[Asset Technical Assessment] wstETH on Aave V3 Monad
Author: Aave Labs
Date: 2026-06-30
Summary
Technical assessment of wstETH (Wrapped liquid staked Ether) for onboarding to Aave V3 Monad, following the Technical Asset Listing Framework.
Overall result:
MEDIUM ![]()
wstETH on Monad is a clean, standard ERC20 (OpenZeppelin AccessControl, 18 decimals, no fee on transfer, no rebase, no ERC777 or ERC1363 hooks) whose only mint and burn authority is a single Chainlink Cross-Chain Interoperability Protocol (CCIP) burn-and-mint token pool, with no externally owned account able to mint. On Monad wstETH is a bridged representation: the Monad supply exists only because canonical wstETH is locked on Ethereum, so the bridge’s governance, rate limits, and escrow accounting carry the listing. A live wstETH/USD market feed and a live wstETH/stETH exchange-rate feed are present on Monad alongside ETH/USD, so the asset is priceable, and the conditions that hold this at Medium are the bridge attestation, governance delay, and rate-limiter items described below.
Listing Recommendation
From a technical standpoint, wstETH on Aave V3 Monad is technically eligible for listing, with conditions. Several non-blocking items are recommended for the issuer to address and to revisit as exposure to the asset grows: the governing timelock on both the Monad token and the bridge pools enforces only a 3-hour delay, below the 24-hour standard expected for upgrade and configuration changes; and the entire governance root is a single Chainlink-operated signer mesh (MCMS) that owns the token admin, the proxy admin, and the bridge pool, with no separation between bridge, token, and upgrade authority. None of these is a blocker.
Asset under review
| Field | Value |
|---|---|
| Asset | Wrapped liquid staked Ether (wstETH) |
| Target chain | Monad (chain ID 143) |
| Target market | Aave V3 Monad |
| Token contract | 0x10Aeaf63194db8d453d4D85a06E5eFE1dd0b5417 |
| Native to target chain? | No. wstETH on Monad is a bridged representation; the Monad token is minted and burned by a Chainlink CCIP burn-and-mint token pool, while canonical wstETH is escrowed on Ethereum. |
| AAcA classification | Group 3 (yield-bearing, value-accruing liquid staking wrapper) |
wstETH is the non-rebasing wrapper of Lido’s staked ETH (stETH): a holder’s balance stays fixed while each token slowly becomes worth more stETH as staking rewards accrue. On its home chain, Ethereum, wstETH is the canonical token. On Monad it is a bridged representation: Chainlink’s Cross-Chain Token (CCT) framework over CCIP locks canonical wstETH on Ethereum and mints an equal amount on Monad, and sending it back burns the Monad token and releases the Ethereum escrow. There is no local staking or redemption on Monad, so the value and the exit path both depend on the Ethereum side and the bridge.
0. Pre-screening
wstETH is deployed on Monad at 0x10Aeaf63…5417 as a thin proxy carrying genuine contract code, reporting name “Wrapped liquid staked Ether 2.0”, symbol “wstETH”, 18 decimals, and a total supply of roughly 25,117 wstETH. It is classified Group 3 (yield-bearing wrapper) and is not in any non-approved or sanctioned category, and only one Monad token matches wstETH in official sources, confirmed on-chain because its bridge pool’s remote token on Ethereum resolves to canonical Lido wstETH. wstETH is listed on multiple live Aave V3 deployments on other chains, useful as a parameter reference for the same asset rather than as proof of this listing’s safety. The proxy, its implementation, and the bridge pool are source-verified on MonadScan as the standard Chainlink Cross-Chain Token contracts, with exact-match badges on the implementation and the pool.
Rating:
GOOD ![]()
1. ERC20 Compliance
The wstETH token on Monad is a standard OpenZeppelin 5.x ERC20 with 18 decimals: transfer() and approve() are declared returning bool and revert on invalid input with the OpenZeppelin custom errors, with no fee on transfer, no rebasing, no ERC777 or ERC1363 hooks, and no flash mint. There are no transfer restrictions and no allowlist or blocklist on the token, so smart contracts can hold and transfer it without restriction. The Monad token holds no Lido accounting (the exchange-rate getters revert on Monad), consistent with a bridged representation rather than the canonical Ethereum wrapper. The token implements ERC165 and OpenZeppelin AccessControl interfaces and exposes no EIP-2612 permit.
Rating:
GOOD ![]()
2. Oracle
A live Chainlink wstETH/USD market feed exists on Monad with a fresh timestamp at review, a 3,600-second heartbeat, and a 0.05% deviation threshold. A live Chainlink wstETH/stETH exchange-rate feed is also present, matching the canonical Ethereum rate and driven by deviation under a 24-hour heartbeat, alongside live ETH/USD and stETH/USD feeds. Both pricing strategies are therefore available on Monad: a direct wstETH/USD market feed, or a Correlated-Asset Price Oracle (CAPO) composition of ETH/USD combined with the wstETH/stETH exchange rate. The elements for the composition are present, and it is the design already used to price wstETH on other Aave instances, so it may suit this listing as well.
Rating:
GOOD ![]()
3. Access Control
Access control uses standard OpenZeppelin AccessControl, with the token’s default admin role, the bridge CCIP admin, the proxy admin owner, and the bridge pool owner all held by the same OpenZeppelin TimelockController, and no externally owned account anywhere in the control path. The sole holder of the mint and burn roles is the CCIP token pool, so no externally owned account can mint and there is no permissionless path to burn from an arbitrary wallet, and the token carries no pause and no blocklist (pause exists only at the bridge layer and cannot block an on-Monad liquidation). The token sits behind an OpenZeppelin Transparent proxy whose admin is owned by that timelock, and the timelock’s getMinDelay() returns 10,800 seconds (3 hours), below the 24-hour bar, with the timelock governed by a Chainlink-operated signer mesh (MCMS). Concentrating the token admin, proxy admin, bridge pool owner, and CCIP admin on that single signer mesh removes separation between bridge, token, and upgrade authority.
Rating:
MEDIUM
→ no externally owned account anywhere, but the 3-hour delay is below the 24-hour bar and the token admin, proxy admin, and bridge authority collapse onto a single governance root with no separation of duties.
4. Exchange Rate and Yield
wstETH is yield-bearing, so this section applies. The Monad token holds no Lido accounting, so the rate that matters for pricing comes from the live Chainlink wstETH/stETH exchange-rate feed on Monad, which tracks the canonical Ethereum rate set by Lido and cannot be moved by a donation or a flash loan in a single Monad transaction; the rate is monotonically non-decreasing under normal Lido operation and falls only on a net-negative validator event such as slashing, which would pass through to the Monad value. There is no native redemption on Monad: the exit paths are selling into a Monad decentralized exchange or bridging back to Ethereum (burn on Monad, release the Ethereum escrow, then unwrap and exit through Lido’s withdrawal queue), which is slow and rate-limited. A CAPO adapter is buildable from the live Monad feeds.
Rating:
MEDIUM
→ the rate is verifiably not manipulable in a single transaction and is monotonic under normal conditions, but there is no native redemption on Monad and the on-chain decentralized exchange backstop is thin, so the liquidation path depends on exchange depth or a slow, rate-limited bridge round trip.
5. Token Architecture
Supply on Monad rises only through verified inbound CCIP mints and falls only through outbound burns, both gated to the bridge pool, with no fixed cap at the token level and standard Transfer events emitted from and to the zero address for observability. There are no transfer restrictions on the token, and the privileged functions (mint, burn, role grants) all sit behind AccessControl. The token logic contains no tx.origin authorization and no application-level delegatecall beyond the Transparent proxy’s own delegation to its fixed implementation. There is a single token address, a single implementation, and a single bridge pool resolved by the CCIP registry, with no migration contract or duplicate path to the same supply.
Rating:
GOOD ![]()
6. Bridge and Cross-Chain Risk
Monad wstETH is a bridged representation that exists only because canonical wstETH is escrowed on Ethereum, bridged via Chainlink CCIP using the Cross-Chain Token standard: the Ethereum side locks and releases the canonical token in escrow, while the Monad side burns and mints the representation, over a single live route to Ethereum only (the Ink and Plasma routes documented elsewhere are not wired into the Monad pool). At assessment the Ethereum escrow held roughly 41,161 wstETH against a Monad supply of roughly 25,117 wstETH, so the Monad representation is fully backed with headroom, though that escrow is shared with other destination chains rather than dedicated to Monad. Inbound and outbound rate limiters are configured on both ends as refilling token buckets that refill to full over about 24 hours, with the inbound capacity (roughly 2,200 wstETH) capping the size of a single forged or erroneous inbound message. The route is governed by the 3-hour timelock and the single Chainlink-operated governance root noted in Section 3.
Rating:
MEDIUM
→ standard, current CCIP with rate limiters set on both ends and Monad supply fully covered by Ethereum escrow, held at Medium by the 3-hour timelock below the 24-hour bar, shared rather than dedicated escrow, and a single governance root over the pool, the token, and the upgrade path.
7. Audit and Security History
The deployed contracts derive from publicly audited Chainlink Cross-Chain Token code: the token is the standard CCT burn-and-mint ERC20 (OpenZeppelin 5.x ERC20 with AccessControl) behind an OpenZeppelin Transparent proxy, and the bridge pools are the standard CCT token pools, with the token-pool layer covered by a public Cyfrin CodeHawks competitive audit in 2024 (scope confirmed to include the deployed pool types) plus Code4rena reviews. The deployed Monad proxy, implementation, and bridge pool are source-verified on MonadScan, with exact-match badges on the implementation and the pool, and the proxy has run its original implementation since deployment with no logic swap. No unresolved Critical or High findings for the CCT pools were identified in public records, and the canonical Ethereum wstETH and the underlying Lido protocol are long-audited and long-live. The residual item is pinning the verified source to the exact audited Chainlink CCT release commit (the contest published no commit hash), while the audit scope excluded the owner and governance contracts that secure this deployment.
Rating:
MEDIUM
→ the token-pool stack and OpenZeppelin primitives are publicly audited and the deployed Monad contracts are source-verified, but the exact audited release commit is not pinned and the governance contracts sat outside the audit scope.
8. Dependencies
The asset rests on three production, on-chain governed dependencies: Lido staking on Ethereum (the ultimate backing, where value, yield, and slashing originate, with the Ethereum withdrawal queue applying to any exit to ETH), Chainlink CCIP (supply integrity of the Monad representation), and the Chainlink price feeds on Monad (valuation). None is controlled by an externally owned account or unaudited in the critical path, and changes on both Lido and the bridge are observable on-chain. The tightest governance window among them is the bridge’s 3-hour timelock, and the redemption path to ETH is slow because it combines a bridge round trip with Lido’s withdrawal queue.
Rating:
MEDIUM
→ all dependencies are audited and on-chain governed, but the bridge dependency carries a 3-hour governance delay below the 24-hour bar and the redemption path to ETH is slow.
9. Summary
Findings table
| Area | Key finding | Rating |
|---|---|---|
| 0. Pre-screening | Deployed at 0x10Aeaf63…5417, thin proxy, Group 3 yield-bearing wrapper; only one genuine wstETH token, confirmed against canonical Lido wstETH on Ethereum; proxy, implementation, and bridge pool source-verified on MonadScan (exact-match on impl and pool). |
Good |
| 1. ERC20 | Standard OpenZeppelin 5.x ERC20, 18 decimals; returns bool, no fee on transfer, no rebase, no ERC777 or ERC1363 hooks, no flash mint, no transfer restrictions. | Good |
| 2. Oracle | Both strategies available: a direct wstETH/USD market feed, or a CAPO composition (ETH/USD plus the wstETH/stETH exchange rate); the composition is the design already used on other Aave instances. All feeds live on Monad; Aave oracle wiring is a prerequisite, not yet done. | Good |
| 3. Access control | OpenZeppelin AccessControl, no externally owned account; sole minter and burner is the CCIP pool; but 3-hour timelock below the 24-hour bar and token, proxy, and bridge authority on a single governance root. | Medium |
| 4. Exchange rate / yield | Non-rebasing wrapper; rate set on Ethereum by Lido, not manipulable in one Monad transaction; no native redemption on Monad, exit is a thin decentralized exchange or a slow, rate-limited bridge round trip. | Medium |
| 5. Token architecture | Single token, single implementation, single bridge pool, no migration or duplicate supply path; supply only via gated mint and burn; no tx.origin, no application-level delegatecall. |
Good |
| 6. Bridge and cross-chain | Chainlink CCIP Cross-Chain Token, single route to Ethereum; Ethereum escrow (~41,161 wstETH) backs Monad supply (~25,117); rate limiters set both ends; 3-hour timelock; single governance root. | Medium |
| 7. Audit and security | CCT token-pool stack publicly audited (Cyfrin CodeHawks 2024 plus Code4rena); deployed Monad implementation and pool source-verified (exact-match); residual is pinning to the exact audited commit, ProxyAdmin unverified, governance contracts outside audit scope. | Medium |
| 8. Dependencies | Lido staking (Ethereum), Chainlink CCIP, and Chainlink feeds, all production and on-chain governed; bridge governance delay is 3 hours and the exit to ETH is slow. | Medium |
Disclaimer
Aave Labs has no formal or informal affiliation with Lido, Chainlink, or the wstETH issuer beyond this technical assessment. Aave Labs has not been compensated by Lido, Chainlink, or any related party in connection with this work.
Copyright
Copyright and related rights waived via CC0.