Lido CSM Audit Summary – Ackee Blockchain

By Crypto Flexs | October 20, 2024 | 6 Mins Read

The Lido Community Staking Module (CSM) is a permissionless module that allows community stakers to run Ethereum validators with a low cost of entry. Stakers provide stETH bonds that act as security collateral and receive rewards in the form of bond rebasing and staking rewards (including execution layer rewards) that are socialized across Lido’s staking module. Lido Staking Router (SR) V2 is a component that utilizes a modular design to support staking modules such as CSM.

Ackee Blockchain Security assigned two specialized teams to audit the Lido CSM updates. One team focused on the Community Staking Module (CSM) and the other on the Staking Router (SR). The Lido CSM update itself is divided into two parts: new contracts for the CSM codebase, which are in separate repositories, and changes to existing core contracts, such as SR. To ensure a thorough and efficient review, the two teams audited the two parts simultaneously, covering the security aspects of CSM and SR respectively.

Across both reports, Ackee Blockchain Security found 46 issues, 32 of which were fixed by Lido Finance.

Lido Finance collaborated with Ackee Blockchain Security to conduct a security review of the Lido Finance Community Staking module for a total of 74 engineering days from July 16 to September 6, 2024.

Lido Finance also partnered with Ackee Blockchain Security to conduct a security review of the Lido Finance Staking Router for a total of 26 engineering days from July 22 to August 23, 2024.

Both engagements included fuzzing with the Wake framework. The audits produced 7,831 lines of fuzz tests, 58 execution flows, and 36 stateful invariants. All tests are public in a test repo. The audits of CSM and SR covered 5256 and 3434 lines of code, respectively.

Methodology

The CSM methodology includes the review, implementation, and execution of manually guided differential stateful fuzz tests in the Wake testing framework to verify the correctness of the system. Ackee conducted a thorough manual review of the code, focusing on the following aspects:

  • Bonds provided by node operators are properly accounted for and cannot be stolen from any account.
  • The system does not have any underflow/overflow issues that could lead to incorrect state updates.
  • Permissionless functions cannot be abused to put node operators into unintended states or to perform actions on contracts.
  • Node operators cannot hold invalid keys and cannot disrupt system functionality.
  • CSM cannot cause a denial of service to other staking modules and the logic responsible for key storage.
  • Node operators can withdraw their rewards and uncollateralized funds without any problems.
  • It is not possible to falsify evidence of a validator's deletion or withdrawal, that is, evidence that is not true but is nevertheless accepted by the smart contract.
  • The system does not suffer from denial of service attacks from node operators spamming transactions.
  • Access controls are neither overly restrictive nor lax and are appropriately enforced across all critical functions.
  • Node operators cannot earn more rewards than specified in the reward distribution report.
  • If there are not enough votes to reach the configured quorum, the reward distribution report cannot be approved.
  • Node operators cannot break a module’s logic by putting the validator in an unexpected state.

Manual review was performed concurrently with the Staking Router audit, which Ackee Blockchain Security also conducted. Any issues that could be of medium or higher severity were reported to the Lido team immediately. The descriptions of these issues in the report include the date they were reported. The review was concluded using static analysis tools, including Wake.

The SR methodology involves creating a Python model of the Lido protocol using the new Curated Staking module (NodeOperatorsRegistry) and the Community Staking Module (CSM) as modules. All in-scope contracts, including the CSM codebase, were deployed, and the rest of the protocol architecture was forked from mainnet. On top of the Python model, Ackee built a manually guided fuzzing campaign using flows implemented for each function in the contracts. Finally, stateful invariants were defined, the most notable being:

  • The state of the Python model is equivalent to the state of the contracts (differential testing approach).
  • Invariants on the number of keys (e.g., the number of deposited keys is always less than or equal to the number of vetted keys).
  • More stateless checks, such as correct incrementing of the nonce and correct event emission.
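
The differential approach and the invariants listed above can be sketched in plain Python. This is an added example, not Ackee's or Lido's code and not the Wake API: the Registry class, its clamp_deposits switch, and the flow names are hypothetical stand-ins for a deployed contract, with a deliberately seeded bug for the harness to find.

```python
import random

class Registry:
    """Stand-in for the contract under test (constructed, not Lido code)."""
    def __init__(self, clamp_deposits=True):
        self.added = self.vetted = self.deposited = self.nonce = 0
        self.clamp_deposits = clamp_deposits  # False seeds a bug to be found
    def add_keys(self, n):
        self.added += n
        self.nonce += 1

    def vet(self, n):  # vetted = keys examined and approved for deposit
        self.vetted = min(self.added, self.vetted + n)
        self.nonce += 1

    def deposit(self, n):
        room = self.vetted - self.deposited
        self.deposited += min(n, room) if self.clamp_deposits else n
        self.nonce += 1
    def state(self):
        return (self.added, self.vetted, self.deposited, self.nonce)

def model_step(state, flow, n):
    """Independent pure-Python model: returns the expected next state."""
    added, vetted, deposited, nonce = state
    if flow == "add_keys":
        added += n
    elif flow == "vet":
        vetted = min(added, vetted + n)
    else:  # deposit: never more than the vetted keys
        deposited = min(vetted, deposited + n)
    return (added, vetted, deposited, nonce + 1)

def fuzz(target, seed, steps=200):
    """Run random flows; return None, or (step, flow, reason) on first failure."""
    rng = random.Random(seed)
    expected = target.state()
    for step in range(steps):
        flow, n = rng.choice(["add_keys", "vet", "deposit"]), rng.randint(1, 5)
        expected = model_step(expected, flow, n)
        getattr(target, flow)(n)
        added, vetted, deposited, nonce = target.state()
        if not deposited <= vetted <= added:  # stateful key-count invariant
            return (step, flow, "invariant: deposited <= vetted <= added")
        if nonce != expected[3]:  # stateless check on the nonce
            return (step, flow, "nonce not incremented exactly once")
        if target.state() != expected:  # differential check against the model
            return (step, flow, "state differs from Python model")
    return None
```

Running fuzz(Registry(clamp_deposits=False), seed) reports the first flow that breaks the key-count invariant, while the correct Registry passes every seed.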

While reviewing staking routers, Ackee paid special attention to the following:

  • Exploring the potential attack surface of key contracts due to the introduction of permissionless staking modules;
  • New probe and suspend mechanism in DepositSecurityModule;
  • Possible malfunctions of the Guardian, including signature replay and correct nonce usage;
  • Accounting Oracle’s Multi-Transaction Step 3 Report;
  • Permissionless reward distribution by NodeOperatorsRegistry;
  • Ensuring overall access controls are neither too relaxed nor too strict;
  • Looking for common problems such as data validation.

Scope

The CSM audit was performed on commits 8ce944 and 13f78f, which are housed in the community staking module and Easy Tracking repositories respectively. The scope covered:

  • All files in the src directory except src/interfaces in the community staking module repository;
  • contract/EVMScriptFactories/CSMSettleELStealingPenalty.sol in the Easy Tracking repository.

The SR audit was performed on commit fafa23, with the following files in scope:

  • contract/0.4.24/nos/NodeOperatorsRegistry.sol
  • contract/0.8.9/DepositSecurityModule.sol
  • contract/0.8.9/StakeRouter.sol
  • contract/common/lib/MinFirstAllocationStrategy.sol
  • contract/0.8.9/oracle/AccountingOracle.sol
  • contract/0.8.9/sanity_checks/OracleReportSanityChecker.sol

Findings

The Lido CSM and SR reviews revealed a total of 46 issues, 32 of which were resolved by Lido Finance.

| Critical | High | Medium | Low | Informational | Warning | Total |
|----------|------|--------|-----|---------------|---------|-------|
| 0        | 0    | 1      | 11  | 18            | 16      | 46    |

Conclusion

The review resulted in 46 findings ranging from informational to medium severity, and 32 of the 46 findings were corrected by Lido Finance. The most severe finding, M1, causes valid keys that are covered by bond not to be deposited, incorrectly preventing node operators from creating new validators in certain circumstances.

Ackee Blockchain Security recommends that Lido Finance:

  • Ensure that off-chain services operate as expected to achieve security guarantees in the system.
  • Be careful when using unsafe functions and functions that do not properly update all internal state, such as CSAccounting.updateBondCurve or CSAccounting.setBondCurve.
  • Avoid using unchecked blocks that rely heavily on the correctness of external contracts, as violating the assumptions can lead to serious vulnerabilities.
  • Ensure that contracts are deployed and initialized atomically so that front-running of the initialization function is not possible.
  • Resolve any reported issues.

Ackee Blockchain Security’s full Lido Finance CSM audit report can be found here. The Lido Finance SR report can be found here.

We were delighted to thank Lido Finance and look forward to working with them again.
