Ethereum staking protocol Lido Finance claims that an apparent flaw in the logic of its token contract is not a cause for concern.

In an X post on Sept. 10, blockchain security firm SlowMist said it had identified an operational issue with the LDO Token contract, which it claims has been recently exploited by malicious actors for “fake deposit” attacks on exchanges.

“Specifically, when the LDO token contract executes a transfer operation with a quantity exceeding the user’s actual holdings, it doesn’t trigger the usual transaction rollback. Instead, it merely returns ‘false’ as the outcome rather than indicating a failure,” wrote SlowMist on X.

The flawed contract supposedly allows a malicious actor to submit a transfer of more LDO tokens to an exchange than they actually hold without the transaction failing – a discrepancy that many exchanges may overlook when crediting deposits.

Lido responded to SlowMist’s claims, saying that the contract’s behavior was nothing out of the ordinary and it conforms to the ERC-20 token standard. The staking platform assured users that both LDO and staked ETH (stETH) remained safe.

Typically, the ERC-20 token standard calls for the transfer function to revert if the sender lacks sufficient funds. Although Lido’s contract would appear to deviate from this, Lido’s position is that the standard requires transfer functions to return a transfer status and to revert transactions in exceptional cases.
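The practical risk described above is on the receiving side: an exchange that credits a deposit because the transaction was mined, rather than because tokens actually arrived, will credit a transfer that merely returned false. The following is an added illustration, not code from Lido, SlowMist or any exchange: a toy token that returns False on insufficient balance (the behaviour attributed to the LDO contract), a toy token that reverts (the behaviour the article calls typical), and a naive versus a hardened deposit-crediting routine. Addresses such as "0xuser" and "0xexchange", the Receipt and Transfer classes, and all function names are constructed for the example. The hardened routine checks the return value, requires a matching Transfer log and confirms the exchange's on-chain balance actually grew by the deposited amount, which is how EIP-20's note that callers must handle a false return value is applied in practice.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class TxReverted(Exception):
    """Stands in for an EVM revert: the transaction fails and state is rolled back."""


@dataclass
class Transfer:
    """Constructed stand-in for the ERC-20 Transfer(from, to, value) event log."""
    sender: str
    to: str
    value: int


@dataclass
class ReturnFalseToken:
    """Toy token whose transfer() returns False (no revert, no event) when the
    sender's balance is too small; the behaviour the article attributes to LDO."""
    balances: Dict[str, int] = field(default_factory=dict)
    events: List[Transfer] = field(default_factory=list)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, value: int) -> bool:
        if self.balance_of(sender) < value:
            return False  # transaction still succeeds, nothing moves
        self.balances[sender] -= value
        self.balances[to] = self.balance_of(to) + value
        self.events.append(Transfer(sender, to, value))
        return True


class RevertingToken(ReturnFalseToken):
    """Toy token that reverts on insufficient balance (the typical behaviour)."""

    def transfer(self, sender: str, to: str, value: int) -> bool:
        if self.balance_of(sender) < value:
            raise TxReverted("insufficient balance")
        return super().transfer(sender, to, value)


@dataclass
class Receipt:
    """Minimal transaction receipt: status 1 = mined successfully, 0 = reverted."""
    status: int
    logs: List[Transfer]
    return_value: Optional[bool]


def send_transfer_tx(token, sender: str, to: str, value: int) -> Receipt:
    """Simulate submitting token.transfer() as a transaction and reading its receipt."""
    first_new_log = len(token.events)
    try:
        ok = token.transfer(sender, to, value)
    except TxReverted:
        return Receipt(status=0, logs=[], return_value=None)
    return Receipt(status=1, logs=token.events[first_new_log:], return_value=ok)


def credit_naive(receipt: Receipt, value: int) -> int:
    """Credits the deposit whenever the transaction did not revert.
    Wrong for tokens that signal failure by returning False."""
    return value if receipt.status == 1 else 0


def credit_hardened(token, exchange: str, balance_before: int,
                    receipt: Receipt, value: int) -> int:
    """Credits only when the tx succeeded, transfer() did not return False,
    a matching Transfer log exists, and the exchange balance grew by `value`."""
    if receipt.status != 1 or receipt.return_value is False:
        return 0
    if not any(e.to == exchange and e.value == value for e in receipt.logs):
        return 0
    if token.balance_of(exchange) - balance_before != value:
        return 0
    return value


def run_scenario(token_cls, holding: int, amount: int):
    """Return (naive credit, hardened credit) for a user holding `holding`
    tokens who submits a deposit transfer of `amount`."""
    token = token_cls(balances={"0xuser": holding})  # constructed addresses
    exchange = "0xexchange"
    before = token.balance_of(exchange)
    receipt = send_transfer_tx(token, "0xuser", exchange, amount)
    naive = credit_naive(receipt, amount)
    hardened = credit_hardened(token, exchange, before, receipt, amount)
    return naive, hardened


if __name__ == "__main__":
    print(run_scenario(ReturnFalseToken, 100, 1000))  # naive credits 1000, hardened 0
    print(run_scenario(RevertingToken, 100, 1000))    # both 0: the tx reverted
    print(run_scenario(ReturnFalseToken, 100, 50))    # both 50: a genuine deposit
```

The balance-delta check is the one that matters most, because it does not depend on how a given token signals failure; the return-value and log checks are cheaper early exits that catch the return-false case directly.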

However, one X user pointed out that the EIP documentation Lido referred to stipulates that the transfer should revert if the transfer amount exceeds the user’s balance.

“The exploitation of this security flaw raises broader questions about the reliability of token contracts and adherence to industry standards. With the growing complexity of token contracts, the risk of similar vulnerabilities is substantial,” said another user on X.