Zilliqa

We express our gratitude to the Zilliqa team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

​Zilliqa's Delegated Staking system enables ZIL holders to participate in network security and earn rewards by delegating their assets to validator nodes.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are detailed.

• • Project overview is detailed

  • All roles in the system are described.

  • Use cases are described and detailed.

  • For each contract, all futures are described.

  • All interactions are described.

• Technical description is detailed.

• • Run instructions are provided.

  • Technical specification is provided.

  • The NatSpec documentation is sufficient.

Code quality

• The development environment is configured.

Test coverage

Code coverage of the project is 30.09% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• Interactions by several users are tested thoroughly.

• Not all branches are covered by tests.

The Delegated Staking system comprises several core smart contracts, each fulfilling specific roles to facilitate staking operations:​

• BaseDelegation.sol: This abstract contract serves as the foundation for staking functionalities. It defines common behaviors and structures that both liquid and non-liquid staking contracts inherit, ensuring consistency across different staking implementations.

• LiquidDelegation.sol: Extending from BaseDelegation, this contract implements liquid staking. Delegators receive a non-rebasing Liquid Staking Token (LST) proportional to their staked amount. The LST represents the staked ZIL and accumulates rewards over time. Delegators can transfer LSTs, providing liquidity, and redeem them to withdraw their stake along with accrued rewards.

• NonLiquidDelegation.sol: Also extending from BaseDelegation, this contract facilitates non-liquid staking. Delegators stake their ZIL without receiving transferable tokens. Instead, they can manually claim their rewards periodically and withdraw their principal stake after a specified unbonding period.​

• NonRebasingLST.sol: This contract manages the Liquid Staking Tokens issued in the liquid staking model. As a non-rebasing token, its supply remains constant, but its value appreciates over time, reflecting the accrued staking rewards.

• WithdrawalQueue.sol: This library handles the queuing mechanism for stake withdrawals. It ensures that withdrawal requests are processed in an orderly manner, adhering to the protocol's unbonding periods.

Privileged roles

NonRebasingLST.sol:

• Owner (LiquidDelegation contract):

• • Can mint tokens to any address, reflecting deposits/stakes.

  • Can burn tokens from any address, reflecting withdrawals/unstakes.

BaseDelegation.sol(shared privileges for both NonLiquidDelegation & LiquidDelegation):

• Owner:

• • Can upgrade contracts (_authorizeUpgrade).

  • Can add validators to staking pools (_addToPool).

  • Can set commission rates (setCommissionNumerator).

  • Can set commission receiver addresses (setCommissionReceiver).

LiquidDelegation.sol:

• Owner:

• • Can deposit ZIL directly into validator pools (depositFromPool).

  • Can onboard validators into the pool (joinPool).

  • Can stake accrued rewards from the contract balance (stakeRewards).

  • Can collect outstanding commissions (collectCommission).

NonLiquidDelegation.sol:

• Owner:

• • Can deposit ZIL directly into validator pools (depositFromPool).

  • Can onboard validators into the pool (joinPool).

  • Can collect outstanding commissions (collectCommission).

The scope of the project includes the following smart contracts from the provided repository: