Zircuit / Lido / NEW Proposal

Summary

This engagement is meant to verify the deployment code and smart contract field values of Zircuit’s proposal to deploy `wstETH` on Zircuit L2. The engagement had the following steps: <br> ## Part 1 <br> Identify any code changes made in the listed files between the audited commit hash and the deployment commit hash for the following repositories. <br> ### Repo: https://github.com/lidofinance/lido-l2 <br> - [Audit Report](https://github.com/lidofinance/audits/blob/main/L2/Lido-L2-2022-07-Oxorio-Smart-Contracts-Security-Audit-Report.pdf) - Audited Commit Hash: `082e7eb59de63bd376b30886568813408d04f00b` - Deployment Commit Hash: `d8b68db14a98d49aeff20bfd4ccd581a02ed3f48` - Files: - `contracts/optimism/L1ERC20TokenBridge.sol` - `contracts/proxy/OssifiableProxy.sol` - `contracts/token/ERC20Bridged.sol` - `contracts/optimism/L2ERC20TokenBridge.sol` <br> #### Changes No code changes were identified. <br> #### Deployment Solidity Version The `lido-l2` contracts were compiled and deployed with Solidity version `0.8.10+commit.fc410830`. Below is a list of known issues that exist in `0.8.10`: - AbiReencodingHeadOverflowWithStaticArrayCleanup - Medium Severity - Introduced in `0.5.8` - Fixed in `0.8.16` - AbiReencodingHeadOverflowWithStaticArrayCleanup - Low Severity - Introduced in `0.5.8` - Fixed in `0.8.16` - DirtyBytesArrayToStorage - Low Severity - Introduced in `0.0.1` - Fixed in `0.8.15` - DataLocationChangeInInternalOverride - Very Low Severity - Introduced in `0.6.9` - Fixed in `0.8.14` - NestedCalldataArrayAbiReencodingSizeValidation - Very Low Severity - Introduced in `0.5.8` - Fixed in `0.8.14` </br> For more details about every issue, please check this <a href="https://docs.soliditylang.org/en/latest/bugs.html">link</a>. <br> ### Repo: https://github.com/aave/governance-crosschain-bridges <br> - [Audit Report](https://github.com/lidofinance/audits/blob/main/L2/Governance-Crosschain-Bridges-2022-08-Oxorio-Audit%20Report.pdf) - Audited Commit Hash: `8fa25b0080dd3dcc2390313631aea6796a12c9d8` - Deployment Commit Hash: `57dd43969a68eb076fdbeae2953b572534694986` - Files: - `contracts/bridges/OptimismBridgeExecutor.sol` - `contracts/bridges/L2BridgeExecutor.sol` - `contracts/bridges/BridgeExecutorBase.sol` <br> #### Changes The engagement concluded that the code at the audited commit hash matches the code at the deployment commit hash **with the only difference being in the pragma (solidity version)**. The following are the pragma updates: - `contracts/bridges/BridgeExecutorBase.sol` - `0.8.10` to `^0.8.10` - `contracts/bridges/L2BridgeExecutor.sol` - `0.8.10` to `^0.8.10` - `contracts/bridges/OptimismBridgeExecutor.sol` - `0.8.10` to `^0.8.10` <br> #### Deployment Solidity Version The `governance-crosschain-bridges` contracts were compiled and deployed with Solidity version `0.8.20+commit.a1b79de6`, which does not impact the protocol's security. Below is a list of known issues that exist in `0.8.20`: - VerbatimInvalidDeduplication - Low Severity - Introduced in `0.8.5` - Fixed in `0.8.23` - FullInlinerNonExpressionSplitArgumentEvaluationOrder - Low Severity - Introduced in `0.6.7` - Fixed in `0.8.21` </br> For more details about every issue, please check this <a href="https://docs.soliditylang.org/en/latest/bugs.html">link</a>. <br> ## Part 2 <br> Verify that the on-chain contracts were deployed using the deployment commit hash for both Mainnets and Testnets. <br> ### Mainnet #### Ethereum - `L1ERC20TokenBridge.sol` - Implementation - Address: [0x6bc726C993103197C41d787dd72eCd4D2e1614E8](https://etherscan.io/address/0x6bc726C993103197C41d787dd72eCd4D2e1614E8) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/optimism/L1ERC20TokenBridge.sol - OssifiableProxy - Address: [0x912C7271a6A3622dfb8B218eb46a6122aB046C79](https://etherscan.io/address/0x912C7271a6A3622dfb8B218eb46a6122aB046C79) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/proxy/OssifiableProxy.sol #### Zircuit - `ERC20Bridged` - Implementation - Address: [0x929569e10d9166f31c8284fE3FE5db1C1E56D6b4](https://explorer.zircuit.com/address/0x929569e10d9166f31c8284fE3FE5db1C1E56D6b4) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/token/ERC20Bridged.sol - OssifiableProxy: - Address: [0xf0e673Bc224A8Ca3ff67a61605814666b1234833](https://explorer.zircuit.com/address/0xf0e673Bc224A8Ca3ff67a61605814666b1234833) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/proxy/OssifiableProxy.sol - `L2ERC20TokenBridge` - Implementation: - Address: [0x224F00AEDD7A9F10e571898662ad19CD5abd9F2c](https://explorer.

Project

Lido

Multi-Chain

No active critical issues

Last audited on 2024/10/03

by Quantstamp

Auditor

Quantstamp

Multi-Chain

57.1bn TVS

287 audits on Trustblock

Multi-Tags

Contracts (7)