Lido on Ethereum: Form Audits Committee

Abstract

From the very start of Lido, external audits used to be one of the cornerstone quality standards for the code used in Lido products, specifically for the on-chain code. With Lido’s growing success, audit reports have eventually become an integral attribute of any significant Lido release.
However, until now there was no clear and public process around planning audits for major protocol upgrades. This results in messed-up timelines, release delays, and hectic operations around finding audit slots, posting finalized audit reports, and funding the related expenses.

Proposal to form Audits Committee

We propose forming the Lido on Ethereum Audits Committee aimed at reducing the operational load of the dev team, optimizing audit pipelines, communicating with auditors and the DAO on related topics, and also increasing awareness of Lido security standards within the community.
The main goals of the Audits Committee would be:

  • Secure at least two finalized audits for each significant release.
    The most critical (e.g. Withdrawals-related) projects should have 3 audits on them. Rotating auditors from the partner pool and the previously not engaged ones should be considered a good practice. Not having a 2nd public audit report for a major project should be a blocker for release.
  • Besides the audit slots for the scheduled releases, have the ability to secure mid-sized audit slots on-demand. Consider a retainer from a reliable partner.
  • Figure out and maintain a sustainable workflow to secure formal verification for critical Lido protocol parts.
  • Communicate with auditor service providers, and establish long-term relationships with reliable parties.
  • Secure funding from the DAO, and budget audit-related expenses based on current demand.
  • Keep the community posted about the important audits secured, in order to increase the community awareness of Lido’s security standards.
  • Maintain public docs hub page/website page with all the completed audits.
  • Perform internal housekeeping of audit slots, their occupation, and scheduling.

Proposed Committee composition

We propose including core contributors familiar with Lido roadmaps and short-term timelines in the Audits Committee:

Invitation to partner with Lido

Lido is open to partnership with any existing audit service providers including community contest-based solutions.
We encourage entities to approach Lido on Ethereum Audits Committee to discuss partnership opportunities and find the best ways to keep Lido secure. Please email us at [email protected] – we will be happy to chat!

9 Likes

The demand for high-quality audits in Lido is quite significant, as the security of the protocol is a must. The proposal communicates the workgroup and an entry point for audits, as well as notes the current focus on the Ethereum Lido protocol.

6 Likes

Hey, thank you for the public audit committee introduction.

Hope that it’s a win-win initiative for the Lido DAO and audit service providers. Excited to be a part of it.

2 Likes

Hi, thanks for this initiative. Definitely, the ecosystem needs good and reliable auditors.

Hi everyone,

We are decurity.io — a team of 20 that does full-stack web3 security audits. Our customers include Yearn, 1inch, Symbiosis, and others. We are members of the team who won 2nd place worldwide during the Paradigm CTF contest among security auditing teams.

We’ll be happy to contribute to Lido’s security in different ways: manual smart contract audit, penetration testing, DevSecOps pipeline integration, and transaction security monitoring.

Our main points of contact:
Email: [email protected]
Telegram: @beched (Omar Ganiev, CEO), @theRaz0r (Arseniy Reutov, CTO).

3 Likes

Hi there! Thanks for dropping us a line, we will have you in mind when planning the audits going forward.

1 Like

Hi @GrStepanov,

Would love to introduce you to Omniscia. We do audits, pen tests, tokenomics analysis and due diligence.

We have audited close to 250 projects like L’Oreal, Euler, Morpho, DappRadar, Tokemak, AvaLabs, Matic, LimitBreak, OlympusDAO since 2021.

  • Our reports are web-based and include aggressive gas-saving recommendations
  • We have a clean track record (not on the rekt leaderboard)
  • Static analysis represents < 10% of the work we will conduct on your contracts. The bulk of the audit consists of having extremely senior security engineers manually review your contracts
  • Our chief security officer won the Code4rena / Opensea contest: https://twitter.com/Omniscia_sec/status/1623821249960116224

Happy to connect by email at [email protected] or telegram at @ClementBarbier

2 Likes

Nice to meet you! Looking forward to connecting with Omniscia as soon as we start planning our future audit needs.

2 Likes

Hi @GrStepanov,

It’s a pleasure to introduce Supremacy to the community.

Supremacy is a leading blockchain security agency, composed of industry hackers and academic researchers, providing clients with a one-stop security solution for the whole life cycle with our technology precipitation and innovative research. Our partners include Curve[.]fi, Scroll and others.

  • We have launched a powerful transaction explorer: Cruise is Supremacy’s Transaction Explorer designed for the Web3.0 Ecosystem, and it currently supports 10+ EVM chains. In this field, its blockchain support far exceeds that of similar competitors.

  • In addition, we also launched the world’s first Vyperlang-based war game: VyperPunk, which has helped a large number of Vyperlang community members learn about security and has been well received by the contributors.

We are pleased to provide security support to the Lido community, including: Security Advisor, Security Auditing, Threat Intelligence, Situational Awareness, Threat Interdiction, Emergency Response and On-chain Tracking.

The community can link to us through the following ways:

  • Email: [email protected]
  • Twitter: twitter[.]com/Supremacy_CA
  • Telegram: t[.]me/SupremacyInc

3 Likes

Thank you for reaching out! We will definitely add Supremacy to the list of audit service providers to work with in the future.

2 Likes

Hi Lido team,

We are Aria and would love to form a partnership where we can prove our value in smart contract auditing. Our highly experienced team, enriched by years of expertise in elite units at the IDF, possesses extensive knowledge in web3, cybersecurity, and vulnerability research.

We can help with:

  • Manual smart contract audit
  • Share our proprietary technology of fuzzing for your teams

Our team at Aria has successfully discovered critical bug bounties at Immunefi, conducted private audits with Coinmama and Secret and identified vulnerabilities in Code4rena for several projects.

Happy to connect via Email at: [email protected] or at LinkedIn at: https://www.linkedin.com/in/ido-holtsman-4a5049187/

1 Like

Thank you for coming by! Right now we are covered, but there’s a good chance we will be willing to partner later in the year (probably in 1-2 months from now).

Hey @GrStepanov and Lido team!
We are KALOS - Making Web3 Space Safer for Everyone.

KALOS is a flagship service of HAECHI LABS, providing blockchain wallets and security audits since 2018. Over the course of the last 5 years, we have secured nearly $60B in crypto assets across over 400 projects.

We bring together the best experts to make the web3 space safer for everyone. Our team consists of security researchers with various expertise - smart contract, blockchain, cryptography, web security, reverse engineering, and binary analysis. Their skills have led to multiple strong performances in reputable CTFs over the past few years.

We will be happy to provide a high quality audit and contribute to Lido’s security. Further information (our team, tech blog, etc.) can be found on our website below - feel free to connect via email.

2 Likes

Check our website at: https://aria-labs.io/

Thank you for getting in touch!