Demand surge for $16b Ether staking raises ‘mass slashing’ and code bug risks

Deposits to Ether liquid staking protocols have soared this year.
  • Demand for Ethereum liquid staking is soaring.
  • But some are worried that the risks have been downplayed amid the euphoria.
  • Bugs in protocol code or a ‘mass slashing event’ could threaten the $16 billion liquid staking market.

Liquid staking protocols, a term for protocols enabling Ether staking, have quickly become the biggest sector in DeFi, topping $16 billion worth of deposits in May.

But unlike staking Ethereum directly, using liquid staking protocols presents unique risks in the form of protocol code bugs or a “mass slashing event.”

Around 42% of all staked Ether is staked through liquid staking protocols like Lido and Rocket Pool. And since the start of the year, the amount of Ether deposited into these protocols has jumped 43% to over $16 billion.

But with such a colossal amount of money being pumped into liquid staking, some are worried that the dangers associated with such protocols have been downplayed amid the euphoria.

“Liquid staking protocols are getting hyped so much,” Pascal Caversaccio, an independent security researcher, told DL News. “There are new projects entering the space that simply want to capitalise on this hype and thus make compromises on code quality.”

“Changing one single line of code can make a protocol vulnerable, but too few understand this until it hurts,” Caversaccio said.

Currently over $39.8 billion worth of Ether is locked up in Ethereum’s staking contract earning its holders around 5% annually. Another $5.5 billion worth is queued up to start staking.

The April Shapella upgrade of Ethereum greatly reduced the risks associated with Ether staking. That’s because before Shapella, many potential stakers worried that they may never be able to withdraw their Ether after staking it. But now that they can, demand for staking, an activity that not only enhances the security of the Ethereum network but also provides participants with lucrative returns, has surged.

Bugs in the code

Liquid staking protocols are subject to the same kinds of code-related risks that have cost other DeFi protocols billions of dollars. Just last year, hackers stole an eye-watering $3.2 billion by targeting the lucrative sums deposited into DeFi protocols. Many exploits were the result of vulnerabilities in DeFi protocol code.

To reduce the possibility of code-related bugs, protocols hire crypto security firms to audit their code. The hope is that these firms will catch vulnerabilities before the protocol launches and lets users deposit their assets.

“We’ve noticed a massive influx of requests to review liquid staking protocols over the past couple of months, which indicates how competitive this space is about to become,” Mehdi Zerouali, co-founder and director of blockchain security firm Sigma Prime, told DL News.

Zerouali said he’s “glad development teams understand the importance of external security reviews,” but said he wishes that projects would also “invest more time and resources into thorough internal end-to-end testing.”

“The biggest risk is that someone mints liquid staking tokens without depositing and then redeems them,” Sebastian Banescu and Joseph Xu, two executives at crypto insurance provider Chainproof, told DL News in a joint statement.

Such an exploit could occur if a hacker finds a crafty way to exploit a vulnerability in a protocol’s code. The hacker could then exchange these fake tokens for real Ether, draining users’ funds in the process.

So far that hasn’t happened. But that doesn’t mean it can’t happen. Auditing doesn’t guarantee that there are no shoddy lines of code that could let in a malicious actor.

And it’s not just the liquid staking protocols themselves that could be affected.

As staking deposits balloon, DeFi protocols building on top of liquid staking protocols — dubbed LSDFi — are also attracting attention. If the underlying protocol is hacked, any additional protocols that use its liquid staking tokens may also be in danger.

‘A mass slashing event’

However, according to Zerouali, the biggest code-related risks with liquid staking protocols may come not from opportunistic hackers but from the Ethereum network itself. “An obvious risk that comes to mind is a mass slashing event,” he said.

“Slashing” refers to the Ethereum network taking away some Ether from validators who either act maliciously, or don’t do their job correctly, like being offline when they should be checking transactions. It’s a way Ethereum keeps its system safe by punishing those who don’t follow the rules.

Liquid staking protocols run thousands of validators to stake depositors’ Ether. Zerouali said that a bug or misconfiguration with a protocol’s validators could cause the network to slash all their validators for not reporting transactions properly.

“Liquid staking protocols have the potential to amplify the damages that would occur,” he said. Such an event would burn a large portion of a liquid staking protocol’s Ether. If the slashed amount were large enough, the protocol’s liquid staking tokens would no longer be backed by enough Ether, likely causing them to plummet in value.

Buying insurance

One way DeFi protocols can offset some of the risks associated with slashing is through buying insurance. While the market for DeFi insurance is still in its infancy, many newer, smaller protocols are choosing to buy cover to protect themselves.

But according to Banescu and Xu, many liquid staking protocols choose not to. “We don’t see a lot of liquid staking protocols buying any insurance themselves,” they said. “They typically leave it up to their users to decide if they want to buy.”

Lido, currently the biggest liquid staking protocol with over $12 billion of deposits, previously bought insurance against slashing. However, members of Lido’s DAO voted to drop the coverage in 2021. Posts on the Lido governance forum show many voters felt the cost of the insurance — estimated at 25% of Lido’s revenue — was excessive.

Other liquid staking protocols may also struggle to find insurance at the right price. Because DeFi is relatively new, it’s difficult for insurance providers to price risk accurately — even more so in the rapidly evolving sector of liquid staking protocols.

However, Swell, a newer liquid staking protocol launched in April, may be an outlier in this regard. Daniel Dizon, Swell founder and CEO, told DL News that in addition to its code audit, the protocol is working towards obtaining insurance to cover user deposits against slashing. As an extra precaution, the protocol also requires its validator operators to post collateral in case they get slashed.

While insurance can afford users additional peace of mind, for many, rigorous code checking through audits is still the best defence.

“Go with the protocols that have published audit reports,” Caversaccio said, although he also noted that even with an audit, there is “no 100% security guarantee.”