Lido on Ethereum: Form Audits Committee

Dear Lido Audits Committee,

The Least Authority team is interested in supporting the Lido ecosystem with security audits and other security consulting services. In order to provide sustainable support and not merely a one-time audit, we are proposing a series of audits and other security support services coordinated with your ecosystem with a security roadmap.

Why us?

With our mission to support the development of usable technology solutions to advance digital security and preserve privacy as a fundamental human right, we see Lido as fundamental to empowering users and our security auditing efforts essential to enabling the effective use of it.

We offer a flexible approach where the timeline and deliverables are dependent on your current needs. We have the capability to cover a wide spectrum of Web3 ecosystems and programming languages, allowing us to provide comprehensive support to meet the diverse needs of your ecosystem. Our team has skills for reviewing code in multiple languages, such as C, C++, Python, Haskell, Rust, Node.js, Solidity, Go, JavaScript, ZoKrates, and circom, for common security vulnerabilities and specific attack vectors. The team reviews implementations of cryptographic protocols and distributed system architecture in cryptocurrency, blockchains, payments, smart contracts, zero-knowledge protocols, and consensus protocols. Additionally, the team can utilize various tools to scan code and networks and build custom tools as necessary, and supports development teams from the design phase through the production launch and after. Our security consulting efforts allow us to advance the security of systems and contribute to the community of developers who build them. This is especially true for our clients who choose to publish the reports of the reviews we completed for them, including our review of the Ethereum 2.0 specifications for the Ethereum Foundation, along with reports for Metamask, Centrifuge, ChainSafe and others.

Commitment to transparency

We publish our audits to help developers and projects implement best practices in security, resulting in the creation of more robust and trustworthy Web3 applications. This, in turn, fosters increased adoption and investment in Web3 technologies, driving growth and economic benefits. Our dedication to raising the overall security standards within the Web3 space ensures that your ecosystem remains resilient in the face of evolving threats.

We look forward to discussing the details and possibilities of our collaboration further.

The following links provide more information about our work:

To see a list of our published audit reports: https://leastauthority.com/security-consulting/published-audits/

A blog post about our work with zero-knowledge proofs: https://leastauthority.com/blog/pioneering-zero-knowledge-proofs/

A blog post about our work with Web3 wallets: https://leastauthority.com/blog/navigating-web3-wallets-enabling-a-secure-user-experience/

For more information about our security consulting, please visit: https://leastauthority.com/security-consulting/

Please let us know if you are interested in any of our work and would like to discuss it further! You can schedule a call with us here: https://calendly.com/least-authority-security-consulting/info-session

3 Likes

Thank you for the introduction! @glory @Shu
We definitely will be keeping our eyes on both Halborn and The Least Authority, looking forward to working with your teams in the future.

2 Likes

Hey, just wanted to say that you rarely come across projects with an organized approach to security like you guys. So, kudos on that!

Andreas @Omniscia

5 Likes

DeFiSafety has new security systems that directly mitigate the risks of lost keys and insider threats. We will guide you through a defined process where each risk will be quantified and can be mitigated. We do not ask for private data through the process.

This process involves categorization of the multisig actions, signers and health, using a DeFiSafety process.
It will involve some activities from the Lido team such as risk categorization of MultiSig actions. The output will be a set of recommendations for improved security. The result will be a clear system that Lido can use in the future without DeFiSafety support, or we can come back and review your progress.

DeFiSafety has been reviewing security in DeFi protocols for 4 years. We are unique in that we view DeFi security through a process lens. Indeed, process errors are now responsible for most losses in DeFi (link available upon request). For this reason we are best positioned to help protocols mitigate these threats.

Please consider trying this service. It may help Lido or at least give you a third party assurance that you have strong processes. You will find our pricing competitive as DeFiSafety are not auditors.

1 Like

Hi @GrStepanov and Lido team,

I am reaching out from AstraSec, a cybersecurity firm founded in early 2024. Our team of smart contract auditors has extensive experience, having conducted audits for renowned DeFi projects such as AAVE, Curve, Pancakeswap, and more.

At AstraSec, we have also had the privilege of working with prominent clients like 1inch, Magpie, Wagmi, LayerBank, FWX Finance, ParaSwap, Floin, Orbs, and Rango for our audit services.

We are eager to contribute to Lido’s security and ensure the robustness of your smart contracts.

You can find more information about us here:

Twitter: x.com

Website: https://astrasec.ai/

Github (Audit Reports): GitHub - astrasecai/audit-reports: AstraSec audit reports

Email: [email protected]

Telegram: @patricklou

Looking forward to the opportunity to collaborate.

Best regards,

Patrick Lou

AstraSec

1 Like

Dear Lido Audits Committee,

I wanted to introduce you to our auditing services.

Home to some of the best smart contract security researchers in the market and one of the strongest Developer Relations teams in the industry - Cyfrin professionals come from backgrounds at Chainlink, Alchemy, Google, Apple, Meta and other industry-leading organisations.

Cyfrin contributes to Web3 security by providing auditing services, open-source developer tooling and free education.

Security Problem

According to the REKT Database, as of July 2024, total losses in the DeFi sector exceeded $80 billion. In 2022 alone, DeFi experienced hacks resulting in over $3.8 billion in losses. In 2023, although funds stolen decreased to $1.7 billion, the number of individual hacking incidents actually grew from 219 in 2022 to 231 in 2023.

This is a security problem, a best practices problem, and a branding problem—rightfully keeping institutions and users away from a world-changing technology. Failing to address this issue undermines the very efforts to bring Web3 into the mainstream.

Introduction to Cyfrin

Laser-focused on Web3 security, Cyfrin is a market leader in smart contract audits. We have effectively conducted audits for some of the largest protocols, securing over $20B in TVL. We have gone one step further by building a competitive audit platform, CodeHawks, to bolster web3 security further.

In addition to providing private and competitive security audits, we provide open-source tooling and services for the entire community with Solodit and Aderyn.

At Cyfrin, we’ve taken on the enormous task of embedding security at every section of the web3 stack. More than a blockchain security research firm, Cyfrin is a web3 security powerhouse solving crypto’s most fundamental issues: security, education, and developer experience.

  • We have some of the industry’s best security researchers. We offer private and competitive audits and facilitate multi-phase audits, offering a modular mixture of both types based on the need to increase the protocol’s protection.

  • We offer in-depth educational content through Cyfrin Updraft to onboard developers into Web3 and teach them how to build on it securely.

  • We have created the most watched smart contract security/developer educational content on earth, taught by our co-founder, Patrick Collins.

  • We have developed open-source tools to give researchers greater information access and provide developers with a safer building experience.

    • Solodit: Aggregates bounties and security findings from the world’s top Smart Contract auditing companies and solo auditors, helping update the industry on the latest Smart Contract threats, bounties, and competitions.
    • Aderyn: Built using Rust, Aderyn integrates seamlessly into small and enterprise-level development workflows. It offers lightning-fast command-line static analysis functionality and a framework for building custom detectors that adapt to any Solidity codebase.

Cyfrin Private Audits

Cyfrin employs a rigorous audit process in which our security researchers thoroughly review smart contracts or protocol codebases to identify, report, and mitigate critical vulnerabilities that could disrupt protocol services. We minimize redundancies and optimize outcomes by integrating end-to-end security solutions with cutting-edge smart contract audits and expert researchers.

Our private audit service is tailored to meet the needs of both upcoming and established protocols. Our security research team collaborates closely with the protocol team to detect weaknesses and provide in-depth guidance on industry best practices. Consistent communication ensures that teams can swiftly address any vulnerabilities unearthed, enabling them to begin developing solutions without delay.

CodeHawks Competitive Audits

Cyfrin’s CodeHawks offers competitive audits, a cost-effective, thorough, and industry-endorsed way to enhance protocol security.

Unlike a traditional private audit, competitive audits offer a community-driven approach to security. Hundreds of security researchers, nicknamed Hawks, review a smart contract or codebase and compete to identify vulnerabilities, inefficiencies, and potential issues. Those auditors who find the vulnerabilities are rewarded through a prize pool established before the competition starts.

CodeHawks v2

The CodeHawks team has been gathering feedback to better understand the features security researchers and protocols want, from how they use the platform to where enhancements should be made. This has led to improved processes (submissions, judging, appeals), usability, talent management, integrations, and more.

Today, CodeHawks has taken the next step in our journey and launched the next generation of competitive auditing platforms, CodeHawks v2.

What’s new in the updated CodeHawks platform?

Already one of the most intuitive, easiest-to-use competitive audit platforms, Codehawks v2 represents a step change in usability with a complete platform refactor, a new suite of features, and better tools for protocols and auditors.

Protocols’ process for listing and managing competitions is faster, easier, and more comprehensive. A new dashboard and cleaner look level up the auditor experience. New rules have been introduced to improve the appeals process and community judging, making them more streamlined and fair.

Key Terms

  • Private audit: A team, consisting of usually 2-3 security researchers, spends weeks looking at a protocol’s codebase to find the most critical exploit vectors in a codebase, as well as perform architecture analysis, fuzz testing, improvement pull reviews, etc.
  • Public Competitive Audit: An audit where hundreds of security researchers review a codebase and compete for funds in a set reward pool based on the complexity of the vulnerabilities found, their impact, and their uniqueness.
  • Private Competitive Audit: An invite-only audit where a protocol invites top-performing auditors to review their code and compete in a community-driven audit competition.
  • Multi-Phase Audit: A model known as the Multi-Phase audit, crafted to maximize the quality of audits, a critical aspect in the Web3 space, by strategically incentivizing auditors and ensuring that the protocol codebase goes through at least two comprehensive auditing phases, Private & Competitive, enhancing the protocol’s ultimate security.

Contact Details

Telegram: Cyfrin_MScrine
Email: [email protected]

1 Like

Dear Lido team and respected community members,

Cyberscope Security Auditors would like to conduct a proof of concept (POC) for the Lido Ecosystem.

About the Company:
Cyberscope is a leading cybersecurity firm specializing in smart contract audits and blockchain security. Our partner network includes Coinmarketcap, Coingecko, Polygon DAO, and more. We have secured over 2.5k projects over the past 4 years, some of the clients you might know:

  • Defi Kingdoms
  • Origin Protocol
  • Quickswap

Value proposition
Cyberscope and the Lido team will have a call to define a small scope of work (could be a new contract or an old one). We will then start working for FREE on that contract and after a couple of days, we will present you with our preliminary Audit report. Your security team will work closely with our Auditors to approve the report and comment/feedback on the findings, and then we will proceed with delivery. If you are satisfied with the results, we will have a follow-up discussion about doing paid work on securing more of your smart contracts.

Finally, if you are going to Singapore Token2049 we will be thrilled to meet you in person and discuss this further. Stay safe!

Contact Details
Telegram: @coinscopeco_admin
Email: [email protected]

1 Like

Hello, thank you for reaching out.
We will indeed consider your proposal when picking an audit service provider for our upcoming projects. Meanwhile, I’d remind you that all of the Lido on-chain code is open, so if your team would like to get familiar with it, you are very welcome.
There’s a good chance that Lido folks will be present at the Singapore conference.

2 Likes

Hi @GrStepanov, team and community.

I’m Jamie, one of the leads at web3 Security and Smart Contract Auditing firm Hashlock. We’re one of the fastest-growing security firms in the space, having completed 200+ audits and secured more than $1.3B in assets onchain to date.

To give further insight into our firm’s capabilities, we work very extensively across the following:

  • Smart contract audits - almost all ecosystems & languages
  • Architecture and infrastructure review + formal verification
  • Bug Bounty program hosting
  • Security consultation & workshops - pre-audit
  • Penetration testing
  • On-chain monitoring

Our team has extensive experience securing Bridges, dApps, Wallets, Layer 1/2/3s, DeFi (all niches), Data DAOs, RWA & DePIN protocols, GameFi, Payment processors, AI and more.

Please feel free to reach out to me here:
[email protected]
or
[email protected] (Hashlock co-founder & director)

1 Like

Hi @GrStepanov and the Lido team,

I would like to introduce Consensys Diligence to the Lido DAO.

With a team of exceptionally talented researchers, Diligence is committed to advancing the blockchain ecosystem through open-source initiatives, promoting best practices, and securing some of the most recognized and complex projects. We specialize in smart contract audits and fuzzing services.

We are trusted by leading Dapp teams and enterprises, and we have deep expertise in liquid staking derivatives projects, such as Rocket Pool, among others. Our team also includes auditors who have worked on Lido V2 and Ethereum withdrawals with Lido.

It would be a pleasure for us to partner with you and help keep Lido secure.

  • Website: consensys[.]io/diligence/
  • Email: vlad[.]yaroshuk@consensys[.]net

2 Likes

Dear Lido Audits Committee and community members,

I would like to introduce Composable Security and how we can support in increasing security.

Get to know us:

As a company we focus on Staking, Re-staking, AVS, and UniswapV4 projects. We are a team of 2 experienced security researchers (drdr_zz & wh01s7) who have contributed to the space since 2019.

Damian Rusinek (drdr_zz)

  • PhD in Computer and Information Systems Security
  • Involved in professional security since 2016.
  • Co-author of Smart Contract Security Verification Standard.
  • Speaker @ EthCC, EthZurich, Web3 Security Conference

Paweł Kuryłowicz (wh01s7)

  • Co-author of Smart Contract Security Verification Standard.
  • Involved in professional security since 2017.
  • Pioneer in threat modeling for smart contracts.
  • Creator of Security Guide for App CTOs.

Proud of :trophy:

  • Creators of the first security standard for smart contracts, the Smart Contract Security Verification Standard.
  • Supported by a Uniswap Foundation grant, we have conducted research on the threat landscape for hooks in UniswapV4.
  • Speakers & mentors at EthCC, ETHGlobal London, ETHWarsaw, Web3 Security Conference, EthereumZurich and more.
  • Creators of the first Security Guide for DApps (100+ pages of free knowledge).
  • 2x First place during War Room Games Paris @ EthCC 2023 and Brussels @ EthCC 2024.
  • In the previous company, we developed an interactive video program that trained 1,000+ developers.
  • Besides smart contract security, our experience was gained through 6+ years securing global fintechs and Polish banks.

Services:

  • Threat modeling
  • Ongoing audits
  • Smart contract audits
  • Security advisory
  • Security consultations

We value long-term and close cooperation with the team, which seems to be exactly what you expect. We are ready to help you not only with code auditing, but also support you in discussing solutions and implementing internal best practices that will result in savings and improved results in the future.

Contact

Mail: [email protected]
Twitter: Composable_Sec
Telegram: wh01s7, drdr_zz
GitHub: ComposableSecurity

1 Like

Hello Audit Committee and Lido team - excited to share our proposal on how we can contribute to making Lido more secure.

Why Proactive, Pre-Audit Security is a Must

While an audit is a critical step in a sophisticated security process, audits are not foolproof (90% of exploited smart contracts were audited at least once). At Olympix, we believe in empowering internal teams with the tools they need to make their smart contracts as secure as possible.

Intro to Olympix

Olympix is a suite of proactive smart contract security tools for developers which includes static analysis, automated unit testing, and mutation testing. Our tools enable your developers (who know the code best) to find and resolve vulnerabilities in-house, prior to the first audit. Teams that use our tools:

  • are better prepared for audits (low hanging fruit vulnerabilities already resolved, cleaner code, better line & branch coverage with unit tests, etc)
  • see drastically reduced audit findings which gives them greater confidence in that audit and signals to auditors, partners, and users that they are writing more secure code to begin with
  • have an additional layer of insurance built into the security process and less reliance on audits

In the last quarter, $60M in exploits would have been prevented had those teams used our tools prior to the audit.

Why Olympix?

Our tools are built on sophisticated, proprietary architecture, including custom IR (intermediate representation). Why this matters:

  • Eliminates the need for recompilation, resulting in analysis speeds up to 100x faster than solc-dependent tools.
  • Enables analysis of incomplete or non-compilable code, supporting early-stage development and partial updates.
  • Supports multi-version Solidity projects.
  • Handles complex Solidity-specific types and conversions with high accuracy.

Our tools were also built for developers. They are incredibly easy to use and can be installed and run with a single click. The tools not only identify vulnerable lines of code, but explain why the line of code is vulnerable, how the vulnerability plays out in real-world exploits, and how to fix the issue.

Our first tool, the free version of our static analyzer, is used by over 30% of Solidity developers. Our paid tools currently protect over $10B in TVL from startups to global enterprises.

How Olympix Saves on Security Costs

Because we’re a tool rather than a one-off service, we help increase security on a continuous basis without requiring additional spend - essentially allowing you to scale security without scaling security costs.

Teams that use Olympix also see reduced audit spend on pay-per-vulnerability models, or where multiple audits were previously required to reach high confidence.

Contact
website: olympix[.]ai
email: channi@olympix[.]ai, sarah@olympix[.]ai
twitter: Olympix_ai
telegram: channigreenwall, sarahjanehicks

2 Likes

Thank you for reaching out! We will definitely keep you in mind when planning our future security demands.

1 Like

Hello all!

At :evergreen_tree: Formal Land, we want to bring the maximum level of security for web3 applications and specialize in formal verification techniques. For that reason, we are trying to make formal verification as low-cost as possible to cover more use cases.

We developed the open-source tool coq-of-solidity to formally verify Solidity smart contracts on arbitrary complex properties thanks to the proof assistant :rooster: Coq in the backend. We also worked a lot in the past on the verification of Rust/OCaml web3 systems (Sui, AlephZero, Tezos).

We would be glad to be part of the teams auditing the Lido code and offer a maximal level of safety for it! :slightly_smiling_face:

Contact
website: formal[.]land
email: contact@formal[.]land
X: FormalLand
telegram: guillaumeclaret

Thanks!

2 Likes