Stonks is a sophisticated solution designed for token exchanges, leveraging the offchain CoW Swap platform. This system enables a specialized Token Management Committee within the DAO framework to safely conduct token swaps without ever taking custody of the tokens on their balance.
Revision 1.0
Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Stonks contracts with a total time allocation of 7 engineering days, between January 28 and February 5, 2024.
Revision 1.1
The fix review was done on the commit 4c51f22. The issues M1, W1, W3, I1, I2, I3, and I4 were fixed according to our recommendations. Warnings W2 and W4 were acknowledged as unlikely given the client's intended deployment and token set.
Revision 1.2
Lido Finance engaged Ackee Blockchain to verify that the contracts deployed on the Ethereum mainnet correspond to the reviewed codebase. The verification was performed on the commit 40af0bb, which contains only minor changes since the last review for the scoped contracts:
- Stonks
- StonksFactory
- AmountConverter
- AmountConverterFactory
- Order
METHODOLOGY
Lido Stonks contracts were tested with a differential fuzz test written in the Wake testing framework.
We began our review with static analysis tools, including Wake, and then took a deep dive into the logic of the contracts. In parallel, we used the Wake testing framework to implement a differential fuzz test running against a mainnet fork, with the Chainlink price feeds simulated.
During the review, we paid special attention to:
- the correctness of the Chainlink integration,
- compliance with EIP-1271 standard,
- ensuring the arithmetic of the system is correct,
- detecting possible reentrancies in the code,
- ensuring access controls are not too relaxed or too strict,
- looking for common issues such as missing or insufficient input validation,
- searching for possible gas optimizations.
SCOPE
The audit was performed on the commit edf39c7 and the exact scope was the following files:
Revision 1.0: The audit was initially performed on the commit edf39c7.
Revision 1.1: The review then continued on the last provided commit: 4c51f22.
Revision 1.2: The review was performed on the commit 40af0bb.
FINDINGS
During the fuzz testing, we found issues M1, W1, and W3.
Critical severity
No critical severity issues were found.
High severity
No high severity issues were found.
Medium severity
M1: SafeERC20 not used for approve
Low severity
No low severity issues were found.
Warning severity
W1: MIN_POSSIBLE_BALANCE inadequate logic
W2: Chainlink feed registry mainnet-only
W3: InvalidExpectedOutAmount reverts
W4: Stablecoins assumed stable
Information severity
I1: Unused code
I2: Missing event
I3: Duplicated code
I4: Typos and documentation
CONCLUSION
Our review resulted in 9 findings, ranging from Info to Medium severity.
The most severe one breaks the protocol when working with non-standard ERC-20 tokens like USDT (see M1). The overall code quality is solid, follows best practices, and contains proper data validations. The code is fully covered with detailed NatSpec documentation, and developers provided a comprehensive specification for onboarding.
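The failure mode behind M1 and the recommended fix, shown as an added example that is neither Lido Stonks code nor part of the Ackee report. The `NonStandardToken` stub is constructed here to mimic mainnet USDT: its `approve` returns no value and refuses to change a non-zero allowance to another non-zero value. The imports assume OpenZeppelin Contracts v5 (`forceApprove` exists from v4.9 onward).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Lido Stonks code. Assumes OpenZeppelin Contracts v5.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Constructed stand-in for a USDT-like token: approve() has no return
///         value, and a non-zero allowance must be reset to 0 before it can be
///         changed to another non-zero value.
contract NonStandardToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external {
        require(
            !(value != 0 && allowance[msg.sender][spender] != 0),
            "reset allowance to 0 first"
        );
        allowance[msg.sender][spender] = value;
    }
}

/// @notice The pattern flagged by M1. IERC20.approve declares a bool return, so
///         the compiler checks that at least 32 bytes of return data came back.
///         A token that returns nothing fails that check and the call reverts,
///         so no order can ever be placed for such a token.
contract BrokenApprover {
    function setAllowance(address token, address spender, uint256 amount) external {
        IERC20(token).approve(spender, amount); // reverts for NonStandardToken
    }
}

/// @notice The recommended fix. forceApprove tolerates empty return data and,
///         if the plain approve call fails, resets the allowance to 0 and
///         approves again, which also satisfies the USDT-style reset rule.
contract SafeApprover {
    using SafeERC20 for IERC20;

    function setAllowance(address token, address spender, uint256 amount) external {
        IERC20(token).forceApprove(spender, amount);
    }
}
```

Deploying `NonStandardToken` and calling `BrokenApprover.setAllowance` with any amount reverts on the return-data check; `SafeApprover.setAllowance` succeeds both on the first approval and when moving from one non-zero allowance to another.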
Ackee Blockchain recommends Lido Finance to:
- use SafeERC20.forceApprove or SafeERC20.safeIncreaseAllowance instead of ERC20.approve,
- be aware of Chainlink data feed limitations (deviation threshold, typical heartbeat) that may be the limiting factor for fairness evaluation,
- avoid assuming stablecoins are always valued at 1 USD,
- address all other reported issues.
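What the heartbeat and deviation-threshold caveat means in code, as an added example that is not Lido Stonks code and not taken from the report. The `IAggregatorV3` interface is a minimal inline copy of Chainlink's `AggregatorV3Interface` so the file compiles without the `@chainlink/contracts` dependency; the `heartbeat` and `deviationBps` values are per-feed parameters that Chainlink publishes for each feed and are passed in by the deployer here rather than assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a feed-freshness check, not Lido Stonks code.
// Minimal subset of Chainlink's AggregatorV3Interface, declared inline.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Reads a Chainlink feed and rejects stale or invalid answers, then
///         derives a conservative minimum output for a swap. A feed is only
///         guaranteed to update every `heartbeat` seconds or when the price
///         moves by more than `deviationBps`, so a valid answer may still lag
///         the market by up to the heartbeat and be off by up to the deviation.
contract FreshPrice {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);

    IAggregatorV3 public immutable feed;
    uint256 public immutable heartbeat;    // seconds, published per feed by Chainlink
    uint256 public immutable deviationBps; // basis points, published per feed by Chainlink

    // Slack for block-timing jitter after a heartbeat update (assumed value).
    uint256 public constant GRACE = 15 minutes;

    constructor(IAggregatorV3 feed_, uint256 heartbeat_, uint256 deviationBps_) {
        require(deviationBps_ < 10_000, "deviation out of range");
        feed = feed_;
        heartbeat = heartbeat_;
        deviationBps = deviationBps_;
    }

    /// @return price Latest answer scaled to `feed.decimals()`; reverts if the
    ///         answer is non-positive or older than heartbeat + GRACE.
    function latestPrice() public view returns (uint256 price) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        uint256 maxAge = heartbeat + GRACE;
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
        price = uint256(answer);
    }

    /// @notice Minimum acceptable output for `amountIn`, widened by the feed's
    ///         deviation threshold plus a caller-chosen extra margin, both in bps.
    function minOut(
        uint256 amountIn,
        uint256 extraMarginBps,
        uint8 tokenInDecimals,
        uint8 tokenOutDecimals
    ) external view returns (uint256) {
        require(deviationBps + extraMarginBps < 10_000, "margin out of range");
        uint256 price = latestPrice();
        // Literal bases are exponentiated in uint256, so no uint8 overflow here.
        uint256 raw = (amountIn * price * 10 ** tokenOutDecimals)
            / (10 ** feed.decimals() * 10 ** tokenInDecimals);
        return (raw * (10_000 - deviationBps - extraMarginBps)) / 10_000;
    }
}
```

The staleness bound is the feed's own heartbeat plus a small grace period rather than a fixed constant, so a feed with a 24-hour heartbeat is not rejected as stale after one hour, and a 1-hour feed is not accepted a day later. Subtracting the deviation threshold from the expected output encodes the fact that the on-chain price can legitimately trail the market by that much before the feed is obliged to update.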
Ackee Blockchain’s full Lido Finance audit report with a more detailed description of all findings and recommendations can be found here.
We were delighted to audit Lido Finance and look forward to working with them again.