LlamaRisk does not recommend onboarding rstETH as ETH-correlated collateral in the Aave V3 Prime instance. We suggest reassessing this asset once two key conditions are met: improved liquidity depth and activation of asset delegation.
The Mellow protocol demonstrates robust security architecture through advanced control systems, multiple multisigs, timelocks, and an emergency system with Hypernative integration. However, neither Mellow nor Symbiotic maintains an ongoing bug bounty program - Mellow only ran a brief three-week contest with limited rewards that do not match its protocol TVL (>$700M) or codebase complexity. At the same time, Symbiotic has not conducted any bug bounty initiatives.
If liquidity conditions improve, we recommend implementing rstETH’s internal rate with CAPO, aligning with our steakLRT assessment. While Symbiotic has announced integration of 14 networks in September 2024, asset delegation launch is scheduled for January 28, 2025. Current yields combine Lido APR with points rewards (Symbiotic and Mellow). A new risk assessment will be required post-delegation activation to evaluate potential slashing impacts.
1. Asset Fundamental Characteristics
1.1 Asset
Restaking Vault ETH (rstETH) is an ERC-20 liquid restaking token (LRT) minted on Mellow Protocol and curated by P2P, a professional staking service provider. The Mellow Protocol is a modular infrastructure for issuing LRTs and deploying collateral to Symbiotic, the second biggest restaking protocol after EigenLayer.
Symbiotic allows for the creation of restaking vaults whose deposited assets can be delegated to operators who run Actively Validated Services (AVSs) infrastructure. Mellow accepts various tokens such as wstETH, WBTC, tBTC, or sUSDe. However, because Mellow stems from Lido and is part of the so-called Lido Alliance, it only accepts wstETH as Ethereum LSTs and not other ETH-based LSTs. P2P will select the Actively Validated Services (AVSs) and operators to restake collateral on Symbiotic and set the LRT’s ratios (e.g., reward generation fees). At the time of writing, the deposited collateral has not yet been delegated to AVSs and operators on Symbiotic, meaning that the underlying wstETH is not being actively re-staked.
To mint rstETH, users can provide ETH, WETH, stETH, and wstETH. ETH, WETH, and stETH deposits will be automatically converted to wstETH by internal interaction with the Lido contracts. The internal exchange rate for rstETH is maintained in the RatiosOracle contract. At the same time, deposited assets are kept in an ERC-4626 vault whose shares represent ownership of the underlying assets and accumulated rewards. The rstETH supply is currently limited to 80,000 wstETH in the vault, presently standing at 46,214 wstETH. This limit will be lifted once Symbiotic goes live with network delegation (scheduled for January 28, 2025).
1.2 Architecture
The general architecture of rstETH revolves around wstETH or approved assets (ETH, WETH, and stETH) being converted into wstETH and deposited into the vault contract. Once delegation is activated, deposits will be managed by P2P: most of it will be allocated to Symbiotic operators and AVSs, while a liquidity reserve fund will help to bootstrap liquidity. We previously did a complete risk assessment of Symbiotic on August 15, 2024.
Withdrawals from the vault are handled through the processWithdrawals() function of the Vault contract and processed manually by the vault operator P2P. Therefore, the completion of withdrawals can vary depending on how responsive P2P is to withdrawal requests from users. The Mellow team plans on automating withdrawals after January 28, 2025.
Source: Mellow Protocol Docs, January 10th, 2025
Mellow LRT components relevant to rstETH include a set of contracts that manage vault operations, strategy management, and system parameters. They include:
- Vault: ERC-4626 contract that handles asset deposits, issuing of LP tokens, withdrawal management, and underlying token administration (adding and removing accepted tokens).
- VaultConfigurator: Determines parameters and access control for the Vault contract.
- ManagedValidator: Role-based validator for smart contract functions, permitting or revoking permissions to functions and interactions with contracts.
- DefaultBondStrategy: Allocates deposited funds to bond strategies (i.e., LRT strategies) and facilitates withdrawals.
- DepositWrapper: Allows the Vault to accept ETH, WETH, and stETH deposits and convert them into underlying wstETH.
- Curator: P2P 2/3 Safe multisig with the OPERATOR role, manages liquidity allocations to different strategies and processes requested withdrawals through DefaultBondStrategy (see section 4.2 for more on the OPERATOR role).
- Erc20TvlModule: Standardizes calculation of ERC20 tokens TVL in a vault.
- DefaultBondTvlModule: Calculates TVL of bond-based assets in a vault, i.e., restaked wstETH in Symbiotic.
- ManagedRatiosOracle: Manages the vaults’ underlying token ratios for deposit and withdrawal. The contract allows for updating and retrieving target ratios.
- PriceOracle: Sources Chainlink price feeds for vault pricing set to a base token.
Mellow LRT contracts are open source on Github.
1.3 Tokenomics
No governance token has been issued yet for Mellow Protocol; their Lido Alliance proposal communicated plans for one in the form of MLW.
Source: Lido DAO Gov, May 27th, 2024
Mellow employs a loyalty points system for vaults, distributing Mellow and Symbiotic points to users and curators per hour on a linear TVL basis. More details can be found here.
1.3.1 Token Holder Concentration
| Description | Value |
| --- | --- |
| Total Holders | 7,796 |
| Total rstETH Supply | 48,930.12 (~$197m) |
| Top 10 Address Holdings | 85.72% |
| Largest Holder | MellowDepositWstETHStrategy (~42%) |
Source: Etherscan, January 8th, 2025
The top 10 addresses hold a high concentration of rstETH, approximately 85.72% of the total supply. Of the top 10 holders, 6 are EOAs, 3 are contracts, and 1 is a multisig. As of January 8, 2025, 48,930 wstETH (~$197m) has been deposited into the vault. The first address by TVL (~42%), the MellowDepositWstETHStrategy contract, is a strategy managed by StakeStone for its STONE product: 23.3% of StakeStone’s TVL is currently being deposited in this strategy. The StakeStone team controls this strategy and can decide to pull liquidity unilaterally.
2. Market Risk
2.1 Liquidity
A Balancer 5pool (trenSTETH) is the only source of DEX liquidity for rstETH. The Composable Stable Pool consists of other Mellow LRTs and wstETH. rstETH amounts to approximately 25% of the pool’s liquidity. A liquidator willing to swap rstETH for stables would first have to swap for one of the other assets in the pool before swapping for stables. wstETH will likely be used because of its higher stable liquidity.
Source: Balancer V2, January 8th, 2025
Over 90 days, between October 2024 and January 2025, the pool’s liquidity has hovered around $600k, which is relatively low given the 5 different assets it is made of.
Source: Balancer V2, January 8th, 2025
A Uniswap rstETH/wstETH pool was another DEX source of liquidity—albeit for a short period—but liquidity has since been removed.
Source: Dextools, rstETH/wstETH pool, January 8th, 2025
DEX aggregators are unaware of this BalancerV2 pool, and liquidity for rstETH is only accessible through a direct swap into this pool using the expert option. When doing so, only 25 rstETH ($97k) were available within a 7.5% price impact.
Source: Balancer V2, January 8th, 2025
2.1.1 Liquidity Venue Concentration
The BalancerV2 trenSTETH pool is the only liquidity venue for rstETH.
2.1.2 DEX LP Concentration
The ComposableStablePool contract pre-mints Balancer Pool Tokens (BPT) and holds them in the Balancer Vault as the LP token. To determine LP concentration, the circulating supply is calculated using the getActualSupply function (the value returned also includes protocol fees due). Analyzing the circulating supply and LP holders, a Gauge deposit contract (allows LPs to stake their BPT to claim BAL from liquidity mining) holds over 162 of the total 177.75 trenSTETH supply.
Source: BalancerV2 trenSTETH Gauge deposit contract, January 8th, 2025
The largest single account holds over 15.3% (24 trenSTETH), followed by numerous other liquidity providers with decreasing participation. Although this diversity is reassuring, one must remember that one of those wallets might still be providing the entire liquidity for one of the five assets in the pool.
2.2 Volatility
Relative to ETH, rstETH has exhibited nominal fluctuations, trading close to ETH at a slight discount. Over the past 90 days, the discount/premium differential ranged from -0.48% to +0.041%, which is acceptable.
Source: Dune, January 8th, 2025
2.3 Exchanges
No CEX currently supports rstETH.
2.4 Growth
Until August 2024, rstETH saw impressive early growth but has since stagnated. As the largest Mellow LRT, rstETH accounts for ~32% ($198m) of all Mellow vault TVL ($622m) and represents the third largest LRT TVL by ETH on Symbiotic (as of January 8, 2025).
rstETH wstETH TVL. Source: Dune, January 8th, 2025
We can see that rstETH’s share of all Symbiotic LRTs by TVL has gotten smaller and smaller.
Symbiotic LRT TVL. Source: Dune, January 8th, 2025
User activity, measured using unique receivers and senders, has declined overall. The graph below shows a spike in activity between October 18th and 26th, possibly due to a Zircuit L2 staking rewards program launch: the Zircuit L2 announced a staking partnership with Mellow, offering additional rewards in Zircuit Points and Project Airdrops.
rstETH user activity. Source: Etherscan Analytics, January 8th, 2025
3. Technological Risk
3.1 Smart Contract Risk
The Mellow protocol has been audited by 2 professional auditing firms, as well as by the Sherlock Community:
- StateMind (May 27, 2024): 4 medium-risk findings, no critical or high-risk findings.
- ChainSecurity (August 12th, 2024): 2 medium-risk findings, no critical or high-risk findings.
- Sherlock Community (June 27, 2024): 4 medium-risk findings, no high-risk findings.
Although the audits revealed some vulnerabilities in the smart contracts, primarily related to reentrancy attacks and improper access controls, the development team promptly addressed these issues. Symbiotic has been audited by ChainSecurity and StateMind. Low-severity issues were identified and resolved, with no critical, high, or medium issues found.
3.2 Bug Bounty Program
Mellow’s bug bounty contest on Immunefi ran from August 15 to September 5, 2024, and the reward pool was $100k. Key results from the report: 38 submitted reports, 0 valid vulnerabilities, 1 insight report, and a total payout of $1,000.
In our steakLRT assessment, we noted that for Symbiotic’s bug bounty on Immunefi:
“This sum is inadequate considering the protocol’s 1,281 lines of code across 12 smart contracts and the potential value at stake.”
On September 11, Symbiotic announced a three-week bug bounty program on Cantina with a total reward pool of $120k. A total of 39 prize winners received $50k. No high-severity findings were reported, and the highest number of medium-severity findings in a report was 3.
3.3 Price Feed Risk
The VaultConfigurator contract uses a Chainlink Oracle for price feeds. Mellow employs a custom ChainlinkOracle that enforces cross-oracle price checks.
Chainlink Aggregators, ConstantAggregatorV3 and WStethRatiosAggregatorV3, are used to fetch accurate pricing data for WETH (the vault base token) and wstETH respectively using the getPrice() function. Relative pricing is computed in terms of WETH with the priceX96() method.
We recommend using the internal exchange rate of the protocol for rstETH together with a CAPO oracle.
3.4 Dependency Risk
The security of rstETH depends on various protocols upon which the LRT is built. The first is Lido with wstETH, a liquid staking token representing ETH staked through permissioned validators. Lido wstETH boasts a $33b TVL and is generally regarded as the most liquid and well-maintained LST there is. The audit report from ChainSecurity notes:
“Lido.depositBufferedEther is expected to work correctly as documented. Curators of a vault should continuously monitor and take measures if Lido’s oracle is inactive or reports incorrect data. Obol staking module and Lido’s Deposit Security Committee are assumed to be trusted. Similarly, Chainlink oracles are considered trusted.”
Mellow also depends on Symbiotic to participate in the economic security of various off-chain services through restaking. Symbiotic, the second largest restaking protocol after EigenLayer, has not yet activated the delegation of the deposited assets to operators to secure AVSs. As such, no added rewards are generated, and the deposited assets are not yet at risk of being slashed. The audit report from ChainSecurity notes:
“The bonds used (at the time of this review) are DefaultCollateral of Symbiotic. These contracts are fully trusted to work as expected (i.e., no slippage on minting and withdrawal, and the conversion rate is always 1:1).”
When delegation is activated in the future, carefully selecting the operator and AVSs that are being secured will be important. As per the Mellow vault’s description, P2P aims to allocate wstETH to multiple networks. No further selection criteria are publicly available at this time.
4. Counterparty Risk
4.1 Governance and Regulatory Risk
Mellow Protocol incorporates a hierarchical system of governance for Protocol and Vault parameters. Different roles manage these parameters: Admin, AdminDelegate, and Operator (see section 4.2.).
Protocol Governance manages the global parameters of the protocol (e.g., maxTokensPerVault). Mellow plans on transitioning to a DAO governance model, but at the time of writing, only speculative plans were found in Mellow’s Lido Alliance proposal.
A Vault Governance contract manages Mellow vaults, each with its own set of parameters (e.g., managementFee), which are governed by a Strategist, which in the case of rstETH is P2P. In our Operator Assessment of P2P, we pointed out the following on the regulatory side:
“P2P Terms of Use lack clarity regarding the operating entity responsible for providing a wide range of services, including validator services.”
“While the Pitchbook profile of P2P and the Web3 Foundation grants program also reference the Cayman Islands as the country of establishment, we are unable to freely access and validate incorporation details due to the fee-gated nature of the business registry in the Cayman Islands.”
4.2 Access Control Risk
The Mellow architecture uses the DefaultAccessControl contract for role-based access control.
Controlling wallets
Roles
- ADMIN: assigned to Multisig A, can update parameters and assign ADMIN and ADMIN_DELEGATE roles.
- ADMIN_DELEGATE: assigned to Multisig A, can update any parameters.
- OPERATOR: assigned to Timelock A, which can perform certain actions related to restaking through Symbiotic.
Because ADMIN_DELEGATE has fewer rights than ADMIN, we believe it should be assigned to a different wallet.
4.2.1 Contract Modification Options
All Mellow vaults, including the one for rstETH, are deployed behind TransparentUpgradeableProxy contracts, which are all owned by Multisig A, a 5/8 Safe multisig that can perform role changes and contract upgrades.
Vault contract:
- addToken(): restricted to ADMIN and ADMIN_DELEGATE roles
- removeToken(): restricted to ADMIN and ADMIN_DELEGATE roles
- addTvlModule(): restricted to ADMIN and ADMIN_DELEGATE roles
- removeTvlModule(): restricted to ADMIN and ADMIN_DELEGATE roles
- emergencyWithdraw(): regular users can make an emergency withdrawal request at the risk of receiving fewer funds than expected.
- grantRole(): restricted to the ADMIN role
- renounceRole(): restricted to the role holder
- revokeRole(): restricted to the ADMIN role
- processWithdrawals(): accessible by regular users once withdrawal requests are ready to be finalized
- registerWithdrawal(): used to initiate a withdrawal request, accessible by regular users
- cancelWithdrawalRequest(): only the one making the withdrawal request can cancel the request
The VaultConfigurator contract contains a custom built-in timelock implementation with various delays ranging from 24 hours to 30 days, which in our opinion adds complexity to the codebase. Only the ADMIN and ADMIN_DELEGATE can change the following parameters through this mechanism:
- delegateModuleApproval: the approved delegation modules
- transfersLock: whether or not transfers are locked
- maximalTotalSupply: the maximum total supply that can be minted
- depositCallback: the deposit callback address
- withdrawalCallback: the withdrawal callback address
- withdrawalFeeD9: the withdrawal fee
- baseDelay: the base delay for any change of parameters
- depositCallbackDelay: the deposit callback delay
- withdrawalCallbackDelay: the withdrawal callback delay
- withdrawalFeeD9Delay: the withdrawal fee change delay
- depositsLockedDelay: the deposits locked change delay
- transfersLockedDelay: the transfers locked delay
- delegateModuleApprovalDelay: delegate module approval delay
- maximalTotalSupplyDelay: the maximal total supply change delay
- ratiosOracle: the ratio oracle address
- priceOracle: the price oracle address
- validator: the validator address
- validatorDelay: the delay for changing the validator address
StakingModule contract:
- convert() is restricted to delegate calls only
- convertAndDeposit() is restricted to delegate calls only
4.2.2 Timelock Duration and Function
A TimelockController contract from OpenZeppelin is used with a Hypernative bot that automates threat detection and response to on-chain attacks. The emergency shutdown system disables all vault deposits if a threat is detected. Multisig A is both ADMIN and PROPOSER of the Timelock A, while both Multisig B and the Hypernative bot are assigned the EXECUTOR role of Timelock A.
Mellow Security Fuse, Source: Mellow documentation, January 8, 2025
Timelock A has a delay of 0 seconds, which essentially disables it: this is because its use is restricted to pausing the protocol in case of a threat detected by the Hypernative bot. In that case, all contracts will be paused with a single transaction thanks to the executeBatch() method of Timelock A.
Deposits can be disabled in two steps with the stageDepositsLock() and commitDepositsLock() methods in the VaultConfigurator contract, with a 1-hour delay between the calls.
4.2.3 Multisig Threshold / Signer identity
Multisig A, which administrates the Mellow protocol, has signers from Mellow itself, Gearbox, and Lido contributors (details). It can perform critical operations such as configuration changes and withdrawal processing.
Mellow also manages Multisig B used as the EXECUTOR of Timelock A, which has the OPERATOR role of the VaultConfigurator contracts.
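The role and timelock layout described in sections 4.2 to 4.2.3 can be checked mechanically. The following is an added example, not code from Mellow or from this review's tooling: it models the grants named above and reports overlapping roles and which principals must cooperate to act through Timelock A. The principal and role names are labels taken from the text; the `SUPERSET_OF` map is an assumption of the example.

```python
# Role grants as (principal, target, role), transcribed from sections 4.2 and
# 4.2.2 of this review. Names only; this is a constructed model, not chain data.
GRANTS = [
    ("Multisig A", "Vault", "ADMIN"),
    ("Multisig A", "Vault", "ADMIN_DELEGATE"),
    ("Timelock A", "Vault", "OPERATOR"),
    ("Multisig A", "Timelock A", "ADMIN"),
    ("Multisig A", "Timelock A", "PROPOSER"),
    ("Multisig B", "Timelock A", "EXECUTOR"),
    ("Hypernative bot", "Timelock A", "EXECUTOR"),
]
TIMELOCK_DELAY_S = {"Timelock A": 0}
# Assumption of this example: the key role is treated as a superset of the
# listed roles, following the review's remark on ADMIN vs ADMIN_DELEGATE.
SUPERSET_OF = {"ADMIN": {"ADMIN_DELEGATE"}}

def holders(target, role):
    """Principals granted `role` on `target`."""
    return {p for p, t, r in GRANTS if t == target and r == role}

def overlapping_grants():
    """Grants where one principal holds a role and a lesser role on the same target."""
    return [
        (p, t, r, lesser)
        for p, t, r in GRANTS
        for lesser in sorted(SUPERSET_OF.get(r, ()))
        if p in holders(t, lesser)
    ]

def effective_paths(target, role):
    """Sets of principals that can jointly exercise `role`, with the delay in seconds."""
    paths = []
    for holder in sorted(holders(target, role)):
        if holder not in TIMELOCK_DELAY_S:
            # A direct holder acts alone and immediately.
            paths.append((frozenset({holder}), 0))
            continue
        # Through a timelock, one PROPOSER schedules and one EXECUTOR executes.
        for proposer in sorted(holders(holder, "PROPOSER")):
            for executor in sorted(holders(holder, "EXECUTOR")):
                paths.append((frozenset({proposer, executor}), TIMELOCK_DELAY_S[holder]))
    return paths

def findings():
    """Human-readable findings derived from the model above."""
    out = [f"{p} holds both {r} and {lesser} on {t}" for p, t, r, lesser in overlapping_grants()]
    for timelock, delay in TIMELOCK_DELAY_S.items():
        if delay == 0:
            gated = sorted(f"{t}.{r}" for p, t, r in GRANTS if p == timelock)
            out.append(f"{timelock} delay is 0 s, so {', '.join(gated)} is not delayed")
    return out

if __name__ == "__main__":
    for line in findings():
        print(line)
    for who, delay in effective_paths("Vault", "OPERATOR"):
        print(sorted(who), "can act as Vault.OPERATOR after", delay, "s")
```

Re-running the same checks after any role change (for example, moving ADMIN_DELEGATE to a separate wallet) shows whether the overlap finding clears.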
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.
January 17th, 2025: After feedback from the Mellow team, we added a justification for the 0-second timelock and removed mention of the Etherscan verification issue since it is due to Etherscan itself.