LSD Staking

Smart Contract Audit Report

Audit Summary

LSD Staking allows users to stake LSD tokens into multiple providers to earn rewards over time.

For this audit, we reviewed the following contracts on the Ethereum Mainnet:

• LSDOwner contract at 0xfB82EEd38Af0a89341650cA7165e60baeD64E862.
• LSDStorage contract at 0xC1D358ad6580F232796262aAf3F2EE2FA5E9b484.
• LSDUpdateBalance contract at 0xB89A9CdE26Fcf918935Af2DFB602585E193BC1aA.
• LSDDepositPool contract at 0x03E530b9330F9fC3785697024dC07Cb211937260.
• LSDTokenVELSD contract at 0x39cC7C0C84c10fc18D4b97Accd22B916B0cfCE61.
• LSDTokenVault contract at 0xa96837E49E71B46cbD51c42b00f8ac0482c1b0B6.
• LSDLIDOVault contract at 0xBEb77C9ceCd8791Afb8A3BbDf65eAA3f20ac9C36.
• LSDTokenStaking contract at 0x6f951dF5b393100dBb3AF20bDFb760608254ee1d.
• LSDLpTokenStaking contract at 0xFCFB49fAB7cA30A664e77A9f790232268fD702e2.
• LSDRewardsVault contract at 0x9f6BD58bB877bF8EDB270a25089C2d5a45A81beE.

Audit Findings

All findings have been resolved, though some centralized aspects are present.
Date: April 28th, 2023.
Updated: May 19th, 2023 with updated contracts and addresses.
Updated: May 24th, 2023 with a reduced scope. The team has elected to remove the LSDTokenLSETH contract and all associated High level Findings from the audit report as the team intends to redesign the contract to address the contract's current unsafe behavior.

Finding #1 - LSDDepositPool - High (Resolved)

Description: The withdrawEther() function always withdraws from the current provider.
Risk/Impact: Users may be unable to withdraw if their deposit was routed to a different provider and the current provider does not have sufficient liquidity.
Recommendation: The LSDDepositPool should record what provider and amount of ETH users have deposited. They can then specify from which provider they would like to withdraw.
Resolution: The LSDDepositPool has been updated to only support 1 provider.

---

Finding #2 - LSDTokenVault - Low (Resolved)

Description: The contract does not maintain deposited token balances separately from rewards tokens.
Risk/Impact: If there are insufficient tokens for rewards, users may be able to withdraw another user's deposited tokens as rewards.
Recommendation: The contract should maintain a balance of deposited tokens to prevent rewards claims from paying out with those tokens.
Resolution: The team has implemented a LSDRewardsVault contract to separate the deposited tokens from the rewards tokens.

---

Finding #3 - LSDLpTokenStaking - Informational (Resolved)

Description: The contract addLiquidity() function checks if the uniswapRouterAddress has been given max approval on each call.
Recommendation: The team should give the router max approval in the construction to save gas on each addLiquidity() call.
Resolution: The team has implemented the above recommendation.

---

Finding #4 - LSDLpTokenStaking & LSDTokenStaking - Informational (Resolved)

Description: The History struct contains an isBonus bool variable that is never meaningfully used in the contracts.
Recommendation: The team should consider removing this variable to save on the storage costs of each History struct.
Resolution: The team has implemented the above recommendation.

---

Finding #5 - LSDLpTokenStaking & LSDTokenStaking - Informational (Resolved)

Description: The stakeLSD() and stakeLP() functions increment the number of stakers but the unstakeLSD() and unstakeLP() functions do not decrement the stakers when a user fully unstakes.
Recommendation: The team should decrement the number of stakers when a user fully unstakes.
Resolution: The team has implemented the above recommendation.

Contracts Overview

• As the contracts are implemented with Solidity v0.8.0, they are safe from any possible overflows/underflows.

LSDDepositPool Contract:

• This contract allows users to deposit ETH in return for lsETH tokens.
• Deposited ETH must be at least the minimum deposit amount set in the LSDOwner contract.
• Users will be minted lsETH tokens proportional to the amount of ETH deposited.
• Users will be minted additional tokens if they have a veLSD token balance and there is currently a multiplier set in the LSDOwner contract.
• Deposited ETH will be sent to the "provider" addresses
• The lsdRPVault and lsdSWISEVault are outside the scope of this contract so we are unable to give an assessment in regard to security.
• The LSDTokenLSETH contract may withdraw ETH from the contract at any time. The specified amount of ETH will be withdrawn from the current provider.
• THe LSDTokenLSETH contract is out of scope for this audit so we are unable to give an assessment in regard to security.

LSDUpdateBalance Contract:

• This contract is used to maintain the underlying ETH value of the LSDTokenLSETH contract.
• The LSDTokenLSETH contract may increase the underlying ETH balance at any time.
• The LSDTokenLSETH contract may decrease the underlying ETH balance at any time.
• THe LSDTokenLSETH contract is out of scope for this audit so we are unable to give an assessment in regard to security.
• Additionally, the underlying ETH balance will increase over time.
• Once per day, the underlying ETH balance may be "updated" by any address.
• The underlying ETH balance will be increased based on the number of elapsed days and the current APY.
• If there is insufficient liquidity one user may receive another user's ETH when withdrawing.

LSDLIDOVault Contract:

• This contract is used to process ETH deposited into the LSDDepositPool contract.
• All ETH deposited into the contract will be used to mint Lido stETH tokens.
• The Lido contracts are outside the scope of this audit so we are unable to give an assessment in regard to security.
• The LSDDepositPool may withdraw ETH from the contract at any time.
• The amount of stETH tokens required to receive the specified amount of ETH from the Uniswap liquidity pool is calculated.
• The required stETH tokens are then swapped for ETH and sent to the recipient specified in the LSDDepositPool.

LSDTokenStaking Contract:

• This contract allows users to stake LSD tokens for veLSD tokens while earning additional LSD rewards.
• Any address may stake LSD tokens for an equivalent amount of veLSD tokens.
• Users will earn rewards per block based on the amount of tokens staked and the current period's APR.
• Each period has a start time, end time, and APR.
• The lsdDaoContract may choose to add a "bonus period" where users will earn rewards at a greater rate for the duration of the period.
• Rewards will return to the default rate at the end of the period.
• The team must ensure there are sufficient LSD tokens in the LSDTokenVault or users will be unable to unstake or claim rewards.
• The lsdDaoContract may set the main APR rate and bonus period APR rate to any values at any time.
• The lsdDaoContract may set the duration of a bonus period to any value at any time.

LSDLpTokenStaking Contract:

• This contract allows users to stake Uniswap LSD LP tokens to earn rewards in the form of LSD tokens.
• Users will earn rewards per block based on the amount of tokens staked and the current period's APR.
• Each period has a start time, end time, and APR.
• The lsdDaoContract may choose to add a "bonus period" where users will earn rewards at a greater rate for the duration of the period.
• Rewards will return to the default rate at the end of the period.
• The team must ensure there are sufficient LSD tokens in the LSDTokenVault or users will be unable to unstake or claim rewards.
• Users have the option to send the contract ETH and LST tokens that will automatically be used to add to liquidity. The received LP tokens will be staked for the user.
• The lsdDaoContract may set the main APR rate and bonus period APR rate to any values at any time.
• The lsdDaoContract may set the duration of a bonus period to any value at any time.

LSDTokenVault & LSDRewardsVault Contract:

• This contract is used to store staked LSD and LSD-LP tokens.
• Any address may transfer tokens to the contract to be used when users unstake and claim rewards.
• The LSDTokenStaking contract may withdraw tokens as either a withdraw or a rewards claim at any time.
• The LSDLpTokenStaking contract may withdraw tokens as either a withdraw or a rewards claim at any time.

LSDTokenVELSD Contract:

• This contract defines the VE-LSD token.
• veLSD tokens are non-transferrable.
• Users are minted veLSD tokens by staking LSD tokens in the LSDTokenStaking contract.
• The LSDTokenStaking contract may mint and burn tokens on users' behalf at any time.

LSDOwner Contract:

• This contract is used to manage various settings and values used throughout the platform.
• The owner may set the APY, Staking APR, and Staking Bonus APR to any values at any time.
• The owner may add a Bonus period and enable the Bonus in the LSDTokenStaking contract at any time.
• The owner may set the Protocol fee, minimum deposit amount, and multiplier to any values at any time.
• The owner may set the LIDO APY, RP APY, and SWISE APY to any values at any time.
• The owner may update the implementation address of any contract used in the platform at any time.

LSDStorage Contract:

• This contract is used to maintain values used across all other contracts in the platform.
• Values may only be set after the contract has been initiated.
• The Guardian address set upon deployment may set the contract to initialized at any time.
• Any LSD platform contract registered as a valid contract may set the value for any key.

Audit Results

Contract Source Summary and Visualizations

About SourceHat

SourceHat has quickly grown to have one of the most experienced and well-equipped smart contract auditing teams in the industry. Our team has conducted 1800+ solidity smart contract audits covering all major project types and protocols, securing a total of over $50 billion U.S. dollars in on-chain value!
Our firm is well-reputed in the community and is trusted as a top smart contract auditing company for the review of solidity code, no matter how complex. Our team of experienced solidity smart contract auditors performs audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more!

Contact us today to get a free quote for a smart contract audit of your project!

What is a SourceHat Audit?

Typically, a smart contract audit is a comprehensive review process designed to discover logical errors, security vulnerabilities, and optimization opportunities within code. A SourceHat Audit takes this a step further by verifying economic logic to ensure the stability of smart contracts and highlighting privileged functionality to create a report that is easy to understand for developers and community members alike.

How Do I Interpret the Findings?

Each of our Findings will be labeled with a Severity level. We always recommend the team resolve High, Medium, and Low severity findings prior to deploying the code to the mainnet. Here is a breakdown on what each Severity level means for the project:

• High severity indicates that the issue puts a large number of users' funds at risk and has a high probability of exploitation, or the smart contract contains serious logical issues which can prevent the code from operating as intended.
• Medium severity issues are those which place at least some users' funds at risk and has a medium to high probability of exploitation.
• Low severity issues have a relatively minor risk association; these issues have a low probability of occurring or may have a minimal impact.
• Informational issues pose no immediate risk, but inform the project team of opportunities for gas optimizations and following smart contract security best practices.

• Go Home