Risk assessment for LBTC (Lombard Staked Bitcoin) on Ethereum, requested in issue #216 for use as Morpho collateral. Final score 2.75/5.0 (Medium Risk).

Native-BTC-backed Bitcoin LST staked via Babylon; verified onchain: 24h upgrade timelock, MINTER_ROLE limited to AssetRouter + BridgeV2, 12-of-16 consortium notary set, dual mint attestation via Bascule.

Key risks: off-chain custody, Babylon slashing, EOA timelock proposer, 2-of-11 pause multisig, modest DEX exit depth.

Several follow-up TODOs left in the report (audit findings, PoR specifics, custodian names, legal entity, mint caps, TVL-history modifier).

Refs #216
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Verified the open TODOs (most twice, on two RPCs):

- Mint caps: no per-epoch/supply cap. AssetRouter depositMinAmount(LBTC) = type(uint256).max (deposit() path disabled on ETH; mints via notary-gated batchMint), maxMintCommission = 68 sats (fee cap). BridgeV2 has configurable per-token/per-source-chain rate limits but Sherlock H-1 (bridge deposits not rate-limited) is acknowledged-won't-fix.
- PoR: confirmed onchain PoR address registry on Base (0xe7Ebc588...8018, impl `PoR`, Chainlink PoR-standard, 28,626 reserve addresses). ETH feeds are LBTC/BTC rate, not reserve-quantity.
- Audit findings: 3 acknowledged-won't-fix HIGH (Sherlock H-1/H-2/H-5; H-5 affects LBTC redeemability/accounting) + OZ M-01 Medium unresolved.
- Custody: no named third-party custodians; consortium notaries custody BTC via Cubist/CubeSigner HSM threshold (10-of-14 documented).
- Legal: Lombard Finance Ltd, Cayman Islands law.
- TVL: continuously >$500M since ~Oct 2024 (~19 months) per DefiLlama.
- Consortium discrepancy: onchain 16 keys/threshold 12 vs docs 14/10-of-14 (flagged, not reconciled).
- Third-party: Chaos Labs assessment found; no LlamaRisk/Steakhouse report.
- SEAL Safe Harbor: not adopted.

Score updated 2.75 -> 2.85 (Medium): Audits&Historical 1.75, Centralization 3.5 (unfixed bridge Highs), Funds 3.0, Liquidity 3.0, Operational 2.0. The -0.5 TVL-longevity modifier qualifies but is withheld given the unresolved High findings (noted for reviewer).

Refs #216
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…minter proxies, roles

Corrections from review (all re-verified onchain on RPC_1 and RPC_2):

- High: add Supply vs Reserves Reconciliation subsection. Circulating LBTC 10,252.5 (all chains; 9,003.0 verified onchain EVM) vs DefiLlama staked-BTC ~$961M (~12,700 BTC). Aggregate shows no under-backing but is an upper bound (bundles LBTCv/BTC.b); exact 1:1 sum of the 28,626 PoR addresses not reproduced -> "Unverifiable reserves" gate downgraded to PASS (qualified), Provability rationale updated, exact proof left as TODO.
- Medium: BridgeV2 IS rate-limited in the deployed contract (RateLimitsSet events configure ~100 LBTC / 3h per dest chain; source enforces RateLimits.updateLimit before mint). Corrected the "not throttled" claim; Sherlock H-1 reclassified as mitigated onchain (H-2/H-5 remain open).
- Medium: AssetRouter and BridgeV2 are upgradeable minter proxies. Added their ProxyAdmins (0xBf42...6754, 0x6B06...cbB1, both owned by the timelock) to the address table, governance, monitoring, diagram, and reassessment triggers.
- Low: deployer EOA is PROPOSER only (hasRole CANCELLER = false on both RPCs), not a canceller. Treasury Safe is 3-of-5 (was "3/N").
- Low: reworded "redeemable 1:1" to rate-based redemption (getRate ~1.0041) to match the value-accruing model.

Score: Centralization 3.5->3.33 (Programmability back to 3.0 since H-1 mitigated); final 2.85 -> 2.80 (Medium). -0.5 TVL modifier still withheld.

Refs #216
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Risk assessment for LBTC (Lombard Staked Bitcoin) on Ethereum, requested in #216 for evaluation as Morpho collateral.
reports/report/lombard-lbtc.md

LBTC is the largest BTC liquid-staking token (~$973M staked-BTC backing). BTC is staked via Babylon; LBTC is a non-rebasing, value-accruing token (getRate() ≈ 1.0041).

Verified onchain (May 26, 2026; key reads double-checked on two RPCs)

- 0x8236a87084f8B84306f72007F36F2618A5634494 (TransparentUpgradeableProxy → StakedLBTC), Ethereum supply 8,717 LBTC.
- LombardTimeLock (24h) owns ProxyAdmin and holds DEFAULT_ADMIN_ROLE.
- MINTER_ROLE limited to two upgradeable protocol contracts: AssetRouter + BridgeV2 (ProxyAdmins 0xBf42…6754 / 0x6B06…cbB1, both owned by the timelock). No AssetRouter supply cap; BridgeV2 mint path is rate-limited onchain (~100 LBTC / 3h per destination chain via RateLimitsSet).
- PAUSER_ROLE = 2-of-11 Gnosis Safe.
- Timelock: Treasury Safe (3-of-5) = proposer/executor/canceller; deployer EOA = proposer only (not canceller, verified).
- PoR registry on Base (0xe7Ebc588…8018, Chainlink PoR-standard) lists 28,626 BTC reserve addresses. ETH oracle feeds report LBTC/BTC rate, not reserve quantity.

Review corrections (2nd pass, re-verified on two RPCs)
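The "double-checked on two RPCs" role reads above (MINTER_ROLE on the token, PROPOSER/CANCELLER on the timelock) can be reproduced with a short script. The following is an added example, not code from the report, Lombard or Morpho. It builds the eth_call payload for hasRole(bytes32,address), derives role ids by the OpenZeppelin convention (role id = keccak256 of the role name, DEFAULT_ADMIN_ROLE = 0x00; assumed to hold for StakedLBTC and LombardTimeLock), and records a result only when every RPC agrees. Only the LBTC proxy address comes from the report; the timelock address, deployer EOA, RPC URLs and all responses are constructed placeholders, with one deliberately inconsistent CANCELLER answer to exercise the disagreement path.

```python
# Added example (not the report's or Lombard's code). Non-report addresses,
# RPC URLs and responses are constructed placeholders.
MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]   # rho offsets r[x][y]


def _rotl(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def _keccak_f1600(a):
    """Keccak-f[1600] on 25 lanes indexed a[x + 5*y] (theta, rho/pi, chi, iota)."""
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rotl(a[x + 5 * y], ROT[x][y])
        a = [b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & MASK & b[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]
        a[0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Ethereum Keccak-256 (0x01 pad), not NIST SHA3-256; included so this runs offline."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(s.to_bytes(8, "little") for s in state[:4])


def role_id(name: str) -> str:
    """OpenZeppelin AccessControl convention (assumed for the Lombard contracts)."""
    if name == "DEFAULT_ADMIN_ROLE":
        return "0x" + "00" * 32
    return "0x" + keccak256(name.encode()).hex()


def selector(signature: str) -> str:
    return keccak256(signature.encode())[:4].hex()


def has_role_call(contract: str, role: str, account: str) -> dict:
    """JSON-RPC eth_call payload for hasRole(bytes32,address) at the latest block."""
    data = ("0x" + selector("hasRole(bytes32,address)")
            + role[2:].lower().rjust(64, "0")
            + account[2:].lower().rjust(64, "0"))
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": data}, "latest"]}


def reconcile(results: dict):
    """Decode one bool per RPC; return (agree, value). Disagreement is never recorded."""
    distinct = {int(hexval, 16) != 0 for hexval in results.values()}
    if len(distinct) != 1:
        return False, None   # re-read on fresh endpoints before writing the finding
    return True, distinct.pop()


def check_role(contract, role_name, account, rpcs, fetch):
    """fetch(url, payload) -> hex result; the same read is issued to every RPC."""
    payload = has_role_call(contract, role_id(role_name), account)
    return reconcile({url: fetch(url, payload) for url in rpcs})


LBTC = "0x8236a87084f8B84306f72007F36F2618A5634494"   # StakedLBTC proxy, from the report
TIMELOCK = "0x" + "11" * 20                            # placeholder for LombardTimeLock
DEPLOYER = "0x" + "22" * 20                            # placeholder for the deployer EOA
RPCS = ["https://rpc-1.example", "https://rpc-2.example"]   # placeholder endpoints
TRUE32, FALSE32 = "0x" + "0" * 63 + "1", "0x" + "0" * 64


def constructed_fetch(url, payload):
    """Constructed stand-in for an HTTP JSON-RPC POST: PROPOSER true on both RPCs,
    CANCELLER answered inconsistently on purpose to show the disagreement path."""
    calldata = payload["params"][0]["data"]
    if role_id("PROPOSER_ROLE")[2:] in calldata:
        return TRUE32
    if role_id("CANCELLER_ROLE")[2:] in calldata and url == RPCS[1]:
        return TRUE32
    return FALSE32


def demo():
    return {r: check_role(TIMELOCK, r, DEPLOYER, RPCS, constructed_fetch)
            for r in ("PROPOSER_ROLE", "CANCELLER_ROLE")}


if __name__ == "__main__":
    for role, (agree, value) in demo().items():
        print(f"{role}: agree={agree} value={value}")
```

To run it against live endpoints, replace constructed_fetch with a function that POSTs the payload to each RPC and returns the "result" field; anything where the endpoints disagree should be re-read rather than written into the report.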
Key risks
Scoring note
Base weighted score 2.80. The −0.5 TVL-longevity modifier qualifies (TVL >$500M continuously since ~Oct 2024, ~19 months) — applying it gives 2.30 (Low Risk) — but it is withheld given the three unresolved High findings. Reviewer may choose to apply.
TODO status (verified this round)
Resolved: mint caps, PoR registry, audit findings, custody model, legal entity (Lombard Finance Ltd, Cayman), TVL history, consortium count (flagged discrepancy: onchain 16/12 vs docs 14/10), third-party coverage (Chaos Labs; no LlamaRisk/Steakhouse), SEAL Safe Harbor (not adopted).
Remaining open (low priority): identity of the 2 extra onchain notary keys; future remediation tracking of the H-findings; exact Cayman incorporation record; reserve-reconciliation cadence.
Closes #216
🤖 Generated with Claude Code