Runtime Verification audits Blockswap’s dETH Gateway

Posted on June 28th, 2023 by Runtime Verification
Posted in Audits


Runtime Verification is pleased to announce the completion of the Blockswap dETH Gateway audit. The dETH Gateway protocol offers users a bridgeless path to any EVM ecosystem for dETH. By creating composable oUTXOs, Gateway allows anyone to access staked ETH yield natively on any blockchain. This eliminates third-party risk, as users can self-bridge their own dETH between blockchains. The introduction of the dETH Gateway should fuel the rollup-centric future of Ethereum.

Audit scope

Blockswap’s dETH Gateway protocol is a recent layer added to their tech stack. dETH is minted when staking with Stakehouse. Stakehouse is a programmable staking layer providing automated accounting and delegation for ETH staking. It does this by recreating the consensus layer validator state on the execution layer and keeping the two in sync. That means every ETH in the consensus layer can always be 100% accounted for 1:1 with a derivative in the execution layer. It allows a user to register a validator and mint dETH, a derivative token that can be traded freely and is redeemable 1:1 for ETH, with more dETH being minted as a validator earns inflation rewards. Within the Stakehouse protocol, validators are known as KNOTs. Until now, the dETH associated with a KNOT could only be used on Ethereum. With the dETH Gateway protocol, it can now be used on Optimism. To this end, the following operations are provided by the dETH Gateway protocol:

  • State extension: Locks a KNOT's dETH on Ethereum and makes it spendable on Optimism
  • Balance update: Forwards the earned dETH to Optimism if a KNOT's dETH balance on Ethereum has increased due to validator rewards (requires that a state extension has already been performed for this KNOT)
  • State unwinding: Removes a KNOT's dETH from Optimism and unlocks it on Ethereum

The audit scope encompasses the entirety of the smart contracts specific to the Gateway protocol. The scope was limited to the Solidity source code contracts, and it excluded any deployment and upgrade scripts, off-chain codebase, and client-side portions of the codebase. A cursory review of the router, an off-chain component, was conducted as well. A detailed list of all the contracts, libraries, and interfaces audited can be found in the report.

Methodology

Runtime Verification conducted a manual code review over a period of 4 weeks and delivered a detailed report on October 17th, 2022.

The first step in the audit process consisted of gaining a better understanding of the protocol's overall design and business logic. This was accomplished by thoroughly reading the code, collaborating with the Blockswap team, and drawing on knowledge gained from previous audits conducted on the protocol.

Next, a list of properties that the protocol must satisfy was compiled. Then a thorough code review was conducted to ensure that the code matched the design and satisfied the identified properties. Additionally, a high-level model of the protocol was created and used to prove some of the crucial invariants. A key invariant proved during this process is that the total supply of dETH across the two connected chains (i.e., Ethereum and Optimism) is not affected by the gateway. This is something that any bridging solution should satisfy.
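A toy version of such a model for the three operations listed under the audit scope (an added example, not Runtime Verification's model or Blockswap's code; the class, the method names and the per-KNOT bookkeeping are assumptions). It interleaves random mints with gateway calls and checks that no gateway call changes the combined supply and that dETH on Optimism stays fully backed by locked dETH on Ethereum:

```python
import random


class GatewayModel:
    """Toy two-chain ledger. Names and rules are assumptions, not Blockswap's contracts."""
    def __init__(self):
        self.eth_free = {}      # KNOT -> dETH usable on Ethereum
        self.eth_locked = {}    # KNOT -> dETH locked on Ethereum by the gateway
        self.op_spendable = {}  # KNOT -> dETH spendable on Optimism
    def total_supply(self):
        # Locked dETH only backs its Optimism counterpart, so it is not counted twice.
        return sum(self.eth_free.values()) + sum(self.op_spendable.values())
    def mint(self, knot, amount):
        self.eth_free[knot] = self.eth_free.get(knot, 0) + amount  # staking/rewards, not a gateway op
    def _forward(self, knot):
        amount = self.eth_free.get(knot, 0)
        self.eth_free[knot] = 0
        self.eth_locked[knot] = self.eth_locked.get(knot, 0) + amount
        self.op_spendable[knot] = self.op_spendable.get(knot, 0) + amount
        return True
    def extend_state(self, knot):
        if knot in self.eth_locked or knot not in self.eth_free:
            return False  # unknown KNOT or already extended
        return self._forward(knot)
    def update_balance(self, knot):
        if knot not in self.eth_locked:
            return False  # a state extension must come first
        return self._forward(knot)
    def unwind_state(self, knot):
        if knot not in self.eth_locked:
            return False  # nothing to unwind
        self.eth_locked.pop(knot)
        self.eth_free[knot] = self.eth_free.get(knot, 0) + self.op_spendable.pop(knot)
        return True


def check_invariant(seed, steps=2000, knots=("knot-a", "knot-b", "knot-c")):
    """Randomly interleave mints and gateway calls; return how many gateway calls applied."""
    rng, m, applied = random.Random(seed), GatewayModel(), 0
    for _ in range(steps):
        knot, before = rng.choice(knots), m.total_supply()
        op = rng.choice(["mint", "extend_state", "update_balance", "unwind_state"])
        if op == "mint":
            m.mint(knot, rng.randint(1, 32))  # supply grows here, outside the gateway
            continue
        applied += getattr(m, op)(knot)  # rejected calls return False and change nothing
        assert m.total_supply() == before, f"{op} changed total supply"
        assert m.eth_locked == m.op_spendable, "Optimism dETH not fully backed"
    return applied
```

Random testing of this kind only samples the state space; the audit describes proving the invariant on its model, which is a stronger guarantee.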

Results

The audit identified and highlighted some issues along with a number of informative findings. The Blockswap team acknowledged all the issues and concerns raised during the audit and incorporated all the necessary changes in the smart contracts.

Users interested in a more detailed and technical explanation of the findings can review the full report in our GitHub repository.

About Blockswap Labs

Blockswap Labs is a research and development company focusing on proof of stake assets and consensus mechanisms. Aligning with the Ethereum ethos, Blockswap is creating the first all-inclusive super network for ETH staking. Whatever aspect of the Ethereum staking process a user wants to get involved with, Blockswap is there to make it capital-efficient, trustless, permissionless, and safe.

Blockswap Labs delivers end-user products which allow for complex tasks to be completed in 60 seconds. These products are all designed as middleware that can be developed around.  

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.