Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance stETH smart contracts for a total time donation of 15 engineering days in a period between May 6 and May 17, 2024.
Lido Finance also extended the scope to include all the contracts in the repository and all the changes that were not reviewed in the previous revisions and Ackee received an additional time donation of 1.5 engineering days to perform the security review of revision 1.3 between June 17 and June 18, 2024.
METHODOLOGY
We began our review by using static analysis tools, namely Wake. We then took a deep dive into the logic of the contracts and used Wake testing framework for cross-chain fuzzing of the protocol.
We also conducted a thorough manual review of the codebase and took a deep dive into the logic of the contracts. During the review, we paid special attention to:
- ensuring access controls are not too relaxed or too strict,
- validating the integration into the Optimism stack,
- making sure the cross-chain architecture and operations are properly secured,
- ensuring the deposits to and withdrawals from L2 cannot lead to double spending,
- making sure the token rate cannot be manipulated,
- ensuring the arithmetic of the system is correct,
- looking for common issues such as data validation.
SCOPE
The audit has been performed on the commit 9d6f66c and the exact scope was the following files:
- contracts/lido/TokenRateNotifier.sol
- contracts/optimism/CrossDomainEnabled.sol
- contracts/optimism/L1ERC20ExtendedTokensBridge.sol
- contracts/optimism/L1LidoTokensBridge.sol
- contracts/optimism/L2ERC20ExtendedTokensBridge.sol
- contracts/optimism/OpStackTokenRatePusher.sol
- contracts/optimism/RebasableAndNonRebasableTokens.sol
- contracts/optimism/TokenRateOracle.sol
- contracts/token/ERC20Bridged.sol
- contracts/token/ERC20BridgedPermit.sol
- contracts/token/ERC20Core.sol
- contracts/token/ERC20Metadata.sol
- contracts/token/ERC20RebasableBridged.sol
- contracts/token/ERC20RebasableBridgedPermit.sol
- contracts/token/PermitExtension.sol
FINDINGS
Here we present our findings.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
L1: Insufficient token rate precision
L2: unwrap inconsistent tokens amount in event
Warning severity
W1: Usage of solc optimizer
W2: ERC-20 transferFrom emits Approval
W3: False comments
W4: Limited ERC-2612 use-case with ERC-1271
W5: Use of a deprecated function
W6: Initializers can be front-run
W7: Linear calculation of the allowed token rate deviation
W8: Insufficient data validation
Information severity
I1: Uncached .length in for loop
I2: Inconsistent modifiers order
I3: Unused code
I4: Typos
I5: _mintShares can return tokensAmount to save gas
CONCLUSION
Our review resulted in 15 findings, ranging from Info to Low severity. The most severe one being L1.
Ackee Blockchain recommends Lido Finance to:
- validate the arithmetic of the system to limit rounding errors
- make sure permits are prepared for smart accounts
- implement proper data validation
- fix minor problems with the documentation, following best practices and the overall code quality
Ackee Blockchain’s full Lido Finance audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Lido Finance and look forward to working with them again.
