SMART CONTRACT SECURITY AUDIT FOR EVERSTAKE
Everstake is a responsible validator trusted by 625k+ users across 70+ blockchain networks. Created by engineers for the entire community in 2018. It’s a self-funded, profitable business employing 125+ people and running over 8,000 nodes.
The Blaize Security team was happy to conduct the second smart contract security audit for Everstake. You can read a new one here.
ABOUT THE PROJECT
In this use case, we consider the security of the contracts for Everstake. Our task was to find and describe security issues in the platform’s smart contracts. The Blaize.Security team has received a set of contracts prepared by the Everstake team. Contracts include:
- PoolB2B.sol – a staking smart contract that allows users to deposit ETH, which is then staked by a specific validator on Beacon chain.
- ValidatorList.sol – library, which simplifies the work with the list of validators.
The goal of the audit was to ensure the correctness of interaction with Beacon chain deposit smart contracts, validate that smart contracts are optimized in terms of gas usage, and Solidity best practices, and validate smart contracts against the list of common vulnerabilities.
We were assigned to detect and describe security issues in the smart contract of Everstake.
We needed to check the smart contracts with the following parameters:
Whether the contract is secure;
Whether the contract corresponds to the documentation;
Whether the contract meets best practices in terms of the efficient use of gas and code readability.
We have scanned this smart contract for commonly known and more specific vulnerabilities:
- Unsafe type inference;
- Timestamp Dependence;
- Implicit visibility level;
- Gas Limit and Loops;
- Transaction-Ordering Dependence;
- Unchecked external call – Unchecked math;
- DoS with Block Gas Limit;
- DoS with (unexpected) Throw;
- Byte array vulnerabilities;
- Malicious libraries;
- Style guide violation;
- ERC20 API violation;
- Uninitialized state/storage/ local variables;
- Compile version not fixed.
In addition, Everstake was checked against less common vulnerabilities from the internal Blaize.Security knowledge base.
SMART CONTRACT SECURITY AUDIT PROCEDURE
Blaize.Security has an established security audit procedure. It includes the following steps:
- Manual code review;
- Static analysis by automated tools;
- Business logic review;
- Unit test coverage check;
- Extensive integration testing;
- Fuzzy and exploratory testing;
- Providing a detailed report of detected issues;
- Verification of fixes;
- Final audit report preparation & publishing.
See our recent smart contract audit case: Smart Contract Security Audit for Binaryx.
AUTOMATED TOOLS ANALYSIS
The team has checked the contract with the help of several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and Smartdec. Also, we have done manual verification of all the issues detected by automated tools.
MANUAL CODE REVIEW
During the manual audit, the Blaize Security team analyzed contracts against the list of common vulnerabilities and internal checklists and validated the correspondence of the business logic of the protocol to the described one.
There were several low and lowest issues found during the manual audit. Low issues described the unused fee variable and unused functions, while the lowest issues were connected to gas optimization, validation of logic, and other improvements of smart contracts.
UNIT TEST COVERAGE
The scope of the audit includes the unit test coverage, which is based on the smart contracts code, documentation, and requirements presented by the Everstake team. Coverage is calculated based on the set of Hardhat framework tests and scripts from additional testing strategies. Though, in order to ensure the security of the contract, our auditors recommend the Everstake team put in place a bug bounty program to encourage further and active analysis of the smart contracts.
SECURITY ANALYSIS REPORT
In the end, we have provided the Everstake team with a smart contract security analysis report. The document contains all detected risks and the possible variants of their mitigations, issues, vulnerabilities details, and recommendations for their improvements.
NEED A SMART CONTRACT AUDIT TOO? CHECK ALL BLAIZE SECURITY SERVICES.
The Everstake team has successfully fixed or verified all of the issues found. Additionally, auditors have proposed several gas optimizations in order to decrease the gas costs of functions. All the issues and proposed optimizations can be seen in the Complete analysis section.
The Blaize.Security team has also prepared a set of fork-tests in order to validate the correctness of the smart contract’s logic and interaction with the Beacon Chain deposit smart contract.
The overall security of smart contracts is high enough. Contracts are well-written, contain Natspec documentation, and are gas-optimized.
Thus, according to the rules listed above, the level of overall Everstake security can be evaluated as Highly Secure. The security score is an incredible 10 out of 10 points!
The audit document with the full list of identified vulnerabilities and recommendations for their improvements can be found below:Everstake-Audit-report