{"id":875,"date":"2024-07-29T12:23:53","date_gmt":"2024-07-29T10:23:53","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=875"},"modified":"2024-07-29T12:23:53","modified_gmt":"2024-07-29T10:23:53","slug":"lido-steth-on-optimism-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/lido-steth-on-optimism-audit-summary\/","title":{"rendered":"Lido stETH on Optimism Audit Summary"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance stETH smart contracts for a total time donation of 15 engineering days in a period between May 6 and May 17, 2024.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lido Finance also extended the scope to include all the contracts in the repository and all the changes that were not reviewed in the previous revisions, and Ackee received an additional time donation of 1.5 engineering days to review revision 1.3 between June 17 and June 18, 2024.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">We began our review with static analysis tools, namely <a href=\"https:\/\/getwake.io\/\" target=\"_blank\" rel=\"noopener\">Wake<\/a>. We then used the Wake testing framework for cross-chain fuzzing of the protocol, exercising the L1 and L2 sides of the bridge together.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We also conducted a thorough manual review of the codebase and took a deep dive into the logic of the contracts. 
During the review, we paid special attention to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring access controls are not too relaxed or too strict,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">validating the integration into the Optimism stack,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">making sure the cross-chain architecture and operations are properly secured,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the deposits to and withdrawals from L2 cannot lead to double spending,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">making sure the token rate cannot be manipulated,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ensuring the arithmetic of the system is correct,<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">looking for common issues such as data validation.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The audit has been performed on the commit <code class=\"codehl\">9d6f66c<\/code> and the exact scope was the following files:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/lido\/TokenRateNotifier.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/CrossDomainEnabled.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/L1ERC20ExtendedTokensBridge.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 
400;\">contracts\/optimism\/L1LidoTokensBridge.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/L2ERC20ExtendedTokensBridge.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/OpStackTokenRatePusher.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/RebasableAndNonRebasableTokens.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/optimism\/TokenRateOracle.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20Bridged.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20BridgedPermit.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20Core.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20Metadata.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20RebasableBridged.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/ERC20RebasableBridgedPermit.sol<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">contracts\/token\/PermitExtension.sol<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Here we present our findings.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No critical severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">High 
severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No high severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">No medium severity issues were found.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">L1: Insufficient token rate precision<\/span><\/p>\n<p><span style=\"font-weight: 400;\">L2: <code class=\"codehl\">unwrap<\/code> emits an inconsistent token amount in its event<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">W1: Usage of <code class=\"codehl\">solc<\/code> optimizer<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W2: ERC-20 <code class=\"codehl\">transferFrom<\/code> emits <code class=\"codehl\">Approval<\/code><\/span><\/p>\n<p><span style=\"font-weight: 400;\">W3: False comments<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W4: Limited ERC-2612 use-case with ERC-1271<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W5: Use of a deprecated function<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W6: Initializers can be front-run<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W7: Linear calculation of the allowed token rate deviation<\/span><\/p>\n<p><span style=\"font-weight: 400;\">W8: Insufficient data validation<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Information severity<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">I1: Uncached <code class=\"codehl\">.length<\/code> in for loop<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I2: Inconsistent modifiers order<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I3: Unused code<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I4: Typos<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I5: <code class=\"codehl\">_mintShares<\/code> can return <code class=\"codehl\">tokensAmount<\/code> to save 
gas<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Our review resulted in 15 findings, ranging from Info to Low severity, the most severe being L1 (Insufficient token rate precision).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain recommends that Lido Finance:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">validate the arithmetic of the system to limit rounding errors<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">make sure permits also work for smart contract accounts (ERC-1271 signers)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">implement proper data validation<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">fix minor problems with the documentation, adherence to best practices and overall code quality<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><b>Ackee Blockchain\u2019s full Lido Finance audit report with a more detailed description of all findings and recommendations can be found <a href=\"https:\/\/github.com\/Ackee-Blockchain\/public-audit-reports\/blob\/master\/2024\/ackee-blockchain-lido-steth-optimism-report.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit Lido Finance and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lido Finance engaged Ackee Blockchain to perform a security review of the Lido Finance stETH smart contracts for a total time donation of 15 engineering days in a period between May 6 and May 17, 2024. 
Lido Finance also extended the scope to include all the contracts in the repository and all the changes that were not reviewed in the previous revisions&hellip;<\/p>\n","protected":false},"author":22,"featured_media":877,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,103],"tags":[89,137,140,104],"class_list":["post-875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake","tag-audit-summary","tag-lido","tag-optimism","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/07\/lido-ETHs.png-1-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2024\/07\/lido-ETHs.png-1-600x600.png","author_info":{"display_name":"Andrey Babushkin","author_link":"https:\/\/ackee.xyz\/blog\/author\/andrey-babushkin\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=875"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/875\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/877"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=875"}],"curies":[{"name":"wp
","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}