K9 Liquid Staking Audit Report

Executive Summary

This report presents the outcomes of our collaborative engagement with the K9 team, focusing on the comprehensive evaluation of the k9-liquid-staking-contracts repository.

Our team conducted an initial security assessment from June 16th to August 13th, 2024, and updated the report on August 26th to reflect deployment to the Sepolia testnet. This report was updated again on September 3rd, 2024 to include the SHIB knBONE and SHIB Bridge contracts. An additional update was made on September 18th, 2024 to reflect minor changes and deployment to Ethereum and Shibarium Mainnet.
knBone:

K9 Liquid Staking is a new platform which includes bridging support and staking methods to earn rewards.


Audit Scope

| Name | Source Code - Proxy (ETH / Shibarium) | Source Code - Implementation (ETH / Shibarium) | Visualized |
|---|---|---|---|
| KnBONE | 0x3358..027f | 0x49dA..e1fe | Inheritance Chart. Function Graph. |
| KnBONE SHIB | 0x3358..027F | 0x49dA..e1fe | Inheritance Chart. Function Graph. |
| UnstBONE | 0xe9f0..b1b5 | 0xf671..bf5d | Inheritance Chart. Function Graph. |
| InstantPool | 0xe83e..cc8c | 0x34de..68b2 | Inheritance Chart. Function Graph. |
| NodeOperatorRegistry | 0xbbba..0d0a | 0x5cFe..ca8E | Inheritance Chart. Function Graph. |
| BridgeETH | 0x21a1..bff0 | 0x7671..67aa | Inheritance Chart. Function Graph. |
| BridgeSHIB | 0x21a1..bFf0 | 0x7671..67AA | Inheritance Chart. Function Graph. |


Audit Findings

No findings were identified, though some centralized aspects are present.


System Overview

KNBONE

The KNBONE contract is designed to manage the staking and reward distribution system within the platform, including token management, validator interactions, and governance. It primarily handles the distribution of rewards and the management of staked assets, and ensures compliance with various operational parameters set by the DAO. Users can deposit BONE tokens into the contract in exchange for the equivalent value in KnBONE tokens. When depositing, users can either have their tokens minted instantly on the same chain, or have their minted tokens bridged to L2 through the associated Bridge contract. The exchange rates between BONE and knBONE are derived from exchange rates determined by validator shares.

A user or the Bridge contract can initiate a BONE withdrawal request for the user, specifying the KnBONE amount to use for withdrawal from the instant liquidity pool as well as the KnBONE amount to withdraw from the NodeOperatorRegistry's list of registered Node Operators. An Instant Pool usage fee is taken from the Instant Pool amount. If the Instant Pool does not hold sufficient funds but a staking pool withdrawal amount is specified, the remaining Instant Pool request is added to the Node Operator withdrawal request. Node Operator withdrawal requests are added to the request queue for future claims.

Distribution of rewards to various stakeholders, including the DAO, Instant Pool, staking mechanism, and node operators is also handled through this contract. Once rewards have reached the lower reward bound, they are distributed based on each entity's associated fee percentage. Additionally, any address can trigger the delegation of the contract's unreserved BONE to the associated ValidatorShare address. This delegation is split between the NodeOperatorRegistry's eligible NodeOperators. These delegated tokens earn rewards that are distributed to the DAO, Instant Pool, DepositManager, and Node Operators.

The contract also supports functionality for managing staked assets through interaction with validator shares. It enables the withdrawal of rewards from validators and rebalancing of tokens delegated to them based on their performance. The funds can also be withdrawn from stopped validators by the NodeOperatorRegistry address. The DAO Role can also trigger a token rebalance across Node Operators at any time. Reward claims from validators must be executed using a valid withdrawal request.

The DAO Role has the ability to update the DAO fee, operators fee, Instant Pool fee, staking fee, protocol fee, and Instant Pool usage fee at any time. The DAO Role can also update the DAO, node operator registry, Instant Pool, deposit manager, bridge, unstBONE, and L2 staking addresses. The DAO Role can also update the lower bounds for delegation and reward distribution. The Pauser and Unpause Roles have the ability to pause and unpause the contract, respectively. Deposits, withdrawals, delegations, and claims are all disabled while the contract is paused. The DAO address is granted the Admin, DAO, Pause, and Unpause Roles upon deployment.

KNBONE SHIB

The SHIB knBONE contract contains little functionality but can be bridged between both the ETH and SHIB chains. The Minter role has the authority to mint any quantity of SHIB KnBONE tokens to any address at any time. The Burner role is exclusively permitted to burn tokens from its own address or from another user's address if approval has been granted, although users can also send their tokens to the 0x..dead address to reduce the circulating supply. The contract includes Pause and Unpause roles, which allow the respective holders to pause and unpause the contract; during a pause, all token transfers are disabled. Upon initialization, the specified Bridge address is assigned both the Minter and Burner roles, while the specified DAO address is granted the Admin, Pause, and Unpause roles. This contract adheres to the ERC20 standard.

UNSTBONE

The UnstBONE contract is an ERC721 token contract that serves as a representation of withdrawal requests for the knBONE token. The contract is designed to manage the minting, burning, and transferring of NFTs that correspond to withdrawal claims of knBONE. Each token minted represents a unique withdrawal request. The owner can update the associated KnBONE address at any time. The owner also has the ability to pause the contract at any time, disabling minting, burning, and transfers. The owner also has the ability to withdraw any ERC20 token from this contract at any time.

BRIDGE ETH

The BridgeETH contract facilitates cross-chain transfers of the knBONE token, leveraging a network of Validators to verify transactions. It includes several roles: DAO Role for administrative control, Validator Role for validators who confirm transactions, and Pause and Unpause Roles for controlling the contract's operational status. The contract requires a minimum number of validator signatures to validate cross-chain transactions. The DAO Role can update the minimum required signatures and fee receiver address at any time. The contract can be paused at any time, disabling all bridging functionality. The DAO address is granted the Admin, DAO, Pause, and Unpause Roles upon initialization.

Users can deposit knBONE tokens into the contract while it is unpaused, which logs the transaction details. The contract then manages cross-chain transactions by first verifying that a transaction has not been processed previously. It checks for the necessary number of validator approvals before transferring the specified amount of knBONE to the intended recipient and allocating a fee to a designated fee receiver. When withdrawing, the user provides signature information which is then validated, including the amount to be withdrawn from the Instant and Staking Pools.

BRIDGE SHIB

The BridgeSHIB contract facilitates bridging functionality on the Shibarium network side. A user can initiate a deposit through this contract at any time, passing a receiver, amount, fee, instant pool amount, withdrawal request amount, nonce, deadline, and signature. The signature is verified to have originated from an address with the Acceptor Role and to ensure that the provided values match the signature data. A deposit cannot be made if the deadline has passed or if the nonce has already been used. The chain ID of the signature must also match the chain that the deposit is made on. Upon deposit, the provided SHIB knBONE amount plus the fee is burned from the user.
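
The deposit checks described above (Acceptor signature, deadline, single-use nonce, chain ID), as an added Solidity sketch that is not the audited BridgeSHIB source. The struct layout, digest encoding, error names and the single `acceptor` address standing in for the Acceptor Role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited BridgeSHIB code. All names are hypothetical.
contract DepositAuthSketch {
    struct Deposit {
        address receiver;
        uint256 amount;
        uint256 fee;
        uint256 instantPoolAmount;
        uint256 withdrawalRequestAmount;
        uint256 nonce;
        uint256 deadline;
    }

    address public immutable acceptor; // stands in for "an address with the Acceptor Role"
    mapping(uint256 => bool) public nonceUsed;

    error DeadlinePassed();
    error NonceAlreadyUsed();
    error NotSignedByAcceptor();

    constructor(address acceptor_) {
        acceptor = acceptor_;
    }

    // Every user-supplied value is hashed together with the chain ID, so changing
    // any field, or replaying on another chain, yields a different digest.
    // address(this) is an extra domain separator assumed here, not taken from the report.
    function depositDigest(Deposit calldata d) public view returns (bytes32) {
        bytes32 h = keccak256(abi.encode(block.chainid, address(this), d));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    function deposit(Deposit calldata d, uint8 v, bytes32 r, bytes32 s) external {
        if (block.timestamp > d.deadline) revert DeadlinePassed();
        if (nonceUsed[d.nonce]) revert NonceAlreadyUsed();

        // ecrecover returns address(0) on a malformed signature; reject it explicitly.
        address signer = ecrecover(depositDigest(d), v, r, s);
        if (signer == address(0) || signer != acceptor) revert NotSignedByAcceptor();

        nonceUsed[d.nonce] = true; // consume the nonce before any token movement
        // Per the report, d.amount + d.fee of SHIB knBONE is burned from the user here.
    }
}
```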

A user can execute a withdrawal from this contract, providing a chain ID, transaction ID, amount, and signature list, all of which are verified. Withdrawals require a minimum number of signatures from addresses with the Validator Role in order to be executed. The specified amount of knBONE is then minted to the specified receiver.
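
The replay and quorum checks described for both bridge contracts (a transaction is processed only once, and a minimum number of Validator signatures is required), as an added Solidity sketch that is not the audited source. The struct layout, digest encoding, the ascending-order rule for signers and all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited bridge code. All names are hypothetical.
contract WithdrawQuorumSketch {
    struct Withdrawal {
        uint256 chainId; // supplied by the caller; the report does not define it further
        bytes32 txId;
        address receiver;
        uint256 amount;
    }
    struct Sig {
        uint8 v;
        bytes32 r;
        bytes32 s;
    }

    mapping(address => bool) public isValidator; // stands in for the Validator Role
    mapping(bytes32 => bool) public processed;
    uint256 public minSignatures;

    constructor(address[] memory validators, uint256 minSignatures_) {
        for (uint256 i = 0; i < validators.length; i++) isValidator[validators[i]] = true;
        minSignatures = minSignatures_;
    }

    function withdraw(Withdrawal calldata w, Sig[] calldata sigs) external {
        bytes32 key = keccak256(abi.encode(w.chainId, w.txId));
        require(!processed[key], "already processed");
        require(sigs.length >= minSignatures, "not enough signatures");

        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32", keccak256(abi.encode(address(this), w))));

        // Signers must arrive in strictly ascending address order. A repeated signature
        // from one validator, or ecrecover's address(0) failure value, fails this check,
        // so the threshold counts distinct validators rather than signature blobs.
        address last = address(0);
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = ecrecover(digest, sigs[i].v, sigs[i].r, sigs[i].s);
            require(signer > last, "duplicate or unsorted signer");
            require(isValidator[signer], "signer is not a validator");
            last = signer;
        }

        processed[key] = true; // mark before minting so one transaction cannot pay twice
        // Per the report, the specified knBONE amount is minted to w.receiver here.
    }
}
```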

The DAO Role can update the minimum number of signatures at any time. The Pause and Unpause Roles can pause and unpause the contract, respectively. Deposits and withdrawals are disabled while the contract is paused. The specified DAO address is granted the DAO, Pause, and Unpause Roles upon initialization. The Acceptor address along with a list of Validators are also set upon initialization.

NODE OPERATOR REGISTRY

The NodeOperatorRegistry contract integrates with the knBONE contract and is used to manage and monitor the Node Operators used in the platform.

The Add Node Operator and Remove Node Operator Roles have the ability to add an eligible Node Operator and remove an existing Node Operator at any time, respectively. The Node Operator reward address and Validator ID are specified when adding. This reward address also has the ability to remove itself from the registry if desired. Any address can also remove a Node Operator if it is currently unstaked or ejected.

The contract is used to determine whether the system is "balanced" or not, by calculating the difference between the Validator with the largest stake amount vs the Validator with the smallest stake amount. If this difference is greater than the minimum rebalance threshold, the system is considered unbalanced and the withdrawal amount from overstaked Validators to be used for rebalancing is calculated. This total withdraw amount is then multiplied by the maximum withdrawal percentage per rebalance, decreasing the amount to be withdrawn in a single rebalance. The amount withdrawn from a single Validator must also exceed a certain amount, influenced by the minimum request withdrawal percent.

The DAO Role has the ability to update the associated KnBONE address, minimum rebalance threshold, minimum request withdrawal percent to allow withdrawal, and maximum withdrawal percentage per rebalance at any time. The Pauser and Unpause Roles have the ability to pause and unpause the contract, respectively. Invalid Node Operator removals and reward address updates are disabled while the contract is paused. A Node Operator's reward address can update its own address at any time.

As the Validator contract was not included within the scope of this audit, we are unable to assess its security or functionality.

INSTANT POOL

The InstantPool contract is used to store tokens, granting specific roles to manage its functionality. The Withdrawer Role, designated for the K9 Staked BONE address, can withdraw any specified tokens to any address at any time, as long as the contract is not paused. The Pauser Role has the ability to pause the contract, while the Unpause Role can resume operations. Upon initialization, a designated address, intended to be a DAO, receives the Admin, Pause, and Unpause Roles to control the contract.


Vulnerability Analysis

| Vulnerability Category | Notes | Result |
|---|---|---|
| Arbitrary Jump/Storage Write | N/A | PASS |
| Centralization of Control | The Pauser Role can pause various contracts within the platform, limiting core functionality. | WARNING |
| Compiler Issues | N/A | PASS |
| Delegate Call to Untrusted Contract | N/A | PASS |
| Dependence on Predictable Variables | N/A | PASS |
| Ether/Token Theft | N/A | PASS |
| Flash Loans | N/A | PASS |
| Front Running | N/A | PASS |
| Improper Events | N/A | PASS |
| Improper Authorization Scheme | N/A | PASS |
| Integer Over/Underflow | N/A | PASS |
| Logical Issues | N/A | PASS |
| Oracle Issues | N/A | PASS |
| Outdated Compiler Version | N/A | PASS |
| Race Conditions | N/A | PASS |
| Reentrancy | N/A | PASS |
| Signature Issues | N/A | PASS |
| Sybil Attack | N/A | PASS |
| Unbounded Loops | N/A | PASS |
| Unused Code | N/A | PASS |
| Overall Contract Safety | | PASS |

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown of what each Severity level means for the project:

• High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
• Medium severity issues are those which place at least some users' funds at risk and have a medium to high probability of exploitation.
• Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
• Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.