Lido on Ethereum: Form Audits Committee

Abstract

From the very start of Lido, external audits used to be one of the cornerstone quality standards for the code used in Lido products, specifically for the on-chain code. With Lido’s growing success, audit reports have eventually become an integral attribute of any significant Lido release.
However, until now there was no clear and public process around planning audits for major protocol upgrades. This results in messed-up timelines, release delays, and hectic operations around finding audit slots, posting finalized audit reports, and funding the related expenses.

Proposal to form Audits Committee

We propose forming the Lido on Ethereum Audits Committee aimed at reducing the operational load of the dev team, optimizing audit pipelines, communicating with auditors and the DAO on related topics, and also increasing awareness of Lido security standards within the community.
The main goals of the Audits Committee would be:

  • Secure at least two finalized audits for each significant release.
    The most critical (e.g. Withdrawals-related) projects should have 3 audits on them. Rotating auditors from the partner pool and the previously not engaged ones should be considered a good practice. Not having a 2nd public audit report for a major project should be a blocker for release.
  • Besides the audit slots for the scheduled releases, have the ability to secure mid-sized audit slots on-demand. Consider a retainer from a reliable partner.
  • Figure out and maintain a sustainable workflow to secure formal verification for critical Lido protocol parts.
  • Communicate with auditor service providers, and establish long-term relationships with reliable parties.
  • Secure funding from the DAO, and budget audit-related expenses based on current demand.
  • Keep the community posted about the important audits secured, in order to increase the community awareness of Lido’s security standards.
  • Maintain public docs hub page/website page with all the completed audits.
  • Perform internal housekeeping of audit slots, their occupation, and scheduling

Proposed Committee composition

We propose including core contributors familiar with Lido roadmaps and short-term timelines in the Audits Committee:

Invitation to partner with Lido

Lido is open to partnership with any existing audit service providers including community contest-based solutions.
We encourage entities to approach Lido on Ethereum Audits Committee to discuss partnership opportunities and find the best ways to keep Lido secure. Please email us at [email protected] – we will be happy to chat!

16 Likes

The demand for high-quality audits in Lido is quite significant, as the security of the protocol is a must. The proposal communicates the workgroup and an entry point for audits, as well as notes the current focus on the Ethereum Lido protocol.

7 Likes

Hey, thank you for the public audit committee introduction.

Hope that it’s a win-win initiative for the Lido DAO and audit service providers. Excited to be a part of it.

2 Likes

Hi, thanks for this initiative. Definitely, the ecosystem needs good and reliable auditors.

Hi everyone,

We are decurity.io — a team of 20 that does full-stack web3 security audits. Our customers include Yearn, 1inch, Symbiosis, and others. We are members of the team who won 2nd place worldwide during the Paradigm CTF contest among security auditing teams.

We’ll be happy to contribute to Lido’s security in different ways: manual smart contract audit, penetration testing, DevSecOps pipeline integration, transaction security monitoring.

Our main points of contact:
Email: [email protected]
Telegram: @beched (Omar Ganiev, CEO), @theRaz0r (Arseniy Reutov, CTO).

3 Likes

Hi there! Thanks for dropping us a line, we will have you in mind when planning the audits going forward.

1 Like

Hi @GrStepanov,

Would love to introduce you to Omniscia. We do audits, pen tests, tokenomics analysis and due diligence.

We have audited close to 250 projects like L’Oreal, Euler, Morpho, DappRadar, Tokemak, AvaLabs, Matic, LimitBreak, OlympusDAO since 2021.

  • Our reports are web-based and include aggressive gas-saving recommendations
  • We have a clean track record (not on the rekt leaderboard)
  • Static analysis represents < 10% of the work we will conduct on your contracts. The bulk of the audit consists of having extremely senior security engineers manually review your contracts
  • Our chief security officer won the Code4rena / Opensea contest: https://twitter.com/Omniscia_sec/status/1623821249960116224

Happy to connect by email at [email protected] or telegram at @ClementBarbier

2 Likes

Nice to meet you! Looking forward to connecting with Omniscia as soon as we start planning our future audit needs.

2 Likes

Hi @GrStepanov,

It’s a pleasure to introduce Supremacy to the community.

Supremacy is a leading blockchain security agency, composed of industry hackers and academic researchers, providing clients with a one-stop security solution for the whole life cycle with our technology precipitation and innovative research. Our partners include Curve[.]fi, Scroll and others.

  • We have launched a powerful transaction explorer: Cruise is Supremacy’s Transaction Explorer designed for the Web3.0 ecosystem; it currently supports 10+ EVM chains. In this field, its blockchain support far exceeds that of similar competitors.

  • In addition, we also launched the world’s first Vyperlang-based war game: VyperPunk, which has helped a large number of Vyperlang community members learn about security and has been well received by the contributors.

We are pleased to provide security support to the Lido community, including: Security Advisor, Security Auditing, Threat Intelligence, Situational Awareness, Threat Interdiction, Emergency Response and On-chain Tracking.

The community can link to us through the following ways:

  • Email: [email protected]
  • Twitter: twitter[.]com/Supremacy_CA
  • Telegram: t[.]me/SupremacyInc
3 Likes

Thank you for reaching out! We will definitely add Supremacy to the list of audit service providers to work with in the future.

2 Likes

Hi Lido team,

We are Aria and would love to form a partnership where we can prove our value in smart contract auditing. Our highly experienced team, enriched by years of expertise in elite units at the IDF, possesses extensive knowledge in web3, cybersecurity, and vulnerability research.

We can help with:

  • Manual smart contract audit
  • Share our proprietary technology of fuzzing for your teams

Our team at Aria has successfully discovered critical bug bounties at Immunefi, conducted private audits with Coinmama and Secret and identified vulnerabilities in Code4rena for several projects.

Happy to connect via Email at: [email protected] or at LinkedIn at: https://www.linkedin.com/in/ido-holtsman-4a5049187/

1 Like

Thank you for coming by! Right now we are covered, but there’s a good chance we will be willing to partner later in the year (probably in 1-2 months from now).

Hey @GrStepanov and Lido team!
We are KALOS - Making Web3 Space Safer for Everyone.

KALOS is a flagship service of HAECHI LABS, providing blockchain wallets and security audits since 2018. Over the course of last 5 years, we have secured nearly $60B crypto assets on over 400 projects.

We bring together the best experts to make web3 space safer for everyone. Our team consists of security researchers with various expertise - smart contract, blockchain, cryptography, web security, reverse engineering, and binary analysis. Their skills have led to multiple strong performances in reputable CTFs over the past few years.

We will be happy to provide a high quality audit and contribute to Lido’s security. Further information (our team, tech blog, etc.) can be found on our website below - feel free to connect via email

2 Likes

Check our website at: https://aria-labs.io/

Thank you for getting in touch!

Hey everyone,

Nethermind Security is the specialized security arm of Nethermind, providing Smart Contract Audits, Formal Verification and Real-Time Monitoring solutions for Ethereum and Starknet builders. Our teams of blockchain security experts have a strong academic background and have long-standing experience analyzing Solidity and Cairo smart contracts.

Nethermind is collaborating with Lido on the research and design of a good validator set maintenance mechanism and we also run and manage a large set of validators for Lido. We believe Nethermind Security is well suited to expand this cooperation by helping to secure the Lido ecosystem.

Nethermind is a world-class team of engineers and researchers with expertise in protocol engineering, blockchain security, layer two scaling, decentralized finance, smart contracts development, and cryptography research.

Website: https://nethermind.io

Email: [email protected]

Twitter: https://twitter.com/NethermindEth, https://twitter.com/NethermindStark

Telegram: @Bobbayb

3 Likes

A standardized framework for ranking a smart contract audit firm would streamline the external audit process of Lido developments. I’ve put together a description of each criterion that can be considered in the decision matrix. I believe this will help bring clarity and alignment as the Lido ecosystem grows larger.

Note:

  1. This is an example and the company names used are fictional and for representative purposes only.
  2. The weightage and variables showcased are for representative purposes only.
  3. Feedback is appreciated

Decision Matrix for Smart Contract Audit Firm Ranking

| Criteria | Description | Adjusted Weightage (%) | AlphaAudit (1-10) | BetaCheck (1-10) | GammaGuard (1-10) |
|---|---|---|---|---|---|
| Protocol Experience | Familiarity with Lido protocol or similar protocol | 9% | 9 | 8 | 7 |
| Audit Availability | Ability to provide multiple audits for every release | 9% | 8 | 9 | 7 |
| On-demand Audits | Availability for unexpected audit requirements | 9% | 8 | 7 | 9 |
| Formal Verification | Capability to perform in-depth code verifications | 5% | 7 | 8 | 8 |
| Partnership Potential | Likelihood of long-term collaboration with Lido | 9% | 9 | 7 | 8 |
| Communication Quality | Ease and clarity in communication | 9% | 8 | 9 | 7 |
| Financial Compatibility | Affordability and alignment with Lido’s budget | 9% | 8 | 7 | 9 |
| Reputation | Feedback from community and past performance | 9% | 9 | 8 | 7 |
| Lido Security Adaptability | Alignment with Lido’s security standards | 9% | 8 | 7 | 8 |
| Project Familiarity | Knowledge about Lido’s plans and projects | 5% | 7 | 8 | 7 |
| Previous Audits Volume | Total number of past audits conducted | 4% | 9 | 8 | 7 |
| Project Value Protection | Total value of projects audited in the past | 4% | 8 | 9 | 7 |
| Post-audit Compromises | Number of projects compromised after audit (Negative Impact) | 4% | 8 | 9 | 7 |
| Post-audit Fund Losses | Amount lost from projects after audits (Negative Impact) | 4% | 9 | 8 | 8 |
| Audit Firm Rating | Total Score (out of 10) | 100% | 8.2 | 7.9 | 7.7 |

Calculation Steps

  • The Weightage (%) column should sum up to 100%.
  • The scores for the audit firms are on a scale of 1 to 10, where 1 represents the lowest performance and 10 the highest.
  • Criteria with potential negative impacts, like “Post-audit Compromises” or “Post-audit Fund Losses,” should be scored inversely. A higher number of incidents would result in a lower score.
  • After scoring each audit firm, multiply each criterion score by its weightage to get the weighted score for each criterion.
  • Sum all the weighted scores for each firm to get a total score.
1 Like
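An added example, not part of the forum post or of any Lido tooling, that implements the calculation steps described in the decision matrix above: a weight-sum check, inverse scoring for the negative-impact criteria, and the weighted total per firm. The firm names, weights, incident counts and the linear inverse mapping are constructed assumptions for illustration.

```python
# Added example: weighted decision matrix for ranking audit firms.
# All data below is constructed; the linear inverse mapping is an assumption.

def inverse_score(count, worst_case):
    """Map an incident count to a 1-10 score: more incidents => lower score.
    Assumed linear mapping: 0 incidents -> 10, >= worst_case incidents -> 1."""
    count = min(max(count, 0), worst_case)
    return round(10 - 9 * count / worst_case, 1)

def validate(weights, scores):
    """Weights must sum to 100%; every firm needs a 1-10 score per criterion."""
    total = sum(weights.values())
    if abs(total - 100) > 1e-9:
        raise ValueError(f"weights sum to {total}%, expected 100%")
    for firm, s in scores.items():
        missing = set(weights) - set(s)
        if missing:
            raise ValueError(f"{firm} lacks scores for {sorted(missing)}")
        bad = {c: v for c, v in s.items() if not 1 <= v <= 10}
        if bad:
            raise ValueError(f"{firm} has out-of-range scores {bad}")

def rank_firms(weights, scores):
    """Weighted score = sum(weight% / 100 * criterion score); highest first."""
    validate(weights, scores)
    totals = {
        firm: round(sum(weights[c] / 100 * s[c] for c in weights), 2)
        for firm, s in scores.items()
    }
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed weights (sum to 100%) and scores for two fictional firms.
WEIGHTS = {
    "protocol_experience": 40,
    "formal_verification": 20,
    "post_audit_compromises": 20,   # negative-impact criterion
    "post_audit_fund_losses": 20,   # negative-impact criterion
}
# Negative-impact criteria start from raw incident counts and are inverted.
SCORES = {
    "AlphaAudit": {"protocol_experience": 9, "formal_verification": 7,
                   "post_audit_compromises": inverse_score(0, 5),
                   "post_audit_fund_losses": inverse_score(0, 5)},
    "BetaCheck": {"protocol_experience": 8, "formal_verification": 9,
                  "post_audit_compromises": inverse_score(2, 5),
                  "post_audit_fund_losses": inverse_score(1, 5)},
}

if __name__ == "__main__":
    for firm, total in rank_firms(WEIGHTS, SCORES):
        print(f"{firm}: {total}")
```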

Thanks for sharing this!
Normally, the audit committee tries to diversify the audit service provider set for Lido, but prioritizing the firms already familiar with our codebase would probably result in picking the same firms again.
Besides, the committee tries to pick the right team for every single project, based on the firm’s past work, claimed expertise, and track record.
Formats of security services vary vastly from traditional security assessments to community challenges, formal verification, etc., and not all of those would fit into the proposed evaluation framework.
Last but not least, audit services are pricey these days, and it also is an important point when discussing audits for a specific project.

3 Likes

Hi @GrStepanov and Lido team,

We are Ackee Blockchain Security (ackeeblockchain[.]com/), a team of auditors and white hat hackers who perform security audits and assessments. Our clients are projects like:

  • Axelar
  • 1inch
  • Layer Zero
  • Safe
  • CoW Swap
  • Trader Joe
  • Ipor
  • Neon EVM
  • and many more…

Apart from auditing we also develop open-source tooling. Woke is a Python-based development and testing framework for Solidity.
(ackeeblockchain[.]com/woke/docs/latest/testing-framework/overview/).

We would love to contribute to Lido’s security! Looking forward to discussing this further!

Contact:

Website: ackeeblockchain[.]com

Email: hello@ackeeblockchain[.]com

Telegram: @TomasABCH (Tomas Bayer, COO)

2 Likes

Hi @Grstepanov,

It’s a pleasure to introduce Halborn to the community.

Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as:

Uniswap, zkSync, Matter Labs, Circle, Solana, Dapper Labs, Polygon, Animoca Brands, Sushi, and many more.

Halborn provides Smart Contract Audits, Advanced Penetration Testing, DevOps & Automation, and Security-Advisory-as-a-Service.

Halborn serves as your reputable partner to continuously assess your most vital assets, save time in your development lifecycle and provide world-class cybersecurity consulting and assessments every step of the way — far beyond smart contracts.

The community can link to us through the following ways:

  • Website: halborn[.]com
  • Email: scott[.]gralnick@halborn[.]com
  • Twitter: twitter[.]com/@HalbornSecurity
  • Telegram: scottgr
3 Likes