
Diligence

Liquid Collective aims to meet high standards of excellence for operations and service by acting with accountability, urgency, and integrity. We recognize the importance of protecting participants' security when using the protocol, and understand that security is paramount to maintaining participants' trust.




Code audits

Liquid Collective has engaged independent security firms including Spearbit, Quantstamp, and Halborn to perform security audits of the protocol. Every protocol feature deployed to mainnet has previously been reviewed by at least one of those teams. View all audits

Vulnerability disclosure policy

We welcome the community to review the Liquid Collective protocol's code and report any bug or security vulnerability discovered. View the policy


Security and audit announcement process 

Any key product or security announcements, including the publication of code audits and security reviews, will be communicated promptly on Liquid Collective’s X profile along with the Liquid Collective Updates newsletter. In addition, Liquid Collective’s code audits and security reviews are published on the Security Audits page of this site and in the code repository.

Compliance

Liquid Collective was designed from the start with a regulatory-focused mindset. Liquid Collective is the only decentralized liquid staking protocol that requires KYC/AML on all participants interacting with the protocol directly, ensuring known staking counterparties and limiting the surface area for direct attacks on the protocol's smart contracts.

The LsETH user agreement is contractually structured as a bailment, offering a clear legal framework for staking activities. And, at its core, the protocol is built with a direct staking model, designed to expand direct staking through liquid staking tokens (LSTs), which represent legal and beneficial ownership of a staker's tokens and any network rewards the tokens accrue.

Read permissioning docs

Risks & mitigations


Smart Contract Risk

The Liquid Collective protocol is a layer of code written on top of the Ethereum Deposit contract. Similar to any protocol providing a service, there is a potential for code vulnerabilities that are missed by third-party auditors.

LIQUID COLLECTIVE’S MITIGATION STRATEGY

Relative to a DeFi lending protocol, where the entire TVL is held in smart contracts, the Liquid Collective smart contracts only hold value as it flows through to the ETH Deposit contract. Additionally, multiple third-party service providers have been engaged to conduct audits of the protocol’s code. In addition to conducting third-party audits, the strategy to deliver multi-chain liquid staking involves collaborating with existing liquid staking technology providers and leveraging their already battle-tested code.


Slashing Risk

As is the case in all proof of stake networks, validators may be penalized for failing to perform their job efficiently. This most commonly results from validator downtime and from a double signing event.

LIQUID COLLECTIVE’S MITIGATION STRATEGY

Part of Liquid Collective’s strategy to provide a secure and enterprise-grade liquid staking solution involves conducting sanctions checks on the protocol’s active validator set. Liquid Collective leverages the support of security-focused Node Operators that institute best practices, including multi-cloud, multi-region infrastructure, technical support teams, and security posturing (including double-sign protection).

Although the protocol’s validator set consists of prominent Node Operators, in the event that a slashing event occurs the protocol provides a robust Slashing Coverage Program, including Nexus Mutual cover, to mitigate the risk of Node Operator failures and network outages. This Slashing Coverage is provided to every LsETH holder via the LsETH user agreement.


Risk of Hack

A significant risk would be a hack where the minting functionality for LsETH is compromised.

LIQUID COLLECTIVE’S MITIGATION STRATEGY

Protocol activity, such as LsETH supply updates, will be monitored and analyzed. In case of any anomalies, a first incident response plan will be executed to remedy the issue, which may result in pausing the protocol to temporarily disable all types of activities.



→ Read the Litepaper

Security FAQs


What are the risks of using LsTokens on a layer 2 (L2) network, DeFi platform, or any unaffiliated third-party integration?

Participation in any onchain solution comes with the risks associated with its smart contracts and/or technology stacks. Some of the participation risks to consider include:

  • Smart contract vulnerabilities: Even audited protocols can have undiscovered bugs or vulnerabilities.
  • Impermanent loss: When participating in liquidity marketplaces, if secondary market rates move significantly, liquidity providers may face lower returns when exiting the pool.
  • Bridging risks: Moving tokens between chains and networks involves smart contracts and external oracles. Issues in bridge, interoperability protocol, or L2/network infrastructure could lead to delays, disruptions or even loss of assets.
  • LsToken redemption: Though a bridge may be live to move LsTokens to an L2, that does not mean that LsToken Platforms have added support for minting/redeeming LsTokens natively on that L2. In that case, a user who wants to redeem their LsToken for its staked token will need to bridge the LsToken back to mainnet first, which could result in delays. Unless Liquid Collective has explicitly stated that a Platform has added native L2 mint/redeem support, users should assume that LsToken minting and redemptions can only be completed on mainnet.

Liquid Collective encourages everyone to understand these risks and perform their own due diligence before participating with LsTokens on any L2 or DeFi platform. All third-party integrations are subject to their own terms of service. Please review their security measures and terms of service prior to using their solutions.

You can learn more about how the security and risk considerations for liquid staking differ from other technologies, like DeFi platforms, and the ways that Liquid Collective is built to meet high security standards, in our post here.


Where is the staked ETH custodied?

Liquid Collective is non-custodial. Ethereum deposited to Liquid Collective is custodied by the Ethereum deposit contract.


Where are withdrawal keys and validator keys (public and private) held?

The Liquid Collective protocol sets a validator's withdrawal credentials to the Liquid Collective Withdrawal contract address when the protocol initiates a deposit transaction for the validator. Once set, this withdrawal address can't be changed, as governed by the Ethereum protocol when setting a Type 1 (0x01) address.

Validator public addresses are submitted to the Liquid Collective Node Operators Registry. Validator private keys are owned and securely managed by the Node Operators.
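
The following check is an added example, not code from Liquid Collective: it audits a list of validators and flags any whose withdrawal credentials are not Type 1 (0x01) credentials pointing at an expected withdrawal contract. The 32-byte layout (prefix `0x01`, 11 zero bytes, 20-byte address) comes from the Ethereum consensus specification; the expected address, validator names, and credential values are constructed placeholders.

```python
# Added example. All addresses and credentials are constructed sample values,
# not real Liquid Collective data.
EXPECTED_WITHDRAWAL_ADDRESS = "0x" + "ab" * 20  # placeholder address


def parse_withdrawal_credentials(cred_hex):
    """Return (prefix_byte, address_or_None); raise ValueError if malformed."""
    body = cred_hex[2:] if cred_hex.lower().startswith("0x") else cred_hex
    raw = bytes.fromhex(body)  # raises ValueError on non-hex input
    if len(raw) != 32:
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    prefix = raw[0]
    if prefix == 0x01:
        # Type 1: 0x01 || 11 zero bytes || 20-byte execution address
        if raw[1:12] != b"\x00" * 11:
            raise ValueError("non-zero padding in 0x01 credential")
        return prefix, "0x" + raw[12:].hex()
    return prefix, None  # any other type carries no execution address here


def audit(validators, expected_address):
    """Return (name, reason) for every validator that fails the check."""
    findings = []
    expected = expected_address.lower()
    for name, cred in validators:
        try:
            prefix, addr = parse_withdrawal_credentials(cred)
        except ValueError as exc:
            findings.append((name, f"malformed: {exc}"))
            continue
        if prefix != 0x01:
            findings.append((name, f"not Type 1 (prefix 0x{prefix:02x})"))
        elif addr != expected:
            findings.append((name, f"unexpected address {addr}"))
    return findings


SAMPLE_VALIDATORS = [  # constructed inputs
    ("validator-a", "0x01" + "00" * 11 + "ab" * 20),             # passes
    ("validator-b", "0x01" + "00" * 11 + "cd" * 20),             # wrong address
    ("validator-c", "0x00" + "11" * 31),                         # not Type 1
    ("validator-d", "0x01" + "00" * 10 + "ff" + "ab" * 20),      # bad padding
    ("validator-e", "0x01" + "00" * 11 + "ab" * 19),             # 31 bytes
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_VALIDATORS, EXPECTED_WITHDRAWAL_ADDRESS):
        print(name, reason)
```
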


How do KYC and Allowlisting functionalities work for the Liquid Collective protocol?

Liquid Collective has partnered with exceptional third party providers to conduct audits on the KYC review process of participating LsETH Platforms. Once approved, KYC’d users of participating Platforms can be Allowlisted to deposit to Liquid Collective. Learn more in the permissioning documentation here.


Where is Liquid Collective’s validator infrastructure located? Does Liquid Collective have pentesting reports, or data center physical access controls?

Liquid Collective’s Service Providers include Node Operators running the protocol’s validator infrastructure. Liquid Collective does not run validator infrastructure, but delegates the task to a set of operators. Part of Liquid Collective’s strategy to provide a secure and enterprise-grade liquid staking solution involves conducting sanctions checks on the protocol’s active validator set. Liquid Collective leverages the support of security-focused Node Operators that institute best practices, including redundant infrastructure, technical support teams, and security posturing (including double-sign protection). You can learn more about the individual compliance resources of the distributed Node Operators supporting Liquid Collective, including any physical access control statements, on their respective websites.


Where can I view Liquid Collective’s change management and application security statements?

Liquid Collective’s Service Providers include teams providing development and technological services to the Liquid Collective, collaborating in the development of Liquid Collective’s liquid staking offering. Liquid Collective's Service Providers ensure the smooth functioning of the protocol for a seamless and secure Ethereum staking experience. You can learn more about the individual compliance resources of the distributed Service Providers supporting Liquid Collective on their respective websites.

