Mitigating Risks and Best Practices for Restaking in EigenLayer
Cobo Security Team's in-depth study of liquid staking protocols & LSTs and the ultimate guide to safe participation
The Cobo Security Team has researched dominant liquid restaking protocols and Liquid Staking Tokens (LST) in the market. Our thorough examination includes a meticulous assessment of the associated risks from the smart contract, with the aim to empower users with vigilant risk management.
As Ethereum liquid restaking gains traction, projects have chosen Eigenlayer as their foundation. Restaking involves strategically redistributing users' staked assets across protocols, leveraging trust from the Ethereum Beacon staking layer. This approach lets users maximize profits and extends the same level of trust and security to other projects as the Ethereum Beacon layer.
To help users identify potential smart contract risks in interactions among liquid restaking protocols, the Cobo Security Team researched 6 liquid restaking protocols and respective LST assets, where risks are outlined to enable users to participate in protocol restaking effectively.
Note: The Cobo Security Team's findings are based on UTC time before Feb 5, 2024, midnight.
Risks Involved in Restaking Protocols
Majority of the restaking protocols are built atop EigenLayer. For users, participating in restaking entails potential exposure to the following risks:
Smart Contract Risks
Participating in restaking involves interacting with the project's contract, exposing users to the risk of contract attacks.
Projects built on EigenLayer ultimately secure their funds within the contracts of the EigenLayer. In the event of an attack on the EigenLayer contract, the funds of associated projects may be jeopardized.
EigenLayer hosts two distinct types of restaking: native ETH restaking and LST restaking. While LST restaking directly stores funds within EigenLayer contracts, native ETH restaking involves funds residing in the ETH Beacon chain. Consequently, users participating in LST restaking may incur losses due to risks associated with EigenLayer contracts.
Project owners wield high-risk permissions, potentially allowing for the misuse of user funds through sensitive permissions.
LST Risks
LST tokens may lose their peg or experience price fluctuations and value losses due to upgrades or attacks on the LST contract.
Withdrawal Risks
Mainstream restaking protocols, with the exception of EigenLayer, lack support for withdrawals. In cases where the project team hasn't updated the contract to facilitate withdrawals, users face an indefinite inability to access their assets, necessitating liquidity exit from the secondary market.
In response to the outlined risks, the Cobo security team conducted a comprehensive investigation into several mainstream restaking protocols in the current market and summariozed the findings. Key observations include:
Low project completion: Withdrawal logic is absent in most projects.
Centralization risk: User assets are controlled by a multi-signature wallet, posing a potential rug pull risk for the project team.
In the event of malicious behavior or loss of multi-signature private keys as mentioned in the second point, it could result in asset loss.
To make these security findings more digestible, we have organized and categorized our research findings into a table. Here's a breakdown of what we discovered:
As EigenLayer serves as the foundational infrastructure for all projects, beyond the points outlined in the table, users should also be attentive to the following considerations:
EigenLayer is presently deployed in contracts on the Ethereum mainnet, but it has not fully realized all functionalities outlined in its whitepaper, such as AVS and slash. Specifically, the slash function has only implemented related interfaces without complete logic. Notably, the current slash is triggered by the owner of the StrategyManager contract (the project's admin permission), suggesting a relatively centralized execution method.
In the course of participating in EigenLayer native ETH restaking, users undertaking the setup of an EigenPod contract for managing restaking funds must also operate their own Beacon chain node service. This entails bearing the risk of potential slashing by the Beacon chain. When engaging in native ETH restaking, users are advised to select reputable node service providers. Furthermore, since ETH is stored in the Beacon chain, the withdrawal process necessitates mutual agreement between users and node service providers, as these providers assist users in withdrawing relevant funds from the Beacon chain.
As EigenLayer hasn't fully implemented features like AVS and slash mechanisms, the Cobo Security Team advises users against enabling the delegate function unless they thoroughly understand the associated risks, as doing so might result in fund losses.
Upon code reviews, we have identified certain projects with code-related vulnerabilities that may pose risks to user fund security. In response, we promptly initiated communication with the respective project teams to discuss and verify the identified risk points. Here are some of the vulnerabilities we observed and the outcomes of our collaborative discussions:
Eigenpie
All contracts within Eigenpie are designed as upgradable contracts, and the authority for upgrades is vested in a 3/6 Gnosis Safe multisig.
However, the upgrade permissions for the MLRT token contracts linked to cbETH, ethX, and ankrETH in the MLRT token are currently held by Externally Owned Account (EOA) addresses.
Cobo reached out to the EigenPie team before publishing this article, and the Eigenpie team promptly confirmed their commitment to transferring the upgrade permissions for all MLRT tokens to the multisig wallet within 24 hours.
KelpDAO
When a user stakes, KelpDAO computes the share portion allocated to the user, and it is necessary to calculate the value of the share. However, we found that the manual update of rsETHPrice in the calculation formula requires the corresponding oracle to be updated manually. The share price of the respective token contracts is used as the price source but for stETH, a direct conversion of 1:1 is employed. If stETH experiences a discount in the secondary market during the staking process, there appears a potential arbitrage opportunity.
On Feb 5th, KelpDAO clarified that the exchange rate for the Lido contract is fixed at 1 stETH = 1 ETH. Since withdrawal functionality is not yet available in KelpDAO, arbitrageurs would not be able to capitalize on this strategy. In addressing this concern, the KelpDAO team has proposed the implementation of a circuit breaker mechanism upon the introduction of withdrawals. This mechanism will assess the market price of stETH, compare it with the contract price of stETH, and implement necessary safeguards in the event of significant deviations.
Renzo
The OperatorDelegator is tasked with directing protocol funds to EigenLayer based on various deposit ratios. However, during the configuration of OperatorDelegators, the protocol fails to verify whether the total of all OperatorDelegator ratios exceeds 100%. This could result in a scenario where OperatorDelegator-1 (70%) and OperatorDelegator-2 (70%) can coexist.
This issue predominantly impacts user fund withdrawals, and given the incomplete withdrawal logic, the precise effect on the principal cannot be determined at this moment.
In this particular situation, the Renzo team clarifies that funds might be directed to the wrong OperatorDelegator contract for deposit or withdrawn from the incorrect OperatorDelegator. Renzo notes that although this technical issue may result in discrepancies in the expected allocations assigned to different operators, it will not impact the calculation of Total Value Locked (TVL) or the security of funds.
Essentially, the Renzo team will resolve this technical issue in the upcoming contract upgrades.
Beyond the risks tied to the protocol's functionality, it's crucial to consider the risk associated with LST (protocol token) in the restaking process. The Cobo security team has looked into the examination of mainstream LST tokens in the market and compiled the findings for convenient reference, outlined below:
Navigating Restaking Risks: A Comprehensive Guide to Safe Participation
Restaking, being a nascent concept, is still in its early stages. Risks exist at both the contract and protocol layers.
The Cobo Security Team has devised a comprehensive guide that enables users to navigate the restaking narratives with greater confidence and security.
Capital Allocation
For users with substantial capital seeking to engage in restaking, a judicious strategy involves direct participation in EigenLayer's Native ETH restaking. The rationale behind this choice lies in the security afforded by Native ETH restaking, wherein the deposited ETH assets are securely stored in Beacon chain contracts rather than within EigenLayer contracts. This structural distinction ensures heightened protection, mitigating the risk of immediate access to user assets even in the unlikely event of a contract attack.
For users with significant capital, reluctant to endure extended redemption times, opting for the relatively secure stETH as the participating asset directly involved in EigenLayer is advisable.
For users seeking additional returns, a strategic approach involves selectively allocating a portion of their funds to projects such as Puffer, KelpDAO, Eigenpie, and Renzo, all built on EigenLayer. This allocation should align with their risk tolerance. However, it's crucial to note that none of these projects have implemented withdrawal logic. Therefore, users participating in such protocols need to consider the associated withdrawal risks. Additionally, liquidity in the secondary market for related LRT should be factored into the investment process.
Monitoring Tools and Configuration
Protocols listed in the document currently have the ability for contract upgrades and pausing. Additionally, project multisigs can execute high-risk operations. For advanced users, configuring corresponding contract monitoring to track contract upgrades and sensitive operations executed by project teams is recommended.
Furthermore, teams and users looking to invest ETH in projects can collaborate with Cobo Argus to set up automated bots and single-signature authorization configurations for Safe wallets. These configurations can be based on changes in pool-based Total Value Locked (TVL), fluctuations in ETH prices, and movements of large whales, enabling automatic deposits to EigenLayer and various restaking protocols.
About Cobo
Cobo is a globally trusted leader in digital asset custody solutions. As the world’s first omni-custody platform, Cobo offers the complete spectrum of solutions from custodial wallets to non-custodial wallets including MPC and smart contract wallets, as well as Wallet-as-a-Service, a DeFi management platform (Argus), and an off-exchange settlement network (SuperLoop). Trusted by over 500 institutions with billions in assets under custody, Cobo inspires confidence in digital asset ownership by enabling safe and efficient management of digital assets and interactions with Web 3.0. Cobo is ISO27001 certified, SOC2 Type 1 and Type 2-compliance-certified, and licensed in 4 jurisdictions.
For more information, please visit www.cobo.com.