ETHx Security | Tech Explainer
This blog covers how different security aspects are managed and monitored at Stader for ETHx’s safety.
About Stader
Stader is a multi-chain, non-custodial liquid staking protocol on six chains, including Polygon, Fantom, BNB, NEAR, Hedera, and Terra 2.0. With over $120 Mn in TVL across chains, Stader is trusted by 70K+ wallets and a community of 150K+ members.
Stader’s mission is to unlock a passive income opportunity for 1Bn+ people through staking and DeFi. We aim to achieve this by simplifying staking & offering the best yield opportunities with our liquid staking solution across multiple blockchains.
ETHx (following Stader’s convention of an x-for-suffix for liquid tokens) is the liquid staking token for staked Ethereum offered by Stader. ETHx aims to provide Stakers with a decentralized and scalable solution with diverse DeFi integrations.
This blog series aims to give the reader an understanding of the inner workings of ETHx, covering the architecture through the series of posts outlined below.
In this blog post, we will explore the steps to ensure ETHx is operational and reliable. For added clarity, we split security into the following categories.
Code Security
- Audits
ETHx smart contracts have been audited by three renowned auditors: SigmaPrime, Halborn, and Code4rena. The audit reports are available here.
- SigmaPrime has audited other liquid staking protocols like Rocketpool. They also maintain the Lighthouse consensus client. Sigma Prime is our end-to-end audit partner and has audited the ETHx smart contracts, Stader Node, and our off-chain and Oracle code.
- Halborn is a renowned cybersecurity firm that has audited many protocols, including Stader’s liquid tokens on other EVM and Rust-based blockchains. Halborn has audited the ETHx smart contracts, Oracle code and Stader Node.
- Code4rena is a public security audit platform that crowdsources smart contract audits. They have worked with some of the top DeFi protocols on Ethereum. As part of this audit, we have worked with expert security researchers and incorporated their feedback into the smart contracts.
With multiple rounds of expert audits, ETHx is one of the most thoroughly audited ETH liquid staking protocols.
- Public testnets
Stader has launched two public testnets to test out the various components of ETHx: Node Onboarding, Stader Node, Deposits, Rewards, Exits and Oracles. Over 10 weeks, around 400 node operators and 600 validators tested different components of the ETHx codebase. We achieved 100% feature coverage as part of this testing, with test participants providing valuable feedback on improvements.
- Stader testing
Internally, the Stader team has extensively tested the entire tech stack over several months, covering all code flows. Our smart contract test coverage is 99%+ and is being improved actively.
Furthermore, we ran end-to-end testing covering the complete tech stack on Goerli with hundreds of validators. On mainnet, we deployed ~3000 ETH ($5.6M) and worked with several permissionless and permissioned operators to spin up ~70 validators to test the contract setup and ensure the systems function properly.
- Immunefi bug bounty
Similar to Stader’s bug bounties for liquid tokens on other EVM chains, we are launching a $1M bug bounty program with Immunefi to identify critical bugs in the ETHx smart contracts. This bug bounty program will offer higher rewards than many other ETH liquid staking protocols to ensure that Stader is informed & fixes any identified bugs swiftly.
- Upgradability and pausing
Stader’s smart contracts are pausable and upgradable to protect against any bugs identified post-launch. In case of contract upgrades, the timelock contract assumes ownership of all deployed ETHx contracts. The timelock contract has a minimum proposal delay of 7 days, giving everyone ample time to verify the proposed changes. A 6-on-9 multi-sig acts as the sole proposer of the timelock contract. The signers for this multi-sig are prominent members of the Ethereum community.
Over the past few months, Stader has deliberately prioritized code safety by implementing all the above steps and working with reputed security experts to provide unbiased third-party reviews.
Economic Security
ETHx is a liquid staking protocol where stakers lend their ETH to earn staking rewards. Parallel to this, node operators put up 4 ETH and 0.4 ETH worth of SD tokens as security collateral to borrow staker ETH to run validators. Node operators are compensated for their capital and operational risk.
The 4 ETH security collateral protects the staker ETH by absorbing all operational risks. Let us discuss different aspects of protecting staked ETH.
- Improper validator setup
An operator can front-run the first deposit transaction to set malicious withdrawal credentials and steal the 28 ETH lent to them. Stader solves this by checking that the validator’s correct withdrawal credentials are set before lending 28 ETH to the node operator. Moreover, if front-running is detected, a 3 ETH penalty is imposed on the operator, with no loss to staker ETH.
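As an added illustration of the withdrawal credential check just described (example code written for this post, not Stader’s own implementation): the 0x00/0x01 credential layout is the consensus-spec format, the 28 ETH and 3 ETH figures come from the post, and the vault address and beacon-chain records are constructed placeholders. The deposit signature check is not modelled here.

```python
from dataclasses import dataclass

# Consensus-spec withdrawal credential prefixes: 0x00 = BLS key, 0x01 = execution-layer address.
BLS_WITHDRAWAL_PREFIX = 0x00
ETH1_ADDRESS_WITHDRAWAL_PREFIX = 0x01

# Figures from the post: staker ETH is lent only after the check passes; a detected front-run costs 3 ETH.
STAKER_ETH_PER_VALIDATOR = 28
FRONTRUN_PENALTY_ETH = 3


def expected_credentials(withdraw_vault: str) -> bytes:
    """0x01 credentials for an execution address: one prefix byte, 11 zero bytes, 20 address bytes."""
    addr = bytes.fromhex(withdraw_vault.lower().removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("withdraw vault must be a 20-byte address")
    return bytes([ETH1_ADDRESS_WITHDRAWAL_PREFIX]) + b"\x00" * 11 + addr


@dataclass(frozen=True)
class FundingDecision:
    lend_eth: int      # staker ETH released to this validator (28, or 0 when held back)
    penalty_eth: int   # penalty charged against the operator's collateral
    reason: str


def decide_funding(on_chain_credentials: bytes, withdraw_vault: str) -> FundingDecision:
    """Gate the 28 ETH deposit on the credentials the beacon chain already holds for this validator.

    Withdrawal credentials are fixed by the first deposit processed for a pubkey, so anything other
    than the protocol's own 0x01 vault credential means another deposit got in first (a front-run).
    """
    if on_chain_credentials == expected_credentials(withdraw_vault):
        return FundingDecision(STAKER_ETH_PER_VALIDATOR, 0, "credentials point to the ETHx withdraw vault")
    if len(on_chain_credentials) == 32 and on_chain_credentials[0] == BLS_WITHDRAWAL_PREFIX:
        return FundingDecision(0, FRONTRUN_PENALTY_ETH, "front-run: BLS (0x00) credentials outside protocol control")
    return FundingDecision(0, FRONTRUN_PENALTY_ETH, "front-run: credentials point to a different address")


# Constructed sample: a placeholder vault address (not a real Stader address) and three beacon-chain records.
VAULT = "0x1111111111111111111111111111111111111111"
HONEST = expected_credentials(VAULT)
HIJACKED = expected_credentials("0x2222222222222222222222222222222222222222")
BLS_STYLE = bytes([BLS_WITHDRAWAL_PREFIX]) + b"\x33" * 31

if __name__ == "__main__":
    for name, creds in (("honest", HONEST), ("hijacked", HIJACKED), ("bls", BLS_STYLE)):
        print(name, decide_funding(creds, VAULT))
```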
Similarly, a node operator can incorrectly sign the first deposit transaction. As in the front-running case, Stader ensures that a valid signature is provided before lending 28 ETH, avoiding losses for staker ETH.
- Reward loss prevention
The following penalties are levied on a validator to protect stakers’ rewards:
- 1 ETH penalty for MEV misappropriation
Stader has partnered with Rated Network to identify MEV misappropriation. Any time an ETHx validator proposes a block with a fee recipient different from Stader’s recommended address, an MEV misappropriation penalty is imposed.
- DAO penalty for other loss of rewards
The Stader DAO can add penalties for validators in the case of any other deviant behaviors causing significant loss of rewards to stakers.
Preventing reward loss maximizes the rewards earned on staked ETH. With penalties compensating for downtime and MEV theft, stakers can rest assured that their ETH will continue to earn top rewards despite node operator performance volatility.
- Slashing loss protection
A validator’s 4 ETH security collateral compensates for any loss of funds due to slashing or other ETH network-imposed penalties. When a validator exits, the node operator only receives the remaining collateral (a portion of the 4 ETH) after all of the stakers’ ETH and their rewards have been accounted for.
- Node operational risk management
An operator can run a validator with ETHx only after pre-recording an exit message that Stader securely stores. Stader broadcasts this pre-signed exit message to stop a validator from reaching dangerous penalty levels, thereby force-exiting a validator.
A node operator showing consistent signs of sub-optimal performance will eventually accumulate enough penalties. At that point, their validators are exited and the staked funds are recycled. Lost rewards or staked funds, if any, are compensated from the 4 ETH security collateral, making stakers whole.
- ETH network degradation risk management
Safe Mode ensures fair penalty distribution between node operators and stakers under extreme network conditions. Safe Mode disables withdrawals until conditions stabilize. Once network conditions return to normal, the DAO disables Safe Mode and re-enables withdrawals. The monitoring manager imposes Safe Mode in two cases:
- A percentage of all ETH validators are slashed, leading to unsafe correlation penalty levels. The ETH network imposes correlation penalties on validators performing sub-optimally under bad network conditions.
- More than 50% of ETHx validators are facing downtime. This is done as a measure of caution to ensure no bugs affect a subset of the Stader validators.
With Safe Mode, stakers see minimized impact of the loss of funds, with node operators taking on the majority of risk for sub-optimal performance.
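An added example of how the two Safe Mode triggers and the enable/disable sequence described above could be evaluated off-chain (example code for this post, not Stader’s monitoring manager). The 50% ETHx downtime threshold is from the post; the slashed-validator percentage is a placeholder, and the validator snapshot is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# The post gives the ETHx downtime trigger (more than 50% of ETHx validators down) but only says
# "a percentage of all ETH validators" for correlated slashing, so that threshold is a placeholder.
ETHX_DOWNTIME_TRIGGER = 0.50
NETWORK_SLASHED_TRIGGER = 0.01  # PLACEHOLDER, not a Stader parameter

@dataclass(frozen=True)
class ValidatorStatus:
    index: int
    run_by_ethx: bool  # member of the ETHx validator set
    slashed: bool      # slashed on the beacon chain
    online: bool       # attesting in the current window

def safe_mode_triggers(snapshot: Iterable[ValidatorStatus]) -> List[str]:
    """Every Safe Mode condition met by this snapshot; an empty list means conditions are normal."""
    validators = list(snapshot)
    ethx = [v for v in validators if v.run_by_ethx]
    slashed_share = sum(v.slashed for v in validators) / len(validators) if validators else 0.0
    down_share = sum(not v.online for v in ethx) / len(ethx) if ethx else 0.0
    triggers = []
    if slashed_share > NETWORK_SLASHED_TRIGGER:
        triggers.append(f"{slashed_share:.1%} of all validators slashed (correlation penalty risk)")
    if down_share > ETHX_DOWNTIME_TRIGGER:
        triggers.append(f"{down_share:.0%} of ETHx validators offline")
    return triggers

class SafeMode:
    """The monitoring manager can only switch Safe Mode on; only the DAO switches it off, and only
    once no trigger still fires (the sequence the post describes)."""
    def __init__(self) -> None:
        self.active, self.withdrawals_enabled = False, True

    def observe(self, snapshot: Iterable[ValidatorStatus]) -> List[str]:
        triggers = safe_mode_triggers(snapshot)
        if triggers:
            self.active, self.withdrawals_enabled = True, False
        return triggers

    def dao_disable(self, snapshot: Iterable[ValidatorStatus]) -> bool:
        if self.active and not safe_mode_triggers(snapshot):
            self.active, self.withdrawals_enabled = False, True
        return not self.active

def constructed_snapshot(total: int, ethx: int, ethx_down: int, slashed: int) -> List[ValidatorStatus]:
    """Constructed sample: validators 0..ethx-1 are ETHx-run (first ethx_down offline); the last `slashed` are slashed."""
    return [ValidatorStatus(i, i < ethx, i >= total - slashed, i >= ethx_down) for i in range(total)]
```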
Oracle Security
Oracles play an integral role in the functioning of ETHx contracts. Securing the Oracle operators is essential.
- Collateral backing
Each Oracle operator provides security collateral to back their Oracle performance. The list of Oracle operators is here. All the accumulated collateral is managed by a 3-on-5 multi-sig operated by reputed ETH ecosystem members.
- Reputation
Each Oracle operator is reputed, has demonstrated technical proficiency and exemplifies Ethereum’s tenets. They have publicly acknowledged their role in ETHx Oracles and their commitment to contribute to Stader DAO, the stakers and node operators.
- Consensus mechanisms
ETHx Oracles require a strict majority of Oracle operators to function. If a subset of Oracles cannot fulfil their duties due to malintent or malfunction, ETHx Oracles continue functioning as usual. Critical updates like Exchange Rates have built-in guardrails, enabling inspection mode if two subsequent rates deviate significantly.
- Dispute mechanism
Stader leverages Rated Network as an MEV misappropriation Oracle partner. A dispute mechanism powered by UMA prevents unfair or erroneous reports from impacting node operators.
With the current setup of Oracles and operators, ETHx strives for an optimal balance of decentralization, gas savings and transparency to continue protecting both stakers and node operators.
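An added example of the strict-majority rule and the Exchange Rate deviation guardrail described in the consensus mechanisms item above (example code for this post, not Stader’s Oracle code). The operator names and sample rates are constructed, and the 1% deviation threshold and the clear_inspection step are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, Optional

# The post says a "significant" deviation between two subsequent rates enables inspection mode but
# gives no figure, so this threshold is a placeholder rather than a Stader parameter.
INSPECTION_DEVIATION = Fraction(1, 100)  # PLACEHOLDER: 1% move between consecutive accepted rates

@dataclass
class ExchangeRateOracle:
    operators: FrozenSet[str]              # registered Oracle operators
    last_rate: Optional[Fraction] = None   # last accepted ETH-per-ETHx exchange rate
    inspection_mode: bool = False

    def strict_majority(self) -> int:
        """Smallest count that is more than half the operator set (3 of 5, 4 of 6, ...)."""
        return len(self.operators) // 2 + 1

    def settle_round(self, submissions: Dict[str, Fraction]) -> Optional[Fraction]:
        """Accept a rate only if a strict majority of registered operators reported the identical value
        and it stays within the deviation guardrail; returns the new rate, or None when the update is held."""
        if self.inspection_mode:
            return None  # held until the deviation has been reviewed
        votes = Counter(rate for op, rate in submissions.items() if op in self.operators)
        if not votes:
            return None
        rate, count = votes.most_common(1)[0]
        if count < self.strict_majority():
            return None  # a malfunctioning or malicious minority (or a tie) cannot move the rate
        if self.last_rate is not None and abs(rate - self.last_rate) / self.last_rate > INSPECTION_DEVIATION:
            self.inspection_mode = True
            return None
        self.last_rate = rate
        return rate

    def clear_inspection(self, reviewed_rate: Fraction) -> None:
        """Leave inspection mode with the rate confirmed by review. The post does not say who performs
        this step, so the existence and shape of this method are an assumption."""
        self.inspection_mode = False
        self.last_rate = reviewed_rate

# Constructed sample: five placeholder operators, three honest and two reporting a bogus rate.
ORACLES = ExchangeRateOracle(frozenset({"op-1", "op-2", "op-3", "op-4", "op-5"}))
HONEST_RATE, BOGUS_RATE = Fraction(1001, 1000), Fraction(2, 1)
ROUND_1 = {"op-1": HONEST_RATE, "op-2": HONEST_RATE, "op-3": HONEST_RATE, "op-4": BOGUS_RATE, "op-5": BOGUS_RATE}
```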
Protocol Health Security
To ensure that ETHx works as designed, Stader has developed several health metrics to monitor the functioning of systems.
- Alerts
- ETHx circulating supply increase
- Roles & permissions change on any deployed ETHx contract
- Lack of Oracle consensus
- Safe Mode conditions
- Frontrunning detection
- Invalid signature detection
- Exchange Rate Inspection Mode
- Privileged user address monitoring
- Unusual reward behavior for validators
- Public dashboards
To provide transparency about the state of the ETHx system, the Stader team is also building dashboards for public monitoring. We will be sharing the public dashboards in the next few weeks.
This post covered how different security aspects are managed and monitored at Stader for ETHx’s safety. For feedback and improvements, please reach out on Twitter, Telegram or Discord.
Join 17,000+ ETHx early birds now! Get launch alpha and early access to $1M in launch incentives.
The ETHx launch is right around the corner. See you on mainnet on July 10, 2023.