Lido Finance collaborated with Ackee Blockchain to conduct a security assessment of the stETH smart contracts, utilizing a total of 15 engineering days of time donated between May 6 and May 17, 2024.
Additionally, Lido Finance broadened the review scope to encompass all contracts in the repository and any modifications that had not been examined in earlier assessments. Ackee further received 1.5 engineering days as an additional time donation to review the security of revision 1.3 from June 17 to June 18, 2024.
METHODOLOGY
Our review commenced with static analysis utilizing tools such as Wake. We also delved deeply into the contracts’ logic and employed the Wake testing framework for cross-chain fuzz testing of the protocol.
A comprehensive manual analysis of the codebase was also performed, emphasizing the contracts’ logic. During the evaluation, we focused particularly on:
- ensuring access controls are neither overly permissive nor excessively stringent,
- verifying integration within the Optimism stack,
- securing the cross-chain architecture and operations effectively,
- confirming that deposits and withdrawals to and from L2 don’t allow double spending,
- ensuring the token rate is immune to manipulation,
- verifying the accuracy of the system’s arithmetic,
- and identifying common issues such as data validation problems.
SCOPE
The audit was conducted on the commit 9d6f66c, encompassing the following files:
- contracts/lido/TokenRateNotifier.sol
- contracts/optimism/CrossDomainEnabled.sol
- contracts/optimism/L1ERC20ExtendedTokensBridge.sol
- contracts/optimism/L1LidoTokensBridge.sol
- contracts/optimism/L2ERC20ExtendedTokensBridge.sol
- contracts/optimism/OpStackTokenRatePusher.sol
- contracts/optimism/RebasableAndNonRebasableTokens.sol
- contracts/optimism/TokenRateOracle.sol
- contracts/token/ERC20Bridged.sol
- contracts/token/ERC20BridgedPermit.sol
- contracts/token/ERC20Core.sol
- contracts/token/ERC20Metadata.sol
- contracts/token/ERC20RebasableBridged.sol
- contracts/token/ERC20RebasableBridgedPermit.sol
- contracts/token/PermitExtension.sol
FINDINGS
Below are our findings from the audit.
Critical severity
No critical severity issues were identified.
High severity
No high severity issues were identified.
Medium severity
No medium severity issues were identified.
Low severity
L1: Token rate precision is insufficient
L2: unwrap tokens amount in event is inconsistent
Warning severity
W1: Implementation of solc optimizer
W2: ERC-20 transferFrom triggers Approval
W3: Incorrect comments
W4: Limited use case for ERC-2612 with ERC-1271
W5: Use of deprecated function
W6: Initializers are vulnerable to front-running
W7: Linear calculation of allowed token rate deviation
W8: Inadequate data validation
Information severity
I1: Uncached .length in for loop
I2: Inconsistent order of modifiers
I3: Redundant code
I4: Typographical errors
I5: _mintShares can return tokensAmount to reduce gas usage
CONCLUSION
Our audit yielded 15 findings, ranging from Information to Low severity, with L1 being the most severe.
Ackee Blockchain advises Lido Finance to:
- verify the arithmetic to minimize rounding errors
- ensure that permits are compatible with smart accounts
- carry out thorough data validation
- correct minor issues with documentation, adhering to best practices and improving overall code quality
The complete Lido Finance audit report by Ackee Blockchain, including a detailed overview of all findings and recommendations, is available here.
We were pleased to conduct the audit for Lido Finance and look forward to future collaborations.
Dutch
English
French
German
Greek
Italian
Portuguese
Russian
Spanish