Lido DAO Responds to Oracle Hack with Emergency Vote to Replace Compromised Chorus One Node

On May 11, 2025, Lido DAO, the governance body behind the Ethereum liquid staking protocol Lido Finance, initiated an emergency vote to replace a compromised oracle node operated by Chorus One after a suspected private key leak led to the theft of 1.46 ETH (approx.3,800 at the time). The isolated incident did not disrupt Lido’s operations or affect stakers, thanks to the protocol’s robust 5-of-9 multisignature oracle system.

Incident Details and Immediate Response

According to the official statement, A compromise of an oracle key was detected on May 10, 2025, when a Lido contributor noticed an unusual balance depletion in the Chorus One oracle address (0x Ditto:140Bd8FbDc884f48dA7cb1c09bE8A2fAdfea776E), which had been in use since 2021 and held a deliberately low balance of 1.46 ETH. A response group formed by the oracle operator confirmed that an unauthorized entity had accessed the address, likely due to leakage of a hot wallet private key at a point in the past. Chorus One, the node operator, confirmed the attack was not a result of broader infrastructure vulnerabilities or flaws in Lido’s software. The team is integrating the new address (0x285f8537e1dAeEdaf617e96C742F2Cf36d63CcfB) into three contracts: AccountingOracle, ValidatorsExitBusOracle, and CSFeeOracle.

Lido’s oracle system, designed with a 5-of-9 quorum, ensured that the compromise of a single node did not threaten protocol stability. The remaining eight oracle nodes were thoroughly audited and showed no signs of breach, and no evidence suggested a wider attack on Chorus One’s infrastructure. Lido emphasized that stakers’ funds remained unaffected, and the protocol continued to operate normally. The emergency DAO vote, launched on May 11, includes a 72-hour voting period followed by a 48-hour objection phase to replace the compromised key, with unanimous support so far, though quorum has not yet been reached.

Community Reactions

Community members praised Lido’s effective detection system and swift oracle emergency rotation protocol, which enabled timely issue identification and minimized losses. DefiLlama founder 0xngmi highlighted the breach’s silver lining: the attacker’s decision to drain the small 1.4 ETH balance exposed the compromise early. They suggested that placing small token amounts in multisignature wallets could serve as a “canary” to detect unauthorized access, a strategy that proved effective in this case.

Broader Context and Security Implications

The attack, while minor in financial impact, highlights the persistent cybersecurity risks in DeFi. A Q1 2025 report by Hacken noted over $2 billion in crypto losses in just three months due to hacks and scams, with $357 million lost in April alone. Hacken CEO Dyma Budorin, speaking at Token2049, stressed the need for stronger cybersecurity measures and code auditing to counter increasingly sophisticated attacks, including those linked to groups like North Korea’s hacking collectives. The Lido incident reinforces the importance of multisignature systems and proactive monitoring, as demonstrated by the low-balance alert that limited losses.

Lido and Chorus One are conducting a joint investigation to determine the exact cause of the key leak, with a full post-mortem promised upon completion. Chorus One has already set up a new machine to enhance security and is reviewing its infrastructure to prevent future incidents. The event may prompt broader industry discussions on hot wallet security and multisig wallet best practices, potentially influencing regulatory focus on DeFi security protocols. Due to Lido’s prompt response, the hack had no significant impact on the protocol. Lido’s token, LDO, saw a 4.1% price decline over the past 24 hours as of press time.