Lido Stonks Audit Summary

Stonks is a sophisticated solution designed for token exchanges, leveraging the offchain CoW Swap platform. This system enables a specialized Token Management Committee within the DAO framework to safely conduct token swaps without ever taking custody of the tokens on their balance.

Revision 1.0

Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance protocol with a total time donation of 7 engineering days in a period between January 28 and February 5, 2024.

Revision 1.1

The fix review was done on the given commit: 4c51f22. The issues M1, W1, W3, I1, I2, I3, and I4 were fixed according our recommendations. Warnings W2 and W4 were acknowledged as unlikely, regarding the client’s intentions.

Revision 1.2

Lido Finance engaged Ackee Blockchain to verify that contracts deployed on the Ethereum mainnet correspond to the reviewed codebase. The verification was performed on the commit 40af0bb with minor changes since the last review for the scoped contracts:

Stonks

StonksFactory

AmountConverter

AmountConverterFactory

Order

METHODOLOGY

Lido Stonks contracts were tested with a differential fuzz test written in the Wake testing framework.

We began our review using static analysis tools, including Wake. We then took a deep dive into the logic of the contracts. In parallel, we have involved Wake testing framework for implementing a differential fuzz test with fork testing, including Chainlink simulations.

During the review, we paid special attention to:

the correctness of the Chainlink integration,
compliance with EIP-1271 standard,
ensuring the arithmetic of the system is correct,
detecting possible reentrancies in the code,
ensuring access controls are not too relaxed or too strict,
looking for common issues such as data validations,
searching for possible gas optimizations.

Revision 1.1

Revision 1.2

Stonks
StonksFactory
AmountConverter
AmountConverterFactory
Order

SCOPE

The audit has been performed on the commit edf39c7 and the exact scope was the following files:

Revision 1.0: The audit was initially performed on the commit edf39c7.

Revision 1.1: The review then continued on the last provided commit: 4c51f22.

Revision 1.2: The review was performed on the commit 40af0bb.

FINDINGS

During the fuzz testing, we found issues M1, W1, and W3.

Critical severity

No critical severity issues were found.

High severity

No high severity issues were found.

Medium severity

M1: SafeERC20 not used for approve

Low severity

No low severity issues were found.

Warning severity

W1: MIN_POSSIBLE_BALANCE inadequate logic

W2: Chainlink feed registry mainnet-only

W3: InvalidExpectedOutAmount reverts

W4: Stablecoins assumed stable

Information severity

I1: Unused code

I2: Missing event

I3: Duplicated code

I4: Typos and documentation

CONCLUSION

Our review resulted in 9 findings, ranging from Info to Medium severity.

The most severe one breaks the protocol when working with non-standard ERC-20 tokens like USDT (see M1). The overall code quality is solid, follows best practices, and contains proper data validations. The code is fully covered with detailed NatSpec documentation, and developers provided a comprehensive specification for onboarding.

Ackee Blockchain recommends Lido Finance to:

use SafeERC20.forceApprove or SafeERC20.safeIncreaseAllowance instead of ERC20.approve,
be aware of Chainlink data feed limitations (deviation threshold, typical heartbeat) that may be the limiting factor for fairness evaluation,
avoid assuming stablecoins are always valued at 1 USD,
address all other reported issues.

Ackee Blockchain’s full Lido Finance audit report with a more detailed description of all findings and recommendations can be found here.

We were delighted to audit Lido Finance and look forward to working with them again.

Ethereum Lido Wake

METHODOLOGY

SCOPE