Lido Finance has kicked off an emergency DAO vote after spotting a security issue with one of its oracle keys managed by Chorus One. On May 10, 2025, a contributor flagged the problem when they noticed the wallet tied to that oracle suddenly had a much lower ETH balance than expected.
The compromised wallet, which had been in use since 2021, was drained overnight. It’s believed that the private key may have leaked at some point in the past. There’s no sign that Chorus One’s infrastructure or Lido’s software was breached.
Stakers Not Affected, Protocol Is Safe
Lido confirmed that stakers aren’t affected at all. The protocol continues to run as normal, and the system remains secure. Lido’s oracles operate with a 5-out-of-9 quorum, meaning even if one fails or is compromised, the rest can keep things running safely. All eight other oracles were checked and found to be secure.
What Happened Behind the Scenes
After spotting the unusual balance, Lido contributors contacted Chorus One to confirm the issue. A response team was formed right away to investigate what went wrong, whether other systems were at risk, and to make sure no other keys or machines were affected.
At the same time, there were some delays in Oracle reports on May 10 due to unrelated technical issues. Four other oracles faced problems too, including a minor bug in the Prysm client. That caused reporting delays of about 1–2 hours, but those were resolved quickly and had nothing to do with the compromised key.
Here’s what the report delays looked like:
- Accounting Oracle: delayed by around 1 hour, delivered at 14:06 UTC
- Validators Exit Bus Oracle: delayed by around 2 hours, delivered at 14:40 UTC
What’s Being Done Now
Lido is now rotating the compromised Chorus One oracle key. A new wallet address is being added to replace the old one across three contracts:
- Accounting Oracle
- Validators Exit Bus Oracle
- Consensus Layer Fee Oracle
The old address 0x140Bd8FbDc884f48dA7cb1c09bE8A2fAdfea776E is being replaced with a new one: 0x285f8537e1dAeEdaf617e96C742F2Cf36d63CcfB.
This change is being carried out through an on-chain vote, which starts immediately. The vote will run for 72 hours, followed by a 48-hour objection period to allow the community to raise any concerns.
Investigation Still Ongoing
Lido contributors and engineers from Chorus One are still working together to figure out how exactly the private key got exposed. They’re also reviewing whether any other systems might have been affected and checking the full security setup.
So far:
- The issue appears limited to a single key
- No other Oracle addresses were compromised
- The Oracle software and its dependencies are clean
A full post-mortem will be shared once the investigation wraps up.
Also Read: Swyftx Halts Withdrawals and Trading Amid Rumors of Hack
