Lido Finance audit details

• Total Prize Pool: $103,500 in USDC
  • HM awards: up to $96,000 in USDC
    • If no valid Highs or Mediums are found, the HM pool is $0
  • QA awards: $4,000 in USDC
  • Judge awards: $3,000 in USDC
  • Scout awards: $500 in USDC
• Read our guidelines for more details
• Starts July 16, 2025 20:00 UTC
• Ends August 11, 2025 20:00 UTC

❗ Important notes for wardens

1. A coded, runnable PoC is required for all High/Medium submissions to this audit.

• This repo includes a basic template to run the test suite.
• PoCs must use the test suite provided in this repo (see PoC.t.sol. Use just test-poc to run this test)
• Your submission will be marked as Insufficient if the POC is not runnable and working with the provided test suite.
• Exception: PoC is optional (though recommended) for wardens with signal ≥ 0.68.

2. Judging phase risk adjustments (upgrades/downgrades):

• High- or Medium-risk submissions downgraded by the judge to Low-risk (QA) will be ineligible for awards.
• Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.
• As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.

Automated Findings / Publicly Known Issues

The 4naly3er report can be found here.

Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.

• It is assumed that all of the roles in the contracts are assigned correctly concerning the permissions granted;
• It is assumed that ElRewardsStealing penalty is reported timely before Node Operators exit their validators and claim back bond tokens;
• It is assumed that Oracles deliver valid Merkle Trees for rewards distribution and strikes;
• Bond tokens are stored in the form of stETH. Hence, it is assumed that Node Operators accept all of the risks associated with stETH holding;

More on the Known Issues and Security Considerations here - https://hackmd.io/@lido/csm-v2-spec#Security-considerations

Overview

Lido Community Staking Module (CSM) is a permissionless module allowing community stakers to operate Ethereum validators with lower entry costs. Stakers provide stETH bonds, serving as security collateral, and receive rewards in the form of bond rebase and staking rewards (including execution layer rewards), which are socialized across Lido’s staking modules.

More on CSM in the docs.

Links

• Previous audits: Audits are in progress, and there are no finalized reports yet
• Documentation: https://docs.lido.fi/, https://docs.lido.fi/staking-modules/csm/intro (CSM v1), https://operatorportal.lido.fi/modules/community-staking-module (CSM v1), https://github.com/lidofinance/lido-improvement-proposals/blob/develop/LIPS/lip-29.md (CSM v2)
• Website: https://lido.fi/
• X/Twitter: https://x.com/lidofinance

---

Scope

See scope.txt

Files in scope

Files out of scope

See out_of_scope.txt

Additional context

Areas of concern (where to focus for bugs)

• Bond accounting consitency
• No possibility to steal bond funds
• No protocol grieffing

Main invariants

• Node Operators can not claim more rewards than distributed in the Performance Oracle report
• Node Operators can not delete deposited keys
• Add Keys operation ensures that after the keys addition all of the Node Operator's keys are covered with the bond

More invariants here

All trusted roles in the protocol

More on roles here - https://hackmd.io/@lido/csm-v2-spec#Roles-to-actors-mapping

Running tests

• Install Foundry tools

• Install Just

Some Linux distributions (like Arch Linux) might require additional install of netcat (nc). The preferred version is OpenBSD.

git clone git@github.com:code-423n4/2025-07-lido-finance.git
cd 2025-07-lido-finance
foundryup -v 1.0.0
just deps


# Run unit tests
just test-unit

# Run integration tests

export RPC_URL=<YOUR_ETHEREUM_RPC_URL>
export DEPLOY_CONFIG=./artifacts/mainnet/deploy-mainnet.json
export CHAIN=mainnet
export ARTIFACTS_DIR=./artifacts/local/
# Alternatively, set all envs in the .env file
just test-local

# Run upgrade tests
export RPC_URL=<YOUR_ETHEREUM_RPC_URL>
export DEPLOY_CONFIG=./artifacts/mainnet/deploy-mainnet.json
export CHAIN=mainnet
export ARTIFACTS_DIR=./artifacts/local/
# Alternatively, set all envs in the .env file
just test-upgrade

More on how to run tests in the original repo.

To run code coverage

just coverage

Coverage table:

Miscellaneous

Contributors of Lido Finance and contributors' family members are ineligible to participate in this audit.

Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.