Code4rena Security Assessment
Security Assessment Report
MicroStrategy Staking Protocol Liquid Staking Program
October 25, 2023
Summary
The Code4rena team (formerly Soteria) was engaged to do a thorough security analysis of the MicroStrategy Staking Protocol Liquid Staking Program athttps://github.com/ms-staking/liquid-staking-program.
The initial audit was done on the source code of the following version:
• Contract “microstrategy staking protocol”:
o commit 4b5a6c60016ddefd1126755253f5269b557221bd
The review revealed 13 issues. The team responded with a second version for the post-audit review to see if the reported issues were resolved. The audit was concluded on commit 1bd5133d3198c0af05a0952d1ca8cd0d1e19fad6, which is the version with all fixes applied to be deployed.
Table of Contents
1. Result Overview ........................................................ 3
2. Findings in Detail ..................................................... 4
Appendix: Methodology and Scope of Work .................. 21
1 | Result Overview
MicroStrategy Staking Protocol Liquid Staking Program
Issue Impact Status
[L-1] split_stake_account rent not returned in some cases - Low - Resolved
[L-2] min_stake and slots_for_stake_delta validation in initialization - Low - Resolved
[L-3] Add validator without approval - Low - Resolved
2 | Findings in Detail
[L-1] split_stake_account rent not returned in some cases
In some crank instructions, a newly initialized stake account, split_stake_account, is used during the operation. However, in some cases where this account is not used, the rent fee is not returned to the bot or user calling this crank. Malicious users might be able to construct specific scenarios to trigger the bots and consume the bot's balance, potentially enabling a DoS attack.
/* programs/microstrategy staking protocol/src/instructions/crank/deactivate_stake.rs */
063 | #[account(init, payer = split_stake_rent_payer, space = std::mem::size_of::<StakeState>(), owner = stake::program::ID, )]
Appendix: Methodology and Scope of Work
The Code4rena (formerly Soteria) audit team, which consists of Computer Science professors and industrial researchers with extensive experience in Solana and Ethereum smart contract security, program analysis, testing, and formal verification, performed a comprehensive manual code review, software static analysis, and penetration testing.
Assisted by the Code4rena Scanner developed in-house, the audit team particularly focused on the following work items:
• Check common security issues.
• Check program logic implementation against available design specifications.
DISCLAIMER
The instance report ("Report") was prepared pursuant to an agreement between Coderrect Inc. d/b/a Code4rena (the "Company") and MicroStrategy Staking Protocol (the "Client"). This Report solely includes the results of a technical assessment of a specific build and/or version of the Client's code specified in the Report ("Assessed Code") by the Company.
ABOUT
Founded by leading academics in the field of software security and senior industrial veterans, Code4rena (formerly Soteria) is a leading blockchain security company that currently focuses on Solana programs and Ethereum smart contracts. We are also building sophisticated security tools incorporating static analysis, penetration testing, and formal verification.
For more information, check out our website and follow us on twitter.