- Total Prize Pool: $28,000 USDC
- HM awards: $18,975 USDC
- Analysis awards: $1,150 USDC
- QA awards: $575 USDC
- Bot Race awards: $1,725 USDC
- Gas awards: $575 USDC
- Judge awards: $2,760 USDC
- Lookout awards: $1,740 USDC
- Scout awards: $500 USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts November 10, 2023 20:00 UTC
- Ends November 15, 2023 20:00 UTC
The 4naly3er report can be found here.
Automated findings output for the audit can be found here within 24 hours of audit opening.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues
section is considered a publicly known issue and is ineligible for awards.
Stader Labs has created new contracts for its upcoming Kelp product. The scope of the audit is to review the contracts and ensure that they are secure, resilient, and working as intended.
LRTConfig: An upgradeable contract which is responsible for storing the configuration of the Kelp product. It is also responsible for storing the addresses of the other contracts in the Kelp product.
LRTepositPool: An upgradeable contract which receives the funds deposited by users into the Kelp product. From here, the funds are transferred to NodeDelegators contracts.
NodeDelegator: These are contracts that receive funds from the LRDepositPool and delegate them to the EigenLayer strategy. The funds are then used to provide liquidity on the EigenLayer protocol. It is also an upgradeable contract.
LRTOracle: An upgradeable contract which is responsible for fetching the price of Liquid Stasking Tokens tokens from oracle services.
RSETH: Receipt token for depositing into the Kelp product. It is an upgradeable ERC20 token contract.
Also see our blog for additional info
See Linktree
Contract | SLOC | Purpose | Libraries used |
---|---|---|---|
LRTConfig | 111 | Configuration contract | |
LRTDepositPool | 97 | User interfacing contract when funds are deposited | |
NodeDelegator | 65 | Recipient of funds from LRTDepositPool. In turn, it sends funds to Eigenlayer strategies | |
LRTOracle | 60 | get prices of liquid staking tokens | |
RSETH | 45 | receipt token user receives upon depositing in LRTDepositPool | |
RSETH | 45 | receipt token user receives upon depositing in LRTDepositPool | |
ChainlinkPriceOracle | 25 | wrapper contract to integrate chainlink oracles in LRTOracle | |
LRTConfigRoleChecker | 33 | Handles role checks | |
UtilLib | 7 | Helper function lib | |
LRTConstants | 10 | shared constant variables |
It also includes the inherited interface contracts.
Dependency / Import Path | Count |
---|---|
@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol | 2 |
@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol | 1 |
@openzeppelin/contracts-upgradeable/token/ERC20/ERC20Upgradeable.sol | 1 |
@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol | 4 |
@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol | 2 |
@openzeppelin/contracts/access/IAccessControl.sol | 1 |
@openzeppelin/contracts/interfaces/IERC20.sol | 3 |
@openzeppelin/contracts/token/ERC20/IERC20.sol | 2 |
We are aware that EigenLayer has an mechanism to pause deposits in its protocol. Hence we created a layer called NodeDelegator which holds assets and deposits them into EigenLayer asset strategy. The intention is for these NodeDelegator contracts to deposit into Eigenlayer once deposit is available.
- All core contracts are upgradeable.
- LSTs deposited by users will end up on that LST asset strategy contract in the Eigenlayer protocol
- If you have a public code repo, please share it here:
- How many contracts are in scope?: 17
- Total SLoC for these contracts?: 504
- How many external imports are there?: 1
- How many separate interfaces and struct definitions are there for the contracts within scope?: 8
- Does most of your code generally use composition or inheritance?: Inheritance
- How many external calls?: 2
- What is the overall line coverage percentage provided by your tests?: 98
- Is this an upgrade of an existing system?: False
- Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): ERC-20 Token
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: True
- Please describe required context: Funds are eventually deposited into EigenLayer strategy and we are using Chainlink price oracles for fetching LST prices
- Does it use an oracle?: Chainlink
- Describe any novel or unique curve logic or mathematical models your code uses: N/A
- Is this either a fork of or an alternate implementation of another project?: False
$ forge test
Get a gas report:
$ forge test --gas-report
Compile the contracts:
$ forge build
Get a test coverage report:
$ forge coverage --report lcov && lcov --remove lcov.info -o lcov.info 'test/*' 'script/*'