security
Security
How is Stader secure?
Stader takes multiple steps to keep the user funds safe
- Continuous review and testing of all code
- Regular audits of smart contract (2 completed by Halborn and Immunebytes)
- Integrated with Forta to monitor smart contract health on-chain
- Bug Bounty ($250k) on Immunnefi
- Use of Multi-sig admin accounts for changing smart contract parameters
What are the risks of staking with Stader?
There exist a number of potential risks when staking MATIC using liquid staking protocols.
Smart contract risk Although the Stader code is thoroughly vetted and audited there exists a possibility of malicious users exploiting a vulnerability or a bug in the contract or the Polygon platform
Wallet and downstream apps Wallets and third party apps may have to be used to access staking. Users should evaluate the security of the wallets and other third party apps independently, Stader does not hold any responsibility for the security of the wallets or third party applications used to access the staking solution
Exchange Rate Manipulation The MaticX to Matic exchange rate ensures that users get an appropriate amount of MaticX (when staking Matic) and Matic (when unstaking MaticX). If this value is manipulated by malicious users then MaticX holders could potentially be able to withdraw much higher Matic by unstaking through stader or mint MaticX for very low Matic (on stader) and then swap for higher Matic on exchanges
Does Stader have smart contract audits?
The Polygon smart contracts developed by Stader have been audited by Immunebytes and Halborn
- Here is the link to the Audit completed by Halborn
- Here is the link to the Audit completed by Immunebytes
What does the Stader contract admin control?
Stader's contracts for MaticX are controlled by a multi-sig account (0x91B4139A2FAeaCD4CdbFc3F7B1663F91a54be237) managed by the following parties. The confirmation count is 3 out of 5 signatures required
- Key 1 - Dheeraj B (https://www.linkedin.com/in/dheeraj-borra/ , Stader Labs Co-Founder)
- Key 2 - Sidhartha D (https://www.linkedin.com/in/siddoddipalli/ ,Stader Labs Co-Founder)
- Key 3 - DefiDad (@DeFi_Dad, Active Web3 Community Member)
- Key 4 - Accel Partners (@Accel, Venture Capital Firm)
- Key 5 - CA Aishwary (@Crypto_Wildwest, Marketing Lead at Polygon Network)
The responsibilities of the above multi-sig are as follows:
- setBotRoleAdmin (Admin for off-chain bots to update the exchange rate of MaticX periodically)
- setFeePercent (Set Stader's commission of the staking rewards. Set to 10% currently)
- setInstantPoolOwner (Set Stader's instant pool owner. Instant pool enables minting of MaticX on Polygon network)
- setValidatorRegistry (Set the address to point to the contract wrapper for validator operations)
- setFxStateRootTunnel (Set the Polygon root tunnel used for communication of exchange rate of MaticX/Matic from Ethereum onto Polygon)
- setVersion (Used for marking a version of code)
- PauseContract (Pause deposits, withdrawals, claims. Only meant to be used in critical situations)
- Upgrade Contracts (Only meant to be used in critical bug fixes)