Back to case studies

Audit dates:

Feb 6, 2023

-

Feb 17, 2024

Company Background

LinkPool was founded with the mission of simplifying staking on Chainlink nodes and reducing the technical expertise required to build and manage them.

Today, they offer cutting-edge DeFi solutions to institutional and enterprise clients like Google, IBM, AccuWeather, and Associated Press.

Audit Summary

Stats

N/A
TVL
600
nSLOC
12
Days
4
Lead Security Researchers
17
Bugs found

Findings

0
Critical
2
High
5
Medium
10
Low
Audit Overview

The Cyfrin team has been committed to enhancing the security of the new LiquidSDIndexPool protocol, enabling users to deposit liquid staking derivative tokens, such as Rocket Pool ETH and Lido ETH, and receive a representative token in return. The innovative approach aims to average the interest rate across multiple staked ETH derivative protocols while generating revenue from withdrawal fees.

Thanks to a long history of security reviews strengthening the security of DeFi protocols holding millions of dollars in TVL, and in-depth expertise of the Chainlink eco-system - leveraging the Cyfrin auditing team was a natural choice for the Linkpool team.

Lead auditors, Patrick Collins and Ben Sacchetti, with the assistance of Giovanni di Siena and Hans Friese, prepared the final report finding a total of 17 vulnerabilities 2 of which were High.

Here you can read the full security report.

Audit Details

High-level Protocol Breakdown

The LiquidSDIndexPool protocol aims to simplify and diversify Ethereum staking, providing users with a more aggregated and potentially lower-risk environment compared to individual options.

At its core, the protocol allows users to deposit liquid staking derivative tokens (LSDs) like Rocket Pool ETH (rETH) and Lido ETH (stETH). In return, users receive a token representing their share in a collective basket of these assets.

From a technical standpoint, the protocol operates within a sophisticated smart contract environment. The smart contract code handles deposits, withdrawals, and fee calculations, ensuring precise tracking of user deposits and efficient management of the asset pool. Users interact with the protocol by depositing their LSDs and can withdraw their investments along with earned interests, subject to withdrawal fees.

Revenue generation is achieved through fees imposed on withdrawals, which play a crucial role in the protocol's economic model.

Why Cyfrin?

With multiple team members of Cyfrin’s security teams having extensive expertise in the DeFi ecosystem, Cyfrin was perfectly positioned for a thorough review of the LinkPool protocol.

Our auditors’ deep knowledge of DeFi meant we could jump quickly into the codebase, be better aware of its potential and limitations, ask more thoughtful questions, and look at edge cases we would not have likely considered otherwise.

The Cyfrin team's dedication to comprehensive security reviews helps uncover vulnerabilities that might be missed otherwise.

On the other hand, Cyfrin establishes continuous communication channels with its customers ensuring high availability support, quick and extensive context gathering, and thorough mitigation assistance to the protocols reviewed.

Enhancing fee withdrawal security and ensuring their functioning

The LiquidSDIndexPool protocol generates revenue, charging fees from users upon withdrawal, which are locked in the contract. Knowing how crucial the fees mechanic is to the success of the protocol, the Cyfrin team decided to dig deep into it from the get-go, uncovering a few issues with the overall process, and a critical finding related to unrecoverable protocol fees.

Withdrawal fees had the possibility of becoming unrecoverable and locked within the contract. The protocol's calculation method treated withdrawal fees as part of user funds, even though the corresponding iETH receipts were burned. As a result, both individual users and fee holders were unable to claim these funds.

For instance, if a user deposited 1000 stETH and later withdraws 950 stETH (leaving 50 stETH in the protocol as a fee), these 50 stETH were incorrectly considered as user deposits, preventing their withdrawal.

It was recommended to adjust the code to accurately update total deposits and to consider tracking fees separately from deposits. The Linkpool team promptly addressed this by stating that to withdraw all funds, the admin must set the withdrawal fee to 0, allowing users to withdraw their underlying assets at a higher rate.

As part of Cyfrin's thorough security review, several other issues related to the withdrawal mechanism were identified, including loss of precision in withdrawal amounts, protection against changing storage layout, and reverting to zero deposit.

The Linkpool team has taken steps to address and acknowledge these concerns, ultimately enhancing the security of their protocol, users, and customers.

Our Auditing Process

To ensure a thorough and top-tier security review, Cyfrin assembles a team of two or more senior security researchers who possess extensive expertise in relevant domains of the protocol. These researchers undergo meticulous KYC procedures and are subject matter experts in their field.

Combining the proficiency of auditors with years of experience, along with in-depth knowledge in economics, mathematics, and blockchain allows Cyfrin to uncover a higher number of vulnerabilities and provide comprehensive results despite the protocol in review.

The impressive results achieved during the Linkpool protocol audit were made possible by Cyfrin's commitment to prioritizing customer security, transparency, long-term sustainability, and cross-team communication. Going above and beyond to fully understand the protocols and ensure the reliability of the systems involved.

The audit was conducted by our security team, including Patrick Collins and Ben Sacchetti, supported by Giovanni di Siena and Hans Friese.

Conclusion

Cyfrin's audit of the LinkPool LiquidSDIndexPool highlights the critical importance of conducting comprehensive security reviews in the ever-evolving DeFi landscape.

By proactively identifying vulnerabilities and implementing necessary enhancements, the protocol's security has been significantly strengthened, setting a high standard for future audits.

Cyfrin is dedicated to fostering a safer Web3 industry. Our thorough security review of Linkpool has deepened our team's understanding of DeFi systems, staking, and liquidity pools.

Furthermore, our extensive communication with the team has proven invaluable in uncovering vulnerabilities while gaining a faster grasp of the codebase.

Disclaimer

Cyfrin has performed a thorough security review of the codebase in scope as of the date specified, which should not be construed as an endorsement of the protocol. Despite our comprehensive review, vulnerabilities may still exist, and we encourage users to conduct their own research before engaging.

Secure your protocol today

Join some of the biggest protocols and companies in creating a better internet. Our security researchers will help you throughout the whole process.
Stay on the bleeding edge of security
Carefully crafted, short smart contract security tips and news freshly delivered every week.