September 19, 2022

Lido Audit Report: MEV-boost

Statemind team

Lido Audit Report: Statemind Discovers Zero Critical Bugs In Leading Ethereum Staking Solution

Following the official Statemind launch and the splash made recently related to preventing what would be the third-largest hack in DeFi history, we are back once again with a report on the popular liquidity staking protocol Lido.

Unlike other situations unfolding since the Statemind debut, there were, fortunately, no critical vulnerabilities to reveal. Although the discovery of issues is the goal of every auditor team, in the end, we are seeking to provide a safer blockchain industry, and we aren’t here to receive accolades.

Here is a closer look at the services that Statemind offers to top crypto projects like Lido.

What Our Research Turned Up: No Critical Vulnerabilities Found In Lido

Lido is extremely useful to the cryptocurrency community. Rather than staking ETH for potentially years at a time, Lido allows ETH token holders the flexibility to use staked ETH as collateral to trade, earn rewards, and more at any time. Lido has also been a hot topic in the crypto industry recently due to its adjacency to the Ethereum Merge to PoS.

The detailed, nine-page report outlines the MEV-Boost relay allowlist project and its results, as well as key recommendations made by the Statemind team. According to Lido, the on-chain relay allowlist is planned to be used by Node Operators participating in the Lido protocol after the ETH Merge to extract MEV. Node Operators would utilize the contract to maintain up-to-date software configuration.

Across all the audit areas, zero critical, high, or medium-priority vulnerabilities were discovered. Seven informational bugs were reported to the Lido team involving easily fixable vulnerabilities that pose no meaningful threat to users or funds.

The Recommendations We Made: Simple And Straightforward Storage Structure

Informational flaws were found related to gas optimization and in other areas.

Key recommendations include checking the number of relays immediately after the msg.sender check, removing the redundant zero-address check on msg.sender, verifying that the token address is a contract in the function _safe_erc20_transfer, and using a mapping from relay URI to the relay's index in the array.

This last solution is optimized in favor of storage structure simplicity and straightforwardness.
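To make the recommendations above concrete, here is an added example of a minimal relay allowlist written in Vyper (an assumption: the page names Solidity and Vyper only as areas of expertise and does not state the contract's language). It is not Lido's contract and not code from the report; the struct fields, the `MAX_NUM_RELAYS` limit, and the owner-only access model are constructed for illustration. It shows the relay-count check placed right after the sender check, a URI-to-index mapping that replaces a linear scan on add and remove, and a `_safe_erc20_transfer` helper that refuses to call a non-contract address.

```vyper
# @version 0.3.7
# Added example, not Lido's MEV-Boost relay allowlist. Struct layout, limits and
# access model are assumptions made for illustration.

MAX_NUM_RELAYS: constant(uint256) = 40        # assumed bound on the allowlist
MAX_STRING_LENGTH: constant(uint256) = 1024   # assumed bound on URI/description

struct Relay:
    uri: String[MAX_STRING_LENGTH]
    operator: String[MAX_STRING_LENGTH]
    is_mandatory: bool
    description: String[MAX_STRING_LENGTH]

owner: public(address)
relays: DynArray[Relay, MAX_NUM_RELAYS]

# Recommendation: URI -> (index in `relays` + 1). Zero means "not present", so
# one slot answers both "does it exist?" and "where is it?" without scanning.
relay_index_plus_one: HashMap[String[MAX_STRING_LENGTH], uint256]


@external
def __init__(_owner: address):
    self.owner = _owner


@external
def add_relay(
    uri: String[MAX_STRING_LENGTH],
    operator: String[MAX_STRING_LENGTH],
    is_mandatory: bool,
    description: String[MAX_STRING_LENGTH],
):
    assert msg.sender == self.owner, "msg.sender not owner"
    # Recommendation: fail on a full list right after the sender check, before
    # any further storage reads or the duplicate lookup.
    assert len(self.relays) < MAX_NUM_RELAYS, "max relays reached"
    assert len(uri) > 0, "relay URI must not be empty"
    assert self.relay_index_plus_one[uri] == 0, "relay with the URI already exists"

    self.relays.append(Relay({
        uri: uri,
        operator: operator,
        is_mandatory: is_mandatory,
        description: description,
    }))
    self.relay_index_plus_one[uri] = len(self.relays)


@external
def remove_relay(uri: String[MAX_STRING_LENGTH]):
    assert msg.sender == self.owner, "msg.sender not owner"
    index_plus_one: uint256 = self.relay_index_plus_one[uri]
    assert index_plus_one != 0, "no relay with the URI"

    index: uint256 = index_plus_one - 1
    last_index: uint256 = len(self.relays) - 1
    if index != last_index:
        # Swap-and-pop keeps the array dense; the moved relay's mapping entry
        # must be updated to its new position.
        moved: Relay = self.relays[last_index]
        self.relays[index] = moved
        self.relay_index_plus_one[moved.uri] = index_plus_one
    self.relays.pop()
    self.relay_index_plus_one[uri] = 0


@internal
def _safe_erc20_transfer(token: address, recipient: address, amount: uint256):
    # Recommendation: a call to an address with no code returns success and empty
    # return data, which the "optional bool" ERC20 pattern below would otherwise
    # treat as a completed transfer.
    assert token.is_contract, "token is not a contract"
    response: Bytes[32] = raw_call(
        token,
        _abi_encode(recipient, amount, method_id=method_id("transfer(address,uint256)")),
        max_outsize=32,
    )
    # Tokens that return a bool must return true; tokens returning nothing pass.
    if len(response) > 0:
        assert convert(response, bool), "transfer failed"


@external
def recover_erc20(token: address, recipient: address, amount: uint256):
    assert msg.sender == self.owner, "msg.sender not owner"
    self._safe_erc20_transfer(token, recipient, amount)
```

The mapping stores index plus one so that the default value zero doubles as "absent"; this avoids a second boolean mapping and keeps the storage layout to one array and one map, which is the simplicity the recommendation above favours. The `is_contract` check matters because the EVM treats a call to an empty account as successful, so a typo'd or self-destructed token address would otherwise look like a finished transfer.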

What We Do: Statemind Partners With Top Blockchain Projects And Protocols

The security auditing report on Lido is the first audit released publicly by Statemind since our launch earlier this month. Statemind made its public debut after stepping forward as the white hat hacker who saved $350M in funds across the Avalanche protocol.

Statemind is a leading blockchain security auditing firm with experience across more than 100,000 LoC of Solidity and Vyper combined. We have secured over $10B in TVL, and this number continues to grow with each discovery of a significant vulnerability. Companies like Yearn.Finance, 1INCH, and Lido trust our auditing expertise.

We are currently taking on additional select clients, so please get in touch.
