StakeStone
Summary
StakeStone is an omni-chain liquid staking token protocol. Users can deposit ETH into a `StoneVault` and receive STONE, StakeStone's native LST, in return. The ETH is then staked in a portfolio of strategies voted on by STONE token holders, accruing the value of STONE over time. Users can use their STONE to withdraw ETH at the end of the round, or instantly for a fee. STONE is a Layer-zero OST, allowing it to be used across several chains. During the audit, we uncovered a few issues surrounding the voting mechanisms for proposals, most importantly the lack of quorum (STONE-1). The owner of `EigenLSTRestaking` also seems to have the ability to withdraw stETH for themselves (STONE-2). There are also configuration functions that are not implemented, which could leave contracts unusable in the future (STONE-3). We noticed that the `Account` contract could not make calls to the `controller`, though the impact could not be assessed without knowing the full use case (STONE-10). We were not able to assess the test suite as we were unable to run it. We strongly encourage the StakeStone team to build a full test suite with strong code coverage before deployment. **Fix-Review Update:** The StakeStone team fixed or acknowledged all of the issues in the report.
Issues (11)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 5 | 1 | - | - | 6 |
Fixed | 3 | 2 | - | - | 5 |
| Total | 8 | 3 | 0 | 0 | 11 |