Lido said that within the past 24 hours, Lido DAO contributors became aware of an early platform vulnerability that affected InfStones, an active node operator using Lido on Ethereum over the past few months. The vulnerability was disclosed to InfStones in July 2023 by dWallet Labs. The node operator has announced that the vulnerability has been resolved.
The vulnerability is related to potentially exposing root-level access to 25 validator servers to external attackers that may not be related to the Lido protocol. It is currently unknown to Lido contributors whether servers or keys associated with Lido validators are included in the scope of the affected systems, and we are actively working with node operators to investigate the incident to understand its full scope and potential impact.