Lido Suffers Minor Oracle Exploit as 1.46 ETH Stolen, DAO Responds

One of Lido’s nine oracles was compromised, resulting in a 1.46 ETH drain. The DAO has triggered an emergency vote to restore operational security.
The Lido staking protocol faced a minor breach this week after an attacker exploited one of its Chorus One-managed oracles to steal 1.46 ETH (about $3,700). The exploit was flagged by a low-balance warning tied to the affected address.
Importantly, Lido’s 5-of-9 key consensus model prevented deeper compromise, ensuring the protocol’s continued stability. The DAO has already initiated a vote to revoke and rotate the exposed address.
A Breach in the Oracle: The Chorus One Exploit
On May 10, 2025, a Chorus One oracle linked to Lido was compromised via a leaked private key. The address in question, created in 2021, was a low-balance hot wallet used for gas fee transactions. A total of 1.46 ETH was withdrawn by the attacker.
“Investigation on all fronts is still ongoing; we will share a full postmortem after we conclude the investigation,” Chorus One stated in a Lido governance forum post. The operators noted that the attack bore hallmarks of automation, not targeted intrusion.
A preliminary security sweep of the affected infrastructure yielded no signs of further threats. Chorus One has stated it will issue a complete postmortem after finalizing the investigation.
Lido DAO’s Governance Response
Lido DAO moved quickly to contain the incident, initiating a vote to rotate out the compromised address (0x140B) in favor of a newly generated one (0x285f) secured to higher standards. While support for the proposal is unanimous, it has not yet reached the quorum threshold necessary for execution.
“In the worst case, [compromised oracles] may mean something like stETH rebases (whether positive or negative) take longer to materialize, which will affect stETH holders but mostly in a negligible manner apart from those who may be using stETH in a leveraged manner in DeFi,” said Izzy, Lido’s Head of Validators, in a post on X.
Rotation of the compromised oracle key is scheduled across three contracts: Accounting Oracle, Validators Exit Bus Oracle, and CS Fee Oracle. After a 48-hour review period, the new address will begin serving all oracle calls.
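The 5-of-9 quorum and the key rotation described above can be sketched as a simplified model. This is an added Python example, not Lido's contract code or part of the original article. The class, method names and the oracle-1 to oracle-8 labels are constructed; 0x140B and 0x285f are the shortened addresses as the article gives them.

```python
from collections import Counter

class OracleQuorum:
    """Simplified M-of-N oracle committee (hypothetical model, not Lido's code)."""
    def __init__(self, members, quorum):
        if not 0 < quorum <= len(set(members)):
            raise ValueError("quorum must be between 1 and the member count")
        self.members = set(members)
        self.quorum = quorum
        self.reports = {}  # member -> report hash for the current frame

    def submit(self, member, report_hash):
        # Only current committee members may report; a later report overwrites.
        if member not in self.members:
            raise PermissionError(f"{member} is not a committee member")
        self.reports[member] = report_hash
        return self.consensus()

    def consensus(self):
        # A report is final only when at least `quorum` members sent the same hash.
        if not self.reports:
            return None
        report_hash, votes = Counter(self.reports.values()).most_common(1)[0]
        return report_hash if votes >= self.quorum else None

    def rotate(self, old, new):
        # Revoke the exposed key, drop whatever it reported, admit the new key.
        if old not in self.members or new in self.members:
            raise ValueError("old must be a member and new must not be")
        self.members.remove(old)
        self.reports.pop(old, None)
        self.members.add(new)

def demo():
    honest = [f"oracle-{i}" for i in range(1, 9)]  # constructed labels
    committee = OracleQuorum(honest + ["0x140B"], quorum=5)
    # The exposed key reports a forged hash: one vote, no consensus.
    forged = committee.submit("0x140B", "forged")
    # Four honest members agree: still below quorum.
    partial = [committee.submit(m, "honest") for m in honest[:4]][-1]
    # The fifth matching report finalizes the honest hash.
    final = committee.submit(honest[4], "honest")
    committee.rotate("0x140B", "0x285f")
    try:
        committee.submit("0x140B", "forged")
        revoked_rejected = False
    except PermissionError:
        revoked_rejected = True
    return forged, partial, final, revoked_rejected, len(committee.members)
```

In this model a single exposed key can neither finalize a report nor block one, and rotation restores the full nine-member set.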