Introduction
Liquid Staking Derivatives (LSDs) have become critical infrastructure on networks like Ethereum and Solana. They allow users to stake assets while retaining liquidity. In the Ethereum ecosystem, LSD protocols account for a massive portion of staked ETH. For example, stETH accounts for over 90% of all liquid-staked Ether, and Lido alone has held roughly one-third of all staked ETH.
This popularity reflects the high level of trust users and DeFi integrations place in LSD tokens as "receipt" assets. However, recent incidents show that these systems introduce systemic risk if they are not engineered carefully. From de-pegging events to oracle exploits, the failure modes span smart contract bugs and economic design flaws.
This post outlines security challenges and best practices for LSD protocols. We draw on industry patterns to safeguard staked assets.
1. Peg Stability and Liquidity Risks
A foundational promise of an LSD token is maintaining near-parity with the underlying staked asset. In theory, 1 LSD token represents 1 unit of staked collateral plus accrued rewards. In practice, LSDs often trade below parity when direct redemption is unavailable or slow and holders must exit through secondary markets.
Liquidity frictions can cause sharp de-pegs during market stress. The June 2022 stETH episode is the prime example. As large holders sold stETH, the Curve stETH/ETH pool became imbalanced; at one point only roughly 20% of the pool was ETH, so each further sale incurred heavy slippage. The price of stETH dropped to approximately 0.94 ETH. This 6% deviation triggered liquidations of leveraged positions, and the forced selling deepened the spiral.
Best Practices: LSD protocols must anticipate liquidity crunches. Protocols should encourage deep liquidity through incentives or built-in exchange pools. Rate limits on withdrawals and mechanisms for arbitrage-friendly redemption help dampen deviations. Transparency regarding scenarios like mass exits is vital for integrator preparation.
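To make the mechanics concrete, here is an added example (not Spearbit's code and not Curve's contract) in Python: a float model of the two-coin StableSwap invariant, used to show how the marginal ETH price of stETH falls as the pool drains of ETH. The amplification coefficient, pool size and sale tranches are constructed inputs, not the live pool's parameters.

```python
# Added example: minimal float model of the 2-coin StableSwap invariant
#   A*n^n*sum(x) + D = A*D*n^n + D^(n+1) / (n^n * prod(x))
# Amplification (amp), pool size and sale sizes below are constructed.

N = 2  # coins in the pool: index 0 = ETH, index 1 = stETH


def get_d(balances, amp):
    """Solve the invariant for D by Newton's method (same iteration as Curve)."""
    s = sum(balances)
    if s == 0:
        return 0.0
    ann = amp * N ** N
    d = s
    for _ in range(255):
        d_p = d
        for x in balances:
            d_p = d_p * d / (N * x)
        d_prev = d
        d = (ann * s + d_p * N) * d / ((ann - 1) * d + (N + 1) * d_p)
        if abs(d - d_prev) <= 1e-12 * d:
            break
    return d


def get_y(x_other, d, amp):
    """Given the post-trade balance of one coin, solve the invariant for the other."""
    ann = amp * N ** N
    c = d * d / (N * x_other) * d / (N * ann)
    b = x_other + d / ann
    y = d
    for _ in range(255):
        y_prev = y
        y = (y * y + c) / (2 * y + b - d)
        if abs(y - y_prev) <= 1e-12 * y:
            break
    return y


def sell_steth(eth_bal, steth_bal, amount, amp):
    """Sell `amount` stETH into the pool. Returns (eth_out, new_eth_bal, new_steth_bal)."""
    d = get_d([eth_bal, steth_bal], amp)
    new_steth = steth_bal + amount
    new_eth = get_y(new_steth, d, amp)
    return eth_bal - new_eth, new_eth, new_steth


def steth_price(eth_bal, steth_bal, amp, probe_fraction=1e-9):
    """Marginal ETH price of stETH, measured with a tiny probe sale
    sized relative to the pool so float rounding stays negligible."""
    probe = probe_fraction * (eth_bal + steth_bal)
    eth_out, _, _ = sell_steth(eth_bal, steth_bal, probe, amp)
    return eth_out / probe


def depeg_scenario(amp=50.0, total=2_000_000.0,
                   cumulative_sells=(0, 200_000, 400_000, 600_000)):
    """Start balanced and sell stETH in tranches. Returns a list of
    (eth_share_of_pool, marginal_steth_price) after each tranche."""
    eth, steth = total / 2, total / 2
    sold = 0
    rows = []
    for target in cumulative_sells:
        if target > sold:
            _, eth, steth = sell_steth(eth, steth, target - sold, amp)
            sold = target
        rows.append((eth / (eth + steth), steth_price(eth, steth, amp)))
    return rows


if __name__ == "__main__":
    for share, price in depeg_scenario():
        print(f"ETH share {share:5.1%}  stETH price {price:.4f} ETH")
```

Run it and the last row lands near 20% ETH with stETH quoted a few percent below 1 ETH; lowering `amp` (a flatter curve near parity but a steeper one away from it) makes the same imbalance produce a much larger discount, which is why depth and the pool's parameters, not just its total size, determine how a mass exit reprices the token.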
2. Secure Minting and Redemption Flows
Minting and redeeming are the most critical flows; any bug here is catastrophic. The protocol must enforce that new tokens are minted only against deposits that actually arrived, and that redemptions burn tokens before collateral is released.
An instructive example is the December 2022 Ankr aBNBc incident on BNB Chain. An attacker used an unprotected mint function to create six quadrillion tokens and swapped them for millions of dollars in stablecoins before the protocol halted. A single overlooked check destroyed the token's economy.
On Ethereum and Solana, these flows interface with deposit contracts or validator registries. Re-entrancy guards and accounting consistency are paramount. Every variable tracking total staked assets versus minted tokens must stay in sync.
Best Practices: Employ a principle of least privilege. If an oracle or admin calls mint functions, use multi-sig or time-lock protections. Comprehensive testing must cover partial withdrawals and simultaneous stake events. Many protocols adopt rate-limiting on issuance to prevent abrupt supply changes.
3. Rebasing and Reward Accounting Pitfalls
LSD tokens handle rewards in different ways. Rebasing tokens, like Lido's stETH, automatically increase user balances. Non-rebasing tokens, like Rocket Pool’s rETH, use a static balance where the token's value increases relative to the underlying asset.
Rebasing requires careful integration. External protocols must read the live balance with balanceOf() at the time of use rather than caching the amount deposited. A cached figure goes stale on every rebase: after a negative rebase (slashing), depositors who withdraw first are paid out of the others' share, and after a positive rebase the accrued rewards are stranded in the integrator's contract.
Non-rebasing tokens rely on a reported exchange rate between the token and the underlying asset. If the reporting mechanism fails, the token is mispriced everywhere it is used. A design in which the exchange rate can only increase implicitly assumes slashing will never happen or will always be covered off-chain. That is a risky assumption; the code path for a decreasing rate must exist and be tested.
Best Practices: Ensure reward accounting is transparent. Provide libraries for integrators handling rebasing tokens. If using an exchange rate model, deploy a public view function or oracle feed. Implement sanity checks, such as Lido’s OracleReportSanityChecker, to reject outlier reports.
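The following added example (not Lido's or any protocol's code) models a share-based rebasing token in Python and shows the integrator bug described above: a vault that caches deposit amounts pays early withdrawers out of other depositors' funds after a slashing report, while a vault that accounts in shares passes the loss through proportionally. Account names, amounts and the 10% loss are constructed for the example.

```python
# Added example: share-based rebasing token model plus two integrator vaults.
# Holder names, amounts and the slashing loss are constructed inputs.


class StakedToken:
    """balanceOf(holder) = shares[holder] * total_pooled / total_shares.
    An oracle report that changes total_pooled rebases every balance at once
    (up for rewards, down for slashing) without touching per-holder storage."""

    def __init__(self):
        self.total_pooled = 0.0     # ETH the protocol controls (buffer + validators)
        self.total_shares = 0.0
        self.shares = {}            # holder -> shares

    def shares_for(self, eth):
        """Shares that `eth` is worth at the current exchange rate."""
        if self.total_pooled == 0.0 or self.total_shares == 0.0:
            return eth              # first deposit: one share per ETH
        return eth * self.total_shares / self.total_pooled

    def deposit(self, holder, eth):
        """Mint shares strictly in proportion to ETH received; there is no
        privileged mint() that could create supply without a deposit."""
        if eth <= 0:
            raise ValueError("deposit must be positive")
        minted = self.shares_for(eth)
        self.total_pooled += eth
        self.total_shares += minted
        self.shares[holder] = self.shares.get(holder, 0.0) + minted
        return minted

    def balance_of(self, holder):
        if self.total_shares == 0.0:
            return 0.0
        return self.shares.get(holder, 0.0) * self.total_pooled / self.total_shares

    def transfer_shares(self, sender, recipient, amount):
        if amount > self.shares.get(sender, 0.0) + 1e-12:
            raise ValueError("insufficient shares")
        self.shares[sender] -= amount
        self.shares[recipient] = self.shares.get(recipient, 0.0) + amount
        return amount

    def transfer(self, sender, recipient, eth):
        """ERC-20-style transfer denominated in ETH; moves the equivalent shares."""
        return self.transfer_shares(sender, recipient, self.shares_for(eth))

    def report(self, new_total_pooled):
        """Oracle accounting report: rebases all balances in one write."""
        self.total_pooled = float(new_total_pooled)


class CachingVault:
    """BUG: caches the ETH amount at deposit time and pays that later."""

    def __init__(self, token, name="caching_vault"):
        self.token, self.name, self.credit = token, name, {}

    def deposit(self, user, eth):
        self.token.transfer(user, self.name, eth)
        self.credit[user] = self.credit.get(user, 0.0) + eth

    def withdraw(self, user):
        owed = self.credit.pop(user)
        # After a negative rebase the vault holds less than the sum of credits;
        # early withdrawers get their stale figure, the last one gets the rest.
        pay = min(owed, self.token.balance_of(self.name))
        self.token.transfer(self.name, user, pay)
        return pay


class SharesVault:
    """Accounts in shares and reads the live rate on withdrawal, so rewards
    and losses flow through to each depositor proportionally."""

    def __init__(self, token, name="shares_vault"):
        self.token, self.name, self.user_shares = token, name, {}

    def deposit(self, user, eth):
        moved = self.token.transfer(user, self.name, eth)
        self.user_shares[user] = self.user_shares.get(user, 0.0) + moved

    def withdraw(self, user):
        moved = self.token.transfer_shares(self.name, user, self.user_shares.pop(user))
        return moved * self.token.total_pooled / self.token.total_shares


def slashing_scenario(vault_cls, loss_fraction=0.10):
    """Two equal depositors, then a slashing report; returns what each is paid."""
    token = StakedToken()
    token.deposit("alice", 100.0)
    token.deposit("bob", 100.0)
    vault = vault_cls(token)
    vault.deposit("alice", 100.0)
    vault.deposit("bob", 100.0)
    token.report(token.total_pooled * (1 - loss_fraction))   # constructed 10% loss
    return vault.withdraw("alice"), vault.withdraw("bob")
```

With a 10% slashing report, `slashing_scenario(CachingVault)` pays Alice 100 and Bob only 80, while `slashing_scenario(SharesVault)` pays 90 to each; the same caching bug with a positive report leaves the rewards stuck in the vault instead. The share-denominated variant is the pattern a wrapper token (a non-rebasing representation of a rebasing one) exposes to integrators that cannot handle changing balances.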
4. Oracle and Price Feed Manipulation
Failures often occur in how the LSD is valued in external DeFi markets rather than the staking contract itself. When LSD tokens serve as collateral, inaccurate price feeds enable exploits.
If an oracle reports a staked asset at $100 when the market price is $90, arbitrageurs can borrow against the overstated value and leave bad debt. This manipulation is easier if the LSD has low liquidity.
Staking protocols also rely on oracles for core functionality. If a consortium of oracles falsely reports massive rewards, it inflates token supply.
Best Practices: Decentralize oracle inputs. Use multiple independent reporters and require a quorum of signatures. Impose bounds on how much a reported value can change in one period. Integrators should apply safety margins, such as lending only up to 50% or 60% of the LSD market value, to account for volatility.
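As an added example (not Lido's OracleReportSanityChecker or any protocol's code), the Python model below combines the two controls from this section: a report takes effect only when a quorum of committee members submit an identical value, and then only if the implied annualised reward and the one-report loss stay within configured bounds. Member names, bounds and the reported values are constructed.

```python
# Added example: quorum-gated, bounds-checked accounting oracle for a staking
# protocol. Member names, bounds and reported totals are constructed inputs.
from collections import Counter

SECONDS_PER_YEAR = 365 * 86_400


class OracleCommittee:
    def __init__(self, members, quorum, total_pooled, last_report_ts,
                 max_apr=0.10, max_loss_bps=500, min_interval=86_400):
        if not 0 < quorum <= len(members):
            raise ValueError("quorum must be between 1 and the member count")
        if total_pooled <= 0:
            raise ValueError("model assumes a non-empty pool")
        self.members = set(members)
        self.quorum = quorum
        self.total_pooled = float(total_pooled)
        self.last_report_ts = last_report_ts
        self.max_apr = max_apr              # reward ceiling, annualised
        self.max_loss_bps = max_loss_bps    # largest one-report decrease
        self.min_interval = min_interval    # seconds between reports
        self.votes = {}                     # ref_slot -> {member: reported total}

    def submit(self, member, ref_slot, reported_total):
        """Record one member's report for `ref_slot`. Returns the agreed value
        once `quorum` members have reported exactly the same number, else None.
        A minority of compromised members can never reach quorum on their own."""
        if member not in self.members:
            raise PermissionError(f"{member} is not an oracle member")
        self.votes.setdefault(ref_slot, {})[member] = reported_total
        value, count = Counter(self.votes[ref_slot].values()).most_common(1)[0]
        return value if count >= self.quorum else None

    def sanity_check(self, reported_total, now):
        """None if the agreed report is within bounds, else the reason it fails."""
        elapsed = now - self.last_report_ts
        if elapsed < self.min_interval:
            return "report too soon after the previous one"
        if reported_total > self.total_pooled:
            growth = reported_total / self.total_pooled - 1
            apr = growth * SECONDS_PER_YEAR / elapsed
            if apr > self.max_apr:
                return f"implied APR {apr:.2%} exceeds {self.max_apr:.0%}"
        else:
            loss_bps = (1 - reported_total / self.total_pooled) * 10_000
            if loss_bps > self.max_loss_bps:
                return (f"one-report loss of {loss_bps:.0f} bps exceeds "
                        f"{self.max_loss_bps} bps; needs manual review")
        return None

    def apply_report(self, reported_total, now):
        """Apply an agreed, bounds-checked report to the accounting."""
        reason = self.sanity_check(reported_total, now)
        if reason is not None:
            raise ValueError(reason)
        self.total_pooled = float(reported_total)
        self.last_report_ts = now
        return self.total_pooled


def demo_round():
    """Five members, quorum 3; one compromised member reports a 5x balance."""
    committee = OracleCommittee(["o1", "o2", "o3", "o4", "o5"], quorum=3,
                                total_pooled=1_000_000.0, last_report_ts=0)
    committee.submit("o3", ref_slot=100, reported_total=5_000_000.0)   # rogue
    committee.submit("o1", ref_slot=100, reported_total=1_000_250.0)
    committee.submit("o2", ref_slot=100, reported_total=1_000_250.0)
    agreed = committee.submit("o4", ref_slot=100, reported_total=1_000_250.0)
    honest_reason = committee.sanity_check(agreed, now=86_400)
    rogue_reason = committee.sanity_check(5_000_000.0, now=86_400)
    return agreed, honest_reason, rogue_reason
```

The two checks cover different attackers: quorum defeats a minority of compromised reporters, and the bounds limit the damage a colluding quorum (or a shared bug in every reporter's client) can do in a single report. Note that a rejected loss report is a signal to investigate, not to ignore; the protocol still has to reconcile a real slashing, which is why a large decrease should route to a manual path rather than silently fail forever.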
5. Validator Performance and Slashing Resilience
LSD tokens depend on the validators securing the network. Poor performance or slashing penalties directly impact holders.
On Ethereum, an offline validator is not slashed; it accrues inactivity penalties that grow with how long it is offline and with how much of the network is offline at the same time. Slashing is reserved for provable misbehaviour such as double-signing (two conflicting blocks or conflicting attestations). A slashed validator immediately loses an initial penalty (1/32 of its effective balance under the Bellatrix rules, about 1 ETH of 32) and is forcibly exited, and part-way through the slashing window it pays a correlation penalty proportional to three times the fraction of total stake slashed in that window, up to its entire balance. If an LSD protocol concentrates stake with a few operators, a single software bug could slash many validators simultaneously, and the correlation penalty turns that into a far larger loss than the same number of isolated slashings.
Solana protocols have added protections such as Marinade's Protected Staking Rewards, which requires validators to post a bond that covers reward shortfalls caused by their downtime.
Best Practices: Spread stake across many independent operators to limit correlation. Implement automated monitoring to reduce stake to underperforming nodes. Develop a clear slashing response plan. This might involve socializing the loss or using an insurance fund to make holders whole.
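The added example below (not any protocol's code) computes the Ethereum slashing penalties under the Bellatrix-era parameters (initial penalty of 1/32 of effective balance, correlation multiplier of 3) for a pool in which one operator's entire fleet is slashed in the same window, and compares a pool with a single operator of 30,000 validators against one with 30 operators of 1,000 each. The network size and the operator sets are constructed inputs.

```python
# Added example: correlated slashing loss for a liquid staking pool.
# Constants are the Bellatrix-era consensus values; operator sets and the
# network size are constructed inputs, not any protocol's real distribution.

EFFECTIVE_BALANCE = 32.0                 # ETH per validator
MIN_SLASHING_PENALTY_QUOTIENT = 32       # initial penalty = balance / 32
PROPORTIONAL_SLASHING_MULTIPLIER = 3     # correlation penalty multiplier


def initial_penalty(effective_balance=EFFECTIVE_BALANCE):
    """Penalty applied immediately when a validator is slashed."""
    return effective_balance / MIN_SLASHING_PENALTY_QUOTIENT


def correlation_penalty(effective_balance, slashed_in_window, total_active):
    """Extra penalty applied mid-way through the slashing window (~36 days).
    It scales with 3x the fraction of total stake slashed in that window and
    is capped at the validator's whole balance."""
    adjusted = min(slashed_in_window * PROPORTIONAL_SLASHING_MULTIPLIER, total_active)
    return effective_balance * adjusted / total_active


def operator_failure_loss(validators_per_operator, failed_operator, total_active_eth):
    """Loss to the pool if every validator run by `failed_operator` is slashed
    in one window (for example a shared signer bug producing double votes).
    Returns (eth_lost, fraction_of_pool_lost)."""
    n = validators_per_operator[failed_operator]
    slashed_balance = n * EFFECTIVE_BALANCE
    per_validator = initial_penalty() + correlation_penalty(
        EFFECTIVE_BALANCE, slashed_balance, total_active_eth)
    per_validator = min(per_validator, EFFECTIVE_BALANCE)
    pool_eth = sum(validators_per_operator.values()) * EFFECTIVE_BALANCE
    lost = n * per_validator
    return lost, lost / pool_eth


def worst_case_loss(validators_per_operator, total_active_eth):
    """Largest single-operator failure loss across the operator set."""
    return max(operator_failure_loss(validators_per_operator, op, total_active_eth)
               for op in validators_per_operator)


def max_operator_size(total_active_eth, correlation_budget):
    """Largest validator count one operator may run so that a whole-fleet
    slashing costs at most `correlation_budget` (fraction of each balance)
    in correlation penalty, on top of the unavoidable initial penalty."""
    return int(correlation_budget * total_active_eth
               / (PROPORTIONAL_SLASHING_MULTIPLIER * EFFECTIVE_BALANCE))


NETWORK_ETH = 1_000_000 * EFFECTIVE_BALANCE        # constructed: 1M active validators
CONCENTRATED = {"op-a": 30_000}                     # one operator, 960k ETH
SPREAD = {f"op-{i}": 1_000 for i in range(30)}      # thirty operators, 960k ETH

if __name__ == "__main__":
    for label, ops in (("concentrated", CONCENTRATED), ("spread", SPREAD)):
        lost, frac = worst_case_loss(ops, NETWORK_ETH)
        print(f"{label:12s} worst single-operator loss: {lost:,.0f} ETH ({frac:.2%} of pool)")
```

Both pools hold the same 960,000 ETH, but the concentrated pool loses about 116,400 ETH (12% of the pool) when its only operator is slashed, against about 1,096 ETH (0.1%) for the pool spread over 30 operators; an operator running one-third of the network's stake would lose everything. The `max_operator_size` helper turns a loss budget into the per-operator cap that section 6's decentralisation advice asks for.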
6. Decentralization and Governance Safeguards
Validator centralization is a major security concern. If one liquid staking protocol controls more than one-third of total stake, it can single-handedly prevent the network from finalizing; a majority stake could censor transactions or capture MEV at the network's expense.
Governance security is equally critical. In the case of StakeHound, a custodial provider lost access to withdrawal keys for 38,000 ETH due to an operational error. This effectively stranded the assets indefinitely.
Best Practices: Cap total stake market share to avoid centralization. Require a diverse set of node operators. Implement robust multi-signature schemes for admin keys. Critical actions should go through on-chain governance with broad participation.
7. Key Custody and Access Management
Off-chain key management is a frequent point of failure. This includes validator withdrawal keys, upgrade keys, and oracle signing keys.
The BNB-chain exploit mentioned earlier was enabled by a compromised deployer key. This allowed the attacker to update the smart contract logic.
Modern protocols use Multi-Party Computation (MPC) or threshold signatures. Lido's withdrawal credentials were originally controlled by a threshold signature scheme in which a committee majority had to cooperate to withdraw ETH. Marinade on Solana structures native staking so that users retain the stake account's withdraw authority while the protocol holds only the stake (delegation) authority: it can move stake between validators but cannot take the funds.
Best Practices: Minimize the number of high-privilege keys. Use Hardware Security Modules (HSMs) or MPC wallets. Rotate keys periodically. Establish an incident response plan for key compromise.
8. Integration and Composability Cascades
Composability increases utility but amplifies risk. A problem in one protocol can cascade through others.
During the 2022 stETH de-peg, many holders had leveraged positions. They borrowed ETH against stETH to buy more stETH. When the price dropped, these positions were liquidated, forcing more selling and driving the price down further.
New LSD-Fi applications, like LSD-backed stablecoins, inherit these risks. If an LSD de-pegs, the stablecoin may break its peg as well.
Best Practices: Map out dependency graphs. Understand the risks of protocols you integrate with. If building on LSDs, model scenarios where the token trades at a discount or withdrawals are halted. Incorporate circuit breakers to pause operations if price deviations exceed set thresholds.
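The added Python example below (not the code of any lending protocol) models the stETH/ETH leverage loop from this section and the price at which it is liquidated, then adds the integrator-side circuit breaker. The loan-to-value and liquidation-threshold figures and the position sizes are constructed assumptions.

```python
# Added example: leverage-loop liquidation price and an integrator circuit
# breaker. LTV, liquidation threshold and position sizes are constructed.


def leverage_loop(initial_steth, ltv, loops, price=1.0):
    """Run deposit -> borrow ETH (up to `ltv` of collateral value) -> swap
    into stETH at `price` -> deposit, `loops` times.
    Returns (collateral_steth, debt_eth)."""
    collateral, debt = float(initial_steth), 0.0
    for _ in range(loops):
        borrow = ltv * collateral * price - debt
        if borrow <= 0:
            break
        debt += borrow
        collateral += borrow / price     # borrowed ETH swapped into more stETH
    return collateral, debt


def liquidation_price(collateral, debt, liq_threshold):
    """stETH price in ETH below which the position is liquidatable
    (health factor = collateral * price * liq_threshold / debt < 1)."""
    if debt == 0:
        return 0.0
    return debt / (collateral * liq_threshold)


def liquidation_ladder(loop_counts, ltv, liq_threshold):
    """Liquidation price of one position per loop count, highest first.
    Values clustered just below parity mean a small de-peg liquidates
    many positions at once, and their collateral is then sold into the
    same thin market."""
    ladder = []
    for loops in loop_counts:
        collateral, debt = leverage_loop(1.0, ltv, loops)
        ladder.append(liquidation_price(collateral, debt, liq_threshold))
    return sorted(ladder, reverse=True)


def liquidatable_at(ladder, price):
    """How many positions on the ladder are liquidatable at `price`."""
    return sum(1 for p in ladder if price < p)


def borrow_allowed(market_price, exchange_rate, withdrawals_open,
                   max_deviation_bps=200):
    """Integrator circuit breaker: refuse new borrows against the LSD when it
    trades more than `max_deviation_bps` away from its redemption value, or
    when the staking protocol has halted withdrawals (the arbitrage that
    restores the peg is then unavailable)."""
    if not withdrawals_open:
        return False, "LSD withdrawals halted"
    deviation_bps = abs(market_price / exchange_rate - 1) * 10_000
    if deviation_bps > max_deviation_bps:
        return False, f"market price {deviation_bps:.0f} bps from redemption value"
    return True, "ok"


if __name__ == "__main__":
    ladder = liquidation_ladder([1, 3, 10, 50], ltv=0.70, liq_threshold=0.75)
    for p in ladder:
        print(f"liquidated below {p:.4f} ETH")
    for price in (0.97, 0.94, 0.92):
        print(f"at {price:.2f} ETH: {liquidatable_at(ladder, price)} positions liquidatable")
```

With a 70% loan-to-value and a 75% liquidation threshold, a fully looped position (3.33 stETH of collateral against 2.33 ETH of debt) is liquidated once stETH trades below about 0.933 ETH, right around the level the June 2022 episode reached; a ten-loop position goes at about 0.925. That clustering is the cascade: a dip of a few percent liquidates the most leveraged tier, whose forced sales push the price into the next tier. The `borrow_allowed` check is the simplest circuit breaker an integrator can put in front of that loop.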
9. Comprehensive Auditing and Economic Testing
Securing LSD systems requires more than a standard audit. It demands a full-stack risk review.
Threat Modeling: We enumerate critical flows like deposits, reward distribution, and validator management. We ask "what could go wrong?" regarding code bugs and logic flaws.
Edge Case Testing: We simulate scenarios such as extreme reward volatility, mass slashing, or 100% redemption requests. We analyze historical incidents and replay them in controlled environments.
Economic Assumptions: We pressure-test assumptions like "validators will behave honestly." We scrutinize parameters like bonding periods and oracle thresholds.
Best Practices: Engage security researchers early in the design phase. Use multiple layers of testing, including unit tests, integration tests, and formal verification for critical algorithms.
Conclusion
Securing LSDs involves securing smart contracts, economic models, off-chain infrastructure, and downstream integrations. Spearbit brings together experts in auditing, economic modeling, and protocol design to evaluate these platforms holistically. We pressure-test the entire mechanism to help teams harden their systems before users are at risk.
If you are building in this space and want to fortify your protocol's foundations, contact us to discuss your security needs.