Lido Community Staking Module
Zealynx audited Lido Finance's Community Staking Module (CSM), the permissionless validator on-ramp into the Lido protocol. The review was conducted in collaboration with Shieldify across approximately 3,000 nSLOC, focusing on bond-lock accounting and asset-recovery flows. Two Low severity findings were identified: a potential arithmetic overflow in the bond-lock accumulation path, and a fee-on-transfer token accounting issue in the asset recovery library.
Scope
2 files · 3,000 SLOC
Findings
Key Findings
- Potential overflow in _lock() accumulation path. The unchecked block in CSBondLock._lock() adds new amounts to any existing locked amount; over repeated calls this can theoretically overflow even though access is restricted to onlyCSM. Recommended either an explicit overflow check or an upper bound on lockable amounts.
- Fee-on-transfer tokens can desync recoverERC20() accounting. AssetRecovererLib.recoverERC20() emits the requested amount in ERC20Recovered and assumes the full transfer succeeds; for fee-on-transfer tokens the actual transferred amount is lower, leading to misleading event data and potential off-chain reconciliation issues. Recommended a balance-delta check around the safeTransfer to record the true amount.
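As an added illustration, not Lido's code and not the audited CSM contracts, the two recommendations above side by side in Solidity: a bond-lock that drops the unchecked block and adds an explicit cap, and a recovery helper that measures the recipient's balance delta so the ERC20Recovered event records what actually arrived. The contract and library names, MAX_LOCK and the OpenZeppelin imports are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative bond-lock (not CSBondLock): checked addition plus an explicit cap.
contract BondLockExample {
    uint256 public constant MAX_LOCK = 1_000_000 ether; // assumed upper bound
    address public immutable csm;                        // the only allowed caller
    mapping(uint256 => uint256) private _locked;         // nodeOperatorId => locked amount

    error NotCSM();
    error LockCapExceeded(uint256 requested, uint256 cap);

    constructor(address _csm) { csm = _csm; }

    function lock(uint256 nodeOperatorId, uint256 amount) external {
        if (msg.sender != csm) revert NotCSM();
        // Checked arithmetic: reverts on overflow instead of silently wrapping,
        // which is what an `unchecked { ... += amount; }` block would do.
        uint256 newAmount = _locked[nodeOperatorId] + amount;
        // Explicit upper bound so repeated locks cannot approach type(uint256).max.
        if (newAmount > MAX_LOCK) revert LockCapExceeded(newAmount, MAX_LOCK);
        _locked[nodeOperatorId] = newAmount;
    }

    function locked(uint256 nodeOperatorId) external view returns (uint256) {
        return _locked[nodeOperatorId];
    }
}

/// Illustrative recovery library (not AssetRecovererLib): emits the amount
/// the recipient really received, which differs from `amount` for
/// fee-on-transfer tokens.
library RecoverWithDelta {
    using SafeERC20 for IERC20;

    event ERC20Recovered(address indexed token, address indexed recipient, uint256 requested, uint256 received);

    function recoverERC20(address token, address recipient, uint256 amount) internal {
        uint256 before = IERC20(token).balanceOf(recipient);
        IERC20(token).safeTransfer(recipient, amount);
        // Balance delta on the recipient side: a fee-on-transfer token delivers less
        // than `amount`, and the event must not claim otherwise.
        uint256 received = IERC20(token).balanceOf(recipient) - before;
        emit ERC20Recovered(token, recipient, amount, received);
    }
}
```

Off-chain reconciliation should key on the received field; the requested field is kept only so both values are auditable from the same log.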
Team & approval
Disclaimer
This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

