The most critical subjects covered in our audit are the security of the funds stored in the system, the distribution of the buffered ETH and the rewards to the various modules, the management of the modules, the node operators and the public keys of the validators, the correctness of the allocation algorithm, and the low-level handling of the storage and access control. The most important issue we uncovered relates to incorrectly trimming the array containing the addresses of the reward recipients. Moreover, we uncovered an important correctness issue in the MemUtils.memcpy function which, however, has no impact in the current implementation. All the aforementioned issues have been addressed.
The general subjects covered are upgradeability, the efficiency of the implementation, the documentation, and unit testing. We find the security in all aforementioned areas to be high. The documentation is comprehensive, and the unit testing is extensive.
In summary, we find that the codebase provides a high level of security. Unfixed issues reported by ChainSecurity in previous reports are omitted in this one.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.