Affine Labs - UltraETH LRT
Summary
This audit evaluates Affine Lab's Liquid Restaking Token (LRT) ultraETH. The tokenized vault allows users to deposit stETH and receive shares in the form of ultraETH. The staked ETH is delegated to various operators within the Eigenlayer and Symbiotic ecosystems. These operators use stETH as collateral for their actively validated services (AVS). Consequently, user deposits are exposed to both the risks of slashing and the rewards accrued by the operators. Overall, the codebase is well-written and adequately tested. It is nearly complete but currently undergoing active development. Some changes may have occurred between this audit and deployment. No high-severity vulnerabilities were found during the audit. Most significant findings relate to potential misuse of the privileged Harvester role, which could adversely affect the protocol (see AFF-1, AFF-2, AFF-3). Additionally, several recommendations were made to enhance security, such as using `safeTransfer`or including storage gaps for upgradeable contracts. **Updates**: All serious issues have been adequately addressed, and other issues have been acknowledged by the team with a sufficient explanation. Significant improvements to the NatSpec as well as the test suite were made after the audit.
Issues (7)
Low | Medium | High | Critical | Total | |
|---|---|---|---|---|---|
Not fixed | 3 | - | - | - | 3 |
Fixed | 2 | 2 | - | - | 4 |
| Total | 5 | 2 | 0 | 0 | 7 |