Lido on Ethereum: Form Audits Committee

Dear Lido Audits Committee,

The Least Authority team is interested in supporting the Lido ecosystem with security audits and other security consulting services. In order to provide sustainable support and not merely a one-time audit, we are proposing a series of audits and other security support services coordinated with your ecosystem with a security roadmap.

Why us?

With our mission to support the development of usable technology solutions to advance digital security and preserve privacy as a fundamental human right, we see Lido as fundamental to empowering users and our security auditing efforts essential to enabling the effective use of it.

We offer a flexible approach where the timeline and deliverables are dependent on your current needs. We have the capability to cover a wide spectrum of Web3 ecosystems and programming languages, allowing us to provide comprehensive support to meet the diverse needs of your ecosystem. Our team has skills for reviewing code in multiple languages, such as C, C++, Python, Haskell, Rust, Node.js, Solidity, Go, JavaScript, ZoKrates, and circom, for common security vulnerabilities and specific attack vectors. The team reviews implementations of cryptographic protocols and distributed system architecture in cryptocurrency, blockchains, payments, smart contracts, zero-knowledge protocols, and consensus protocols. Additionally, the team can utilize various tools to scan code and networks and build custom tools as necessary, and supports development teams from the design phase through the production launch and after. Our security consulting efforts allow us to advance the security of systems and contribute to the community of developers who build them. This is especially true for our clients who choose to publish the reports of the reviews we completed for them, including our review of the Ethereum 2.0 specifications for the Ethereum Foundation, along with reports for Metamask, Centrifuge, ChainSafe and others.

Commitment to transparency

We publish our audits to help developers and projects implement best practices in security, resulting in the creation of more robust and trustworthy Web3 applications. This, in turn, fosters increased adoption and investment in Web3 technologies, driving growth and economic benefits. Our dedication to raising the overall security standards within the Web3 space ensures that your ecosystem remains resilient in the face of evolving threats.

We look forward to discussing the details and possibilities of our collaboration further.

The following links provide more information about our work:

To see a list of our published audit reports: https://leastauthority.com/security-consulting/published-audits/

A blog post about our work with zero-knowledge proofs: https://leastauthority.com/blog/pioneering-zero-knowledge-proofs/

A blog post about our work with Web3 wallets: https://leastauthority.com/blog/navigating-web3-wallets-enabling-a-secure-user-experience/

For more information about our security consulting, please visit: https://leastauthority.com/security-consulting/

Please let us know if you are interested in any of our work and would like to discuss it further! You can schedule a call with us here: https://calendly.com/least-authority-security-consulting/info-session

3 Likes

Thank you for the introduction! @glory @Shu
We definitely will be keeping our eyes on both Halborn and Least Authority, looking forward to working with your teams in the future.

2 Likes

Hey, just wanted to say that you rarely come across projects with an organized approach to security like you guys. So, kudos on that!

Andreas @Omniscia

4 Likes

DeFiSafety has new security systems that directly mitigate the risks of lost keys and insider threats. We will guide you through a defined process where each risk will be quantified and can be mitigated. We do not ask for private data through the process.

This process involves categorization of the multisig actions, signers and health, using a DeFiSafety process.
It will involve some activities from the Lido team such as risk categorization of MultiSig actions. The output will be a set of recommendations for improved security. The result will be a clear system that Lido can use in the future without DeFiSafety support, or we can come back and review your progress.

DeFiSafety has been reviewing security in DeFi protocols for 4 years. We are unique in that we view DeFi security through a process lens. Indeed, process errors are now responsible for most losses in DeFi (link available upon request). For this reason we are best positioned to help protocols mitigate these threats.

Please consider trying this service. It may help Lido or at least give you a third party assurance that you have strong processes. You will find our pricing competitive as DeFiSafety are not auditors.

1 Like

Hi @GrStepanov and Lido team,

I am reaching out from AstraSec, a cybersecurity firm founded in early 2024. Our team of smart contract auditors has extensive experience, having conducted audits for renowned DeFi projects such as AAVE, Curve, Pancakeswap and more.

At AstraSec, we have also had the privilege of working with prominent clients like 1inch, Magpie, Wagmi, LayerBank, FWX Finance, ParaSwap, Floin, Orbs, and Rango for our audit services.

We are eager to contribute to Lido’s security and ensure the robustness of your smart contracts.

You can find more information about us here:

Twitter: x.com

Website: https://astrasec.ai/

Github (Audit Reports): GitHub - astrasecai/audit-reports: AstraSec audit reports

Email: [email protected]

Telegram: @patricklou

Looking forward to the opportunity to collaborate.

Best regards,

Patrick Lou

AstraSec

1 Like

Dear Lido Audits Committee,

I wanted to introduce you to our auditing services.

Home to some of the best smart contract security researchers in the market and one of the strongest Developer Relations teams in the industry, Cyfrin's professionals come from backgrounds at Chainlink, Alchemy, Google, Apple, Meta and other industry-leading organisations.

Cyfrin contributes to Web3 security by providing auditing services, open-source developer tooling and free education.

Security Problem

According to the REKT Database, as of July 2024, total losses in the DeFi sector exceeded $80 billion. In 2022 alone, DeFi experienced hacks resulting in over $3.8 billion in losses. In 2023, although funds stolen decreased to $1.7 billion, the number of individual hacking incidents actually grew from 219 in 2022 to 231 in 2023.

This is a security problem, a best practices problem, and a branding problem—rightfully keeping institutions and users away from a world-changing technology. Failing to address this issue undermines the very efforts to bring Web3 into the mainstream.

Introduction to Cyfrin

Laser-focused on Web3 security, Cyfrin is a market leader in smart contract audits. We have effectively conducted audits for some of the largest protocols, securing over $20B in TVL. We have gone one step further by building a competitive audit platform, CodeHawks, to bolster web3 security further.

In addition to providing private and competitive security audits, we provide open-source tooling and services for the entire community with Solodit and Aderyn.

At Cyfrin, we’ve taken on the enormous task of embedding security at every section of the web3 stack. More than a blockchain security research firm, Cyfrin is a web3 security powerhouse solving crypto’s most fundamental issues: security, education, and developer experience.

  • We have some of the industry’s best security researchers. We offer private and competitive audits and facilitate multi-phase audits, offering a modular mixture of both types based on the need to increase the protocol’s protection.

  • We offer in-depth educational content through Cyfrin Updraft to onboard developers into Web3 and teach them how to build on it securely.

  • We have created the most watched smart contract security/developer educational content on earth, taught by our co-founder, Patrick Collins.

  • We have developed open-source tools to give researchers greater information access and provide developers with a safer building experience.

    • Solodit: Aggregates bounties and security findings from the world’s top Smart Contract auditing companies and solo auditors, helping update the industry on the latest Smart Contract threats, bounties, and competitions.
    • Aderyn: Built using Rust, Aderyn integrates seamlessly into small and enterprise-level development workflows. It offers lightning-fast command-line static analysis functionality and a framework for building custom detectors that adapt to any Solidity codebase.

Cyfrin Private Audits

Cyfrin employs a rigorous audit process in which our security researchers thoroughly review smart contracts or protocol codebases to identify, report, and mitigate critical vulnerabilities that could disrupt protocol services. We minimize redundancies and optimize outcomes by integrating end-to-end security solutions with cutting-edge smart contract audits and expert researchers.

Our private audit service is tailored to meet the needs of both upcoming and established protocols. Our security research team collaborates closely with the protocol team to detect weaknesses and provide in-depth guidance on industry best practices. Consistent communication ensures that teams can swiftly address any vulnerabilities unearthed, enabling them to begin developing solutions without delay.

CodeHawks Competitive Audits

Cyfrin’s CodeHawks offers competitive audits, a cost-effective, thorough, and industry-endorsed way to enhance protocol security.

Unlike a traditional private audit, competitive audits offer a community-driven approach to security. Hundreds of security researchers, nicknamed Hawks, review a smart contract or codebase and compete to identify vulnerabilities, inefficiencies, and potential issues. Those auditors who find the vulnerabilities are rewarded through a prize pool established before the competition starts.

CodeHawks v2

The CodeHawks team has been gathering feedback to better understand the features security researchers and protocols want, from how they use the platform to where enhancements should be made. This has led to improved processes (submissions, judging, appeals), usability, talent management, integrations, and more.

Today, CodeHawks has taken the next step in our journey and launched the next generation of competitive auditing platforms, CodeHawks v2.

What’s new in the updated CodeHawks platform?

Already one of the most intuitive, easiest-to-use competitive audit platforms, CodeHawks v2 represents a step change in usability with a complete platform refactor, a new suite of features, and better tools for protocols and auditors.

Protocols’ process for listing and managing competitions is faster, easier, and more comprehensive. A new dashboard and cleaner look level up the auditor experience. New rules have been introduced to improve the appeals process and community judging, making them more streamlined and fair.

Key Terms

  • Private audit: A team, usually consisting of 2-3 security researchers, spends weeks looking at a protocol's codebase to find the most critical exploit vectors in the codebase, as well as performing architecture analysis, fuzz testing, improvement pull reviews, etc.
  • Public Competitive Audit: An audit where hundreds of security researchers review a codebase and compete for funds in a set reward pool based on the complexity of the vulnerabilities found, their impact, and their uniqueness.
  • Private Competitive Audit: An invite-only audit where a protocol invites top-performing auditors to review their code and compete in a community-driven audit competition.
  • Multi-Phase Audit: A model crafted to maximize the quality of audits, a critical aspect in the Web3 space, by strategically incentivizing auditors and ensuring that the protocol codebase goes through at least two comprehensive auditing phases, Private & Competitive, enhancing the protocol's ultimate security.

Contact Details

Telegram: Cyfrin_MScrine
Email: [email protected]

1 Like