Lido Finance pauses deposits due to flaw in ZKsync wstETH bridge - Coinfea

Ethereum liquid staking protocol Lido Finance has informed its users of a potential security weakness in its ZKsync wstETH bridge endpoint contract, adding that it has suspended new deposits till the issue is resolved.

ContentsLido Finance temporarily halts depositsA fix is expected to come after its on-chain vote“As of yet, there is no indication that the weakness was exploited, and wstETH holders on ZKsync are not affected. No other bridges are affected,” Lido Finance said on X. Withdrawals from ZKsync and token transfers were described as unaffected. Nevertheless, the platform moved swiftly, pausing new bridge deposits out of what it described as “an abundance of caution.”

Lido Finance temporarily halts deposits

Lido has not publicly shared the technical nature of the flaw, referring only to a “potential weakness” reported in the ZKsync wstETH bridge endpoint contract, the smart contract layer that facilitates the movement of wrapped staked ETH between the Ethereum mainnet and the ZKsync Layer 2 network.

Lido integrated ZKsync as its fifth Layer 2 deployment, developed in collaboration with Matter Labs and the txSync team to build canonical wstETH bridging smart contracts. The ZKsync bridge went live on 3 January 2024, following a Lido DAO governance vote the previous month. Lido has an emergency multisig mechanism that enables it to disable deposits and withdrawals on the ZKsync side when necessary. That lever appears to have been pulled in this instance.

Lido wrote, “A fix has been prepared and will be audited and deployed via the next scheduled on-chain Lido governance omnibus vote (late March / early April), after which deposits will resume.” The reliance on a governance vote to deploy the fix reflects both the decentralized structure of Lido’s operations and the procedural safeguards built into its upgrade process.

A fix is expected to come after its on-chain vote

For users and investors, it also means the timeline is subject to the mechanics of on-chain coordination, a reality that has historically introduced delays in decentralized finance protocols. Lido said updates would follow and that deposits would resume once the fix was live. The announcement has not helped the fortunes of the respective tokens, with markets unnerved by the prospect of a fix that will not arrive until at least late March and possibly early April.

Lido’s native governance token, LDO, has declined by more than 3.5% over the past 24 hours, trading at $0.3057. ZK, the native token of ZKsync’s parent network, has also dropped more than 3.1% to $0.01863 over the same period. However, both tokens were already on a decline before Lido’s announcement. The protocol controls roughly one-third of all staked ether on the Ethereum network, making it the single largest staking operator by a substantial margin.

Any security incident, or even the perception of one, carries systemic implications that extend well beyond the specific ZKsync integration. For now, existing wstETH holders on ZKsync can take some comfort from Lido’s assurances while withdrawals remain fully operational. Cryptopolitan reported earlier today that another project, Neutron, a BTCFi project that offers Bitcoin holders yields on their staked tokens, also paused certain services until at least March 9 after a security update, where it said” a whitehat flagged a vulnerability” in its code.