Lido Halts Deposits After Critical ZKsync Bridge Flaw
Lido Finance, the largest liquid staking protocol, has halted deposits after a critical vulnerability was discovered in the ZKsync wstETH bridge. The issue highlights the significant risks of bridging staked assets across Layer-2s, particularly with newer, not-yet-battle-tested ZK technology.
The recently identified vulnerability resides in the wstETH bridge's endpoint smart contract on the ZKsync network. While Lido has not disclosed the specific technical details of the flaw, it has confirmed that it was a "potential weakness" that could have been exploited. Importantly, there is no evidence that any malicious actors took advantage of this vulnerability, and all user funds on ZKsync are reported to be safe.

In response to the discovery, Lido developers used an emergency multisig mechanism to immediately pause new deposits to the ZKsync bridge as a precautionary measure. This rapid response highlights the security protocols Lido has in place for such events. However, withdrawals of wstETH from ZKsync back to the Ethereum mainnet remain fully operational, ensuring users can access their funds.

As of late January 2025, there were 2,504 wstETH on the ZKsync network. The halt on new deposits temporarily caps the growth of Lido's liquid staked ETH on this Layer-2 solution. The ZKsync bridge, a collaboration between Lido and Matter Labs, initially went live in January 2024, representing Lido's fifth Layer-2 integration.

A fix for the vulnerability has already been developed and is pending a security audit. Due to Lido's decentralized governance structure, the permanent solution will be deployed through the next scheduled on-chain omnibus vote in late March or early April. This adherence to the governance process, while ensuring community oversight, means the deposit function will remain paused for several weeks.

The market reacted to the news with a downturn in the prices of both Lido's LDO and ZKsync's ZK tokens. LDO saw a drop of over 3.5%, while ZK fell by more than 3.1% in the 24 hours following the announcement. This price action reflects investor uncertainty despite the assurance that no funds were lost.