Bug Bounty Comp | Lido V3

Build Commands, Test Commands, and How to Run Them

https://github.com/lidofinance/core/blob/feat/vaults/CONTRIBUTING.md

Is this an upgrade of an existing system? If so, which? And what are the main differences?

Lido V3 represents a fundamental expansion of the Lido staking protocol through the introduction of Staking Vaults (stVaults) – isolated vault contracts that enable specialized staking arrangements between stakers and node operators. stVaults allow stETH to be minted not only from the main Lido pool but also from ETH held in these external contracts. All stVaults are coordinated and monitored by a central VaultHub contract that ensures proper collateralization and operational health.

The upgrade implements EIP-7002 support for triggerable withdrawals for stVaults, enabling more flexible exit mechanisms for staked ETH.

To handle the increased complexity of managing multiple isolated vaults, the oracle system has been significantly enhanced with a "Lazy Oracle" design that reports vault-specific data and processes updates asynchronously rather than requiring synchronous updates for all vaults simultaneously, improving scalability and reducing on-chain overhead.

New Node Operator Predeposit Guarantee mechanism addresses deposit frontrunning vulnerabilities by requiring node operators to pre-commit their deposit data on-chain before actual deposits occur. This system includes on-chain BLS signature verification to cryptographically validate the deposit credentials, ensuring that operators cannot substitute malicious validator keys at deposit time.

All new components – core protocol accounting upgrade, stVaults architecture, oracle enhancements, and predeposit guarantees are included within the competition scope.

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?

• Hoodi tokens:

  • [ERC20] stETH
    • https://hoodi.etherscan.io/token/0x3508A952176b3c15387C97BE809eaffB1982176a
  • [ERC20] wstETH
    • https://hoodi.etherscan.io/token/0x7E99eE3C66636DE415D2d7C880938F2f40f94De4
  • [ERC721] unstETH
    • https://hoodi.etherscan.io/token/0xfe56573178f1bcdf53F01A6E9977670dcBBD9186

• Mainnet tokens:

  • [ERC20] stETH
    • https://etherscan.io/token/0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84
  • [ERC20] wstETH
    • https://etherscan.io/token/0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0
  • [ERC721] unstETH
    • https://etherscan.io/token/0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1

Which chains and/or networks will the code in scope be deployed to?

• Ethereum Hoodi Testnet (chainId: 560048)
• Ethereum Mainned (chainId: 1)

What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)

Lido’s codebase can be found at

• Smart contracts: https://github.com/lidofinance/core/releases/tag/v3.0.0-rc.4
• Oracle: https://github.com/lidofinance/lido-oracle/releases/tag/7.0.0-beta.3

Documentation and further resources can be found on:

• Lido V3 Hoodi Testnet contracts: https://docs.lido.fi/deployed-contracts/hoodi
• Lido V3 Whitepaper: https://hackmd.io/@lido/B1NuB15-gx
• Lido V3 Technical Design: https://hackmd.io/@lido/stVaults-design
• Lido V3 — Design & Implementation Proposal
  • https://research.lido.fi/t/lido-v3-design-implementation-proposal/10665
• Risk Assessment Framework for stVaults
  • https://research.lido.fi/t/risk-assessment-framework-for-stvaults/9978
• Default risk assessment framework and fee parameters for stVaults
  • https://research.lido.fi/t/default-risk-assessment-framework-and-fees-parameters-for-lido-v3-stvaults/10504