This engagement is meant to verify the deployment code and smart contract field values of Zircuit’s proposal to deploy `wstETH` on Zircuit L2. The engagement had the following steps:
## Part 1
Identify any code changes made in the listed files between the audited commit hash and the deployment commit hash for the following repositories.
### Repo: https://github.com/lidofinance/lido-l2
- [Audit Report](https://github.com/lidofinance/audits/blob/main/L2/Lido-L2-2022-07-Oxorio-Smart-Contracts-Security-Audit-Report.pdf) - Audited Commit Hash: `082e7eb59de63bd376b30886568813408d04f00b` - Deployment Commit Hash: `d8b68db14a98d49aeff20bfd4ccd581a02ed3f48` - Files: - `contracts/optimism/L1ERC20TokenBridge.sol` - `contracts/proxy/OssifiableProxy.sol` - `contracts/token/ERC20Bridged.sol` - `contracts/optimism/L2ERC20TokenBridge.sol`
#### Changes No code changes were identified.
#### Deployment Solidity Version The `lido-l2` contracts were compiled and deployed with Solidity version `0.8.10+commit.fc410830`. Below is a list of known issues that exist in `0.8.10`: - AbiReencodingHeadOverflowWithStaticArrayCleanup - Medium Severity - Introduced in `0.5.8` - Fixed in `0.8.16` - AbiReencodingHeadOverflowWithStaticArrayCleanup - Low Severity - Introduced in `0.5.8` - Fixed in `0.8.16` - DirtyBytesArrayToStorage - Low Severity - Introduced in `0.0.1` - Fixed in `0.8.15` - DataLocationChangeInInternalOverride - Very Low Severity - Introduced in `0.6.9` - Fixed in `0.8.14` - NestedCalldataArrayAbiReencodingSizeValidation - Very Low Severity - Introduced in `0.5.8` - Fixed in `0.8.14`
For more details about every issue, please check this link.
### Repo: https://github.com/aave/governance-crosschain-bridges
- [Audit Report](https://github.com/lidofinance/audits/blob/main/L2/Governance-Crosschain-Bridges-2022-08-Oxorio-Audit%20Report.pdf) - Audited Commit Hash: `8fa25b0080dd3dcc2390313631aea6796a12c9d8` - Deployment Commit Hash: `57dd43969a68eb076fdbeae2953b572534694986` - Files: - `contracts/bridges/OptimismBridgeExecutor.sol` - `contracts/bridges/L2BridgeExecutor.sol` - `contracts/bridges/BridgeExecutorBase.sol`
#### Changes The engagement concluded that the code at the audited commit hash matches the code at the deployment commit hash **with the only difference being in the pragma (solidity version)**. The following are the pragma updates: - `contracts/bridges/BridgeExecutorBase.sol` - `0.8.10` to `^0.8.10` - `contracts/bridges/L2BridgeExecutor.sol` - `0.8.10` to `^0.8.10` - `contracts/bridges/OptimismBridgeExecutor.sol` - `0.8.10` to `^0.8.10`
#### Deployment Solidity Version The `governance-crosschain-bridges` contracts were compiled and deployed with Solidity version `0.8.20+commit.a1b79de6`, which does not impact the protocol's security. Below is a list of known issues that exist in `0.8.20`: - VerbatimInvalidDeduplication - Low Severity - Introduced in `0.8.5` - Fixed in `0.8.23` - FullInlinerNonExpressionSplitArgumentEvaluationOrder - Low Severity - Introduced in `0.6.7` - Fixed in `0.8.21`
For more details about every issue, please check this link.
## Part 2
Verify that the on-chain contracts were deployed using the deployment commit hash for both Mainnets and Testnets.
### Mainnet #### Ethereum - `L1ERC20TokenBridge.sol` - Implementation - Address: [0x6bc726C993103197C41d787dd72eCd4D2e1614E8](https://etherscan.io/address/0x6bc726C993103197C41d787dd72eCd4D2e1614E8) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/optimism/L1ERC20TokenBridge.sol - OssifiableProxy - Address: [0x912C7271a6A3622dfb8B218eb46a6122aB046C79](https://etherscan.io/address/0x912C7271a6A3622dfb8B218eb46a6122aB046C79) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/proxy/OssifiableProxy.sol #### Zircuit - `ERC20Bridged` - Implementation - Address: [0x929569e10d9166f31c8284fE3FE5db1C1E56D6b4](https://explorer.zircuit.com/address/0x929569e10d9166f31c8284fE3FE5db1C1E56D6b4) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/token/ERC20Bridged.sol - OssifiableProxy: - Address: [0xf0e673Bc224A8Ca3ff67a61605814666b1234833](https://explorer.zircuit.com/address/0xf0e673Bc224A8Ca3ff67a61605814666b1234833) - Code: https://github.com/lidofinance/lido-l2/blob/d8b68db14a98d49aeff20bfd4ccd581a02ed3f48/contracts/proxy/OssifiableProxy.sol - `L2ERC20TokenBridge` - Implementation: - Address: [0x224F00AEDD7A9F10e571898662ad19CD5abd9F2c](https://explorer.