Summary
LlamaRisks supports the onboarding of wstETH to the Plasma instance. Onchain supply at the time of writing remains minimal with no sufficient presence on DEXs. Both the asset and the network were launched recently, and therefore, historical data is limited. In addition, Chainlink does not yet provide a wstETH/stETH price feed for Plasma. We will post an update when this is completed to be able to continue the onboarding of wstETH on the Plasma instance.
The parameters were aligned with @ChaosLabs and posted above.
1. Asset Fundamental Characteristics
1.1 Asset
wstETH is the non-rebasing wrapped form of Lido’s stETH. It represents a claim on staked ETH plus accrued staking rewards via a share-based exchange rate. On Plasma specifically, liquidity for wstETH is still low and there is not yet an active Chainlink oracle feed, which increases reliance on bridging and pricing assumptions until native infrastructure matures. The token has also proven itself to have a strong market presence across most chains where it has been deployed, including active usage on Aave, which provides relevant benchmarks for parameter setting.
1.2 Architecture
wstETH on Plasma is a bridged ERC-20 representation of Lido wstETH from Ethereum. Supply is managed through Chainlink CCIP: inbound messages mint via a token pool, outbound transfers burn and release on Ethereum. The token itself does not store an exchange rate and valuation must come from external oracles and liquidity. Core security depends on the token’s admin roles, the CCIP pool, and the router/off-ramp infrastructure.
All CCIP configuration changes pass through a Role-based Access Control Timelock. Proposals originate from a ManyChainMultiSig and either wait out a review window or receive explicit fast-track approval by a quorum of independent signers for urgent fixes. After a successful review, anyone can execute the change via a timelock worker.
2. Market Risk
2.1 Liquidity
Based on current on-chain data, wstETH on Plasma has no meaningful liquidity. The total supply is only 0.0008231 wstETH, held by a single address, with no active markets, pools, or price feeds available. This indicates that, while the token contract is deployed and functional, it is not yet integrated into DEX liquidity pools or other trading venues on Plasma.
Source:
Plasma explorer, October 3, 2025
2.2 Volatility
Price history for wstETH is limited, given the network’s recent launch (September 25th).
2.3 Growth
The assets’ growth on the chain is too early to determine, given its recent deployment.
3. Technological Risk
3.1 Smart Contract Risk
wstETH has been subject to extensive security review, with more than 72 protocol audits and 18 audits covering its deployments on other chains. These reviews include core contract assessments, oracle checks, bridge security, and deployment verifications. At present, however, there has been no audit of the Plasma deployment, which means its security has not yet been independently reviewed in the same way as on other networks.
3.2 Bug Bounty Program
Lido operates a bug bounty program through Immunefi with rewards of up to $2,000,000 for critical smart-contract vulnerabilities. Critical severity findings are rewarded at 10% of directly at-risk funds, with payouts ranging between a $50,000 minimum and a $2,000,000 at the top.
3.3 Price Feed Risk
Chainlink does not currently publish a wstETH price feed on Plasma. The Plasma wstETH token is a CCIP-bridged wrapper controlled by the contract admin, and it does not maintain an on-chain exchange rate.
The absence of a Chainlink feed introduces risks around price accuracy, reliability, and potential manipulation, making collateral use less secure until a native feed is available.
4. Counterparty Risk
4.1 Access Control Risk
wstETH contract has the following roles:
BurnMintTokenPool is owned by RBACTimelock. The owner can invoke/authorize functions that govern minting/burning behavior for wstETH on Plasma.
RBACTimelock has the following roles:
- ADMIN_ROLE: can assign roles, unpause the contract, and change parameters, e.g., minting limit, fees. Assigned to the same address RBACTimelock.
- BYPASSER_ROLE: permitted to move funds controlled by the timelock for bridging workflows and to withdraw accrued fees when applicable.. Assigned to Multisig C.
- CANCELLER_ROLE: permitted to cancel queued operations within the timelock’s queue. Assigned to Multisig A, Multisig B and Multisig C.
- EXECUTOR_ROLE: permitted to execute queued and ready operations after delay elapses. Assigned to Proxy contract.
- PROPOSER_ROLE: permitted to submit/queue new operations to the timelock. Assigned to Multisig B.
The main concern we noted is that control over wstETH minting and burning on Plasma ultimately depends on the RBACTimelock, which also governs the owner roles assigned to all related multisigs, creating a concentrated governance and operational risk, as compromise or misconfiguration at this layer could enable malicious minting, parameter manipulation, or cross-chain contagion.
4.1.1 Timelock Duration and Function
The RBACTimelock contract acts as a timelocked admin able to propose operations and execute them after a delay. Currently, the minimum delay is set to 3 hours.
4.1.2 Multisig Threshold
The governor contracts utilize ManyChainMultiSig (MCMS), a specialized multi-signature framework developed to coordinate governance and control across multiple blockchains. Unlike a traditional multisig that collects direct signatures on each transaction, MCMS aggregates signatures off-chain into a Merkle tree of operations. This tree contains all proposed actions, their metadata (chain ID, target contract, nonce), and is anchored on-chain by registering a single Merkle root.
- Multisig A has 60 signers. The root quorum is 1, with child groups g1=4, g2=2, g3=6; g3 fans out to g4–g19 (each quorum 1), while g20–g31 are disabled. Approval can be satisfied by 4 signers from g1, or 2 from g2, or any 6 distinct groups across g4–g19. The full signer list and group assignments are recorded in the latest ConfigSet event.
- Multisig B has 34 signers. The root quorum is 2, with five child groups g0–g4 each requiring 2 signatures. This structure means approval can be reached with as few as 4 signers (2 in each of 2 groups), though in practice threshold scales up if signatures are distributed across more groups. All other groups are disabled. The full signer list and group mapping are recorded in the latest ConfigSet event.
- Multisig C has 58 signers. The root group quorum is 3, with one major child group (g1) requiring 3 signatures, and a second branch (g19) with multiple sub-groups. Groups g2–g15 each have quorum 1, while g16–g19 require 2 each. Root approval can therefore be reached through different combinations, such as 3 signers in g1 plus 2 signatures in each of two subgroups under g19. Minimum workable threshold is around 7 signers, though effective approval depends on the specific distribution across groups. The full signer list and mapping is recorded in the latest ConfigSet event.
Price feed Recommendation
After a native Chainlink wstETH/ETH exchange rate feed is live on Plasma, pricing of wstETH will be done via the canonical wstETH/ETH share rate combined with an ETH/USD feed on Plasma, wrapped in CAPO with strict upward deviation checks.
Disclaimer
This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.
