Smart Contract Security Audit For Everstake

A Thorough Security Audit of Staking and Validator Contracts

Score:
10 /10
Ecosystem:
Type:
Staking Platform Validator Infrastructure
Background Image

Overview

Everstake is a responsible validator trusted by 625k+ users across 70+ blockchain networks. Created by engineers for the entire community in 2018. It’s a self-funded, profitable business employing 125+ people and running over 8,000 nodes.

Technologies: Solidity

Task

We were assigned to detect and describe security issues in the smart contract of Everstake.

We needed to check the smart contracts with the following parameters:

Whether the contract is secure;

Whether the contract corresponds to the documentation;

Whether the contract meets best practices in terms of the efficient use of gas and code readability.

We have scanned this smart contract for commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp Dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas Limit and Loops;
  • Transaction-Ordering Dependence;
  • Unchecked external call – Unchecked math;
  • DoS with Block Gas Limit;
  • DoS with (unexpected) Throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violation;
  • ERC20 API violation;
  • Uninitialized state/storage/ local variables;
  • Compile version not fixed.

In addition, Everstake was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

Contract Overview

The scheme of staking the ETH deposit by a validator on Beacon chain

Contract Overview Image

In this use case, we consider the security of the contracts for Everstake. Our task was to find and describe security issues in the platform’s smart contracts. The Blaize.Security team has received a set of contracts prepared by the Everstake team. Contracts include:

- PoolB2B.sol – a staking smart contract that allows users to deposit ETH, which is then staked by a specific validator on Beacon chain.
- ValidatorList.sol – library, which simplifies the work with the list of validators.

The goal of the audit was to ensure the correctness of interaction with Beacon chain deposit smart contracts, validate that smart contracts are optimized in terms of gas usage, and Solidity best practices, and validate smart contracts against the list of common vulnerabilities.

Smart Contract Security Audit Procedure

Blaize.Security has an established security audit procedure. It includes the following steps:

Comprehensive Security Audit

  • Manual code review;
  • Static analysis by automated tools;
  • Business logic review;
  • Unit test coverage check;
  • Extensive integration testing;
  • Fuzzy and exploratory testing;
  • Providing a detailed report of detected issues;
  • Verification of fixes;
  • Final audit report preparation & publishing.

Automated Tools Analysis

  • The team has checked the contract with the help of several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and Smartdec. Also, we have done manual verification of all the issues detected by automated tools.

Manual Code Review

  • During the manual audit, the Blaize Security team analyzed contracts against the list of common vulnerabilities and internal checklists and validated the correspondence of the business logic of the protocol to the described one.
  • There were several low and lowest issues found during the manual audit. Low issues described the unused fee variable and unused functions, while the lowest issues were connected to gas optimization, validation of logic, and other improvements of smart contracts.

Unit Test Coverage

  • The scope of the audit includes the unit test coverage, which is based on the smart contracts code, documentation, and requirements presented by the Everstake team. Coverage is calculated based on the set of Hardhat framework tests and scripts from additional testing strategies. Though, in order to ensure the security of the contract, our auditors recommend the Everstake team put in place a bug bounty program to encourage further and active analysis of the smart contracts.

Security Analysis Report

  • In the end, we have provided the Everstake team with a smart contract security analysis report. The document contains all detected risks and the possible variants of their mitigations, issues, vulnerabilities details, and recommendations for their improvements.

Audit Result

The Everstake team has successfully fixed or verified all of the issues found. Additionally, auditors have proposed several gas optimizations in order to decrease the gas costs of functions. All the issues and proposed optimizations can be seen in the Complete analysis section.

The Blaize.Security team has also prepared a set of fork-tests in order to validate the correctness of the smart contract’s logic and interaction with the Beacon Chain deposit smart contract.

Audit Result Image

The overall security of smart contracts is high enough. Contracts are well-written, contain Natspec documentation, and are gas-optimized. Thus, according to the rules listed above, the level of overall Everstake security can be evaluated as Highly Secure. The security score is an incredible 10 out of 10 points!

Score:
10 /10
Rate Background
Audit Report

See the security audit details

Detailed Report

Get in Touch

Your blockchain dreams deserve top-tier security. Let's secure them together with our team of certified blockchain security professionals.
Get consulting on WEB3 security from top-tier security researchers and auditors. Contact us, and let's fortify your decentralized future.