Potential Risks
DISCLAIMER // NFA // DYOR
This analysis is based on observations of the contract behavior. We are not smart contract security experts. This document aims to explain what the contract appears to do based on the code. It should not be considered a comprehensive security audit or financial advice. Always verify critical information independently and consult with blockchain security professionals for important decisions.
⊙ generated by robots | curated by humans
| METADATA | VALUE |
|---|---|
| Contract Address | 0x0000000000BB8A44A568Ff0a9ef0E7fc20768E22 (Etherscan) |
| Network | Ethereum Mainnet |
| Analysis Date | 2026-04-14 |
Overview
A risk assessment was conducted against the LidoHarvester contract as part of the broader contract analysis. The assessment examined trust assumptions, economic vectors, centralization characteristics, complexity surface area, and external dependencies across the verified Solidity source code (~100 lines, 15 functions).
The contract is a single-owner Lido stETH yield harvester with a permissionless keeper entry point, a mutable swap target holding unlimited stETH approval, an optional post-call balance condition, and an EIP-1153 transient-storage reentrancy flag. Each of these surfaces was evaluated independently.
Findings Summary
The assessment identified 12 findings across four severity tiers and five risk categories. No critical-severity issues were found. The findings concentrate on the single-owner trust model, the unlimited stETH approval held by the mutable target, and the unrestricted nature of the owner's withdraw() calldata — all consistent with the contract's self-custodial design.
| SEVERITY | COUNT |
|---|---|
| Critical | 0 |
| High | 3 |
| Medium | 3 |
| Low | 2 |
| Informational | 4 |
| CATEGORY | FINDINGS |
|---|---|
| Centralization | 4 |
| External Dependency | 1 |
| Economic | 2 |
| Complexity | 3 |
| Trust Assumption | 2 |
Report Availability
The detailed findings for this assessment are not publicly available at this time. The full report includes specific descriptions of each finding, affected code paths, severity justification, and suggested questions for contract owners and integrators.
If you are the contract owner, an integrator, or a security researcher with a legitimate interest in the full findings, you are welcome to request this portion of the report (no guarantees).