Lido V2 Contest Report

The contest audit report and MixBytes make no statements or warranties about the utility of the code, the safety of the code, suitability of the business model, investment advice, endorsement of the platform or its products, regulatory regime for the business model, or any other statements about the fitness of the contracts to purpose, or their bug-free status. The contest documentation is for discussion and information purposes only.

Mixbytes services offered are limited to contest hosting and contest conduct assistance on the MixBytes Camp platform and within the MixBytes Camp community. Mixbytes does not provide audit services within this contest. MixBytes Camp community members are not employees, partners, agents, contractors, or subcontractors of Mixbytes. MixBytes in no way shall be held liable or responsible for MixBytes Camp community members. MixBytes in no way controls or distributes the bounty fund. Mixbytes does not conduct any KYC verification on its platform.

1.2 Objective

The audit contest takes place in order to identify possible security vulnerabilities and flaws by the independent security researchers who are team members of the MixBytes Camp community.

The result of the contest is a unified report containing a list of all triaged vulnerabilities found during the contest, ranked according to the approved severity level.

Within the scope of the audit contest, there is no stage of re-audit after bug fixing on the Project’s side.

Finding Severity breakdown

All vulnerabilities discovered during the audit contest are classified based on their potential severity and ranked in the following way:

Critical

Bugs leading to assets theft, fund access locking, or any other loss of funds.

High

Bugs that can trigger a contract failure. Further recovery is possible only by manual modification of the contract state or replacement.

Medium

Bugs that can break the intended contract logic or expose it to DoS attacks, but do not cause direct loss funds.

Low

Bugs that do not have a significant immediate impact and could be easily fixed.

1.3 Project Overview

The Lido Ethereum Liquid Staking Protocol built on Ethereum allowes their users to earn staking rewards on the Beacon chain without locking Ether or maintaining staking infrastructure.

The second version of the protocol (Lido V2) has a withdrawal feature. This is a complex task due to the difficulty of synchronizing access to data between the Consensus and Execution Layers, as well as the async nature of the Consensus Layer validator exit and slashing mechanics.

Lido V2 handles withdrawal requests in an asynchronous manner using a FIFO queue. The mechanics are hugely affected by the asynchronous nature of the Ethereum withdrawal operations.

Lido V2 enables various staking modules to be introduced with the Staking Route.

The Staking Router contract is responsible for appropriately balancing stake distribution, accrued rewards and operation of the plugged-in staking modules.

1.4 Project Dashboard

Project Summary

Sponsor

Lido

Project name

Lido contest

Timeline

February 14 2023 - March 21 2023

Project Log

21.02.2023

e57517730c3e11a41e9cbc32ce018726722335b7

Commit for the contest

07.04.2023

29efd7f69df2ef983ca07c43e7e855d05c3ca8c3