Lido Triggerable Withdrawal Audit – Ackee Blockchain

By Crypto Flexs, November 20, 2025

Lido is a decentralized liquid staking protocol for Ethereum. Triggerable withdrawals are a new feature based on the EIP-7002 standard that allows validators deposited through the Lido protocol to be exited from the execution layer.

The main purpose of triggerable withdrawals is to let the Lido DAO withdraw funds locked in a validator when the node operator refuses to submit an exit request. The feature became available after EIP-7002 was activated on mainnet.

Triggering a withdrawal is permissionless. However, the caller must either provide report data whose hash matches a hash that was previously submitted through Easy Track, or trigger the exit after the Oracle has provided the report data.


Lido engaged Ackee Blockchain Security to conduct a security review of Lido Triggerable Withdrawals, with a total of 38 engineering days spent between June 5 and July 14, 2025. Ten of those engineering days were allocated to manually guided fuzzing using Wake.

Lido then engaged Ackee Blockchain Security to review the fixes made in response to the findings of the first review. This fix review was conducted between July 23 and July 25, 2025, and revealed no new findings.

Lido conducted a third review with Ackee Blockchain Security, this time spending 0.5 engineering days between September 8 and September 16, 2025, to review the changes made since the previous review. No new findings were identified.

Methodology

We began our review by implementing and running manually guided differential fuzz tests in Wake to verify the correctness of the new features and ensure that the changes did not break existing invariants. Fuzzing was conducted targeting contracts that were forked from the mainnet and related contracts that were upgraded to the latest version. This ensures full compatibility with mainnet deployments. Two staking modules were used to test the triggerable withdrawal feature: Node Operator Registry and Community Staking Module v2. More information about the fuzzing process can be found in the full audit report linked at the end of this article.

In parallel, we performed an in-depth manual review of the code, focusing in particular on the triggerable withdrawal functionality, compatibility with EIP-7002, and the code changes made since the last audit (commit 1ffbb7e). During the review we focused on:

  • the permissionless mechanism that triggers validator exits;
  • compatibility with EIP-7002;
  • new attack vectors introduced by the triggerable withdrawal functionality;
  • the permissionless mechanism for reporting validators that exited late;
  • ensuring that all state variables are updated appropriately and that no invariants are broken;
  • ensuring that access controls are neither too lax nor too strict; and
  • looking for common issues such as missing data validation.

Static analysis tools were also used to review the code, which yielded findings I4 and I5.

Scope

The first audit was performed on commit 628c873 of the core repository. The scope was:

  • contracts/0.4.24/nos/NodeOperatorRegistry.sol
  • contracts/0.8.9/LidoLocator.sol
  • contracts/0.8.9/StakingRouter.sol
  • contracts/0.8.9/TriggerableWithdrawalsGateway.sol
  • contracts/0.8.9/WithdrawalVault.sol
  • contracts/0.8.9/WithdrawalVaultEIP7002.sol
  • contracts/0.8.9/oracle/AccountingOracle.sol
  • contracts/0.8.9/oracle/ValidatorsExitBus.sol
  • contracts/0.8.9/oracle/ValidatorsExitBusOracle.sol
  • contracts/0.8.9/lib/ExitLimitUtils.sol
  • contracts/0.8.25/lib/BeaconTypes.sol
  • contracts/0.8.25/lib/GIndex.sol
  • contracts/0.8.25/lib/SSZ.sol
  • contracts/0.8.25/ValidatorExitDelayVerifier.sol

The initial review commit was 8beee97; it was changed to 628c873 four days after the start of the audit.

Security findings are classified along two dimensions: Impact and Probability. This two-dimensional rating gives a less noisy view of an issue's severity without losing information. The Probability factor lowers the severity of borderline issues, which the team typically classifies as Informational or Warning.

The results of our review: 11 findings were identified, with severity ranging from Informational to Low. The most severe findings, L1 and L2, concern, respectively, the limited responsiveness of the system when the exit-limiting configuration parameters are changed, and inconsistencies in the total number of exit requests processed. The overall code quality is high, with comprehensive documentation and good architecture.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

No medium severity issues were found.

Low severity

L1: Exit limits updated inconsistently when the configuration changes

L2: Inconsistent calculation of total requests processed

Warning severity

W1: Call to unimplemented function

W2: Missing interface inheritance

W3: Outdated IConsensusContract interface

W4: _setExitDeadlineThreshold underflow

Informational severity

I1: Code optimization

I2: Missing event emission

I3: Missing context in NatSpec of deprecated function

I4: Unused error

I5: Deprecated using-for directive

Trust model

Lido allows permissionless triggering of a validator exit once the validator is included in a report submitted via Easy Track or via the Oracle. The protocol therefore relies on two trusted components, Easy Track and the Oracle, to submit exit reports.

The flow to trigger validator termination via Easy Track is as follows:

  1. The hash of the report is submitted by an address holding the SUBMIT_REPORT_HASH_ROLE role, which is assigned to Easy Track;
  2. Anyone can submit the report data whose hash matches the hash provided in the first step; and
  3. Anyone can trigger the exit of any validator included in the report.

The flow to trigger validator termination via Oracle is as follows:

  1. The hash of the report is submitted through consensus agreement;
  2. The report data is submitted by an address holding the SUBMIT_DATA_ROLE role or by a consensus member; and
  3. Anyone can trigger the exit of any validator included in the report.

Easy Track is an on-chain component that performs lightweight voting: a proposal passes unless the minimum objection threshold is reached.

The Trigger Exits Bot is an off-chain component that ensures withdrawal requests are not unnecessarily delayed, so that users experience a smooth exit.

The Validator Late Prover Bot is an automated tool that detects and reports validators that fail to exit within the required period after an exit was requested.

Addresses holding the ADD_FULL_WITHDRAWAL_REQUEST_ROLE role can submit withdrawal requests through the Triggerable Withdrawals Gateway.

To call the Staking Router functions, the caller's address must be granted a specific role.
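The two flows above share one pattern: a trusted party commits a report hash, the report data is revealed and checked against that hash, and only then can anyone trigger exits for validators that appear in the revealed report. The following Python model is an added example, not Lido's code: the class and method names, the role strings used as plain labels, the JSON report encoding, the quorum rule for the Oracle flow, and the use of SHA3-256 in place of keccak256 are all assumptions made so the example runs offline. It shows why the permissionless steps are safe only because of the earlier hash commitment: data that does not match a committed hash, and validators that are not in a revealed report, are rejected.

```python
"""Toy model of Lido-style report commit/reveal flows (constructed example, not Lido code)."""
import hashlib
import json
from typing import Callable, Dict, List, Set

# Role labels reuse the names from the trust-model description; the check itself is a toy.
SUBMIT_REPORT_HASH_ROLE = "SUBMIT_REPORT_HASH_ROLE"
SUBMIT_DATA_ROLE = "SUBMIT_DATA_ROLE"


def encode_report(validators: List[str]) -> bytes:
    """Canonical report encoding. Assumption: sorted JSON stands in for the real ABI encoding."""
    return json.dumps(sorted(validators)).encode()


def report_hash(data: bytes) -> bytes:
    """Assumption: SHA3-256 stands in for the keccak256 used on-chain."""
    return hashlib.sha3_256(data).digest()


class AccessDenied(Exception):
    """Caller lacks the role or quorum required for a gated step."""


class InvalidReport(Exception):
    """Data does not match a committed hash, or validator is not in a revealed report."""


class ExitBus:
    """Hypothetical exit bus: commit hash -> reveal data -> permissionless exit trigger."""

    def __init__(self, roles: Dict[str, Set[str]], consensus_members: Set[str], quorum: int):
        self.roles = roles                       # address -> set of role labels
        self.consensus_members = consensus_members
        self.quorum = quorum
        self.committed: Dict[bytes, str] = {}    # report hash -> "easytrack" | "oracle"
        self.revealed: Dict[bytes, Set[str]] = {}  # report hash -> validators in the report
        self.exited: Set[str] = set()

    def _has_role(self, who: str, role: str) -> bool:
        return role in self.roles.get(who, set())

    # Easy Track flow, step 1: only the SUBMIT_REPORT_HASH_ROLE holder may commit a hash.
    def submit_report_hash(self, caller: str, h: bytes) -> None:
        if not self._has_role(caller, SUBMIT_REPORT_HASH_ROLE):
            raise AccessDenied(f"{caller} cannot submit report hashes")
        self.committed[h] = "easytrack"

    # Oracle flow, step 1: the hash is accepted only with a consensus quorum (toy quorum rule).
    def submit_consensus_report_hash(self, voters: List[str], h: bytes) -> None:
        if len(set(voters) & self.consensus_members) < self.quorum:
            raise AccessDenied("consensus quorum not reached")
        self.committed[h] = "oracle"

    # Step 2: reveal data. It must hash to a committed value; the Oracle flow also gates the caller.
    def submit_report_data(self, caller: str, data: bytes) -> bytes:
        h = report_hash(data)
        source = self.committed.get(h)
        if source is None:
            raise InvalidReport("no committed hash matches this report data")
        if source == "oracle" and not (
            self._has_role(caller, SUBMIT_DATA_ROLE) or caller in self.consensus_members
        ):
            raise AccessDenied(f"{caller} may not submit Oracle report data")
        self.revealed[h] = set(json.loads(data))
        return h

    # Step 3: anyone may trigger, but only for validators in a revealed report.
    def trigger_exit(self, caller: str, h: bytes, validator: str) -> bool:
        validators = self.revealed.get(h)
        if validators is None or validator not in validators:
            raise InvalidReport(f"{validator} is not part of a revealed report")
        self.exited.add(validator)
        return True


def raises(exc: type, fn: Callable, *args) -> bool:
    """True if calling fn(*args) raises exc; used to show rejected steps."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> Set[str]:
    """Walk the Easy Track flow with constructed sample data and return the exited set."""
    bus = ExitBus(roles={"easytrack": {SUBMIT_REPORT_HASH_ROLE}}, consensus_members=set(), quorum=1)
    data = encode_report(["0xaa", "0xbb"])  # constructed validator identifiers
    bus.submit_report_hash("easytrack", report_hash(data))
    h = bus.submit_report_data("anyone", data)  # reveal is permissionless but hash-checked
    bus.trigger_exit("anyone", h, "0xaa")       # trigger is permissionless for listed validators
    return bus.exited


if __name__ == "__main__":
    print(demo())
```

The two gates that matter are the hash commitment and the membership check in the revealed report; everything after the commitment can be left permissionless because a caller cannot substitute different data or exit a validator the trusted component did not list.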

Conclusion

Ackee Blockchain Security recommended that Lido Finance:

  • ensure that contract upgrades and initialization occur atomically, to prevent pre-emptive attacks that could lead to loss of control over the contract;
  • always inherit from an interface in the contract that implements it; and
  • address all identified issues.

Ackee Blockchain Security’s full Lido Finance Triggerable Withdrawals audit report can be found here.

We thank Lido Finance for the opportunity to work together and look forward to working with them again.
