The most critical subjects covered in our audit are the correctness of the accounting, asset solvency, access control and functional correctness. During the audit, the most important reported issues were:
– Replacing a Validator Eventually Blocks the System
– Usage of address(this).balance in restake Can Block the System that requires from Everstake to inject liquidity to correct the accounting in case of necessity.
The issues have been fixed during the second week of the audit.
Security regarding all the aforementioned subjects is satisfactory. Even though the probability of one of the validators getting slashed is low, slashing could occur. That would require manual, trust-based intervention, see Slashing is not taken into account and Trust Model.
The general subjects covered are documentation, unit testing, code complexity, and gas efficiency. Documentation has been greatly improved during the last iteration. Unit testing and testing in general is basic, a good test suite will help ensure corner cases are considered.
In summary, we find that the codebase provides a satisfactory level of security, provided the Trust Model.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.