{"id":812,"date":"2024-06-25T18:00:42","date_gmt":"2024-06-25T16:00:42","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=812"},"modified":"2024-07-19T14:38:03","modified_gmt":"2024-07-19T12:38:03","slug":"lido-stonks-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/lido-stonks-audit-summary\/","title":{"rendered":"Lido Stonks Audit Summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Stonks is a sophisticated solution designed for token exchanges, leveraging the offchain CoW Swap platform. This system enables a specialized Token Management Committee within the DAO framework to safely conduct token swaps without ever taking custody of the tokens on their balance.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Revision 1.0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance protocol with a total time allocation of 7 engineering days in a period between January 28 and February 5, 2024.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Revision 1.1<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The fix review was done on the given commit: <code class=\"codehl\">4c51f22<\/code>. The issues M1, W1, W3, I1, I2, I3, and I4 were fixed according to our recommendations. Warnings W2 and W4 were acknowledged as unlikely given the client\u2019s intentions.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Revision 1.2<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Lido Finance engaged Ackee Blockchain to verify that contracts deployed on the Ethereum mainnet correspond to the reviewed codebase. 
The verification was performed on the commit <code class=\"codehl\">40af0bb<\/code> with minor changes since the last review for the scoped contracts:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Stonks<\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">StonksFactory<\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">AmountConverter<\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">AmountConverterFactory<\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Order<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Lido Stonks contracts were tested with a differential fuzz test written in the <a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\">Wake<\/a> testing framework.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We began our review using static analysis tools, including Wake. We then took a deep dive into the logic of the contracts. 
In parallel, we used the Wake testing framework to implement a differential fuzz test with fork testing, including Chainlink simulations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the correctness of the Chainlink integration,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">compliance with the EIP-1271 standard,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the arithmetic of the system is correct,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">detecting possible reentrancies in the code,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed or too strict,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as missing data validation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">searching for possible gas optimizations.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The audit was performed on the commit <code class=\"codehl\">edf39c7<\/code> and the exact scope was the following files:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Revision 1.0: The audit was initially performed on the commit <code class=\"codehl\">edf39c7<\/code>.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Revision 1.1: The review then continued on the last provided commit: <code class=\"codehl\">4c51f22<\/code>.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Revision 1.2: The review was performed on the commit <code class=\"codehl\">40af0bb<\/code>.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">During the fuzz testing, we found issues M1, W1, and W3.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Medium 
severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">M1: <code class=\"codehl\">SafeERC20<\/code> not used for approve<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No low severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">W1: <code class=\"codehl\">MIN_POSSIBLE_BALANCE<\/code> inadequate logic<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W2: Chainlink feed registry mainnet-only<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W3: <code class=\"codehl\">InvalidExpectedOutAmount<\/code> reverts<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W4: Stablecoins assumed stable<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Information severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">I1: Unused code<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I2: Missing event<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I3: Duplicated code<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I4: Typos and documentation\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Our review resulted in 9 findings, ranging from Info to Medium severity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The most severe one breaks the protocol when working with non-standard ERC-20 tokens like USDT (see M1). The overall code quality is solid, follows best practices, and contains proper data validations. 
The code is fully covered with detailed NatSpec documentation, and developers provided a comprehensive specification for onboarding.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain recommends Lido Finance to:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">use <code class=\"codehl\">SafeERC20.forceApprove<\/code>\u00a0or <code class=\"codehl\">SafeERC20.safeIncreaseAllowance<\/code> instead of <code class=\"codehl\">ERC20.approve<\/code>,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">be aware of Chainlink data feed limitations (deviation threshold, typical <\/span><span style=\"font-weight: 400;\">heartbeat) that may be the limiting factor for fairness evaluation,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">avoid assuming stablecoins are always valued at 1 USD,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">address all other reported issues.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain\u2019s full Lido Finance audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/lidofinance\/audits\/blob\/main\/Ackee%20Blockchain%20Lido%20Stonks%20Audit%20Report%2003-24.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit Lido Finance and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Stonks is a sophisticated solution designed for token exchanges, leveraging the offchain CoW Swap platform. This system enables a specialized Token Management Committee within the DAO framework to safely conduct token swaps without ever taking custody of the tokens on their balance. 
&nbsp; Revision 1.0 Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance protocol with a&hellip;<\/p>\n","protected":false},"author":17,"featured_media":813,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,103],"tags":[24,137,104],"class_list":["post-812","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake","tag-ethereum","tag-lido","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Lido-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/06\/Lido-600x600.png","author_info":{"display_name":"Stepan Sonsky","author_link":"https:\/\/ackee.xyz\/blog\/author\/stepan\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=812"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/812\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/813"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}