Vulnerability Disclosure Prompts InfStones to Rotate Validator Keys 

Brian Yue

InfStones, a crucial node operator affiliated with Lido Finance, is poised to temporarily remove its Ethereum validators from the liquid staking protocol.

In response to a substantial vulnerability uncovered by security researchers at dWallet Labs, the operator plans to execute key rotations as a proactive security measure.

InfStones was informed of the vulnerability associated with the open-source library Tailon in July 2023, and the issue has been successfully addressed since then.

According to dWallet Labs, a hacker exploiting this vulnerability would have had the capability to obtain the private keys of validators across various blockchain networks, potentially leading to losses equivalent to over $1 billion in cryptocurrencies such as Ether and BNB.

“Over one billion dollars of staked assets were staked on all of these validators, and such an attacker would have been able to gain full control of all of them,” the security firm said.

Lido, the largest liquid staking protocol on Ethereum, manages over 9.23 million Ether, boasting a market value surpassing $19 billion. The Lido protocol empowers users to deposit ETH and engage in network staking via validator nodes, with the validator nodes then issuing derivative tokens to users which serve as a representation of their staked deposits.

A cadre of contributors, referred to as operators, bears the responsibility of operating these ETH validator nodes. They furnish the essential IT infrastructure and servers indispensable for the seamless functioning of the nodes.

Lido Finance verified that the vulnerability was tied to potential root-level access, affecting 25 of InfStones’ validator servers. Luckily, the company also noted that there was no evidence of any key leakage or exploitation that arose from this issue.

“To clarify: There is currently no indication of key leakage or compromise, and the vulnerability may not affect validators related [to] the Lido protocol,” the company said in an X post on Wednesday.

In its security report, dWallet Labs asserted that the vulnerability had the potential to trigger a security breach affecting the ETH staked through InfStones’ nodes on Lido. In response, the firm recommended the rotation of validator keys for all nodes that might have been exposed to this vulnerability.

InfStones has taken a proactive stance by agreeing to withdraw its validators and shift to new keys, according to Lido. The decision is now contingent upon government approval.

To ensure continuity and stability, the ether that was initially staked on the potentially affected validators is set to be redirected into the Lido protocol for re-staking.