Summary
The most critical subjects covered in our audit are the security of the funds stored in the system, the distribution of the buffered ETH and the rewards to the various modules, the management of the modules, the node operators and the public keys of the validators, the correctness of the allocation algorithm, and the low-level handling of the storage and access control. The most important issue we uncovered relates to incorrectly trimming the array containing the address of the reward recipients. Moreover, we uncovered an important correctness issue in the MemUtils.memcpy function which, however, has no impact in the current implementation. All the aforementioned issues have been addressed.
The general subjects covered are upgradeability, the efficiency of the implementation, the documentation and unit testing. We find the security in all aforementioned areas high. The documentation is comprehensive, and the unit testing is extensive.
In summary, we find that the codebase provides a high level of security. Unfixed issues reported by ChainSecurity in previous reports are omitted in this one.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.
About Lido Staking Router
Lido implements a modularization of the current Lido system. This allows Lido to introduce various different staking modules with the Node Operators Registry being just one of these modules. The Staking Router contract is responsible for appropriately distributing the 32 ETH batches and the accumulated rewards among the different modules. To that end, Lido implemented an allocation algorithm.
We are completely satisfied with this engagement. ChainSecurity team was very flexible about slot booking and provided deep code analysis with non-trivial findings.I’ve asked around about this whole experience and everyone considers your work over the top, thank you so much! ❤️
Lido on Ethereum contributors