I reviewed the audit reports for EtherFi and found a few statements in the reports that indicated potential security shortcomings. I wanted to highlight those here so the community is aware of the potential technical risks and provide some recommendations for improvement before weETH is considered for listing.
Audit Report Statements to Highlight
From the Omniscia report (page 2), conducted on May 17, 2023:
We evaluated all alleviations performed by EtherFi and have identified that certain exhibits have not been adequately dealt with. We advise the EtherFi team to revisit the following exhibits: SME-04M, EFM-05M, EFN05M
These three exhibits are Major severity issues that were left unaddressed, including a logical fault affecting ETH 2.0 validator withdrawals.
In the Nethermind Audit Report conducted on July 5th, 2023, some of these issues, including the one affecting ETH 2.0 Validator Withdrawals, appear to have been at least somewhat mitigated (6.2, page 13). However, the Executive Summary (page 3) did make several statements calling the readiness of the code into question:
After thoroughly examining the current implementation of the ether.fi protocol, we propose conducting further comprehensive reviews and extensive testing before contemplating any deployment decisions
We also highlight that: a) new functionalities have been incorporated into the code during the audit, which we consider beyond the original scope, and should be further reviewed
The last audit was conducted by Solidified on Oct 23rd, 2023. It noted a medium-to-high level of complexity, stating:
There are a lot of external calls between the different contracts that need to be authorized and that pass important data such as the original caller as a function argument.
It also appears that a Hats.Finance bug competition was conducted in November 2023 but it was not included in the Audit Page provided and had to be found independently. It reported at least one Medium Issue.
Present Concerns about Security
Number of Critical Issues Reported
In addition to these specific comments, there are concerns about the number of Critical Issues found in each report:
- Omniscia (May 2023) - Major Issues Identified: 11
- Nethermind (July 2023) - Critical/High Issues Identified: 7 (includes at least one issue also reported in the Omniscia audit)
- Solidified (Oct 2023) - Critical/Major Issues Identified: 5
- Hats.Finance (Nov 2023): Medium Issues Identified: 1
While it's good to see these issues caught and addressed, the significant number of severe issues still being found in the codebase by the third audit is concerning. While it appears that no serious issues were raised in the Hats.Finance competition beyond 1 Medium, the nature of code competitions means that the level of review the codebase received might not have been exhaustive.
Inability to Verify Source Code and latest Audit Commit
The EtherFi codebase could not be found on the website and does not appear to be open-sourced. The commit hash referenced in the last audit report (Solidified, page 1) is not publicly accessible, so it's impossible to verify whether the latest source code deployed on-chain matches the last version that was audited.
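For reference, this is what the verification asked for above looks like in practice once the audited commit is available: compile the audited commit with the compiler settings recorded in the audit, pull the deployed runtime bytecode with eth_getCode, and compare the two with the solc metadata trailer stripped (the trailer embeds a hash of the metadata JSON, which changes with source paths and build settings even when the executable code is identical). The script below is an added example written for this post; it is not EtherFi code and the sample bytecode, metadata trailer and function names are constructed for illustration, with no network access needed.

```python
"""Compare on-chain runtime bytecode with bytecode compiled from an audited commit.

solc appends a CBOR-encoded metadata blob to the runtime bytecode, followed by a
2-byte big-endian length of that blob. The blob carries the IPFS/Swarm hash of
the metadata JSON, which changes with source paths and compiler settings, so a
byte-for-byte comparison can fail even when the executable code is identical.
Stripping the trailer before comparing isolates what actually runs on chain.
"""


def strip_cbor_metadata(code: bytes) -> bytes:
    """Return runtime code with the solc CBOR metadata trailer removed.

    If no plausible trailer is found (length field larger than the code, or the
    blob does not start with a CBOR map header), the code is returned unchanged.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    total = meta_len + 2
    if total > len(code):
        return code
    blob = code[-total:-2]
    # solc's metadata blob is a CBOR map: major type 5, so first byte is 0xa0..0xbf.
    if not blob or (blob[0] & 0xE0) != 0xA0:
        return code
    return code[:-total]


def hex_to_bytes(s: str) -> bytes:
    """Accept hex with or without a 0x prefix, as returned by eth_getCode."""
    s = s.strip()
    if s[:2] in ("0x", "0X"):
        s = s[2:]
    return bytes.fromhex(s)


def runtime_code_matches(onchain_hex: str, compiled_hex: str) -> bool:
    """True if the two runtime bytecodes are identical once metadata is ignored."""
    return strip_cbor_metadata(hex_to_bytes(onchain_hex)) == strip_cbor_metadata(
        hex_to_bytes(compiled_hex)
    )


def fake_metadata_trailer(ipfs_digest: bytes) -> bytes:
    """Build a trailer shaped like solc 0.8.19's ({ipfs: ..., solc: 0.8.19}).

    Constructed for this example only; the digest would normally be the sha256
    of the metadata JSON, here it is an arbitrary 32-byte value.
    """
    assert len(ipfs_digest) == 32
    blob = (
        b"\xa2"                       # CBOR map with 2 entries
        + b"\x64ipfs"                 # key "ipfs"
        + b"\x58\x22"                 # bytes(34)
        + b"\x12\x20" + ipfs_digest   # multihash: sha2-256, 32 bytes
        + b"\x64solc"                 # key "solc"
        + b"\x43\x00\x08\x13"         # bytes(3): version 0.8.19
    )
    return blob + len(blob).to_bytes(2, "big")


# Constructed sample runtime body (not a real EtherFi contract): a typical solc
# prologue. The three variants below differ only in metadata or in code.
SAMPLE_BODY = bytes.fromhex("608060405234801561001057600080fd5b50")
SAMPLE_ONCHAIN = "0x" + (SAMPLE_BODY + fake_metadata_trailer(bytes(range(32)))).hex()
SAMPLE_COMPILED = (SAMPLE_BODY + fake_metadata_trailer(bytes(32))).hex()
SAMPLE_TAMPERED = (SAMPLE_BODY + b"\xfe" + fake_metadata_trailer(bytes(32))).hex()


def example_checks() -> dict:
    """Run the comparison over the constructed samples."""
    return {
        "same_code_different_metadata": runtime_code_matches(SAMPLE_ONCHAIN, SAMPLE_COMPILED),
        "tampered_code": runtime_code_matches(SAMPLE_ONCHAIN, SAMPLE_TAMPERED),
    }


if __name__ == "__main__":
    for name, ok in example_checks().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

Two caveats when running this against a real deployment: if the contract is behind a proxy, eth_getCode on the user-facing address returns the proxy, so the implementation address has to be resolved first; and contracts with immutable variables have their values patched into the runtime bytecode at deployment, so those byte ranges (reported by the compiler as immutableReferences) must be masked before comparing. A match produced this way only shows the deployed code corresponds to the audited source; it says nothing about issues the audit left open.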
Active Bug Bounty Program and Security Contact Not Listed in Docs
The EtherFi documentation page has a Bug Bounty section, but it only contains the following statement, with no clear plan or timeline for offering a bug bounty program:
ether.fi are huge believers in the power of the Ethereum community and open source. We have plans to offer bug bounties to the community and software development community at large.
After further digging, it does appear that EtherFi has started a bug bounty program with Immunefi but has not updated their documentation.
It's also important to note that there is no security contact listed in the docs or on the website through which bugs could be reported to the team in a clear and secure manner.
Request to EtherFi Team
Given the serious security risks that Compound Finance takes on when listing a collateral asset, especially an LRT, I encourage the EtherFi team to make improvements to their security posture before the community considers listing the asset.
My main asks are:
- Update the Audit Reports page to include all of the latest audits conducted. I would also like to receive confirmation that all major issues raised in these reports were resolved, especially the Omniscia issues that appear to have been only partially resolved at the time of the Nethermind audit, which is not clear from the reports.
- Provide enough information to transparently verify that the currently deployed contracts were included in the last audit scope. Given that many of the deployed contracts are verified on Etherscan, I see no reason why a GitHub codebase can't also be made available, with direct references to the audit commit included in the latest contract deployments.
- Please update the Bug Bounty page to include the Immunefi bounty program and provide an easy way to contact the EtherFi security team regarding an issue.
There are other security improvements that could also be considered but these appear to be the most pressing.