MixBytes team was engaged and has finished the verification of the wstETH deployment on zkSync. Three security researchers checked the presented information according to the internal checklist. The results are as follows:
- All contracts functionality accounts for features of zkSync VM and message transferring between Ethereum and zkSync.
- The proposed solution architecture is very similar to the canonical wstETH bridge (Optimism and Base wstETH bridges) with some additionals specific to the zkSync rollup.
- Deployed contracts match the audited scope. All findings from the report are addressed in the contracts. All crucial findings were fixed before deployment.
- Most of the contracts were deployed via create2, which allows redeploying contracts in case of their destruction. Contracts can be destroyed only after approval from Lido DAO (according to the current ACL), so this should be accounted for in further decisions. However, for now, it doesn’t bring any additional risks.
- All contracts were correctly deployed and initialized according to the forum proposal.
- ACL setup was implemented as it presented without any additional roles and addresses.