I want to stake ETH with Trezor and I see that the partner is everstake.
This is the contract address of everstake:
0xd523794c879d9ec028960a231f866758e405be34
If I try to analyze the contract with a security tool, it seems there is a Proxy contract detected. I have used aegisweb3, for example, and it tells me:
This contract is an Admin Upgradeability Proxy. The proxy contract means the contract owner can modifiy the function of the token and could possibly effect the price.There is possibly a way for the team to Rug or Scam. Please confirm the details with the project team before buying.
From what I have understood this is normal for a staked contract, but I want to ask the community for another opinion.
Many thanks
1 Like
I think your question is very important.
Are there any staking smart contracts that are designed in such a way that the staking provider can’t steal the funds?
If not, then doesn’t it all fall under “not your keys, not your coins”?
1 Like
I think so, but it seems that nobody is answering me.
In the meantime I have discovered that Everstake is a Ukraine company.
So what happens if Ukraine will not exist anymore? And how much is affordable a company located in a country in war?
The presence of an Admin Upgradeability Proxy in Everstake’s staking contract suggests that the contract is upgradable, meaning the contract owner or admin has the ability to modify its functionality. This is a common feature in staking and DeFi protocols, as it allows for improvements, bug fixes, and upgrades without requiring users to migrate funds to a new contract.
What Does This Mean for Security?
- Pros:
  - It allows the contract to be updated if vulnerabilities or inefficiencies are found.
  - It enables future improvements without disrupting users’ funds.
- Cons:
  - If the admin key is compromised or the project is malicious, they could alter the contract in a way that could be harmful (e.g., rug pull, changing withdrawal mechanics, blocking withdrawals, etc.).
  - Trust is required in the Everstake team to act in good faith and not introduce harmful updates.
Should You Be Concerned?
- Normal for Staking? Yes, many staking services use proxy contracts for flexibility.
- Risk Level? The risk comes from the trust in Everstake. If they have a transparent history, audits, and governance mechanisms, the risk is lower. If the admin keys are centralized or controlled by a single entity, the risk is higher.
- What You Can Do:
  - Check if the contract has been audited (by reputable firms like Certik, Trail of Bits, etc.).
  - Look at Everstake’s reputation (any past issues, reviews from other users).
  - See if the proxy is controlled by a multisig (which reduces the risk of a single point of failure).
  - Verify governance mechanisms (Is there a DAO or some user control over changes?).
Final Thoughts
It is not inherently a scam but does introduce a level of trust risk. If Everstake is well-established, reputable, and has clear security measures, the risk is lower. However, if they have full control over upgrades without checks and balances, then it’s riskier.
(from chatgpt)
2 Likes
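One way to check who holds the upgrade rights mentioned in the answer above, as an added example that is not part of any post in this thread. It assumes the proxy follows the EIP-1967 storage layout (the thread does not say which proxy pattern this contract uses); `rpc` is a hypothetical JSON-RPC caller, and all addresses in the sample data are constructed.

```python
# Added example: classify who controls upgrades of an EIP-1967 proxy.
# Slot constants come from EIP-1967: keccak256("eip1967.proxy.<name>") - 1.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO = "0x" + "00" * 20

def slot_to_address(word):
    """Addresses sit right-aligned in the 32-byte slot: keep the low 20 bytes."""
    return "0x" + word[2:].rjust(64, "0")[-40:].lower()

def inspect_proxy(rpc, proxy):
    """rpc(method, params) -> result; any JSON-RPC caller (assumed interface)."""
    impl = slot_to_address(rpc("eth_getStorageAt", [proxy, IMPL_SLOT, "latest"]))
    admin = slot_to_address(rpc("eth_getStorageAt", [proxy, ADMIN_SLOT, "latest"]))
    if impl == ZERO:
        verdict = "no EIP-1967 implementation slot set: not this proxy pattern"
    elif admin == ZERO:
        verdict = "no EIP-1967 admin: upgrade rights, if any, live in the logic"
    elif rpc("eth_getCode", [admin, "latest"]) in ("0x", "0x0"):
        verdict = "admin is a plain key (EOA): one key can replace the logic"
    else:
        verdict = "admin is a contract: review it (ProxyAdmin, multisig, timelock?)"
    return {"implementation": impl, "admin": admin, "verdict": verdict}

def fake_rpc(storage, code):
    """Constructed offline stand-in for a node, so the example needs no network."""
    def call(method, params):
        if method == "eth_getStorageAt":
            return storage.get((params[0], params[1]), "0x" + "00" * 32)
        if method == "eth_getCode":
            return code.get(params[0], "0x")
        raise ValueError(method)
    return call

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte storage word."""
    return "0x" + "00" * 12 + addr[2:]

# Constructed sample data (not real on-chain values).
PROXY, LOGIC, OWNER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
storage = {(PROXY, IMPL_SLOT): pad(LOGIC), (PROXY, ADMIN_SLOT): pad(OWNER)}

if __name__ == "__main__":
    print(inspect_proxy(fake_rpc(storage, {}), PROXY))                  # EOA admin
    print(inspect_proxy(fake_rpc(storage, {OWNER: "0x6080"}), PROXY))   # contract admin
```

Against a live node, `rpc` would wrap an HTTP POST to the node's JSON-RPC endpoint. A contract admin is not automatically safe, since that contract's own owner still has to be traced.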
Thank you, for your definitive answer!
Thank you for the answer.
So that means that most staking providers include a trust risk even when there is a smart contract, because there is a “backdoor like” proxy in the smart contract that allows for later changes?
Does this also apply for decentralized staking providers like Lido or Rocketpool?
Yes, to be honest, both decentralized and centralized systems can be hacked (e.g., smart contract hacks), although that doesn’t happen very often.
A malicious attacker can be an outsider—someone who analyzes smart contracts, finds a logic hole, and exploits it.
1 Like
So a smart contract without a proxy is more secure because the issuers can’t backdoor it, so an attack is only possible if there is an exploit?
They can’t backdoor it retroactively. You don’t know if there’s a backdoor built in from the start.
According to the statement:
I thought this meant that the contract has an option to be altered after it was made?
If the smart contract is immutable, then I think it’s trustworthy when enough people have audited it independently?