CryptoLenz | Lido DAO Launches Emergency Vote After Oracle Compromise

Lido DAO Launches Emergency Vote After Oracle Compromise

Published On: 12 May 2025 08:01
Author: VPwriter50

Lido DAO, the governance body behind the world’s largest liquid staking protocol, has launched an emergency vote to rotate out a compromised oracle after a cybersecurity breach involving validator operator Chorus One. The incident, detected over the weekend, resulted in the loss of a small amount of Ether, but crucially, user funds and the integrity of the Lido protocol remain untouched and fully secure.


What Happened

The breach came to light when Lido contributors noticed a suspiciously low balance in one of the addresses used by the Chorus One oracle. Further investigation revealed that the oracle’s hot wallet key, originally created in 2021 and not protected under Lido’s latest security standards, had been compromised. Attackers managed to drain approximately 1.46 ETH, an amount considered negligible in the context of Lido’s vast holdings.

Importantly, the incident was isolated to a single oracle operated by Chorus One. Lido’s sophisticated oracle system relies on a 5-of-9 quorum mechanism, meaning no single compromised key can jeopardize the protocol’s operations. All other oracles and validator sets were immediately checked and found uncompromised, with no evidence of broader infrastructure issues.


Immediate Response

Demonstrating the agility of decentralized governance, Lido DAO initiated an emergency on-chain vote to rotate the compromised oracle key across three critical contracts: the Accounting Oracle, the Validators Exit Bus Oracle, and the CS Fee Oracle. The vote, launched within hours of the breach’s discovery, will run for 72 hours, followed by a 48-hour objection window to ensure thorough community oversight.

Chorus One, for its part, is setting up a new machine and generating a fresh key pair under stricter security protocols to replace the compromised node. The compromised address (0x140B) will be replaced by a new, secure address (0x285f), restoring full redundancy and trust in Lido’s oracle network.
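The 5-of-9 quorum and the key rotation described above can be modelled in a few lines. This is an added example, not code from Lido or from the article: the class, the `op0`..`op7` member labels, the report strings and the use of SHA-256 are assumptions, and the model covers a single committee rather than the three contracts named in the vote.

```python
from collections import Counter
from hashlib import sha256

class OracleCommittee:
    """Simplified hash-quorum model (hypothetical, not Lido's contract code)."""
    def __init__(self, members, quorum=5):
        if not 0 < quorum <= len(members):
            raise ValueError("quorum must be between 1 and committee size")
        self.members = set(members)
        self.quorum = quorum
        self.votes = {}  # member -> report hash; a resubmission overwrites

    def submit(self, member, report: bytes):
        if member not in self.members:
            raise PermissionError(f"{member} is not a committee member")
        self.votes[member] = sha256(report).hexdigest()

    def consensus(self):
        """Return the report hash backed by >= quorum members, else None."""
        if not self.votes:
            return None
        digest, count = Counter(self.votes.values()).most_common(1)[0]
        return digest if count >= self.quorum else None

    def rotate(self, old, new):
        """Swap one member key and discard the old key's pending vote."""
        if old not in self.members or new in self.members:
            raise ValueError("invalid rotation")
        self.members.remove(old)
        self.members.add(new)
        self.votes.pop(old, None)

def demo():
    # Constructed labels; 0x140B / 0x285f are the truncated addresses quoted above.
    members = [f"op{i}" for i in range(8)] + ["0x140B"]
    c = OracleCommittee(members)
    honest, forged = b"frame-1:balances=ok", b"frame-1:balances=forged"
    c.submit("0x140B", forged)       # compromised key backs a forged report
    for m in members[:4]:
        c.submit(m, honest)
    before = c.consensus()           # 4 honest + 1 forged: no quorum
    c.rotate("0x140B", "0x285f")     # rotation removes the attacker's vote
    try:
        c.submit("0x140B", forged)
        rejected = False
    except PermissionError:
        rejected = True              # old key can no longer report
    c.submit("0x285f", honest)       # fifth matching vote reaches quorum
    return before, rejected, c.consensus() == sha256(honest).hexdigest()
```
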

Impact

Lido Finance has been quick to reassure its vast user base, who collectively entrust billions of dollars’ worth of Ether to the protocol, that the breach was contained and did not affect user deposits, validator sets, or the broader oracle infrastructure. The protocol remains fully operational, and all staking activities continue as normal.

Renewed Focus on DeFi Security

This incident, while limited in scope, serves as a stark reminder of the persistent cybersecurity challenges facing the decentralized finance (DeFi) sector. As DeFi protocols like Lido become increasingly integral to global digital finance, the sophistication and frequency of attacks continue to rise. In Q1 2025 alone, over $2 billion in crypto assets were lost to hacks and exploits, according to industry reports.

Lido’s multi-layered security approach, including distributed key management, regular audits, and a robust governance process, has proven effective in containing this breach and preventing any systemic fallout. The swift response and transparent communication further strengthen user trust in the protocol.

Looking Ahead

With the emergency vote underway and new security measures implemented, Lido DAO is also conducting a broader infrastructure review to identify and mitigate any additional vulnerabilities. The incident has prompted renewed discussions within the community about best practices for key management and the importance of ongoing vigilance in DeFi governance.

For now, Lido users can rest assured: the protocol is secure, their staked assets are safe, and the DAO’s rapid response has once again demonstrated the resilience of decentralized governance in the face of evolving threats. Stay tuned for further updates as Lido DAO publishes its detailed incident report and continues to lead by example in DeFi security and resilience.

