Liquid Collective is a permissioned staking protocol on the Solana blockchain. Using a modified SPL Stake Pool program, Liquid Collective enforces a whitelist of users who may interact with the stake pool. Key actors of the Liquid Collective program retain the ability to add and remove users from the whitelist and to pause the program altogether.

The modified SPL Stake Pool includes minor changes that alter the `withdraw_stake` instruction to require verification of a withdrawal authority. Thus, when the modified SPL Stake Pool is created through the Liquid Collective program, users cannot unstake directly from the SPL Stake Pool. Instead, users must unstake via the Liquid Collective program, which checks that the user is whitelisted and that withdrawals are enabled. The modified SPL Stake Pool also removes the check that the pool mint has no freeze authority set; the modified SPL Stake Pool can therefore be created with a pool mint account whose freeze authority is set.

Quantstamp was tasked with auditing the Liquid Collective contracts and the modified SPL Stake Pool to ensure that the program operates as expected and correctly verifies user permissions. The audit team received a high-quality codebase to review, with thorough documentation and a moderately comprehensive test suite. During the review, the audit team identified three issues: one high-severity issue that allows unrestricted updates to whitelisted users, one low-severity issue, and one informational issue regarding insufficient validations. Two auditor suggestions are listed in the report for adherence to best practices. The audit team highly recommends addressing the issues listed in this report before deployment.
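The two-layer withdrawal gate described above, as an added dependency-free Rust model that is not the project's code: the pool's `withdraw_stake` only honours a signer matching its withdrawal authority, and the Liquid Collective layer exercises that authority only after its pause, whitelist and withdrawals-enabled checks; whitelist updates are gated on an admin signer, which is the kind of check the report's high-severity issue concerns. Keys are modelled as integers and the freeze-authority change is not modelled.

```rust
use std::collections::HashSet;

/// Reasons a request is refused (constructed for this model).
#[derive(Debug, PartialEq)]
pub enum Denied { Paused, NotWhitelisted, WithdrawalsDisabled, WrongAuthority, NotAdmin, InsufficientStake }

/// Model of the modified SPL Stake Pool: only the withdrawal authority may withdraw.
pub struct StakePool { pub withdrawal_authority: u64, pub staked: u64 }

impl StakePool {
    /// Mirrors the altered `withdraw_stake`: a user calling the pool directly
    /// cannot supply the withdrawal authority and is refused.
    pub fn withdraw_stake(&mut self, signer: u64, lamports: u64) -> Result<(), Denied> {
        if signer != self.withdrawal_authority { return Err(Denied::WrongAuthority); }
        self.staked = self.staked.checked_sub(lamports).ok_or(Denied::InsufficientStake)?;
        Ok(())
    }
}

/// Model of the Liquid Collective program state (hypothetical field names).
pub struct LiquidCollective {
    pub admin: u64,                // key allowed to change the whitelist
    pub withdrawal_authority: u64, // key the program uses when calling the pool
    pub whitelist: HashSet<u64>,
    pub withdrawals_enabled: bool,
    pub paused: bool,
}

impl LiquidCollective {
    /// Whitelist changes must be signed by the admin; leaving this check out is
    /// the class of problem the report's high-severity finding describes.
    pub fn set_whitelisted(&mut self, signer: u64, user: u64, allowed: bool) -> Result<(), Denied> {
        if signer != self.admin { return Err(Denied::NotAdmin); }
        if allowed { self.whitelist.insert(user); } else { self.whitelist.remove(&user); }
        Ok(())
    }

    /// The only user-facing unstake path: every check passes before the pool
    /// is called with the withdrawal authority the user cannot present itself.
    pub fn unstake(&self, pool: &mut StakePool, user: u64, lamports: u64) -> Result<(), Denied> {
        if self.paused { return Err(Denied::Paused); }
        if !self.whitelist.contains(&user) { return Err(Denied::NotWhitelisted); }
        if !self.withdrawals_enabled { return Err(Denied::WithdrawalsDisabled); }
        pool.withdraw_stake(self.withdrawal_authority, lamports)
    }
}
```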
| Status | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | - | - | - | - | 0 |
| Fixed | 2 | - | 1 | - | 3 |
| Total | 2 | 0 | 1 | 0 | 3 |
| # | File Name |
|---|---|
| 1 | programs/liquid-collective-stake-pool/src/* |
| 2 | program/src/* |