Runtime Verification audits Hone’s Liquid Staking protocol

Posted on September 1st, 2022 by Runtime Verification
Posted in Audits

Runtime Verification is pleased to announce the completion of Hone’s Liquid Staking smart contract audit. Hone is a protocol built on the Algorand blockchain allowing users to earn Algorand Governance rewards without having to soft lock their ALGO for three months at a time.

Audit scope

The audit scope was limited to the TEAL source code of the smart contract responsible for the Liquid Staking protocol’s central functionalities.

At the onset of the audit process, the various functionalities were separated into two smart contracts. After commencing the audit, the Hone team, in collaboration with the auditor, reasoned that the system could be simplified and its operation improved by merging the two into a single smart contract.

The Hone liquid staking platform allows users to stake ALGO in exchange for dALGO, a tokenized derivative of a user's staked ALGO. The staked ALGO is committed to the Algorand Governance period in order to earn rewards and cast votes. The earned ALGO is then deposited back into the total staked contract. By using Hone, users can stake their ALGO to earn governance rewards while still having access to their original liquidity via dALGO.

The audit covered only the TEAL source code contract mentioned in the report. It excluded any deployment and upgrade scripts, off-chain codebase and client-side portions of the codebase.

Methodology

Runtime Verification conducted a manual code review for a period of five weeks, and delivered a detailed report on May 30th, 2022.

The first step in the audit process consisted of using an in-house tool to create a high-level representation of the code in the TEAL language. The tool was used to gain a better understanding of the model, to check for any unexpected and potentially exploitable behaviors, and to validate the absence of loopholes in the implementation and business logic.

Next, the code underwent a careful analysis of its more sensitive operations, such as any arithmetic operations performed by the contract, and was searched for any dangerous use cases that could lead to theft of assets or asset loss by the platform users.

Following this analysis, rounds of internal discussion took place over the code and platform design in order to identify possible exploitation vectors and improvements for the analyzed contract.

Finally, a thorough review of the TEAL guidelines published by the Algorand Foundation finished out the audit process. Additionally, in order to make the audit as thorough as possible given the nascent TEAL development and auditing community, a list of known Ethereum vulnerabilities and attack vectors was also reviewed to see if they applied to TEAL smart contracts. If they applied, the code was checked to see if it was vulnerable to them as well.

Results

The audit identified and highlighted some issues along with a number of informative findings. The Hone team addressed all the issues and concerns raised during the audit and incorporated all the necessary changes in the smart contract. The resulting code changes were given a best-effort review in the final stages of the audit process.

Users interested in a more detailed and technical explanation about the findings can go over the full report in our GitHub repository.

About Hone

Hone is a liquid-governance staking protocol built around Algorand Governance. Users who deposit their ALGO into the Staking Pool receive dALGO, a tokenized version of their underlying ALGO and any rewards earned by the Staking Pool, which participates in Algorand Governance on the depositors' behalf. The Staking Pool follows the voting lead of the Algorand Foundation. Hone creates a fully liquid, yield-bearing token that can be used throughout the Algorand ecosystem without the need to lock up your ALGO in governance commitments.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.