
Lido
Lido is a liquid staking solution for Ethereum, backed by industry-leading staking providers and community stakers. It allows users to stake their ETH without locking up assets or maintaining infrastructure, while still participating in on-chain activities.
Triaged by Immunefi
PoC Required
Assets in Scope
Impacts in Scope
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Protocol insolvency
Execute arbitrary system commands
Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
- Changing registration information
- Commenting
- Voting
- Making trades
- Withdrawals, etc.
Subdomain takeover with already-connected wallet interaction
Direct theft of user funds
Malicious interactions with an already-connected wallet, such as:
- Modifying transaction arguments or parameters
- Substituting contract addresses
- Submitting malicious transactions
Any governance voting result manipulation
Theft of tokenized staking yield
Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
- Password of the victim etc.
Subdomain takeover without already-connected wallet interaction
Out of scope
- Best practice critiques.
- Only reports targeting deployed contracts are accepted, not the latest contracts in the repositories.
- Only reports associated with releases are accepted, not develop or feature branches.
- All impact of an attack on Oracles or KAPI must be described in terms of impact on the protocol itself and classified accordingly.
- All impact of a re-entrancy attack must be described in terms of impact on the protocol itself and classified accordingly.
- Rewards on partner contracts are paid at the contributor's discretion.
- For Auxiliary services, only vulnerabilities leading to application takeover are accepted, classified as "Execute arbitrary system commands".
- Reports regarding domains not listed under the scope section are paid at the contributor's discretion.
Smart Contract specific
- Incorrect data supplied by third party oracles
- (This does not exclude oracle manipulation/flash loan attacks, which remain in scope)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers