ETHx Security
In this section, we will delve into the security and reliability of ETHx for both node operators and end users. For better understanding, we have divided ETHx security into four sections: code security, economic security, protocol health security, and oracle security.
Code Security
- Audits ETHx has been audited by three renowned auditors: SigmaPrime, Halborn, and Code4rena. The audit reports are available here. With multiple rounds of expert audits, ETHx is one of the most thoroughly audited ETH liquid staking protocols.
- Public testnets Stader has launched two public testnets to test out various components of ETHx. Over 10 weeks, around 400 node operators and 600 validators tested different components of the ETHx codebase.
- Stader testing Internally, the Stader team has extensively tested the entire tech stack over several months, covering all code flows. Our smart contract test coverage is 99%+ and is being improved actively.
- Immunefi bug bounty Stader is launching a $1M bug bounty program with Immunefi to identify critical bugs in the ETHx smart contracts.
- Upgradability and pausing Stader’s smart contracts are pausable and upgradable to protect against any bugs identified post-launch. In case of contract upgrades, the timelock contract assumes ownership of all deployed ETHx contracts.
Economic Security
Improper validator setup An operator can front-run the first deposit transaction to set a malicious withdraw credential to steal the 28 ETH lent to them. Stader solves this by checking if the validator’s appropriate withdraw credential is set before lending 28 ETH to a node operator. Moreover, if frontrunning is detected, a 3 ETH penalty is imposed on the operator with no loss to staker ETH. Similarly, a node operator can incorrectly sign the first deposit transaction. Like the frontrunning case, Stader ensures that a valid signature is provided before lending 28 ETH, avoiding losses for staker ETH.
Reward loss prevention
1 ETH penalty for MEV misappropriation - Stader has partnered with Rated Network to identify MEV misappropriation. Any time an ETHx validator proposes a block with a fee recipient different from Stader’s recommended address, an MEV misappropriation penalty is imposed. DAO penalty for other loss of rewards - The Stader DAO can add penalties for validators in the case of any other deviant behaviors causing significant loss of rewards to stakers.
Slashing loss protection A validator’s 4 ETH security collateral compensates for any loss of funds due to slashing or other ETH network-imposed penalties. When a validator exits, a node operator only gets any remaining collateral (a portion of the 4 ETH) after accounting for all of staker’s ETH and their rewards.
Node operational risk management An operator can run a validator with ETHx only after pre-recording an exit message that Stader securely stores. Stader broadcasts this pre-signed exit message to stop a validator from reaching dangerous penalty levels, thereby force-exiting a validator.
ETH network degradation risk management A safe mode ensures fair penalty distribution between node operators and stakers under extreme network conditions. A Safe Mode disables withdrawals until the conditions stabilize. Once the network conditions return to normal, the DAO will disable safe mode and re-enable withdrawals. The monitoring manager imposes Safe Mode in two cases:\ - A percentage of all ETH validators are slashed, leading to unsafe correlation penalty levels. \ - More than 50% of ETHx validators are facing downtime.
Oracle Security
- Collateral backing Each Oracle operator provides security collateral to back their Oracle performance. The list of Oracle operators is here. All the accumulated collateral is managed by a 3-on-5 multi-sig operated by reputed ETH ecosystem members.
- Consensus mechanisms ETHx Oracles require a strict majority of Oracle operators to function. If a subset of Oracles cannot fulfill duties due to malintent or malfunction, ETHx Oracles would continue functioning as usual. Critical updates like Exchange Rates have built-in guardrails, enabling inspection mode if two subsequent rates deviate significantly.
- Dispute mechanism Stader leverages Rated Network as an MEV misappropriation Oracle partner. A dispute mechanism powered by UMA prevents unfair erroneous reports impacting node operators.
Protocol Health Security
Stader has implemented a range of health metric alerts to ensure the proper functioning of ETHx. The following alerts are currently active and serve to monitor the system's performance according to its intended design.
- ETHx circulating supply increase
- Roles & permissions change on any deployed ETHx contract
- Lack of Oracle consensus
- Safe Mode conditions
- Frontrunning detection
- Invalid signature detection
- Exchange Rate Inspection Mode
- Privileged user address monitoring
- Unusual reward behavior for validators