Runtime Verification audits stakefish Ethereum staking 2.0
Runtime Verification is thrilled to announce stakefish Ethereum staking 2.0 audit completion. Stakefish is a staking service provider offering users the chance to stake their tokens to earn rewards while simultaneously helping to secure PoS networks.
Audit scope
Last December, stakefish launched a new version of their non-custodial Ethereum staking service. The new version allows users to stake as little as 0.1 ether at a time, unlike the original version which required staking a minimum of 32 ether. This new feature lowers the entry barrier for countless users, making it easy for everyone to start staking and receiving rewards in the future once the staking period is over.
The audit scope is limited to the core contracts of the “stakefish Ethereum staking 2.0” product. A total of 6 contracts were reviewed (more information about the reviewed contracts can be found in the report), together with a lightweight review of the library contracts and interfaces. We worked with the client to choose one git-commit for the audit and added an extra commit before the end of the audit to review one change in the code that contained a gas optimization.
The audit only covered Solidity contracts and it excluded any deployment and upgrade scripts, off-chain codebase and client-side portions of the codebase.
Methodology
Runtime Verification conducted a manual audit on the stakefish Ethereum Staking 2.0 smart contracts for a period of three weeks and published a detailed report on October 22nd, 2021.
The first step was to understand and analyze the business logic of the contracts. A series of diagrams were drawn to understand the flow and any possible attack scenarios. Key properties were validated to rule out the possibility of a loophole that could cause an exploit or inconsistencies between the logic and the implementation.
The second step consisted of checking if the code was vulnerable to already known security issues and attack vectors. This step helps to rule out a series of potential attack scenarios that the developers could have missed.
The last step consisted of symbolically executing part of the compiled code to search for any exploitable scenarios at the bytecode level introduced by the Solidity Compiler.
Results
The audit identified and highlighted some critical issues along with a number of informative findings. The stakefish team addressed all the issues and concerns raised during the audit and incorporated all the necessary changes in the smart contracts. The code is well written following Solidity best practices, and the documentation provided with the functions was complete and key to understanding the code’s logic.
During the audit, a third-party individual (@tsudmi) reported to the community an exploit affecting the Eth2 deposit contract of some staking platforms. Stakefish team worked closely with our team to investigate if the exploit affected stakefish Eth2 staking. In the case of stakefish, the exploit scenario is not applicable because stakefish’s trust model involves no third party operators.
Users interested in a more detailed and technical explanation about the findings can go over the full report in our GitHub repository.
About Stakefish
Stakefish is the leading validator for Proof of Stake blockchains. With support for 10+ networks, their mission is to secure and contribute to this exciting new ecosystem while enabling users to stake with confidence. Because stakefish nodes and team are globally distributed, the team is able to maintain 24-hour coverage.
About Runtime Verification
Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses formal methods to perform security audits on virtual machines and smart contracts on public blockchains. It also provides software testing, verification services and products to improve the safety, reliability, and correctness of software systems in the blockchain field.