Thunderhead

Introduction

Thunderhead Labs developed stHype, a modular liquid staking protocol enabling networks to deploy Ethereum-grade LST ecosystems with decentralized operator sets, deep liquidity, and instant staking rewards. Supports governance, non-custodial staking, and price aggregation for efficient LST trading.

Why Did They Need an Audit?

Given the complexity of liquid staking mechanisms and the critical role they play in managing user funds, Thunderhead Labs sought a comprehensive security audit to identify potential vulnerabilities, particularly related to delegation and staking logic, as well as token minting and burning processes.

Scope of the Engagement

• Team: 2 auditors - 6 days

Key Objectives:

• Assess potential reward loss during unstaking and delegation operations.
• Identify vulnerabilities related to minting, burning, and token inflation.
• Evaluate safe delegation management to prevent disruptions in staking cycles.
• Ensure robust handling of staking and unstaking events to avoid DoS risks.

Results and Findings

Notable Low-Severity Issue:

• Minting to Zero Address: The mint function did not prevent minting to the zero address, posing an inflation attack risk. The function was updated to revert when called with a zero address.

In conclusion

The Three Sigma audit of stHype identified key issues in minting security. Addressing these vulnerabilities has strengthened the protocol's reliability and user trust, ensuring efficient staking and secure token operations.