Lido DAO

Proposal

On Nov 22, Lido DAO contributors were made aware of two platform vulnerabilities in the validator infrastructure of one of the Curated Set Node Operators (InfStones) that utilize the Lido on Ethereum Protocol.

As a result of the mutual understanding of the potential implications of the vulnerabilities, the Node Operator volunteered to exit the validators out of an abundance of caution. The stake for the 10,001 validators that they were operating has since begun flowing back into the Lido on Ethereum Protocol through the Lido Withdrawal Vault.

Further information about this investigation and resulting actions can be found here.

InfStones has posted a response on the Lido research forums indicating their understanding and approach regarding the infrastructure vulnerabilities; and has stated that the relevant gaps have been remediated. Additionally, InfStones indicate that they have now set up a bug bounty program that covers their infrastructure, and have also completed a SOC 2 Type 1 audit using an external third party, and have additionally indicated that they will conduct a pentest with a third party, with the results to be shared with the DAO once available.

Additionally, they agreed to:

• Reset their validators limit (i.e. preventing any new deposits from being allocated to them) (done), and
• Remove any previously submitted validator keys from the node operator registry (in progress) prior to submitting new keys.

At this juncture, the DAO is asked to decide on the below:

• Is the DAO satisfied that the Node Operator has appropriately remediated the issues in their infra such that InfStones should remain in the Curated Operator Set?
• If so, when should the Node Operator resume submitting validator keys to the Node Operator Registry?

Voting Instructions

This is a single-option vote.

• If you believe that the Node Operator has shown enough evidence that the vulnerability has been remediated and can resume submitting keys in a guarded fashion (i.e. through a kind of probationary period, see Next Steps below), vote “Resume key submission”.
• If you believe that the Node Operator should be removed from the Node Operator set, vote “Remove InfStones from NO Set”.
• If you believe that additional time is needed to assess the question (e.g. because there is not enough information), vote “Additional time required”.

Next Steps

If the “Resume key submission” reaches quorum, then the Node Operator will resume key submission at their convenience and raise their validator limit in a guarded manner while awaiting the penetration testing results. This will entail a probationary period during which: (a) no further similar vulnerability should be identified, and (b) no hacking / slashing incidents should occur, and © the quantity of active validators cannot exceed 2,500 validators. The probationary period will last until the 3rd party penetration test results are provided to the DAO. InfStones will communicate these actions to the DAO via research forums to ensure that there are no objections to the pace of key submission.

If the “Remove InfStones from NO Set” option reaches quorum, a separate on-chain vote will be required to deactivate the Node Operator.

If the “Additional time required” option reaches quorum, a new discussion will commence on the forums so that the details of additional investigation and follow-up to be performed can be agreed. Voters who voted this option are requested to opine on the forums about what kinds of additional information or analysis would help to reach a decision, with the view of being able to have another vote on the matter in early 2024 (e.g. by mid January).