key belonging to Chorus Key has been compromised and a vote is currently underway to change the Oracle vendor.
Shaurya Malwa | Edited by Parikshit Mishra May 12, 2025 5:53 AM
Key points:
- Lido, the leading Ethereum liquid staking protocol, has avoided a major security incident after a key used by the operator of the Chorus One validator was compromised.
- The hack resulted in the theft of 1.46 ETH in gas fees, but user funds remained safe and no further compromise was reported.
- Lido has initiated an emergency DAO vote to replace the compromised Oracle key, which will improve security and help prevent similar incidents in the future.
Lido, Ethereum's largest liquid staking protocol, has avoided a major security incident after one of its nine oracle keys was compromised in what appears to be a minor but serious breach involving validator operator Chorus One.
Lido controls over 25% of all ETH staked on Ethereum, making it one of the most systemically important protocols in the Ethereum ecosystem.
The compromised key was linked to a hot wallet used for Oracle reporting, resulting in the theft of just 1.46 ETH ($4,200) in gas fees. No user funds were affected, and no larger breach was detected, according to reports from X from Lido and Chorus One.
The Lido oracle system is a blockchain-based tool that provides Ethereum consensus data to Lido smart contracts using a 5 out of 9 quorum mechanism. This means that even if one or two keys are compromised, the system can continue to function securely.
Participants first noticed suspicious activity early Sunday, when a low balance alert prompted a closer look at the address. This revealed unauthorized access to an Oracle private key used by Chorus One, which was created in 2021 and did not have protections that meet the standards for new keys, the company said in its X post.
In response, Lido launched an emergency DAO vote to rotate the compromised oracle key across three contracts: the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle. A new key was generated using enhanced security controls to prevent a repeat of the incident.
The hack occurred at a time when several other Oracle operators were experiencing unrelated node issues, including a minor Prysm bug introduced by Ethereum's recent Pectra upgrade, which caused a temporary delay in Oracle's May 10 reports.
The compromised address (0x140B) is replaced with a new secure address (0x285f), with the on-chain vote already approved and 48 hours in the making as of Monday morning Asia time.
