Everstake is a blockchain infrastructure provider operating validators across multiple networks. The ETH2 Batch Deposit Contract allows consolidating multiple validator deposits into a single transaction and forwarding them atomically to the official ETH2 Deposit Contract.

Everstake engaged Ackee Blockchain Security to perform a security review of the Everstake ETH2 Batch Deposit Contract with a total time donation of 2 engineering days in a period between November 11 and November 14, 2025.

Everstake then engaged Ackee Blockchain Security to perform a fix review of the findings from the previous revision.

METHODOLOGY

  1. Verification of technical specification
    The audit scope is confirmed with the client, and auditors are onboarded to the project. Provided documentation is reviewed and compared to the audited system.
  2. Tool-based analysis
    A deep check with the Solidity static analysis tool Wake, together with the Solidity (Wake) extension, is performed, flagging potential vulnerabilities for further analysis early in the process.
  3. Manual code review
    Auditors manually check the code line by line, identifying vulnerabilities and code quality issues. The main focus is on recognizing potential edge cases and project-specific risks.
  4. Local deployment and hacking
    Contracts are deployed in a local Wake environment, where targeted attempts to exploit vulnerabilities are made. The contracts’ resilience against various attack vectors is evaluated.
  5. Unit and fuzz testing
    Unit tests are run to verify expected system behavior. Additional unit or fuzz tests may be written using the Wake framework if any coverage gaps are identified. The goal is to verify the system’s stability under real-world conditions and ensure robustness against both expected and unexpected inputs.
  6. Wake-AI assisted vulnerability discovery
    As the last step, the scope is checked against Wake AI, an LLM-powered audit tool, to identify potentially missed vulnerabilities. This step is executed at the end of the audit process to avoid distracting auditors from manual review.

We began our review using static analysis tools, including Wake. We then performed a thorough manual review of the code, especially focusing on integration with the canonical ETH2 Deposit Contract. During the review, we paid special attention to:

  • ensuring no griefing or front-running attacks are possible;
  • ensuring interactions with external contracts are correctly implemented;
  • ensuring compatibility with recent Ethereum protocol updates;
  • verifying the arithmetic of the system is correct;
  • looking for common issues such as data validation.

At the end of the review, we engaged Wake AI, which discovered issue I2.

SCOPE

The audit was performed on the commit c2c12ba[1] in the contracts repository and the scope was the following:

  • contracts/ETH2BatchDepositConsolidation.sol

The contract in scope was also deployed at the 0x4ff41fa0f4e77129c4c0607994050473c2067e6d address on Mainnet.

FINDINGS

The classification of a security finding is determined by two sub-ratings: Impact and Likelihood. This two-dimensional rating reduces noise in issue severity without losing any information. The likelihood factor usually lowers the severity of medium issues that the team would only acknowledge to Informational or Warning.

Our review resulted in 2 findings of Informational severity:

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

No medium severity issues were found.

Low severity

No low severity issues were found.

Warning severity

No warning severity issues were found.

Informational severity

I1: Limited deposit validation

I2: Missing cumulative deposit funds check

TRUST MODEL

The contract is permissionless and introduces no additional trust assumptions beyond the official ETH2 Deposit Contract.

CONCLUSION

Ackee Blockchain Security recommended that Everstake:

    • investigate the findings and severity of the issues;
    • read and review the complete audit report; and
    • address all identified issues.

Ackee Blockchain Security’s full Everstake ETH2 Batch Deposit Contract audit report can be found here.

We were delighted to audit Everstake and look forward to working with them again.