Lido Finance, in collaboration with Ackee Blockchain, conducted a security review of the Lido Finance stETH smart contract over a period of 15 engineering days from May 6 to May 17, 2024.
Lido Finance has also expanded the scope to include all contracts in the repository and any changes not reviewed in the previous revision, and Ackee has been awarded an additional time donation of 1.5 engineering days to perform a security review of revision 1.3 between June 17 and June 18, 2024.
methodology
We started our review using the static analysis tool Wake. We then delved deeper into the logic of the contract and used the Wake testing framework for cross-chain fuzzing of the protocol.
We also performed a thorough manual review of the codebase and delved deeply into the logic of the contract. During the review, we paid special attention to:
- Ensure that access control is neither too lax nor too strict.
- Integrated validation for the Optimism stack,
- Ensures that cross-chain architecture and operations are properly secured.
- Ensures that deposits and withdrawals to L2 do not result in double spending.
- Ensures that token prices cannot be manipulated.
- Verify that the system’s arithmetic is correct;
- I’m looking for general issues like data validation.
range
An audit was performed on the commit. 9d6f66c The exact scope is the following files:
- contract/lido/TokenRateNotifier.sol
- Contract/Optimism/CrossDomainEnabled.sol
- Contract/Optimism/L1ERC20ExtendedTokensBridge.sol
- Contract/Optimism/L1LidoTokensBridge.sol
- Contract/Optimism/L2ERC20ExtendedTokensBridge.sol
- Contract/Optimism/OpStackTokenRatePusher.sol
- Contract/Optimism/RebasableAndNonRebasableTokens.sol
- Contract/Optimism/TokenRateOracle.sol
- Contract/Token/ERC20Bridged.sol
- Contract/Token/ERC20BridgedPermit.sol
- Contract/Token/ERC20Core.sol
- Contract/Token/ERC20Metadata.sol
- Contract/Token/ERC20RebasableBridged.sol
- Contract/Token/ERC20RebasableBridgedPermit.sol
- Contract/Token/PermitExtension.sol
result
Here we present our research findings.
Critical severity
No serious problems were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
L1: Lack of token ratio precision.
L2: unwrap Inconsistent token amounts across events
Warning Severity
W1: How to use solc Optimizer
W2: ERC-20 transferFrom Release Approval
W3: False comments
W4: Limited ERC-2612 Use Cases with ERC-1271
W5: Use of deprecated functions
W6: Initialization programs can be front-run.
W7: Linear calculation of the deviation of the allowed token ratio
W8: Data validation is lacking
Information Severity
I1: Not cached .length In a for loop
I2: Inconsistent modifier order
I3: Unused code
I4: Typo
I5: _mintShares can go back tokensAmount To save gas
conclusion
Our review yielded 15 findings ranging from low to high severity, the most severe being L1.
Ackee Blockchain recommends Lido Finance as follows:
- Validates the system’s arithmetic to limit rounding errors.
- Make sure you have authorization ready for your smart account
- Implement proper data validation
- Fix minor issues with documentation and follow best practices and overall code quality.
The full Lido Finance audit report, which includes a more detailed explanation of all findings and recommendations from Ackee Blockchain, can be found here.
We are very pleased to acknowledge Lido Finance and look forward to working with them again in the future.