Security Risks for Staking Providers

By Silvia Barredo and Daejun Park

Over the past eight months, a series of companies have undergone smart contract security audits with Runtime Verification. These companies have something in common: they are staking providers operating in the DeFi ecosystem.

This blog post aims to explain some common mistakes, patterns and aims to create awareness about security threats affecting staking providers and other DeFi projects.

DeFi, a paradise for hackers

Over the past year and a half, DeFi has experienced exponential growth with more than 2.9 million users at the time of writing this blog post, and it doesn’t show any signs of slowing down.

Many DeFi projects have been born in the past few years, and with that, a new opportunity for users to play with their tokens and earn money in different ways such as staking, yield farming, providing liquidity, etc.

If we think about it, this scenario is a boiling pot for disaster if projects are not careful with their security. Many projects are created in a rush to get to market and don’t consider security one of their main priorities.

Even if that’s not the case for most projects, the ratio is high enough to negatively impact how the community (and especially outsiders) perceives the ecosystem. Just think about how many times you have read news about a compromised project on Twitter.

There are many new projects with tons of tokens stored on their contracts, and that’s attractive for anyone with bad intentions. If a hacker finds a way to penetrate the contract through a bug or a vulnerability, it’s payday.

Staking providers in the DeFi ecosystem

One of the ways users can make passive income from their tokens is through a staking provider. For those who aren’t familiar with the term, staking is the process of actively participating in transaction validation on a proof-of-stake blockchain. A minimum amount of tokens and hardware is often needed to be a validator, making it inaccessible for most users. Staking providers take care of everything, and you, as a user, can stake any amount and get rewarded without worrying about anything else.

Like any other platform, some security risks are involved when using a Staking Provider. Suppose you are a user willing to participate. In that case, your tokens must be deposited in the platform’s contract, which translates to losing total control of your tokens for a period of time.

Because of this, projects providing staking services must have security as one of their main priorities. Some ways for projects to ensure a maximum level of security are smart contract audits, testing, formal verification, an in-house security team, and bug bounties. Another way to improve security is to consult different experts and not settle, for example, with just one audit from one company.

Although the more security techniques a project applies, the more protected the project it’s going to be; there is no way to guarantee if a code is free of vulnerabilities. For those wanting to go the extra mile to protect their users, insurances against smart contract failures are a good option.

Security recommendations for staking providers

Our team at Runtime Verification has carried out a series of security audits on staking providers such as StakerDAO, StakeWise and Stakefish. Instead of just listing concrete results found during the audits, we are going to explain common mistakes in DeFi projects and staking providers. But first, let’s take a look at the methodology approach followed by our team to make the audits as thorough as possible:

Runtime Verification’s team has encountered a series of continuous mistakes and vulnerabilities when conducting audits on staking providers and DeFi projects. For those working on a DeFi project, double-check your code, take a look at the following potential vulnerabilities and how to avoid them:

These are just some common mistakes, but there are countless vulnerabilities that a project can face, and its users and the community will cherish any efforts towards improving the overall security. Remember, it’s never too late to step up your game.

About Runtime Verification

Runtime Verification is a technology startup based in Champaign-Urbana, Illinois. The company uses runtime verification-based techniques to perform security audits on virtual machines and smart contracts on public blockchains. It is dedicated to using its dynamic software analysis approach to improve the safety, reliability, and correctness of software systems in the blockchain field.

Originally published at