A behavioural quirk in the LDO token contract was recently exploited by attackers to carry out fake deposit attacks on exchanges, according to a security alert issued by cryptocurrency security firm SlowMist.
According to SlowMist, the LDO token contract does not behave the way most ERC-20 integrations expect. The ERC-20 specification says that `transfer` should throw (revert) when the caller's balance is insufficient, and it explicitly warns that callers must never assume `false` is not returned. The LDO contract takes the permitted but uncommon path: when the sender lacks the balance, `transfer` simply returns `false` and leaves state unchanged instead of reverting, so the transaction is still mined successfully (status 1) and no `Transfer` event is emitted.
This means that an attacker can call `transfer(exchangeDepositAddress, amount)` with more LDO than they actually hold. No tokens move, but the transaction itself succeeds on-chain. A deposit scanner that only checks transaction status and reads the amount from the calldata credits the attacker's exchange account with tokens that never arrived, and the attacker can then withdraw other assets from the exchange against that phantom balance.
SlowMist recommended several actions for exchanges and other platforms that integrate LDO tokens to prevent such attacks. These include:
- When performing token deposits, checking not only the success or failure of the transactions, but also the return values of the token contract.
- Conducting a comprehensive analysis of the token contract code before integrating new tokens, especially those that do not comply with the ERC20 standard.
- Performing regular code audits and security checks to ensure the robustness and security of the system.
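To make the mechanism and the first recommendation concrete, here is an added, self-contained model (illustrative code written for this page, not SlowMist's, Lido's or any exchange's code). `NonRevertingToken`, `RevertingToken`, `send_tx`, `naive_credit`, `safe_credit`, the `Receipt` shape and the `0xExchange`/`0xAttacker` addresses are all constructed for the example. It shows a deposit scanner that credits on transaction status alone being fooled by a `transfer` that returns `false`, and a hardened scanner that only credits what a `Transfer` event to the deposit address and the resulting balance change both confirm.

```python
"""Fake-deposit model: a token whose transfer() returns False instead of
reverting, versus an exchange deposit scanner that trusts tx status alone.
All classes, receipts and addresses here are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Receipt:
    """Stand-in for a transaction receipt (constructed, not an RPC type)."""
    status: int                  # 1 = executed without revert, 0 = reverted
    contract: str                # token contract that was called
    calldata: tuple              # (function, to, amount) stands in for ABI input
    return_value: object = None  # NOT in a real receipt; only a trace exposes it
    logs: list = field(default_factory=list)  # emitted Transfer events


class NonRevertingToken:
    """Hypothetical ERC-20-like token: insufficient balance -> return False."""

    def __init__(self, name):
        self.name = name
        self.balances = {}
        self.logs = []

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            return False  # no revert, no state change, no Transfer event
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount
        self.logs.append(("Transfer", sender, to, amount))
        return True


class RevertingToken(NonRevertingToken):
    """Hypothetical token that reverts on insufficient balance instead."""

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise RuntimeError("revert: insufficient balance")
        return super().transfer(sender, to, amount)


def send_tx(token, sender, to, amount):
    """Execute transfer(to, amount) from sender and build the receipt."""
    log_start = len(token.logs)
    try:
        ok = token.transfer(sender, to, amount)
        return Receipt(1, token.name, ("transfer", to, amount), ok,
                       token.logs[log_start:])
    except RuntimeError:
        return Receipt(0, token.name, ("transfer", to, amount), None, [])


def naive_credit(receipt, exchange):
    """Vulnerable scanner: credits the calldata amount whenever the tx
    did not revert and targets the exchange's deposit address."""
    fn, to, amount = receipt.calldata
    if receipt.status == 1 and fn == "transfer" and to == exchange:
        return amount
    return 0


def safe_credit(receipt, exchange, balance_before, balance_after):
    """Hardened scanner: credit only the value a Transfer event says reached
    the exchange, and only if the on-chain balance delta agrees."""
    if receipt.status != 1:
        return 0
    # The return value is only visible via a tx trace; if you have one,
    # treat False as a failed deposit. The event + balance check below
    # catches the same case without a trace.
    if receipt.return_value is False:
        return 0
    credited = sum(v for (ev, _frm, to, v) in receipt.logs
                   if ev == "Transfer" and to == exchange)
    if credited == 0 or balance_after - balance_before != credited:
        return 0
    return credited


def demo(token_cls, attacker_balance=0, amount=1_000):
    """Return (tx status, naive credit, safe credit) for one deposit attempt."""
    token = token_cls("LDO-like")
    exchange, attacker = "0xExchange", "0xAttacker"
    token.balances[attacker] = attacker_balance
    before = token.balance_of(exchange)
    receipt = send_tx(token, attacker, exchange, amount)
    after = token.balance_of(exchange)
    return (receipt.status, naive_credit(receipt, exchange),
            safe_credit(receipt, exchange, before, after))


if __name__ == "__main__":
    print("non-reverting, attacker holds 0:", demo(NonRevertingToken))
    print("reverting, attacker holds 0:   ", demo(RevertingToken))
    print("non-reverting, real deposit:   ", demo(NonRevertingToken, 1_000))
```

One practical caveat when following the first recommendation: an Ethereum transaction receipt does not contain the return data of the top-level call, so "checking the return value" after the fact requires a trace (for example `debug_traceTransaction` on a node that exposes it). Most deposit pipelines instead verify the `Transfer` log addressed to the deposit wallet and the balance change, which catches a non-reverting `false` just as well, and they confirm the contract's return-value behaviour with `eth_call` during integration review.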
*This is not investment advice.