Covalent Operational Staking
Disclaimer
Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.
The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.
Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.
To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
Coverage of Issues
Covalent Operational Staking
Independent Security Assessment
01 Executive Summary
02 Disclaimer
Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.
The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.
Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.
To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.
FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
03 Audit Methodology
The above files' code was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subject to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources for such problems and comment on them as well.
• Project Diagnosis
Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.
• Manual Code Review
Reading your source code line-by-line to identify potential vulnerabilities.
• Specification Comparison
Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.
• Test Coverage Analysis
Determining whether the test cases cover your code and how much of your code is exercised.
• Symbolic Execution
Analyzing a program to determine the specific input that causes different parts of a program to execute its functions.
Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.
04 Coverage of Issues
05 Finding Detailed Analysis
Re-Entrancy Risk in Withdrawal Logic
External token transfers were found to precede internal state updates in certain withdrawal paths.
Follow the Checks-Effects-Interactions pattern and use a ReentrancyGuard.
A malicious validator could deploy a contract to perform staking. Upon calling 'withdraw', the contract's fallback function could re-enter the staking contract, repeatedly draining liquidity before the validator's recorded stake is decremented.
Flawed Cooldown Algorithm
Incorrect block reference usage allowed for potentials bypass of the mandatory security cooldown period.
Standardize cooldown logic using block.timestamp or strictly validated block numbers.
A validator could trigger an unstaking request and, due to the logic flaw, bypass the 7-day security window to immediately withdraw their funds and exit the protocol during a slashable event.
Improper Delegation Capacity Validation
A formula error in the delegation capacity check could lead to inconsistent validator states.
Refactor the capacity calculation to use singular, immutable state variables.
Validators could accidentally exceed their intended protocol caps, leading to a situation where delegators are unable to unstake due to failed capacity invariant checks in the withdrawal logic.
Administrative Lockup via Multiplier
The 'maxCapMultiplier' lacks an upper-bound constraint and can be lowered arbitrarily.
Implement sanity checks to prevent setting the multiplier below current active levels.
A negligent administrator could set the multiplier to a value lower than the current total staked amount, effectively locking all future staking transactions and potentially bricking withdrawal logic that relies on these bounds.
Unconstrained Commission Rates
Validator commission rates lack a protocol-enforced cap.
Hardcode a maximum commission cap (e.g., 20%) in the smart contract.
A malicious validator could attract delegators with a 0% fee, then suddenly increase it to 100%, capturing all rewards generated by delegators before they have time to react and unstake.
BACKCODE ANALYTICS
Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.