Lido mainnet (BETA)
Risk score: 4.2 / 10, moderate
Findings: 4 critical, 20 high, 6 medium (30 total)
Analysis: 6 sections, run #1
Last analyzed: 16 days ago

Summary

Lido is the largest Ethereum liquid staking protocol, holding roughly $15B in pooled ETH across mainnet and bridged L2 deployments. It has operated since 2020 with no successful core smart-contract exploit, backed by one of DeFi's deepest audit programs (99+ reports, including recent V3 v3.0.2 fix reviews) and mature mainnet governance with Dual Governance, a ~4-day timelock, and emergency multisigs. Primary risks are a large upgradeable contract surface (20+ proxies still admin-controlled by the Aragon Agent), 12 Etherscan-unverified contracts including the proxy admin itself, dependence on a custom oracle committee with no on-chain fallback, weaker L2 governance controls, and concentrated LDO voting power. Overall risk is moderate at 4.2/10.

Trust Assumptions

Users trust that Ethereum's beacon chain and deposit contract remain secure, that Lido's HashConsensus oracle committee will submit honest quorum reports (with SanityChecker bounds holding), and that the Aragon DAO governance path—including Dual Governance staker veto, Emergency Protected Timelock delays, and 4-of-7 / 5-of-7 emergency committees—will not be captured by concentrated LDO holders (~22% in the top three addresses, ~50%+ in the top five). They also trust that canonical rollup bridges, Chainlink L2 rate feeds, and TokenRateNotifier keep bridged wstETH aligned with L1, that node operators will not suffer widespread key compromise or slashing, and that the Aragon Agent will only execute audited upgrades rather than malicious proxy swaps.

What Could Go Wrong

A compromised or malicious DAO vote routed through the Aragon Agent could upgrade core OssifiableProxy contracts (VaultHub, WithdrawalQueue, AccountingOracle), altering minting, withdrawal, or burn logic across ~$15B in TVL, unless stakers exercise the Dual Governance veto within the timelock window; detection is harder because 12 deployed contracts, including the Agent and the AccountingOracle proxy, lack Etherscan source verification. Oracle committee failure or coordinated key compromise could delay or skew stETH rebases, and if the SanityChecker limits were loosened via governance, incorrect rebases could misstate pooled ETH balances. L2 bridge executors on Arbitrum, Optimism, and Base accept L1 governance actions with zero delay and no guardian, so once a mainnet vote has cleared the L1 stack the resulting L2 upgrade executes immediately, with no second delay and no L2-side party able to cancel it. Secondary-market stETH depegs (as low as ~0.93 ETH in June 2022) can persist when withdrawal demand exceeds buffer capacity, hurting lending protocols and leveraged positions even though eventual 1:1 redemption remains available via the FIFO withdrawal queue.

Recommendation

Lido is appropriate for long-term ETH staking exposure given its five-year track record, extensive auditing, and layered mainnet governance, but size alone is not a guarantee—monitor proxy upgrade proposals, oracle report cadence, and L2 bridge executor actions. Users holding bridged wstETH on L2, using stETH as DeFi collateral, or relying on stVaults (v3) should be more cautious due to L2 governance gaps, Chainlink rate-feed dependencies, and LazyOracle/IPFS reporting. LDO-heavy governance participants and CEX-custodied vote wallets warrant scrutiny given concentration risk. Consider reducing exposure if core proxies are upgraded without fresh audits, if unverified contracts remain unresolved, if oracle quorum incidents recur, or if L2 executor parameters are not brought to mainnet parity.

Key Findings (30)

critical: Aragon Agent (0x3e40D73E) Unverified on Etherscan [verification]
critical: AccountingOracle Proxy Unverified [verification]
critical: Burner Contract Unverified [verification]
critical: Ethereum Beacon Chain Is Foundational Single Point of Failure [consensus]
high: LDO Token Contract Unverified [verification]
high: Veto Signaling Escrow Unverified [verification]
high: L1 Base Bridge Unverified [verification]
high: OpStackTokenRatePusher Unverified [verification]
high: Arbitrum Chainlink Rate Feed Unverified [verification]
high: Optimism TokenRateOracle Unverified [verification]
high: Base L2ERC20TokenBridge Unverified [verification]
high: Polygon DataBus Unverified [verification]
high: Protocol Deployer EOA Unverified [verification]
high: Widespread OssifiableProxy Upgrade Surface [upgradability]
high: L2 Bridge Executors Have Zero Delay and No Guardian [cross-chain]
high: High LDO Governance Concentration [concentration]
high: Custom HashConsensus Oracle Committee Governs All stETH Rebases [oracle]
high: LazyOracle and IPFS Metadata for stVaults (v3) [oracle]
high: L2 wstETH Depends on Canonical Rollup Bridges [bridge]
high: Validator Operations Concentrated in Curated, CSM, and Simple DVT Modules [node-operator]
high: 12 Deployed Contracts Unverified on Etherscan [audit-gap]
high: October 2021 Deposit Front-Running (Immunefi) [vulnerability]
high: March 2022 Critical UI Code Injection (Bug Bounty) [vulnerability]
high: August 2025 CSVerifier Weak GIndex Validation (Immunefi) [vulnerability]
medium: stETH Uses Legacy AppProxyUpgradeable [upgradability]
medium: Single Aragon Agent Controls Proxy Admin Role [access-control]
medium: Emergency Protected Timelock Governs Upgrades [governance]
medium: Oracle Quorum and Sanity Checker Dependencies [oracle]
medium: LazyOracle and V3 Vault Reporting [oracle]
medium: VaultHub Privileged Roles for Mint and Bad Debt [vaulthub]

Analysis Sections

Governance

Lido mainnet governance is a mature Aragon DAO wrapped in Dual Governance and an Emergency Protected Timelock (~4-day execution delay, 4/7 and 5/7 emergency multisigs). Aragon Voting (50% support, 5% quorum, 5-day votes) is the sole DG proposer; the DG Admin Executor holds EXECUTE_ROLE and RUN_SCRIPT_ROLE on the Aragon Agent after the DG transition. L2 bridge executors (Arbitrum, Optimism, Base) accept actions from the Aragon Agent with zero timelock and no guardian, a cross-chain governance asymmetry. DSM deposit guardians are 4-of-6 individual EOAs.

Findings (7)

high: L2 Bridge Executors Have Zero Delay and No Guardian

On-chain verification shows the Arbitrum, Optimism, and Base Governance Bridge Executors all set ethereumGovernanceExecutor to the Aragon Agent (0x3e40d73eb977dc6a537af587d48316fee66e9c8c), delay=0, and guardian=0x0. An action set queued by L1 governance becomes executable on L2 immediately and stays executable for the 1-day grace period; with no L2 guardian configured, nothing on L2 can cancel a malicious action set. This leaves L2 with weaker controls than mainnet's Dual Governance plus timelock stack.

Evidence (on-chain RPC): Arbitrum executor 0x1dca41859cd23b526cbe74da8f48ac96e14b1a29: getEthereumGovernanceExecutor()=0x3e40d73eb977dc6a537af587d48316fee66e9c8c, getDelay()=0, getGuardian()=0x0
Evidence (contract source): L2BridgeExecutor: only ethereumGovernanceExecutor can queue; the guardian can cancel only if set to a non-zero address (BridgeExecutorBase.sol)
medium: DSM Guardians Are Individual EOAs (4-of-6 Quorum)

The Deposit Security Module owner is the Aragon Agent, but deposit attestation and pause require 4-of-6 guardian signatures. All six guardians are verified on-chain as EOAs (zero bytecode), not multisigs, so compromise of four guardian keys could pause deposits or block deposit attestations without a DAO vote.

Evidence (on-chain RPC): DSM getOwner()=0x3e40d73eb977dc6a537af587d48316fee66e9c8c, getGuardianQuorum()=4, getGuardians() returns 6 addresses, all EOAs per eth_getCode
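The two findings above rest on a handful of read-only calls that a monitor would re-run on every block: the executor's L1 executor, delay and guardian, and the DSM's quorum and guardian list with an eth_getCode probe on each guardian. The Python below is an added example, not Lido's code or part of this report's pipeline. It derives the 4-byte selectors locally with a pure-Python Keccak-256 (so it needs no third-party package), decodes the ABI return data including the dynamic address[] from getGuardians(), and evaluates a constructed offline stand-in for the node. The Agent and Arbitrum executor addresses come from the finding; the DSM address, the six guardian addresses and every response byte are constructed placeholders.

```python
# Added example, not Lido code: re-run the bridge-executor and DSM checks cited
# above against a constructed offline RPC. Selectors come from a local Keccak-256.
AGENT = "0x3e40d73eb977dc6a537af587d48316fee66e9c8c"        # Aragon Agent (report)
ARB_EXECUTOR = "0x1dca41859cd23b526cbe74da8f48ac96e14b1a29"  # Arbitrum executor (report)
DSM = "0x" + "dd" * 20                                        # hypothetical DSM address
ZERO_ADDR = "0x" + "00" * 20
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]           # rho offsets, [x][y]

def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1) if n else v

def _keccak_f(s):
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                            # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                              # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(s[x + 5 * y], _ROT[x][y])
        s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                            # chi
        s[0] ^= rc                                                          # iota
    return s

def keccak256(data: bytes) -> bytes:
    """EVM Keccak-256: rate 136 bytes, 0x01 domain padding (SHA3-256 uses 0x06)."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), 136):
        for i in range(17):
            s[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(w.to_bytes(8, "little") for w in s[:4])

def selector(sig: str) -> str:
    """4-byte selector: the 'data' field of an eth_call for a no-argument getter."""
    return "0x" + keccak256(sig.encode()).hex()[:8]

def decode_address(ret: str) -> str:                   # uint256 returns decode with int(ret, 16)
    return "0x" + ret[-40:].lower()

def decode_address_array(ret: str) -> list:
    """ABI dynamic address[]: offset word, length word, then one word per element."""
    words = [ret[2 + i: 2 + i + 64] for i in range(0, len(ret) - 2, 64)]
    start = int(words[0], 16) // 32
    return [decode_address(w) for w in words[start + 1: start + 1 + int(words[start], 16)]]

def word(h: str) -> str:                               # one 32-byte ABI word, no 0x prefix
    return h.lower().rjust(64, "0")

def enc_addr_array(addrs) -> str:
    return "0x" + word("20") + word(f"{len(addrs):x}") + "".join(word(a[2:]) for a in addrs)

class FakeRpc:
    """Node stand-in; swap the two methods for HTTP eth_call / eth_getCode to go live."""
    def __init__(self, calls: dict, code: dict):
        self.calls, self.code = calls, code
    def call(self, to: str, sig: str) -> str:
        return self.calls[(to, selector(sig))]
    def get_code(self, addr: str) -> str:
        return self.code.get(addr.lower(), "0x")      # eth_getCode == "0x" means EOA

def check_l2_executor(rpc, executor: str) -> dict:
    """Read the three parameters the finding cites and flag the weak ones."""
    l1 = decode_address(rpc.call(executor, "getEthereumGovernanceExecutor()"))
    delay = int(rpc.call(executor, "getDelay()"), 16)
    guardian = decode_address(rpc.call(executor, "getGuardian()"))
    issues = [msg for cond, msg in (
        (l1 != AGENT, "L1 executor is not the Aragon Agent"),
        (delay == 0, "delay=0: L1-approved actions become executable immediately"),
        (guardian == ZERO_ADDR, "guardian=0x0: nothing on L2 can cancel a queued action set"),
    ) if cond]
    return {"l1_executor": l1, "delay": delay, "guardian": guardian, "issues": issues}

def check_dsm_guardians(rpc, dsm: str) -> dict:
    """Quorum plus how many guardians are bare EOAs rather than contracts."""
    guardians = decode_address_array(rpc.call(dsm, "getGuardians()"))
    eoas = [g for g in guardians if rpc.get_code(g) == "0x"]
    return {"quorum": int(rpc.call(dsm, "getGuardianQuorum()"), 16),
            "guardians": len(guardians), "eoa_guardians": len(eoas)}

# Constructed responses shaped like the values the report cites; not live chain data.
GUARDIANS = ["0x" + f"{i:040x}" for i in range(1, 7)]       # six placeholder EOAs
RPC = FakeRpc(
    calls={(ARB_EXECUTOR, selector("getEthereumGovernanceExecutor()")): "0x" + word(AGENT[2:]),
           (ARB_EXECUTOR, selector("getDelay()")): "0x" + word("0"),
           (ARB_EXECUTOR, selector("getGuardian()")): "0x" + word("0"),
           (DSM, selector("getGuardianQuorum()")): "0x" + word("4"),
           (DSM, selector("getGuardians()")): enc_addr_array(GUARDIANS)},
    code={})                                                  # no bytecode at any guardian
```

Against the constructed responses, check_l2_executor(RPC, ARB_EXECUTOR) reports both the delay=0 and guardian=0x0 issues the finding describes, and check_dsm_guardians(RPC, DSM) returns quorum 4 with six of six guardians classified as EOAs. To run it against a real node, replace FakeRpc.call with a POST of {"to": executor, "data": selector(sig)} to eth_call and FakeRpc.get_code with eth_getCode; the decoding and the checks stay the same, and the Optimism and Base executors can be checked by passing their addresses in place of ARB_EXECUTOR.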
medium: Multi-Layer Governance Stack Increases Operational Risk

Protocol changes traverse Aragon Voting → Dual Governance (staker veto) → Emergency Protected Timelock (3-day submit delay + 1-day schedule delay) → DG Admin Executor → Aragon Agent execution. The Emergency Activation (4/7) and Emergency Execution (5/7) committees, the tiebreaker, and the Reseal Committee (5/6) add safety valves but also add failure modes. A July 2025 Dual Governance weakness reported via Immunefi (funds not at risk) underscores residual design risk.

Evidence (on-chain RPC): Timelock getGovernance()=0xc1db28b3301331277e307fdcff8de28242a4486e (Dual Governance), afterSubmitDelay=259200s (3 days), afterScheduleDelay=86400s (1 day), MIN_EXECUTION_DELAY=259200s
Evidence (discovery.json): 2025-07-21 DG weakness reported via Immunefi; funds not at risk
medium: Aragon Agent Controls Core Proxy Upgrades

The LidoLocator OssifiableProxy admin is the Aragon Agent (proxy__getAdmin() verified on-chain). stETH uses an EIP-897 delegate proxy (implementation 0x6ca84080381e43938476814be61b779a8bb6a600). All upgrade authority flows through the Agent, which after the permissions transition is reachable only via the DG Admin Executor: concentrated, but DAO-gated.

Evidence (on-chain RPC): LidoLocator proxy__getAdmin()=0x3e40d73eb977dc6a537af587d48316fee66e9c8c; stETH implementation()=0x6ca84080381e43938476814be61b779a8bb6a600
low: Aragon Agent Source Unverified in Local Contract Cache

The Aragon Agent (0x3e40d73eb977dc6a537af587d48316fee66e9c8c), the central permission holder for ~$15B TVL, has no verified source in the pipeline's contract cache. This is the same address that Key Findings rates critical as "Unverified on Etherscan"; a cache miss alone does not distinguish a contract that is unverified from one that was never fetched, so confirm the Etherscan status directly before relying on either rating. It is an aragonOS Agent contract, not a Gnosis Safe (getOwners() and getThreshold() revert). On-chain ACL confirms the DG Admin Executor holds EXECUTE_ROLE and RUN_SCRIPT_ROLE; Aragon Voting no longer holds these roles post-DG transition.

Evidence (contract source): contracts/ethereum/0x3e40d73eb977dc6a537af587d48316fee66e9c8c.sol: source NOT VERIFIED
Evidence (on-chain RPC): Kernel/ACL hasPermission: AdminExecutor 0x23e0b465633ff5178808f4a75186e2f2f9537021 has EXECUTE_ROLE and RUN_SCRIPT_ROLE on the Agent; Voting does not
info: Emergency Committees and Reseal Multisigs Verified On-Chain

The Emergency Protected Timelock has emergency protection enabled and is not in emergency mode. The Emergency Activation Committee is a 4-of-7 Gnosis Safe; the Emergency Execution Committee is 5-of-7 with an overlapping signer set. The Reseal Committee is a 5-of-6 Gnosis Safe (0xffe21561251c49adccfad065c94fb4931df49081). The tiebreaker committee at 0xf65614d73952be91ce0ae7dd9cff25ba15bee2f5 is a custom contract (8147 bytes of code) with a 365-day activation timeout.

Evidence (on-chain RPC): Emergency Activation 4/7: 0x8b7854488fde088d686ea672b6ba1a5242515f45; Emergency Execution 5/7: 0xc7792b3f2b399bb0edf53fecdceceb97fbeb18af; Reseal 5/6: 0xffe21561251c49adccfad065c94fb4931df49081
info: Historical Deployer EOA Has No Active On-Chain Authority

The Lido contract creator EOA (0x55bc991b2edf3ddb4c520b222be4f378418ff0fa) has zero bytecode and holds no owner or admin role on core contracts. It is a historical deployer artifact, not a current single point of failure. Note that an EOA has no source to verify, so the "Protocol Deployer EOA Unverified" entry under Key Findings records the absence of code at that address rather than an unverified contract.

Evidence (on-chain RPC): eth_getCode(0x55bc991b2edf3ddb4c520b222be4f378418ff0fa) = 0x (EOA)

Governance Checklist

On-chain DAO voting (Aragon + LDO): 50% support, 5% quorum, 5-day voteTime
Dual Governance (staker veto): DG is the timelock governance; Voting is the sole proposer
Timelock on mainnet upgrades: 3d submit + 1d schedule (~4d total)
Emergency multisigs: 4/7 activation, 5/7 execution, 5/6 reseal
L2 timelock parity with mainnet: none; L2 bridge executors have delay=0, guardian=0x0
DSM guardians use multisig: no; 4-of-6 individual EOAs
Deployer EOA retains admin: no; deployer EOA inactive, no current authority

Key Governance Entities

Aragon Voting (voting, ethereum)
Aragon Agent (agent, ethereum)
Dual Governance (dual-governance, ethereum)
Emergency Protected Timelock (timelock, ethereum)
DG Admin Executor (executor, ethereum)
Emergency Activation Committee (multisig, ethereum)
Emergency Execution Committee (multisig, ethereum)
Reseal Committee (multisig, ethereum)
Deposit Security Module (module, ethereum)
Arbitrum Governance Bridge Executor (bridge-executor, arbitrum)
Optimism Governance Bridge Executor (bridge-executor, optimism)
Base Governance Bridge Executor (bridge-executor, base)

Governance Parameters

LDO vote support required: 50%
LDO vote min quorum: 5%
Vote duration: 5 days
Timelock submit delay: 3 days
Timelock schedule delay: 1 day
DSM guardian quorum: 4 / 6
L2 bridge executor delay: 0 seconds
Tiebreaker activation timeout: 365 days