DefiCare

Lido

About

Lido is a liquid staking protocol for Ethereum that allows users to stake any amount of ETH and receive stETH, a token that earns staking rewards while remaining liquid and usable across DeFi applications. It connects stakers with a diversified set of node operators who run Ethereum validators, eliminating the need for users to run infrastructure or meet the 32 ETH minimum. Beyond core staking, Lido Earn products (EarnETH and EarnUSD) deploy stETH across blue-chip DeFi protocols for additional reward opportunities.

Where Does Yield Come From?

How stETH earns yield

The stETH token gets its value from two kinds of Ethereum rewards that Lido's validators earn. Validators are the computers that run the Ethereum network.

1. Consensus Layer rewards — These are paid in newly created ETH. Validators earn them by doing the network's work: checking and confirming blocks of transactions, proposing new blocks, and joining sync committees.

2. Execution Layer rewards — These come from transaction activity. They include:

  • Priority fees (tips users add to get their transactions processed faster, including the part known as EIP-1559 tips)
  • MEV (Maximal Extractable Value) — extra value that block builders capture by ordering transactions strategically. This MEV is sent to Lido's Execution Rewards Vault, and both the node operators and stETH holders benefit.

How rewards reach stETH holders

All rewards are pooled together and shared among all stETH holders in proportion to their holdings through a daily rebase (around 12:30 UTC each day). A group of oracles (the AccountingOracle, using a 5-out-of-9 voting quorum) reports on validator performance: penalties, withdrawals, and rewards. An algorithm then adjusts the total stETH supply using a shares system, in which your stETH balance = your shares × (total pooled ETH ÷ total shares).

Fees taken from rewards

Lido takes a 10% protocol fee on staking rewards (this rate can change if the Lido DAO votes to update it). That 10% is split between node operators and the DAO Treasury. The split depends on the staking module:

  • Curated Module: 5% to node operators, 5% to the DAO
  • Community Staking Module (permissionless): 3.5% to node operators, 6.5% to the DAO

The fee is waived during periods when penalties exceed earned rewards (net negative rewards).

Important details about the tokens

  • stETH is a rebasing token — its balance changes automatically each day to reflect rewards.
  • wstETH is a non-rebasing version (a wrapper around stETH) designed for easier use in DeFi apps.

Lido Earn (extra yield on top)

Beyond core staking, Lido's EarnETH and EarnUSD products take pooled ETH or stETH and lend it to top DeFi protocols. This generates supplementary yield on top of the base staking rewards. These products have their own fee structures at the vault level.

Where it all comes from

All these yields come from Ethereum's native activity — newly issued ETH and transaction fees — not from inflation or extra token emissions by a protocol.

Audits

Audit / Date | Findings | Verdict
Sigma Prime (01-12-2020)
Findings: Critical 0, High 0, Medium 5, Low 8, Info 5
The audit identified 5 medium-risk findings (all resolved or closed), 8 low-risk findings (mostly addressed), and 5 informational items, with no critical or high-severity vulnerabilities, indicating that the core Lido contract logic was deemed secure for its v0.2.1 release, though residual design risks around oracle timing and DKG parameterization were acknowledged.
Quantstamp (04-11-2020 - 11-12-2020)
Findings: Critical 0, High 0, Medium 1, Low 2, Info 2
The audit found no high-risk vulnerabilities, and the single medium-risk issue (inability to withdraw until Eth2 phase 2) was acknowledged as a protocol-level constraint beyond the smart contract's control. With 7 of 14 issues resolved and all remaining items acknowledged with documented mitigation plans, the report indicates a reasonably secure codebase appropriate for its scope, though users must be aware of the Eth2 phase 2 dependency for withdrawals.
MixBytes (12-04-2021 - 26-04-2021)
Findings: Critical 0, High 0, Medium 4, Low 3, Info 0
The MixBytes audit identified no critical or major issues in the Lido Oracle contract, and all four warnings and three comments were either fixed or acknowledged by the Lido team, confirming the contracts are secure to use according to the auditor's criteria.
MixBytes (26-04-2021 - 14-05-2021)
Findings: Critical 0, High 0, Medium 2, Low 0, Info 5
The audit found no critical or major vulnerabilities; the two warnings and five comments were all either fixed or acknowledged by the Lido team, leading MixBytes to conclude the contracts are secure for use according to their criteria.
MixBytes (14-05-2021 - 24-05-2021)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 1
No critical or high-severity vulnerabilities were found; the single comment-level issue was remediated, and the auditors concluded the contract is secure to use according to their criteria.
MixBytes (20-05-2021 - 10-06-2021)
Findings: Critical 0, High 0, Medium 4, Low 0, Info 6
No critical or major vulnerabilities were found; the four warnings were either acknowledged, fixed, or deemed non-issues, and all comments were addressed by the Lido team. The smart contracts were considered secure to use according to MixBytes' security criteria.
MixBytes (06-07-2021 - 30-07-2021)
Findings: Critical 0, High 0, Medium 1, Low 0, Info 4
The audit found no critical or high-severity vulnerabilities, and all reported warnings and comments were either fixed or acknowledged, indicating the contracts are secure for use per MixBytes' criteria.
MixBytes (02-08-2021 - 04-08-2021)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
This audit found no vulnerabilities in the bETH vault contracts, meaning the code passed MixBytes' security review with a clean bill of health prior to deployment. The clean result, however, reflects the assessed scope at that time and should be considered alongside any subsequent audits for the evolving protocol.
MixBytes (18-08-2021 - 07-09-2021)
Findings: Critical 0, High 0, Medium 5, Low 0, Info 0
No critical or major issues were found in the wstETH contract, and all five warning-level findings were addressed (acknowledged or deemed non-issues) by the Lido team, resulting in a clean audit with the contracts assessed as secure for use.
MixBytes (03-08-2021 - 06-09-2021)
Findings: Critical 0, High 0, Medium 2, Low 1, Info 0
The audit confirms that all identified warnings were fixed and the single comment acknowledged, with no critical or major vulnerabilities found, so the Easy Track contracts are considered secure for use per MixBytes' assessment criteria.
MixBytes (10-09-2021 - 23-09-2021)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The audit found no critical or major vulnerabilities, and all warnings and comments were acknowledged by the Lido team with no fixes applied, indicating the contract's risk profile is low given its limited utility role as a rewards period mediator.
MixBytes (02-09-2021 - 01-10-2021)
Findings: Critical 0, High 1, Medium 4, Low 0, Info 4
The audit found no critical vulnerabilities; the single major issue (shared voteTime affecting active votes) was acknowledged with an operational plan rather than a code fix, and all warnings/comments were accepted to preserve interface conformance and minimize diff from the upstream Aragon Voting contract.
Sigma Prime (01-10-2021)
Findings: Critical 0, High 1, Medium 0, Low 3, Info 5
The audit found one resolved High-severity vulnerability (uninitialized implementation) that was fully mitigated by removing the upgradeability mechanism, while the three Low-severity and five Informational items were addressed or acknowledged; the Easy Track contracts were deemed safe for deployment after the remediations.
MixBytes (07-12-2021 - 25-01-2022)
Findings: Critical 0, High 1, Medium 4, Low 2, Info 0
The audit found no critical vulnerabilities; one major issue regarding Wormhole fee handling was acknowledged and later fixed, and all warnings and comments were acknowledged by the client with documented rationale, leaving no unmitigated security risks in the deployed contracts.
MixBytes (15-11-2021 - 07-02-2022)
Findings: Critical 0, High 1, Medium 5, Low 5, Info 0
The audit found zero critical issues, one major bug (fixed), and a handful of warnings and comments that were either fixed or acknowledged, confirming the stETH-AAVE integration contracts were safe for deployment after the remediations.
MixBytes (17-01-2022 - 28-02-2022)
Findings: Critical 1, High 0, Medium 1, Low 0, Info 1
The single critical vulnerability (front-running of burned shares) plus two lower-severity findings were all acknowledged and fixed by Lido, making the final audited code safe for deployment. The contracts are non-upgradable and non-ownable, reducing post-deployment risk.
MixBytes (15-10-2021 - 28-02-2022)
Findings: Critical 0, High 2, Medium 13, Low 0, Info 7
The audit identified no critical vulnerabilities, and both major findings were resolved before deployment, establishing a solid security baseline for the Deposit Security Module; residual warnings were either fixed or acknowledged by the Lido team without affecting the overall safety of the protocol.
Oxorio (04-05-2022)
Findings: Critical 0, High 1, Medium 2, Low 0, Info 9
Oxorio found zero critical issues and one major (high-severity) bug that was fixed; all 12 findings were resolved or acknowledged, and the report concludes the contracts are secure and ready for mainnet deployment.
MixBytes (19-05-2022 - 23-05-2022)
Findings: Critical 0, High 1, Medium 7, Low 7, Info 0
The audit found no critical vulnerabilities; the single High and most Medium/Low findings were fixed prior to mainnet deployment, with two minor items (excess stETH recovery and transferShares usage in wstETH) acknowledged due to upgrade constraints, indicating a reasonable security posture for the merge-ready Lido protocol.
MixBytes (25-05-2022 - 01-06-2022)
Findings: Critical 0, High 0, Medium 1, Low 9, Info 0
The audit confirmed no critical or high-severity vulnerabilities; the single medium issue was acknowledged as harmless, and all low issues were fixed or accepted by design, making the deployed two-phase voting contract safe for mainnet use.
ChainSecurity (23-08-2022)
Findings: Critical 0, High 0, Medium 0, Low 9, Info 0
The codebase demonstrates a high level of security with no critical, high, or medium vulnerabilities found; all nine low-severity findings were acknowledged or risk-accepted by the Lido team, and the report concludes that the protocol provides strong security for its staking functionality.
MixBytes (25-08-2022)
Findings: Critical 0, High 1, Medium 7, Low 7, Info 0
The deployed code matches the audited commit with all findings addressed, confirming that no critical vulnerabilities remain in the live Lido contracts covered by this compliance note.
Statemind (05-09-2022 - 09-09-2022)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 7
The audit concluded with no critical, high, or medium severity vulnerabilities; all 7 informational findings were either fixed or acknowledged, confirming the MEV-Boost relay allowlist contract was safe for mainnet deployment.
Statemind (12-09-2022 - 15-09-2022)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 4
No critical, high, or medium severity vulnerabilities were found; the four informational items were either fixed or acknowledged with reasonable rationale. The Insurance Fund contract is considered secure for its intended self-insurance custody purpose.
Statemind (19-09-2022 - 30-09-2022)
Findings: Critical 0, High 1, Medium 0, Low 0, Info 8
The audit identified one High-severity griefing vector that was acknowledged but not code-fixed, with operational mitigations in place; the remaining findings are informational code-quality issues or accepted design trade-offs, so the protocol can be considered safe to operate under active monitoring and with fallback governance mechanisms.
Statemind (24-01-2023 - 27-01-2023)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 5
The audit found no critical, high, or medium severity vulnerabilities, with only five informational issues identified — four of which were fixed and one acknowledged. The TRP Vesting Escrow contracts are considered safe for deployment based on this assessment.
ChainSecurity (03-01-2023 - 02-02-2023)
Findings: Critical 0, High 1, Medium 2, Low 10, Info 0
The audit found no critical or high-severity unresolved issues, and all major correctness problems were fixed during the engagement, indicating a robust codebase; the three remaining low-severity items are risk-accepted and slated for a future upgrade, which does not materially affect current protocol safety.
Findings: Critical 0, High 0, Medium 3, Low 2, Info 3
The audit found 8 issues (3 medium, 2 low, 3 informational) in Lido's dc4bc batch BLSToExecutionChange signing software, all of which were resolved or accepted by the development team, indicating effective remediation of the identified security concerns.
Hexens (06-02-2023 - 14-04-2023)
Findings: Critical 1, High 3, Medium 7, Low 5, Info 9
The audit identified a critical vulnerability in the Withdrawal Queue hint mechanism and three high-severity issues, all of which were fixed or acknowledged and validated before the V2 upgrade; the report concludes that overall security and code quality increased significantly after remediation.
MixBytes Camp (14-02-2023 - 21-03-2023)
Findings: Critical 0, High 1, Medium 3, Low 13, Info 0
The contest found no critical vulnerabilities and only one high-severity issue (replay of pause signatures), which was deemed acceptable by the sponsor given governance safeguards; the three medium and thirteen low findings were either fixed or acknowledged without material residual risk to Lido V2's core staking and withdrawal logic.
Statemind (20-03-2023 - 24-03-2023)
Findings: Critical 0, High 1, Medium 0, Low 0, Info 3
The audit identified one high-severity Vyper compiler bug that was fixed, and no critical or medium issues, indicating GateSeals were well-constructed for their emergency-pause purpose. The residual informational items are acknowledged design choices or low-risk concerns that do not compromise the protocol's safety in practice.
Certora (01-02-2023 - 25-04-2023)
Findings: Critical 2, High 5, Medium 10, Low 5, Info 1
The two critical and several high/medium issues were fixed by Lido before or during the audit engagement, while acknowledged items were accepted as design trade-offs or mitigated via governance controls, making the core contracts safe for deployment assuming honest oracle quorum and vigilant DAO governance.
Statemind (13-02-2023 - 28-04-2023)
Findings: Critical 2, High 8, Medium 17, Low 0, Info 93
The audit identified 2 critical and 8 high-severity issues, with most resolved before the final commit; the remaining acknowledged items carry mitigated risk under the protocol's staking-module trust model and DAO governance, making the upgrade safe for deployment as reviewed.
Statemind (13-04-2023 - 10-05-2023)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 14
The Statemind audit found zero critical, high, or medium severity vulnerabilities in the Lido V2 upgrade template; all 14 issues were informational and either fixed (7) or acknowledged (7) with mitigations, indicating the upgrade template is safe for its intended use.
Statemind (05-05-2023 - 10-05-2023)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The deployment validation successfully confirmed that all Lido V2 mainnet contract deployments match their audited source commits and are correctly configured, finding no discrepancies. The contracts were declared ready for upgrade with no residual validation issues.
Hexens (24-04-2023 - 01-05-2023)
Findings: Critical 0, High 0, Medium 0, Low 1, Info 1
The audit found no critical, high, or medium severity issues, confirming the Lido V2 Oracle codebase was in strong security standing at the time of review, with only minor test correctness and informational matters identified.
Findings: Critical 0, High 6, Medium 16, Low 4, Info 4
The audit identified no critical vulnerabilities and 6 major issues—all acknowledged by the Lido team with governance-mediated mitigations—indicating a robust security posture for the Lido V2 upgrade, though residual risks around governance, oracle dependence, and MEV dynamics remain by design.
Findings: Critical 0, High 3, Medium 3, Low 0, Info 2
The audit identified three MAJOR bunker-mode manipulation vectors and several WARNING-level issues, all acknowledged or fixed by the Lido team; no findings were left unaddressed, though the residual oracle-report manipulation risks for stETH-dependent protocols warrant continued monitoring.
Statemind (28-08-2023 - 20-10-2023)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
Statemind's roles analysis reveals a well-documented but highly centralized permission landscape where most critical-impact roles are ultimately gated by Aragon DAO voting (5% quorum), presenting residual governance-attack risk if an adversary accumulates enough LDO or exploits non-unique signer sets across multisigs; many unassigned critical roles further elevate the precautionary security surface.
Oxorio (18-10-2023)
Findings: Critical 0, High 0, Medium 2, Low 0, Info 7
The audit found no critical or high-severity vulnerabilities; the two warning-level issues are acknowledged/addressable design limitations rather than exploitable flaws, and informational items were either fixed or acknowledged. Overall the Easy Track contracts present a low security risk for deployment.
Pessimistic (28-11-2023 - 04-12-2023)
Findings: Critical 0, High 0, Medium 2, Low 3, Info 3
The audit found no critical or high-severity vulnerabilities; both medium-severity issues were either fixed or acknowledged with operational mitigations, and all low-severity issues were resolved, indicating good overall code quality for the Lido Stonks project.
Statemind (11-12-2023 - 24-12-2023)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 10
The audit found no critical, high, or medium severity vulnerabilities, and all 10 informational issues were either fixed or acknowledged, indicating a solid security posture for these EasyTrack factory contracts.
Ackee Blockchain (28-01-2024 - 05-02-2024)
Findings: Critical 0, High 0, Medium 1, Low 4, Info 4
No critical or high-severity issues were found; the single medium-risk finding (unsafe ERC20.approve) was fixed, and the remaining warnings were either resolved or acknowledged as acceptable design constraints for mainnet-only deployment with active operational monitoring.
Statemind (11-04-2024 - 11-04-2024)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The deployment validation passed with no issues — all deployed GateSeal contracts match their audited blueprints and are correctly configured for use on mainnet.
ChainSecurity (27-05-2024 - 18-06-2024)
Findings: Critical 0, High 0, Medium 0, Low 1, Info 1
The audit concluded that the LIP-23 Negative Rebase Check codebase provides a high level of security with no major issues uncovered; all identified findings were resolved during the engagement through either code corrections or specification changes.
Ackee Blockchain (18-03-2024, 28-03-2024, 27-06-2024, 01-07-2024)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 4
No critical or high-risk vulnerabilities were found across both audit rounds; all 10 Warning-level items were either fixed or acknowledged by Lido, and 3 of 4 Informational items were resolved, indicating the Simple Delegation contracts were deemed safe for deployment with residual design concerns around delegation centralization and the outdated compiler version.
MixBytes (21-06-2024 - 23-07-2024)
Findings: Critical 0, High 0, Medium 0, Low 8, Info 0
The Sanity Checker audit found no critical, high, or medium severity vulnerabilities; only 8 low-severity observations were reported, half of which were fixed in re-audit while the remainder were acknowledged as minor. The contract's core logic for validating oracle report inputs is sound.
Ackee Blockchain Security (22-07-2024 - 23-08-2024)
Findings: Critical 0, High 0, Medium 0, Low 3, Info 2
No critical or high-severity issues were found; the codebase was described as 'very solid' and all Low/Info findings were remediated, with the two acknowledged Warning items representing acceptable design trade-offs given the existing DAO governance controls.
Findings: Critical 0, High 0, Medium 1, Low 8, Info 14
The audit found no critical or high-severity issues; the single medium-severity finding (M1) was fixed, and all other findings were either resolved or acknowledged, indicating sound contract-level security for the CSM launch. Residual design risks remain tied to off-chain service correctness and the absence of EIP-7002, as acknowledged by Lido.
MixBytes (23-07-2024 - 07-10-2024)
Findings: Critical 0, High 0, Medium 10, Low 31, Info 0
The audit found no critical or high-severity vulnerabilities, and the 10 medium-severity issues were either fixed (4) or acknowledged by the Lido team with documented mitigations, indicating a solid security posture for the CSM contracts at the time of assessment.
MixBytes (23-09-2024 - 23-11-2024)
Findings: Critical 0, High 0, Medium 0, Low 3, Info 0
No critical, high, or medium severity issues were discovered; the three low-severity findings (two fixed, one acknowledged) indicate the Lido Oracle codebase was well-secured at the time of this engagement.
Certora (08-08-2024 - 05-09-2024)
Findings: Critical 2, High 6, Medium 11, Low 4, Info 10
All critical and high-severity findings were fixed, and the Certora Prover formally verified the core safety invariants of the Dual Governance contracts, making the protocol safe for deployment pending final configuration parameter review.
Certora (10-01-2025 - 07-02-2025)
Findings: Critical 0, High 0, Medium 4, Low 2, Info 0
The audit found no critical or high-severity issues; four medium and two low findings were identified, with most addressed via fixes or acknowledgment from the Lido team, and the formal verification confirmed key safety invariants of the Dual Governance system.
Certora (03-08-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
This hotfix review confirms that the targeted vulnerability in the rage quit extension period has been correctly patched with no side effects, and no additional bugs were found in the modified code.
Statemind (12-09-2024 - 25-10-2024)
Findings: Critical 0, High 0, Medium 4, Low 0, Info 42
The audit found no critical or high severity vulnerabilities; the 4 medium-risk items were either fixed or acknowledged with sound design rationale, and the 42 informational issues were largely resolved, indicating a well-scrutinized codebase ready for deployment.
Statemind (27-05-2025 - 05-06-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The deployment validation and script review confirm that the deployed Dual Governance contracts match the audited commit with correct parameters, and the launch service contracts align with specifications with no serious vulnerabilities found, meaning the deployment is safe to proceed from a verification standpoint.
Statemind (18-08-2025 - 19-08-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
This is a clean fix-review and deployment-validation report: the Escrow.sol patch remediated the target issue with no new vulnerabilities introduced, and all deployed contracts were verified to match the audited code. No residual risks were identified in the scope reviewed.
OpenZeppelin (06-01-2025 - 15-01-2025)
Findings: Critical 0, High 0, Medium 0, Low 3, Info 6
No critical, high, or medium severity vulnerabilities were found in the Lido Dual Governance update, with only three low-severity findings and six informational notes, all addressed (resolved or acknowledged) by the Lido team, indicating a well-secured codebase.
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
All formal verification properties for Lido's Dual Governance protocol passed, confirming that the contract logic correctly implements the intended state transitions, accounting, and access control under the assumptions modeled. This is a correctness assurance report, not a vulnerability audit, so no security findings were identified or disclosed.
Statemind (10-03-2025 - 10-03-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The deployment validation concluded successfully with all deployed GateSeal contracts matching their audited blueprint and containing correct parameters. No security findings were produced as this was a deployment correctness check, not a vulnerability assessment.
MixBytes (03-02-2025 - 17-03-2025)
Findings: Critical 0, High 0, Medium 1, Low 5, Info 0
The audit found no critical or high-severity vulnerabilities, and the sole medium-severity issue was fixed, so the Lido Oracle v5 codebase presents a solid security posture for deployment. One low-severity finding was acknowledged with acceptable rationale, posing negligible residual risk.
Findings: Critical 0, High 0, Medium 2, Low 3, Info 1
All identified medium-severity vulnerabilities were fully remediated, and the low-severity items were either fixed or acknowledged with documented mitigations, making the Lido Oracle V5 codebase safe for deployment pending continued monitoring of post-Pectra edge cases.
Composable Security (20-08-2025 - 22-08-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The consultation found no vulnerabilities introduced by the upgrade, and the fix is considered secure under the stated assumption that the KAPI `used` parameter reliably indicates keys deposited through the DSM module and controlled by the Node Operator.
Ackee Blockchain (12-09-2024, 12-10-2024, 14-10-2024, 08-04-2025)
Findings: Critical 0, High 0, Medium 1, Low 8, Info 14
The audit found no critical or high-severity vulnerabilities; the single medium-severity issue was fixed, and most findings were resolved or acknowledged. Residual risk rests on off-chain component correctness and the absence of EIP-7002, which Lido has mitigated through conservative bond sizing and limited module share allocation.
MixBytes (23-07-2024 - 08-07-2025)
Findings: Critical 0, High 0, Medium 10, Low 31, Info 0
The audit found no critical or high severity vulnerabilities, with all 10 medium and 31 low findings representing manageable risks; several medium issues were fixed during the engagement, and the core attack vectors were verified as secure, indicating a well-scrutinized codebase suitable for deployment.
MixBytes (24-03-2025 - 26-03-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
This audit found zero vulnerabilities across all severity levels, indicating the code was already well-hardened prior to the formal review through a preliminary specification review that addressed earlier improvement suggestions. No residual risks were identified for the audited contracts.
MixBytes (25-06-2025 - 15-07-2025)
Findings: Critical 0, High 0, Medium 0, Low 3, Info 0
The audit found no critical, high, or medium severity issues and all three low-severity findings were resolved, indicating that the Easy Track validator exit contracts are well-secured for deployment.
Composable Security (20-06-2025, 21-06-2025, 23-06-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The consultation found that the hotfix introduces no new exploitable vulnerabilities, but its security depends on proper node operator configuration and the fallback mechanism that reverts to the default vulnerable flow after a 15-minute bundle delay, meaning residual risk from the original front-running issue remains during extended delays.
Nethermind (16-06-2025 - 04-07-2025)
Findings: Critical 0, High 1, Medium 1, Low 1, Info 6
The audit found one High-severity under-constrained vulnerability that could inflate reported balances and DoS the oracle, along with Medium and Low issues — all were fixed before the final report, leaving no open critical or high-risk findings in the audited scope. The protocol's added zkOracle layer therefore represents a well-scrutinized addition to Lido's accounting infrastructure.
Code4rena (16-07-2025 - 11-08-2025)
Findings: Critical 0, High 0, Medium 0, Low 8, Info 0
The C4 competitive audit found no high or medium severity vulnerabilities, only low-risk and non-critical operational friction points, indicating the Lido CSM V2 codebase is well-constructed with respect to security.
MixBytes (09-09-2025 - 10-09-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The WstETH Staker contract passed the MixBytes security audit with zero findings — no vulnerabilities of any severity were identified, indicating a well-engineered, stateless, and immutable design. The clean result implies no residual security risk from the audited code scope.
Findings: Critical 0, High 0, Medium 0, Low 2, Info 9
The audit found no Critical, High, or Medium severity vulnerabilities, with all identified Low-to-Informational issues addressed or acknowledged, and the final review confirmed the project is ready for deployment.
Composable Security (09-06-2025 - 10-07-2025)
Findings: Critical 0, High 0, Medium 0, Low 2, Info 2
The audit found only 2 low-severity issues and 2 informational recommendations, with no critical, high, or medium findings; all findings were either acknowledged by the Lido team or implemented, indicating a clean security posture for the Oracle V6 upgrade.
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The fix correctly resolves the caching bug that prevented Accounting Oracle reports from being built; no other similar caching issues were found. This consultation was narrowly scoped to the specific fix and does not constitute a full security audit of the broader Oracle system.
MixBytes (22-07-2025 - 23-07-2025)
Findings: Critical 0, High 0, Medium 0, Low 0, Info 0
The audit found zero security vulnerabilities across all severity bands, indicating that the CSMSetVettedGateTree contract was well-designed with robust access controls and input validation at the time of review.
Findings: Critical 0, High 2, Medium 1, Low 3, Info 4
The two High-severity issues (deposits DoS and incorrect key accounting) were fully remediated in Revision 1.1, and subsequent review rounds (2.0 and 2.1) found no new vulnerabilities, confirming the CSM v2 codebase as safe and ready for mainnet deployment.
Statemind (06-06-2025 - 19-09-2025)
Findings: Critical 0, High 0, Medium 5, Low 0, Info 21
The audit found no critical or high severity vulnerabilities; the 5 medium findings were either fixed or acknowledged by the Lido team and do not pose an immediate threat to core protocol safety, and the 21 informational findings were largely resolved, indicating the Triggerable Withdrawals and CSM V2 codebase was in a strong security posture at the time of the final reviewed commits.
Certora (20-06-2025 - 08-01-2026)
Findings: Critical 7, High 14, Medium 29, Low 21, Info 13
The Lido V3 audit uncovered severe vulnerabilities—7 critical and 14 high—in vault accounting, access control, reentrancy, and cross-vault manipulation, all of which were fixed before deployment, substantially reducing the risk of fund loss or protocol insolvency. Residual acknowledged risks (e.g., smoothing ignoring bad debt, fee recipients absorbing bad debt) are design-level trade-offs that the Lido team has accepted, and the protocol benefits from strong remediation coverage (70 of 84 findings fixed).
Certora (20-06-2025 - 04-12-2025)
Findings: Critical 1, High 0, Medium 3, Low 5, Info 1
The Certora formal verification found 10 issues (1 critical, 3 medium), of which 6 were fixed and 4 acknowledged, with the critical locked-value-underflow bug resolved before deployment. The extensive suite of verified inductive invariants provides strong mathematical assurance for Lido V3's core safety properties under the stated assumptions and simplifications.
Certora (31-07-2025 - 10-12-2025)
  • Critical: 0
  • High: 2
  • Medium: 2
  • Low: 7
  • Info: 5
The two high-severity findings that could have caused oracle denial-of-service via negative fee values and event double-counting were both fixed, eliminating the most critical risks to the stVaults reporting pipeline; the remaining acknowledged items represent either low-likelihood edge cases or operational configurations not intended for mainnet use.
MixBytes (17-06-2025 - 14-01-2026)
  • Critical: 0
  • High: 1
  • Medium: 5
  • Low: 13
  • Info: 0
No critical vulnerabilities were found; the one high-severity finding (bunker mode timing) was acknowledged as low-likelihood with compensating off-chain monitoring, and most medium and low findings were either fixed during re-audit or accepted with reasoned justifications, reflecting a generally strong security posture for the Lido V3 upgrade.
MixBytes (23-07-2025 - 12-01-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 4
  • Info: 0
No critical, high, or medium vulnerabilities were identified, and all four low-severity findings were either fixed or acknowledged with operational mitigations, indicating the audited EVMScript factory code is safe for deployment within the Lido Easy Track governance framework.
Consensys Diligence (16-06-2025 - 14-11-2025)
  • Critical: 7
  • High: 0
  • Medium: 13
  • Low: 2
  • Info: 0
The audit revealed severe architectural vulnerabilities in Lido V3's staking vaults, particularly around quarantine logic, report reuse, and disconnect/reconnect flows, all of which were remediated during the fix-review; however, the report notes ongoing code complexity and recommends delaying production deployment with continued bug-bounty engagement.
Ackee Blockchain Security (02-12-2025 - 24-02-2026)
  • Critical: 0
  • High: 0
  • Medium: 1
  • Low: 2
  • Info: 14
The audit found no critical or high-severity issues; the single medium-severity flaw was resolved, and all other findings were fixed prior to mainnet deployment, with successful deployment verification confirming correct contract deployment.
MixBytes (20-12-2025)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 0
With zero critical, high, or medium issues and only one low-severity finding that was acknowledged rather than fixed, the LDO Revesting contract poses minimal security risk for its narrow, well-scoped operation, though the acknowledged missing validation could cause revert-on-error rather than a clear error message.
  • Critical: 0
  • High: 1
  • Medium: 2
  • Low: 0
  • Info: 3
The one high-risk and two medium-risk vulnerabilities were all fixed during retesting, and no critical issues were found, so the audited code in its final state does not introduce exploitable threats to the Lido protocol.
Sigma Prime (01-01-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 5
The audit identified one low-severity vulnerability and five informational items, all of which were resolved by the Lido team, leaving no open or high-risk issues in the BLS Library scope.
MixBytes (24-12-2025 - 30-12-2025)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 0
The audit found only one Low-severity issue (unprotected external functions, acknowledged) and no Critical, High, or Medium findings, indicating that the TwoPhaseFrameConfigUpdate contract is well-implemented with no exploitable security vulnerabilities in its current scope.
MixBytes (01-12-2025 - 29-01-2026)
  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 22
  • Info: 0
The audit found no critical or high severity vulnerabilities, with only 2 medium and 22 low severity findings, most of which were fixed during the engagement; the codebase demonstrates a solid architecture with good test coverage, and the residual acknowledged items represent acceptable design trade-offs rather than material safety risks.
Ackee Blockchain Security (05-12-2025, 27-01-2026, 02-02-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Info: 12
The Lido Vault Wrapper codebase was found to be well-written and thoroughly documented, with no critical, high, or medium severity vulnerabilities; all identified low-severity and informational issues were addressed through fixes or acknowledgments, and mainnet deployment was verified with an exact bytecode match.
Composable Security (04-02-2026 - 04-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 1
The audit yielded a clean result with no vulnerabilities found and one informational recommendation that was promptly implemented, posing minimal residual risk to protocol safety.
MixBytes (23-02-2026 - 11-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 7
  • Info: 0
The audit confirms the MellowStrategy implementation is production-ready with no critical or high-risk vulnerabilities; the two medium and most low findings were remediated before delivery, and the two acknowledged items present negligible operational risk.
MixBytes (25-06-2025 - 16-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 3
  • Info: 0
The audit found no critical, high, or medium severity issues, and all three low-severity findings were fixed, confirming a solid security posture for the Easy Track exit-request contracts. The re-audited authorization-gap fix further strengthens the access control guarantees.
Certora (18-03-2026 - 24-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 1
  • Info: 2
The audit found no critical or high-severity vulnerabilities; the single low-severity issue and one informational issue were remediated, while the remaining informational finding was acknowledged as an acceptable design risk. Overall the Lido V3 stVaults code appears in a secure state for the fix review scope.
MixBytes (19-03-2026 - 31-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The targeted fixes are well-motivated, correctly implemented, and introduce no new vulnerabilities; however, the reactive nature of the jail-based protection means governance must act promptly to prevent repeated exploitation of the fee-avoidance vector.
MixBytes (19-03-2026 - 20-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The audit found zero vulnerabilities across all severity bands, concluding the codebase is clean, well-structured, and the change is minimal and self-contained with no security issues identified.
  • Critical: 1
  • High: 1
  • Medium: 1
  • Low: 0
  • Info: 6
All identified issues were fixed or acknowledged by Lido, and the report concludes the contracts are secure and ready for mainnet deployment; the two higher-severity risks are mitigated by contract upgradability and role-based access controls.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 6
The audit found no critical or major vulnerabilities; the two warnings and six informational items were all acknowledged by the team, and the auditor concluded the contracts are secure per their criteria and ready for mainnet deployment.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Info: 3
The audit found no critical, high, or medium severity vulnerabilities in the Mantle L2 ERC20 Token Bridge, with only two low-severity items (acknowledged) and three informational suggestions (all resolved), indicating a generally sound security posture at the time of review.
Cantina (19-10-2023)
  • Critical: 1
  • High: 0
  • Medium: 5
  • Low: 8
  • Info: 6
All critical, medium, and low findings were either fixed or acknowledged by the zkSync team, with the most impactful issues (permissionless governance update, delegatecall removal, grace-period hardening) resolved before finalization. The review indicates a well-scoped, professional audit; residual risks are limited to trusted-actor assumptions (guardian, governance executor) and out-of-scope dependency updates.
Consensys Diligence (09-10-2023 - 11-10-2023)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 1
The audit found no security vulnerabilities — the sole finding was a trivial NatSpec labeling error, which was promptly remediated. The Linea Cross-Chain Governance Executor contracts pose minimal residual risk for Lido's cross-chain governance use case.
Consensys Diligence (30-11-2023 - 01-12-2023)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The audit found no security issues in the CustomBridgedToken contract, making it safe to deploy as reviewed provided the deployer follows the documented initialization steps correctly.
OpenZeppelin (10-07-2023 - 02-08-2023)
  • Critical: 1
  • High: 3
  • Medium: 1
  • Low: 9
  • Info: 19
The audit uncovered one critical reentrancy bug and three high-severity issues, with the most impactful ones (critical reentrancy and the address-collision fund-theft vector) resolved during the engagement; residual risks include acknowledged rate-limiter DOS exposure and ERC-721 token lock potential, but overall the codebase was found to be clear and well-documented by OpenZeppelin.
Zellic (16-01-2024 - 19-01-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 1
The audit found no material security vulnerabilities — the single informational finding was acknowledged and addressed by Scroll Foundation, leaving the Lido Gateway contracts with a clean security posture for deployment.
Ackee Blockchain (20-05-2024, 05-06-2024, 07-06-2024, 18-06-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Info: 13
The audit revealed no critical or high-severity vulnerabilities; the two Low-severity issues (token rate precision and event inconsistency) were fixed across revisions, and all Warning/Info items were either resolved or acknowledged, indicating a reasonably sound security posture for the stETH-on-Optimism bridging system.
MixBytes (23-04-2024 - 21-06-2024)
  • Critical: 0
  • High: 1
  • Medium: 1
  • Low: 18
  • Info: 0
The audit found one high-severity insolvency risk and one medium-severity rounding issue, both fixed during reaudit, alongside 18 low-severity items resolved or acknowledged; the report concludes the contracts are secure with no remaining critical issues.
Cantina (18-07-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This is a deployment verification report, not a security audit; it confirms the wstETH contracts on Mode are bytecode- and storage-equivalent to the proven Base implementation with only expected network-specific parameter differences. No security vulnerabilities were identified in this verification exercise.
MixBytes (02-04-2024 - 04-07-2024)
  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 11
  • Info: 0
The audit found no critical or high-severity vulnerabilities, and both medium-severity issues were acknowledged with acceptable mitigations, indicating the Lido a.DI protocol is well-secured for cross-chain governance message delivery on BSC.
Oxorio (01-08-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The deployment verification confirms that contracts deployed on BNB match their audited source code counterparts on Ethereum, with bytecode differences limited to expected immutable-value substitutions. The main residual concern is incomplete documentation for some initialization parameters, which does not indicate active vulnerabilities but reduces transparency for external reviewers.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This deployment verification report confirms that Lido's wstETH contracts on BNB Chain were deployed correctly and match the audited source code, with only minor expected bytecode differences due to immutable variables and compiler versions. No security vulnerabilities were identified, and the single recommendation (R-1) pertains to source verification formatting rather than any code defect.
Quantstamp (23-09-2024)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This deployment verification audit confirmed that all deployed wstETH bridge contracts on Zircuit exactly match their audited code and proposal specifications, with zero findings identified. The engagement provides strong assurance that the deployment was correctly executed as intended with no security discrepancies.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The deployment verification confirms that the Lido wstETH Starknet deployment aligns with prior audit remediations and follows expected role model and state configurations, though the unverified L2 token contract and the absence of native pause and ERC-2612/EIP-1271 support represent transparency and functional gaps worth monitoring.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This deployment verification confirms that all Lido stETH contracts on Soneium were deployed correctly with bytecode matching the audited versions, proper initialization, and correctly assigned roles, with no new vulnerabilities identified.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
This deployment verification by MixBytes confirms that all Lido stETH contracts on Unichain match their audited code, are correctly initialized with proper role assignments, and that Unichain's faster block times pose no risk to the protocol's operation.
MixBytes (21-04-2025)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The deployment verification confirms that all wstETH contracts on Lisk match their audited versions, are correctly initialized, and have proper role assignments with no identified security issues relevant to this deployment.
Cantina (04-03-2026 - 05-03-2026)
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 0
The PR 85 fix review confirmed that the patch correctly addresses the prior claimFailedDeposit vulnerability, and no new issues were identified, indicating the fix is sound for the scoped contract.
  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 0
  • Info: 9
The audit found no security vulnerabilities in the PR#69 changes for Lido on Polygon; all 9 findings were informational recommendations focused on code clarity and best practices. The contracts are considered safe from a security standpoint.
  • Critical: 0
  • High: 0
  • Medium: 14
  • Low: 0
  • Info: 93
Oxorio found no critical or major vulnerabilities; the 14 medium-severity warnings were all fixed by the Lido on Polygon team, and the report concludes the contracts are secure for mainnet deployment.

Legal

Legal form

Decentralised Autonomous Organisation (DAO); interface maintained by a community of contributors (no disclosed incorporated entity)

Registration jurisdiction

Cayman Islands (stated as governing law and deemed base of the Interface in Terms of Use); no entity name or registration number disclosed

Status and notes

The lido.fi Interface Terms of Use (last updated Dec 19, 2025) state that the Interface is "deemed to be based solely in the Cayman Islands" and that Cayman Islands law governs the Terms. The operators are described as "a community of contributors" (Interface maintainers) with no revenue model or business plan; no named company, foundation, or other legal entity is disclosed as the operator. The Lido protocol itself is governed by the Lido DAO (an Aragon-based DAO on Ethereum using LDO governance tokens). A Privacy Notice is published (last updated Oct 23, 2025) referencing GDPR/UK ICO standards. Contact email: [email protected]. No imprint/disclosure page exists (/imprint returns 404). No registry number, foundation name, or statutory seat is disclosed on any page examined.