StakeStone
About
StakeStone is a crypto-native neo bank providing self-custodied accounts with automated yield generation for both individual users and AI agents. The platform offers borderless payments, gasless transactions, and institutional-grade yield strategies through blockchain infrastructure, serving as a programmable financial network for the autonomous economy.
Where Does Yield Come From?
StakeStone's Yield Layer connects money on the blockchain with many different ways to earn returns — both inside decentralized finance (DeFi, or finance run by smart contracts) and through centralized finance (CeFi, or traditional crypto exchanges).
For assets like Bitcoin (BTC) and stablecoins that normally sit idle: yield is generated using "market-neutral" strategies — trades that aim to profit from small price differences without betting on market direction. These trades are run through institutional custodians like Ceffu and exchange partners such as Binance, OKX, and Bybit. Money is spread across special sub-accounts on those exchanges for executing the strategy, with regular performance reports and on-chain record-keeping.
For ETH assets: yield comes from staking (locking up ETH to help secure a blockchain) and restaking protocols like EigenLayer and Symbiotic, all handled through smart contract deployments.
The system creates yield-bearing tokens (STONEUSD, STONEBTC, STONE) that represent your share in the yield pools. Their exchange rates (called R-values) are updated weekly based on actual earnings, new deposits, withdrawals, and profit calculations.
Settlements happen on the blockchain with transparent net asset value (NAV) calculations and coordination across three layers:
- Layer 1 (main blockchain layer) — handles pricing and issuing tokens
- Layer 2 / appchains (faster secondary networks) — handles everyday user transactions
- Custodial / exchange layer — handles the actual yield-generating activity
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Quantstamp02-10-2025 - 09-10-2025 |
| The audit found no critical or high-severity vulnerabilities, with all identified low-severity issues fixed prior to the final report. The protocol's security posture appears robust, though operational complexities around withdrawal processing and oracle management require careful monitoring. |
Quantstamp02-10-2025 - 08-10-2025 |
| The audit identified 8 issues, all of low severity or informational, with 7 fixed and 1 acknowledged. The protocol demonstrates robust security practices with no high or medium severity vulnerabilities found. |
Quantstamp24-06-2024 - 12-07-2024 |
| Quantstamp's audit revealed no critical or high-severity issues, with all medium findings addressed; the protocol's main risks involve governance design choices and strategy manager privileges that have been mitigated or acknowledged. |
Quantstamp24-06-2024 - 12-07-2024 |
| The audit identified 11 findings with no critical or high-severity issues; all medium and lower findings were either fixed, mitigated, or acknowledged by the StakeStone team before the final report, indicating responsible remediation of identified risks. |
SlowMist07-12-2023 - 18-12-2023 |
| The audit revealed several high-severity design logic flaws, most of which were fixed, but acknowledged issues around governance centralization and parameter validation leave the protocol at a medium risk level. |
SlowMist07-03-2024 - 11-03-2024 |
| The audit uncovered two high-severity logic errors and one medium-risk authority issue, all of which were either fixed or acknowledged, but the project remains at medium risk because core administrative permissions are still centralized and not yet under community governance. |
SlowMist07-03-2024 - 11-03-2024 |
| The audit uncovered two high-severity logic flaws that were fixed before deployment, but centralised governance retains excessive authority, resulting in a medium-risk rating until community control is implemented. |
SlowMist06-05-2024 - 07-05-2024 |
| The audit identified one high-risk and one medium-risk vulnerability, both of which were addressed prior to deployment, resulting in a medium-risk overall assessment due to residual centralization concerns. |
SlowMist24-06-2024 |
| The audit identified only low-severity and informational issues, all of which were fixed or acknowledged before deployment, indicating a relatively secure codebase for the staking strategies. |
SlowMist24-06-2024 - 24-06-2024 |
| The audit identified two low-risk and two suggestion-level issues, all of which were fixed or acknowledged before deployment, indicating a thorough review with no critical vulnerabilities remaining. |
SlowMist08-07-2024 - 08-07-2024 |
| The audit identified only one informational issue regarding ignored return values, which the project team acknowledged as low risk. The code passed the audit and was not yet deployed to mainnet at the time of the report. |
SlowMist08-07-2024 |
| The audit identified a single informational issue regarding ignored return values, which the project team acknowledged as low risk. No critical or high severity vulnerabilities were found, and the audit concluded with a pass. |
SlowMist09-10-2024 - 12-10-2024 |
| The audit revealed one high‑severity logic flaw and several medium‑risk issues, all of which have been addressed or acknowledged; however, the project remains at medium risk until administrative privileges are decentralized and the system is deployed on mainnet. |
SlowMist11-12-2024 - 12-12-2024 |
| The audit identified two medium-risk issues related to asset removal balance verification and excessive authority, both acknowledged by the team, plus one low-risk and two informational suggestions. Overall security posture is medium risk with privileged roles planned for multisig governance. |
SlowMist23-12-2024 - 24-12-2024 |
| The audit identified a critical design flaw that was fixed, leaving a medium-risk excessive authority issue to be managed via multi-sig governance, resulting in an overall medium-risk assessment for the SBTC Bera Vault. |
Secure318-03-2023 |
| The audit uncovered one critical vulnerability that would have prevented ETH withdrawals, along with several low-risk issues, all of which were fixed prior to deployment, resulting in a secure implementation. |
Secure314-08-2023 |
| The audit uncovered multiple critical logic flaws that could have resulted in asset loss, but the majority were fixed prior to deployment. However, residual medium-severity governance risks and acknowledged low-severity issues remain, requiring ongoing vigilance. |
Secure314-08-2023 |
| Unable to review the audit findings due to access restrictions; the report's contents remain unknown. |
Veridise08-12-2023 - 15-12-2023 |
| The audit identified a critical reentrancy vulnerability that was fixed, along with several medium and low-severity issues; the protocol team acknowledged all findings, reducing residual risk. |
QuantStamp03-09-2024 - 06-09-2024 |
| The audit identified one medium-risk depeg vulnerability and several lower-severity issues, all acknowledged by the client; the test suite remains underdeveloped and the protocol relies on LayerZero's security for cross-chain operations. |
SlowMist30-08-2024 - 03-09-2024 |
| The audit revealed one high-severity denial-of-service vulnerability and a medium-severity excessive privilege risk, both acknowledged; however, the protocol remains at medium risk until administrative controls are transferred to a multisig or community governance. |
SlowMist09-10-2024 - 12-10-2024 |
| The audit revealed several design and implementation issues, including a high‑severity pricing flaw and medium‑risk oracle validation gaps, all of which were addressed or acknowledged before mainnet deployment, resulting in a medium‑risk overall assessment. |
SlowMist28-03-2025 - 01-04-2025 |
| The audit identified medium-risk privilege escalation concerns where minting and burning roles could arbitrarily manipulate veSTO token supply; all other tested vulnerability classes passed. StakeStone DAO's contracts exhibit controlled centralization risks but no critical security flaws in the audited scope. |
Legal
Legal form
Company (Cayman Islands)
Registration jurisdiction
Cayman Islands
Status and notes
Operating entity disclosed as StakeStone, a Cayman Islands company and its subsidiaries in Privacy Policy. Terms of Service and Privacy Policy available in documentation.