DESCRIPTION
The target of this audit is the code repository of the pufETH Contracts from the Puffer Finance. Puffer is a decentralized native liquid restaking protocol (nLRP) built on Eigenlayer. It makes native restaking on Eigenlayer more accessible, allowing anyone to run an Ethereum Proof of Stake (PoS) validator while supercharging their rewards. Puffer's mission is to define a new industry standard for secure validator operations, with the primary objective of preserving the decentralization of Ethereum.
The pufETH Contracts serve as a native liquid restaking token. Before the mainnet launch of Puffer, users could deposit stETH into the PufferVault and receive pufETH in return. In the protocol, three different multisignature wallets control sensitive operations via the Timelock contract. These operations include modifying system configurations, suspending core contract functionality, depositing user-deposited stETH into EigenLayer, and initiating withdrawals from EigenLayer and Lido.
The core contracts covered in this audit include PufferDepositor, PufferVault, Timelock and DeployPuffETH in the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we did not find any critical issues within the audited codebase. However, we have identified some non-critical issues that should be addressed. Additionally, we have put forth recommendations to further strengthen the code logic, along with notes that should be taken into consideration. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 1 potential issues in the smart contract. We also have 4 recommendations and 4 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Low | Potential txHash conflicts in the Timelock contract's pending queue |
Software Security | Fixed |
| 2 | - | Remove duplicated code | Recommendation | Fixed |
| 3 | - | Revise the compiler version | Recommendation | Fixed |
| 4 | - | Add a sanity check on newPauser |
Recommendation | Fixed |
| 5 | - | Revise the inconsistent access controls on deposit logic | Recommendation | Fixed |
| 6 | - | Potential risks of MEV attacks | Note | - |
| 7 | - | Ensure the standard implementation of accessManager |
Note | - |
| 8 | - | Necessity to implement a fair EigenLayer airdrop distribution mechansim |
Note | - |
| 9 | - | Ensure no stETH tokens remain in the PufferDepositor contract |
Note | - |
More details are provided in the audit report.