eigenlayer.xyz
Summary
EigenLayer is the dominant Ethereum restaking protocol with roughly $4.7B in TVL across Ethereum and Base, letting staked ETH and liquid staking tokens (LSTs) be restaked to secure Autonomous Verifiable Services (AVSs). Smart contract security is unusually strong—19 disclosed audits, a $2M Immunefi bounty, and zero on-chain exploits over three years of production—but governance is more centralized than marketing suggests, with multiple upgrade paths bypassing the documented 10-day timelock. EIGEN tokenomics add material sell pressure via 8% annual inflation, ~37M monthly insider unlocks through September 2027, and emission-subsidized rewards rather than fee revenue. Overall risk is moderate-to-elevated at 5.7/10.
Trust Assumptions
Restakers must trust that the 3-of-5 Protocol Council and 3-of-6 Operations multisigs (Eigen Labs–affiliated) will not abuse upgrade authority over $4.7B in upgradeable proxy contracts, that the 9-of-13 Community multisig will not exploit its ability to upgrade core contracts immediately via a 1-of-2 ProxyAdmin Safe, and that the 1-of-7 Pauser multisig will not halt deposits or withdrawals without genuine cause. Users also depend on Ethereum beacon-chain proofs via EIP-4788 with no fallback, on LST issuers (Lido, Rocket Pool, Coinbase) not depegging or pausing, on individual AVS slashing logic not cascading across shared operator stake, and on the EmissionsController, whose source code is not verified on-chain, correctly minting the ~146M EIGEN issued annually.
What Could Go Wrong
A compromised Community multisig quorum (9 of 13 signers) or Operations multisig quorum (3 of 6 signers) could upgrade DelegationManager, StrategyManager, bridge contracts, or the EmissionsController without the advertised 10-day timelock, potentially altering slashing, withdrawal, or minting logic affecting billions in restaked collateral. An AVS slashing event or LST depeg could cascade through StrategyManager to reduce slashable stake across multiple services simultaneously, while persistent 8% EIGEN inflation and ~37M monthly insider unlocks could compress token value independent of protocol health. October 2024 demonstrated operational fragility: a $5.7M email-phishing theft of investor tokens and an X account hack costing users an estimated $800K–$1M—neither was a contract exploit, but both show social-engineering and custody risks around a team-controlled, non–token-voted governance structure.
Recommendation
EigenLayer is reasonable for experienced restakers who understand slashing exposure and accept multisig-led governance, but capital allocators should size positions assuming upgrade authority is more concentrated than public documentation implies. Monitor on-chain pause state (RewardsCoordinator is partially paused), monthly EIGEN unlock events, Operations multisig activity on bridge whitelist changes, and any proxy upgrades initiated outside the 10-day timelock path. EIGEN holders and yield farmers should be especially cautious given uncapped inflation and insider vesting. Reduce exposure if the EmissionsController and KeyRegistrar source code stays unverified, if Base bridge governance is not brought to mainnet parity, or if new AVS slashing parameters are deployed without post-upgrade audit coverage.
Analysis Sections
EigenLayer mainnet uses verified Gnosis Safe multisigs (Protocol Council 3/5, Operations 3/6, Community 9/13, Pauser 1/7) with a 10-day OpenZeppelin TimelockController for core upgrades. Protocol Council and Operations can both queue timelock transactions; only Operations can cancel them and only Protocol Council can execute them. However, several upgrade paths bypass the timelock (Community via a 1-of-2 ProxyAdmin Safe; Operations directly owns the bridge and rewards contracts), pausing requires only 1-of-7 signatures, and Base chain governance is materially weaker (1-day timelock, identical 3/6 Protocol Council and Operations signer sets, bridge proxies owned by Operations without a timelock). No on-chain token voting exists.
Findings (7)
On-chain verification shows Base uses a 1-day timelock (86400s) vs 10 days on Ethereum (864000s). Base Protocol Council and Operations multisigs share identical 3-of-6 signer sets (0x841b... and 0x8ed5...), unlike mainnet's distinct 3/5 and 3/6 councils. Base Community multisig is only 3-of-6 with 50% signer overlap with PC/Ops. Bridge contracts OperatorTableUpdater and TaskMailbox on Base are UUPS proxies owned directly by Base Operations multisig with no timelock intermediary.
StrategyManager, EigenPodManager, EIGEN, and bEIGEN are owned by a 1-of-2 Gnosis Safe (0x369e6F597e22EaB55fFb173C6d9cD234BD699111) whose two owners are the main timelock and the Community multisig. Because the threshold is 1, either owner alone is sufficient, so the 9-of-13 Community multisig can execute upgrades or token admin actions immediately without waiting for the 10-day timelock delay.
CrossChainRegistry (0x9376a586...) and RewardsCoordinator (0x7750d328...) on Ethereum are UUPS proxies with owner set directly to the Operations multisig (0xBE1685C81aA44FF9FB319dD389addd9374383e90). A 3-of-6 Eigen Labs-controlled multisig can upgrade these contracts immediately, bypassing the 10-day timelock that protects other core contracts.
The Pauser multisig (0x5050389572f2d220ad927ccbea0d406831012390) requires only 1-of-7 signatures to act. Documentation claims 1-of-8, but on-chain verification shows 7 owners. Compromise of any single pauser key enables an immediate protocol-wide pause of deposits and other critical functions.
EigenLayer governance operates through appointed multisigs and an off-chain ELIP process, not on-chain EIGEN token voting. Protocol Council (including 2 Eigen Foundation members per charter) holds sole execution authority for core upgrades. Operations multisig holds timelock CANCELLER_ROLE, enabling veto of queued proposals.
Official documentation lists Pauser as 1-of-8, but on-chain getOwners() returns 7 addresses on Ethereum mainnet and 6 on Base. Threshold of 1 is confirmed on both chains.
Primary timelock enforces 10-day delay (864000 seconds). bEIGEN-dedicated timelock enforces 24-day delay (2073600 seconds). Protocol Council and Operations are confirmed proposers; Operations is the sole canceller; Protocol Council is executor.
Governance Checklist
Multisig Configuration (On-Chain Verified)
| Chain | Multisig | Address | Threshold | Owners |
|---|---|---|---|---|
| Ethereum | Protocol Council | 0x461854d84ee845f905e0ecf6c288ddeeb4a9533f | 3/5 | 5 |
| Ethereum | Operations | 0xbe1685c81aa44ff9fb319dd389addd9374383e90 | 3/6 | 6 |
| Ethereum | Community | 0xfea47018d632a77ba579846c840d5706705dc598 | 9/13 | 13 |
| Ethereum | Pauser | 0x5050389572f2d220ad927ccbea0d406831012390 | 1/7 | 7 |
| Ethereum | Multichain Deployer | 0xa3053ef25f1f7d9d55a7655372b8a31d0f40eca9 | 3/7 | 7 |
| Base | Protocol Council | 0x841b988aaeafce13b6456ff34015fbc42aedb7e6 | 3/6 | 6 |
| Base | Operations | 0x8ed55c7640497db15ac32c698c1a06e2e604d865 | 3/6 | 6 |
| Base | Community | 0xc107547924c7d1d3e2d10ea8df534bbfc5f373e6 | 3/6 | 6 |
| Base | Pauser | 0x1a051ef1524cbaea57ca04319ef93fe78903d5e6 | 1/6 | 6 |
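The "on-chain verified" figures above can be reproduced rather than taken on trust. The script below is an added example for this review, not EigenLayer, Safe or OpenZeppelin code. It reads each Safe's getThreshold()/getOwners(), a TimelockController's getMinDelay(), and a proxy's upgrade authority (the EIP-1967 admin slot for transparent proxies, owner() for UUPS proxies) and diffs the result against the documented configuration. The Safe and Operations addresses come from the table; the timelock and RewardsCoordinator addresses are placeholders because the page does not give them in full, and the FakeNode responses are constructed to mirror the findings so the script runs offline. Swap in JsonRpcNode with a real endpoint to check live state.

```python
import json
import urllib.request

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature) for
# Safe and OpenZeppelin TimelockController, plus the EIP-1967 admin slot.
SEL = {
    "getOwners()": "a0e67e2b",
    "getThreshold()": "e75235b8",
    "getMinDelay()": "f27a0c92",
    "owner()": "8da5cb5b",
}
EIP1967_ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"

# From the multisig table above.
PAUSER = "0x5050389572f2d220ad927ccbea0d406831012390"
OPERATIONS = "0xbe1685c81aa44ff9fb319dd389addd9374383e90"
# Placeholders: the page does not give these addresses in full.
TIMELOCK = "0x" + "aa" * 20
REWARDS_COORDINATOR = "0x" + "bb" * 20


def enc_uint(n):
    return "0x" + n.to_bytes(32, "big").hex()


def enc_address_array(addrs):
    # ABI head: offset to the array (0x20), then its length, then one 32-byte word per address
    words = [enc_uint(32)[2:], enc_uint(len(addrs))[2:]]
    words += [a[2:].lower().rjust(64, "0") for a in addrs]
    return "0x" + "".join(words)


def dec_uint(ret):
    return int(ret, 16)


def dec_address(ret):
    return "0x" + ret[-40:].lower()


def dec_address_array(ret):
    data = bytes.fromhex(ret[2:])
    off = int.from_bytes(data[:32], "big")
    n = int.from_bytes(data[off:off + 32], "big")
    return ["0x" + data[off + 44 + 32 * i:off + 64 + 32 * i].hex() for i in range(n)]


class JsonRpcNode:
    """Minimal eth_call / eth_getStorageAt client for a real JSON-RPC endpoint."""
    def __init__(self, url):
        self.url = url

    def _rpc(self, method, params):
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(self.url, body, {"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["result"]

    def call(self, to, data):
        return self._rpc("eth_call", [{"to": to, "data": data}, "latest"])

    def storage(self, addr, slot):
        return self._rpc("eth_getStorageAt", [addr, slot, "latest"])


class FakeNode:
    """Offline stand-in: constructed return data keyed by (address, calldata) / (address, slot)."""
    def __init__(self, calls, slots):
        self.calls = {(a.lower(), d): r for (a, d), r in calls.items()}
        self.slots = {(a.lower(), s): r for (a, s), r in slots.items()}

    def call(self, to, data):
        return self.calls[(to.lower(), data)]

    def storage(self, addr, slot):
        return self.slots.get((addr.lower(), slot), enc_uint(0))


def safe_config(node, safe):
    """(threshold, owners) exactly as the Safe reports them, not as documentation claims."""
    threshold = dec_uint(node.call(safe, "0x" + SEL["getThreshold()"]))
    owners = dec_address_array(node.call(safe, "0x" + SEL["getOwners()"]))
    return threshold, owners


def timelock_min_delay(node, timelock):
    return dec_uint(node.call(timelock, "0x" + SEL["getMinDelay()"]))


def proxy_upgrade_authority(node, proxy):
    """Who can upgrade the proxy: a transparent proxy keeps a ProxyAdmin in the EIP-1967
    admin slot (its owner() decides); a UUPS proxy has an empty slot and the
    implementation's owner(), reached through the proxy, decides."""
    admin = dec_address(node.storage(proxy, EIP1967_ADMIN_SLOT))
    if int(admin, 16) != 0:
        return dec_address(node.call(admin, "0x" + SEL["owner()"])), "transparent"
    return dec_address(node.call(proxy, "0x" + SEL["owner()"])), "uups"


def check_safes(node, expected):
    """Compare documented {safe: (threshold, owner_count)} with chain state; return mismatches."""
    problems = []
    for safe, (doc_threshold, doc_count) in expected.items():
        threshold, owners = safe_config(node, safe)
        if (threshold, len(owners)) != (doc_threshold, doc_count):
            problems.append(f"{safe}: documented {doc_threshold}/{doc_count}, "
                            f"on-chain {threshold}/{len(owners)}")
    return problems


def demo_node():
    """Constructed responses mirroring the findings above (placeholder signer keys, not live data)."""
    pauser_owners = ["0x%040x" % (0x1000 + i) for i in range(7)]
    calls = {
        (PAUSER, "0x" + SEL["getThreshold()"]): enc_uint(1),
        (PAUSER, "0x" + SEL["getOwners()"]): enc_address_array(pauser_owners),
        (TIMELOCK, "0x" + SEL["getMinDelay()"]): enc_uint(864000),
        (REWARDS_COORDINATOR, "0x" + SEL["owner()"]): enc_uint(0)[:-40] + OPERATIONS[2:],
    }
    return FakeNode(calls, {})  # no admin slot set, so the proxy is treated as UUPS


if __name__ == "__main__":
    node = demo_node()  # or JsonRpcNode("https://<your-archive-node>")
    threshold, owners = safe_config(node, PAUSER)
    print(f"Pauser: {threshold}-of-{len(owners)}")
    print("timelock min delay (s):", timelock_min_delay(node, TIMELOCK))
    print("RewardsCoordinator upgrade authority:", proxy_upgrade_authority(node, REWARDS_COORDINATOR))
    print("docs vs chain:", check_safes(node, {PAUSER: (1, 8)}))  # the 1-of-8 the docs claim
```

Run against a real node, check_safes takes the whole table as its expected map; any non-empty result is a documentation drift worth investigating before trusting the advertised thresholds. proxy_upgrade_authority returning the Operations address with no timelock in the chain of ownership is exactly the bypass the RewardsCoordinator and CrossChainRegistry findings describe.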