stake.link CCIP Competitive Audit with Cyfrin & CodeHawks

For the stake.link protocol, Q1 2024 can best be described as the quarter of “firsts.”

stake.link was the first protocol in Onchain Finance to take Chainlink Staking cross-chain to Arbitrum L2, the first protocol to enable users to directly utilize and engage with CCIP instead of merely benefiting from CCIP on the backend, and today we announce that we are the first organization to host and publish a public competitive audit of a CCIP integration.

It’s our core thesis that Chainlink node operators and decentralized oracle networks will power the world’s agreements and global financial system to usher in a world of truth and instantaneous settlement of commerce in a fully decentralized and secure manner. All roads lead to CCIP.

A journey of a thousand miles begins with a single step, and with our deployment to Arbitrum, Chainlink Staking and stake.link’s cross-chain journey begins!

Cyfrin and CodeHawks

Cyfrin is a company that specializes in smart contract security audits, tools, and education. Boasting top researchers in the field, Cyfrin provides industry-leading security services chosen by major decentralized protocols and infrastructure providers. They play a crucial role in ensuring the safety and reliability of blockchain projects.

Cyfrin was co-founded by Hans Friese, Alex Roan, and Patrick Collins, whom many in the Chainlink community know as the former Lead Developer Advocate at Chainlink Labs.

CodeHawks is a leading competitive smart contract audit marketplace founded by Cyfrin. Through its public auditing model, CodeHawks works to protect DeFi and Onchain Finance protocols, their users, and their funds from smart contract exploits, with security reviews delivered through a streamlined process of deep, competitive audits performed by renowned auditors as well as anyone with the know-how to audit smart contracts.

Our rationale for choosing to work with Cyfrin and CodeHawks was simple:

  • Cyfrin consists of some of the most accomplished security research professionals in the Web3 industry

  • CodeHawks’ platform gives anyone the ability to access stake.link’s codebase, pore over it, review it, audit it, and search for vulnerabilities.

Put simply: more eyes means more audits, which yields the optimal end result of producing the most secure, ironclad smart contracts that we can deploy.

Stake.link’s Approach to Security

Security is top of mind in all that we do, and it has to be in the dynamic landscape of Web3, where hacks and exploits loom. Over $7.7B has been lost in Web3 due to security lapses, with 44% stemming from cross-chain bridging and oracle exploits.

In a digital economy that operates 24/7, ensuring continuous uptime, reliability, and robust smart contracts is non-negotiable. That’s why we take extensive steps to ensure that both the users of the protocol and applications that rely on stake.link can have full confidence in the standing of our security.

Our commitment extends in particular to full transparency: we publicly share all completed security audits. Find them on our GitHub page here.

It was this commitment to a security-centric approach and to transparency that naturally led us to work with Cyfrin and CodeHawks.

Results of the CodeHawks Audit

For those who wish to review the full report, you can access it here, as well as the stake.link GitHub audit page here. Below, we summarize the 2 High Risk vulnerabilities and 2 Medium Risk vulnerabilities.

Here are the key takeaways from the report:

High Risk: 2

  • H-01. A user can steal an already transferred and bridged reSDL lock because of approval

  • H-02. Not Updating Rewards in the handleIncomingUpdate Function of SDLPoolPrimary Leads to Incorrect Reward Calculations

Medium Risk: 2

  • M-01. A user can lose funds in sdlPoolSecondary if they try to add more SDL tokens to a lock that has been queued to be completely withdrawn

  • M-02. Attacker can exploit lock update logic on secondary chains to increase the amount of rewards sent to a specific secondary chain

Low Risk: 13

“These look pretty serious, what next?”

Exactly what you would expect. All vulnerabilities were addressed and resolved.

Each vulnerability listed above was identified, summarized in detail, assessed to determine its degree of impact (low vs. medium vs. high), and accompanied by recommendations to ensure all findings were patched.

In total, 415 submissions were made over the three-week audit period, which concluded on January 12, 2024, with 16 unique vulnerabilities identified.

27,500 USDC was up for grabs in this competitive audit, and we want to congratulate the top 5 auditors for their work and findings (usernames as they are in Discord):

1. @elhaj - $6998.83

2. @innertia - $5612.82

3. fontotheworld - $4786.42

4. @Draiakoo - $1250.71

5. @Toshii - $976.06

Ending Thoughts

We thank Cyfrin, CodeHawks, and the auditors that participated in the competition. It’s been just under three weeks since stake.link’s deployment to Arbitrum, and we’re proud to report that everything is running smoothly and exactly as it should.

Security is something we will not compromise on. We are all collectively reminded of the monetary and human costs each time we see a headline about a hack or an exploit. When it comes to security, we refuse to cut corners, and we will continue working with industry-leading security experts like Cyfrin and, when appropriate, conducting more competitive audits.

OK;LG

Disclaimer: This communication is directed only at persons outside the UK, and should not be acted on by any person located in the UK. Any persons located in the UK should make their own determination as to whether their participation in the stake.link protocol could be subject to UK regulatory requirements, and stake.link makes no claims (express or implied), and accepts no liability, in relation to the potential application of UK regulatory requirements to such persons or their activity.
