Ethereum liquid staking protocol Lido Financ e in formed its users of a potential security weakness in its ZKsync wstETH bridge endpoint contract, adding that it has suspended new deposits till the issue is resolved. The disclosure, published on X by Lido Finance, stated, “As of yet, there is no indication that the weakness was exploited, and wstETH holders on ZKsync are not affected. No other bridges are affected. ” Withdrawals from ZKsync and token transfers were described as unaffected. Nevertheless, the platform moved swiftly, pausing new bridge deposits out of what it described as “an abundance of caution.” What exactly is the vulnerability and who is affected? Lido has not publicly shared the technical nature of the flaw, referring only to a “potential weakness” reported in the ZKsync wstETH bridge endpoint contract, the smart contract layer that facilitates the movement of wrapped staked ETH between the Ethereum mainnet and the ZKsync Layer 2 network. Lido integrated ZKsync as its fifth Layer 2 deployment, developed in collaboration with Matter Labs and the txSync team to build canonical wstETH bridging smart contracts. The ZKsync bridge went live on 3 January 2024, following a Lido DAO governance vote the previous month. Lido has an emergency multisig mechanism that enables it to disable deposits and withdrawals on the ZKsync side when necessary, and that lever appears to have been pulled in this instance. Why can a fix not be deployed without governance vote? Lido wrote, “A fix has been prepared and will be audited and deployed via the next scheduled on-chain Lido governance omnibus vote (late March / early April), after which deposits will resume.” The reliance on a governance vote to deploy the fix reflects both the decentralized structure of Lido’s operations and the procedural safeguards built into its upgrade process. Yet for users and investors, it also means the timeline is subject to the mechanics of on-chain coordination, a reality that has historically introduced delays in decentralized finance protocols. Lido said updates would follow and that deposits would resume once the fix was live. The announcement has not helped the fortunes of the respective tokens, with markets unnerved by the prospect of a fix that will not arrive until at least late March and possibly early April. Lido’s native governance token, LDO, has fallen by more than 3.5% over the past 24 hours to trade at $0.3057. ZK, the native token of ZKsync’s parent network, has also dropped more than 3.1% to $0.01863 over the same period. However, both tokens were already on a decline before Lido’s announcement. The protocol controls roughly one-third of all staked ether on the Ethereum network, making it the single largest staking operator by a substantial margin. Any security incident, or even the perception of one, carries systemic implications that extend well beyond the specific ZKsync integration. For now, existing wstETH holders on ZKsync can take some comfort from Lido’s assurances while withdrawals remain fully operational. Cryptopolitan reported earlier today that another project, Neutron, a BTCFi project that offers Bitcoin holders yields on their staked tokens, also paused certain services until at least March 9 after a security update where it said” a whitehat flagged a vulnerability” in its code. If you're reading this, you’re already ahead. Stay there with our newsletter .
