
Methodology

DISCLAIMER // NFA // DYOR

This analysis is based on observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.

⊙ generated by robots | curated by humans

METADATA
Contract Address 0x00000000...768E22 (etherscan)
Network Ethereum Mainnet
Analysis Date 2026-04-13

Overview

Analysis proceeded top-down from verified source because the contract is Exact-Match verified on Etherscan. We confirmed verification status, pulled the full source and ABI, read current on-chain state via cast, decoded recent transactions to understand real-world usage, and mapped each external or configurable dependency to a labelled address. The contract is small (~100 lines, 15 functions), so the analysis relied primarily on reading the source, with on-chain reads used to corroborate the storage layout and the observed operational intent.

Thought Process

%%{init: {'theme': 'base'}}%%
mindmap
  root((LidoHarvester Analysis))
    Source
      Verified on Etherscan
      GitHub repo z0r0z/lido-harvester
      README
    On-Chain State
      Owner EOA
      Target - Curve stETH/ETH
      Asset - ZORG
      Holder - Gnosis Safe
      staked basis
      slipBps
    Mechanisms
      Basis-counter yield
      Transient reentrancy flag
      Packed slipBps + owner
      CREATE2 vanity deployment
      Infinite stETH approval
    Risks
      Sole-owner custody
      Unlimited target approval
      Unrestricted withdraw calldata
      tx.origin constructor
      No events on state changes
      No oracle in slippage
    External Deps
      Lido stETH - hardcoded
      target - mutable
      asset + holder - mutable

Verification Guide

Analysis used Etherscan's v2 API for source, ABI, creation metadata, and transaction history; Foundry's cast for on-chain reads; and direct reading of the authoritative Solidity source to avoid inferring behavior from comments.

External Resources


Commandline Tools

Tip

The commands below use cast from the Foundry toolkit. Before running them, set the RPC URL environment variable (the curl commands additionally read your Etherscan key from ETHERSCAN_API_KEY):

export ETH_RPC_URL=https://eth.llamarpc.com

Verify deployment metadata

Used to confirm verification, compiler version, and creator details.

# FETCH VERIFIED SOURCE METADATA
curl -s "https://api.etherscan.io/v2/api?chainid=1&module=contract&action=getsourcecode\
&address=0x0000000000BB8A44A568Ff0a9ef0E7fc20768E22&apikey=$ETHERSCAN_API_KEY"

# FETCH CREATION TX AND DEPLOYER
curl -s "https://api.etherscan.io/v2/api?chainid=1&module=contract&action=getcontractcreation\
&contractaddresses=0x0000000000BB8A44A568Ff0a9ef0E7fc20768E22&apikey=$ETHERSCAN_API_KEY"

Read current on-chain state

Used to populate the storage layout and related-addresses table.

C=0x0000000000BB8A44A568Ff0a9ef0E7fc20768E22

# READ EACH STORAGE-BACKED GETTER
cast call $C "staked()(uint256)"
cast call $C "slipBps()(uint16)"
cast call $C "owner()(address)"
cast call $C "target()(address)"
cast call $C "asset()(address)"
cast call $C "holder()(address)"

# READ ETH AND STETH BALANCES
cast balance $C
cast call 0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84 "balanceOf(address)(uint256)" $C

Identify configured addresses

Used to label target, asset, and holder with human-readable context.

# TARGET - IS A VYPER CURVE POOL
curl -s "https://api.etherscan.io/v2/api?chainid=1&module=contract&action=getsourcecode\
&address=0xDC24316b9AE028F1497c275EB9192a3Ea0f67022&apikey=$ETHERSCAN_API_KEY"

# ASSET - IS ZORG ("ZORG SHARES")
cast call 0x00a6bA94BBb5474725515De88fE04F854f2dCb12 "symbol()(string)"
cast call 0x00a6bA94BBb5474725515De88fE04F854f2dCb12 "name()(string)"

# HOLDER - IS A SAFE PROXY
cast code 0xd14a07B5c61dfBe050d98d41AC8Ce8A8075013aa | head -c 40
curl -s "https://api.etherscan.io/v2/api?chainid=1&module=contract&action=getsourcecode\
&address=0xd14a07B5c61dfBe050d98d41AC8Ce8A8075013aa&apikey=$ETHERSCAN_API_KEY"

Decode observed transactions

Used to verify that the contract is being operated as the README describes.

# LIST EXTERNAL TXS
curl -s "https://api.etherscan.io/v2/api?chainid=1&module=account&action=txlist\
&address=$C&sort=desc&apikey=$ETHERSCAN_API_KEY"

# INSPECT THE ONE HARVEST AND ONE WITHDRAW
cast tx 0x9b2aa0df9bafd0628630f8bb18852775b6cbc8383ce545f58c2c2d748552cbfb
cast tx 0x2bd2dd1b1bec6fedd68a239bc1d1da137e910300b7b02ed5c4526f9e66d943cf input

Confirm function selectors

Used to cross-check the functions table against bytecode.

for s in "staked()" "slipBps()" "owner()" "target()" "asset()" "holder()" \
         "transferOwnership(address)" "setSlippage(uint16)" "setTarget(address)" \
         "setCondition(address,address)" "deposit(uint256)" \
         "withdraw(address,uint256,bytes,uint256)" "stake(uint256)" \
         "withdrawStETH(address,uint256)" "harvest(bytes)"; do
  printf "%s  %s\n" "$(cast sig "$s")" "$s"
done

Token Cost Breakdown

PHASE     DESCRIPTION                                                                                  TOKENS
Phase 0   Obtain the Contract — fetch source, creation metadata, stored artifacts                       8 tok
Phase 1   Discovery & Understanding — source read, selector map, on-chain state, address labelling     14 tok
Phase 2   Deep Dive Analysis — per-function documentation, flow diagrams, bytecode cross-check         22 tok
Phase 3   Risk & Trust Analysis — risk enumeration and severity classification                        12 tok
Phase 4   Documentation Generation — all six output files, glossary, mkdocs, changelog                 24 tok
TOTAL     Complete Contract Analysis                                                                   80 tok

Note: Token costs are estimates based on typical conversation lengths and complexity. Actual consumption may vary by ±10-15% depending on API responses, iterative refinement, and verification steps.