Lido Identifies ZKsync wstETH Bridge Endpoint Contract Vulnerability

Key Highlights:

• Lido identified a potential vulnerability in the ZKsync wstETH bridge endpoint but confirmed no funds were exploited.
• New deposits to the ZKsync bridge have been paused, while withdrawals and token transfers remain unaffected.
• A fix has been prepared and will be audited and deployed through Lido’s next on-chain governance vote in late March or early April.

Lido, which is an open-source Ethereum staking firm, disclosed a potential vulnerability in the ZKsync wstETH bridge endpoint contract. This prompted precautionary measures, but no losses have been reported as of yet. The issue was caught in the contract that allowed transfers of wrapped staked Ether between Ethereum and ZKsync.

In an official statement, Lido said there is no evidence that the vulnerability has been exploited. The protocol added that wstETH holders on ZKsync remain unaffected. Other bridge contracts are not impacted.

Lido Pauses Fresh ZKsync Bridge Deposits

As a precaution, Lido has paused new deposits into the ZKsync bridge. Withdrawals from ZKsync and token transfers continue to operate normally. The pause applies only to fresh deposits moving through the affected endpoint.

The vulnerability relates specifically to the bridge endpoint contract. In blockchain infrastructure, a bridge acts as a gateway between networks. It allows assets such as wstETH to move from Ethereum’s mainnet to a Layer 2 environment. In this case, the concern centers on that gateway rather than the wstETH token itself.

Because the issue was detected before any confirmed exploitation, the immediate impact is operational rather than financial. Users currently holding wstETH on ZKsync retain access to their funds. They can withdraw and transfer tokens without disruption. However, they cannot deposit additional wstETH through the paused bridge until further notice.

Lido has prepared a fix. The update will undergo an audit before deployment. As a decentralized protocol governed by token holders, Lido cannot bring in changes instantly. Hence, the patch will be introduced during the next scheduled on-chain governance vote, expected in late March or early April. Once approved and deployed, the deposit function will resume.

The temporary pause may create short-term liquidity constraints. Since no new wstETH can enter ZKsync via the bridge, the available supply on that network is effectively capped. If demand goes up whilst deposits remain halted, price differences may appear across decentralized exchanges operating on ZKsync.

At the time of reporting, wstETH on ZKsync traded near $2,402.27, after it dipped roughly 1.2% over the previous hour. The drop likely hints at the temporary restriction, which limits arbitrage activity that would normally help maintain price alignment between networks.

Bridge vulnerabilities have usually been a point of risk in decentralized finance. Even when funds remain safe, the discovery of a flaw can influence market confidence. In this instance, Lido emphasized that the action was taken out of caution. The protocol has assured users that it will provide further updates as developments unfold.

The announcement comes shortly after Lido completed the rollout of its V3 Phase 3 upgrade. That update marked a milestone for the staking protocol. Minting of stETH is now permissionless for all stVaults. The minting cap for identified node operators has also been extended.

Under the new structure, vaults operated by non-identified node operators can mint stETH within a defined framework. A 50 percent reserve ratio applies, along with graduated minting caps. The changes are designed to increase participation and also maintain safeguards.

Against that backdrop, the bridge pause introduces a temporary friction point. It does not alter the underlying staking mechanism. Nor does it affect other bridge integrations.

For users, the immediate takeaway is clear. Existing funds remain accessible. Deposits into ZKsync are paused until governance approval finalizes the fix. Monitoring will continue in the interim.

Also Read: SlowMist Flags Security Concerns in Bitget Wallet Swap Feature