TLDR:
- A private key belonging to Lido validator Chorus One was compromised
- The breach resulted in the theft of 1.46 ETH ($4,200) in gas fees
- No user funds were affected due to Lido’s 5-of-9 quorum security system
- Lido initiated an emergency DAO vote to rotate the compromised oracle key
- The compromised key was from 2021 and lacked current security standards
Ethereum’s largest liquid staking protocol, Lido, narrowly avoided a major security incident after detecting that one of its nine oracle keys was compromised. The breach involved validator operator Chorus One and resulted in the theft of 1.46 ETH (approximately $4,200) in gas fees.
⚠️ Emergency Lido DAO vote announcement: rotate single Lido Oracle related to compromised Chorus One oracle private key.
Stakers are not affected. The protocol remains secure and fully operational. The oracle system is robust by design, with a 5/9 quorum, and all other…
— Lido (@LidoFinance) May 11, 2025
The incident was first detected early Sunday when a low-balance alert triggered closer inspection of the address. Security teams discovered unauthorized access to an oracle private key used by Chorus One.
Lido secures over 25% of all ether staked on Ethereum, making it a vital component of the Ethereum ecosystem. Despite the breach, no user funds were affected thanks to Lido’s robust security architecture.
The compromised key was connected to a hot wallet used for oracle reporting. According to Chorus One, the key was originally created in 2021 and was not secured to the same standards as newer keys.
Technical Response and Enhanced Security Measures
Lido’s oracle system supplies Ethereum consensus data to Lido’s smart contracts using a 5-of-9 quorum mechanism. This design ensures that even if up to four keys are compromised, the system can still function securely.
In response to the breach, Lido launched an emergency DAO vote to rotate the compromised oracle key across three contracts: the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle.
The compromised address (0x140B) is being replaced by a new secure address (0x285f). This on-chain vote has already been approved and is currently in its 48-hour objection period as of Monday morning.
Chorus One has stated they are setting up a new machine to ensure better security going forward. The new key has been generated using enhanced security controls to prevent similar incidents.
The hack occurred as several other oracle operators were experiencing unrelated node issues, including a minor Prysm bug introduced by Ethereum’s recent Pectra upgrade, which briefly delayed oracle reports on May 10.
Lido Finance emphasized that the issue was restricted to the Chorus One oracle and was not system-wide. The team also clarified that the problem was not due to a coding issue in any particular blockchain oracle or software.
This incident comes amid broader cybersecurity concerns in the crypto industry. According to cybersecurity firm Hacken, over $2 billion in crypto was lost due to malicious activity in Q1 2025 alone.
The vast majority of those stolen funds were attributed to the $1.4 billion Bybit hack in February 2025. Hacken also reported that crypto hacks were responsible for $357 million in losses in April 2025, an increase from March.
Cybersecurity threats in crypto have become so widespread, particularly from hacking groups associated with North Korea, that G7 countries may discuss these threats at their next summit.
The Lido incident highlights the need for constant vigilance and robust security measures in decentralized finance as more complex digital systems develop larger attack surfaces.
Stay Ahead of the Market with Benzinga Pro!
Want to trade like a pro? Benzinga Pro gives you the edge you need in today's fast-paced markets. Get real-time news, exclusive insights, and powerful tools trusted by professional traders:
- Breaking market-moving stories before they hit mainstream media
- Live audio squawk for hands-free market updates
- Advanced stock scanner to spot promising trades
- Expert trade ideas and on-demand support
