SMART CONTRACT SECURITY AUDIT FOR EVERSTAKE

2 weeks


Everstake is a responsible validator trusted by 625k+ users across 70+ blockchain networks. Created by engineers for the entire community in 2018. It’s a self-funded, profitable business employing 125+ people and running over 8,000 nodes.

The Blaize.Security team was happy to conduct the second smart contract security audit for Everstake. You can read about the new one here.

ABOUT THE PROJECT

In this case study, we consider the security of the Everstake contracts. Our task was to find and describe security issues in the platform’s smart contracts. The Blaize.Security team received a set of contracts prepared by the Everstake team. The contracts include:

  • PoolB2B.sol – a staking smart contract that allows users to deposit ETH, which is then staked by a specific validator on the Beacon chain.
  • ValidatorList.sol – a library that simplifies working with the list of validators.

The scheme of staking the ETH deposit by a validator on the Beacon chain

The goal of the audit was to ensure the correctness of the interaction with the Beacon chain deposit smart contract, to validate that the smart contracts are optimized in terms of gas usage and follow Solidity best practices, and to validate the smart contracts against the list of common vulnerabilities.

MAIN REQUIREMENTS

We were assigned to detect and describe security issues in the smart contracts of Everstake.

We needed to check the smart contracts against the following criteria:

  • Whether the contract is secure;
  • Whether the contract corresponds to the documentation;
  • Whether the contract meets best practices in terms of the efficient use of gas and code readability.

We scanned the smart contracts for commonly known and more specific vulnerabilities:

  • Unsafe type inference;
  • Timestamp dependence;
  • Reentrancy;
  • Implicit visibility level;
  • Gas limit and loops;
  • Transaction-ordering dependence;
  • Unchecked external call / unchecked math;
  • DoS with block gas limit;
  • DoS with (unexpected) throw;
  • Byte array vulnerabilities;
  • Malicious libraries;
  • Style guide violations;
  • ERC20 API violations;
  • Uninitialized state/storage/local variables;
  • Compiler version not fixed.

In addition, the Everstake contracts were checked against less common vulnerabilities from the internal Blaize.Security knowledge base.

SMART CONTRACT SECURITY AUDIT PROCEDURE

Blaize.Security has an established security audit procedure. It includes the following steps:

  1. Manual code review;
  2. Static analysis by automated tools;
  3. Business logic review;
  4. Unit test coverage check;
  5. Extensive integration testing;
  6. Fuzzy and exploratory testing;
  7. Providing a detailed report of detected issues;
  8. Verification of fixes;
  9. Final audit report preparation & publishing.

See our recent smart contract audit case: Smart Contract Security Audit for Binaryx.

AUTOMATED TOOLS ANALYSIS

The team checked the contracts with several publicly available automated analysis tools, such as Mythril, Solhint, Slither, and SmartDec. All issues reported by the automated tools were then verified manually.

MANUAL CODE REVIEW

During the manual audit, the Blaize.Security team analyzed the contracts against the list of common vulnerabilities and internal checklists and validated that the business logic of the protocol corresponds to the one described in the documentation.

Several low- and lowest-severity issues were found during the manual audit. The low-severity issues concerned an unused fee variable and unused functions, while the lowest-severity issues were connected to gas optimization, validation of logic, and other improvements to the smart contracts.

UNIT TEST COVERAGE

The scope of the audit includes the unit test coverage, which is based on the smart contract code, documentation, and requirements presented by the Everstake team. Coverage is calculated from the set of Hardhat framework tests and from scripts belonging to additional testing strategies. Nevertheless, in order to ensure the ongoing security of the contracts, our auditors recommend that the Everstake team put in place a bug bounty program to encourage further active analysis of the smart contracts.

SECURITY ANALYSIS REPORT

In the end, we provided the Everstake team with a smart contract security analysis report. The document contains all detected risks and the possible ways to mitigate them, details of the issues and vulnerabilities, and recommendations for their remediation.

AUDIT RESULT

The Everstake team has successfully fixed or verified all of the issues found. Additionally, the auditors proposed several gas optimizations in order to decrease the gas costs of functions. All the issues and proposed optimizations can be seen in the Complete analysis section of the report.

The Blaize.Security team also prepared a set of fork tests in order to validate the correctness of the smart contracts’ logic and their interaction with the Beacon Chain deposit smart contract.

The overall security of the smart contracts is high enough. The contracts are well-written, contain NatSpec documentation, and are gas-optimized.

Thus, according to the criteria listed above, the overall security level of Everstake can be evaluated as Highly Secure. The security score is an incredible 10 out of 10 points!

The audit document with the full list of identified vulnerabilities and recommendations for their remediation can be found below:

Everstake-Audit-report

Service

  • Security audit

Blockchain

  • Ethereum

Project stage

Security audit
