Between 17.02.2022 and 25.02.2022, the Ackee Blockchain Security Team successfully performed the audit of Everstake’s EverSOL Stake Pool. The whole auditing process was performed with a total time donation of 5 engineering days. 

At the time of writing this post, Everstake is the biggest decentralized staking provider, trusted by 625 000 users, and helps secure PoS protocols (Solana, Polkadot, Ethereum 2.0(Ethereum, yes we know), Terra, Cosmos, and many more)

How does the Everstake EverSOL Stake Pool work?

EverSOL Stake Pool provides an opportunity for staking delegators to gain more yield by enabling liquid staking and issuing liquid tokens (eSOL)

Delegators who stakes with EverSOL Stake Pool receive eSOL for every SOL they deposited to the pool. Deposited SOL tokens are then delegated to a set of selected validators, according to the EverSOL Delegation Strategy. EverSOL Stake Pool has instant unstake, and delegators can skip the general Solana unstake period and undelegate immediately. Minted eSOL tokens can be used in DeFi to generate additional yield.

According to EverSOL Stake Pool roadmap, the EverSOL DAO will be created and play an essential role in the staking mechanism. Delegators will be able to choose from two options how they can use their staking rewards:

  1. Delegators will be able to support the DAO. 7% of their rewards will be sent to the DAO’sTreasury. (The funds will be used to fund Solana-based projects)
  2. Or delegators will choose to earn more rewards by sending rewards back to the Stake Pool SOL balance.

If you want to learn more about the Everstake and EverSOL Stake Pool, please visit the official EverSOL documentation here.

 

A summary of the audit and its findings follows up.

Our audit methodology for EverSOL Stake Pool consisted of:

  1. Code review 
    • High-level review of the specifications, sources, and instructions provided to us to make sure we understand the project’s size, scope, and functionality.
    • Detailed manual code review, which is the process of reading the source code line-by-line to identify potential vulnerabilities. We focus mainly on common classes of Solana program vulnerabilities, such as missing ownership checks, missing signer authorization, signed CPI of unverified programs, cosplay of Solana accounts, missing rent exemption assertion, bump seed canonicalization, incorrect accounts closing, casting truncation, numerical precision errors, arithmetic overflows or underflows.
    • Comparison of the code and given specifications, ensuring that the program logic correctly implements everything intended.
    •  Review of best practices to improve efficiency, clarity, and maintainability. 
  1. Testing and automated analysis
    • Run client’s tests to ensure that the system works as expected, potentially write missing unit or fuzzy tests using our own testing framework Trdelnik
  1. Local deployment + hacking 
    • The programs are deployed locally, and we try to attack the system and break it. There is no specific strategy here, and each project’s attack attempts are characteristic of each program audited. However, when trying to attack, we rely on the information gained from previous steps and our rich experience.

What were our findings?

During the audit, we paid special attention to the findings from previous audits of the Stake pool program (whether it was correctly addressed) and the newly added functionality.

The whole auditing process, including using our toolset, manual code review, unit testing, and fuzzy testing, resulted in identifying two low severity issues, although both were general recommendations rather than security issues.

Low severity issues are more comments and recommendations rather than security issues.

Overall code quality is high as it is a program from the SPL library and the newly added functionality also copies this high standard. Documentation from Everstake significantly helped us understand the system overview.

The Ackee Blockchain security team recommended Everstake to address reported issues and monitor the SPL stake-pool and apply major changes in the future, as the program is still in active development.

We were delighted to audit Everstake EverSOL Stake Pool and we are looking forward to working with them again. 

The full Ackee Blockchain audit report of EverSOL Stake Pool is here:

Everstake x Ackee Blockchain audit