# 33Audits audit report

{% hint style="success" %}
Audit completed on **2026-03-25**.

**All 17 findings were fixed** by the team.
{% endhint %}

[Download the full audit PDF](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkohwqioQoDXaF3GIlgFJ%2Fuploads%2FLWF1UnGtsISGaRt4ewuH%2Flsteak-audit-report.pdf?alt=media&token=eb3a4e2f-675f-4d86-a3fb-222d91b7d163)

### Audit details

* Firm: **33Audits**
* Researchers: **Samuel Dominguez (`samtdomi`)** and **Radev (`radeveth`)**
* Repository reviewed: `BuildTheTech/LSteak-Contracts`
* Commit reviewed: `aab54f50`
* Scope: `BuildTheTech/LSteak-Contracts/*`

### Findings summary

* Total findings: **17**
* Critical: **1**
* High: **2**
* Medium: **11**
* Low: **3**
* Status: **All fixed**

### Critical

* **\[C-01]** Treasury proposal double-vote allows single-signer approval

### High

* **\[H-01]** YieldDrip uses `routeInternal` with `minOutput = 0`
* **\[H-02]** `processStuckETH()` re-processes tracked ETH and breaks Treasury accounting

### Medium

* **\[M-01]** YieldDrip sent backing ETH to `BackingManager.receive()` instead of `depositETH()`
* **\[M-02]** `LSteak.mint()` used a tautological `validateMint` check
* **\[M-03]** A blacklistable token could block an entire liquidation claim
* **\[M-04]** `HedgeReserve.priceFeedStaleness` was declared but not enforced
* **\[M-05]** `Treasury.getEthPriceUSD()` ignored Chainlink staleness
* **\[M-06]** `MINTER_ROLE` could not be revoked from old routing engines
* **\[M-07]** LSteak yield could become stranded when `accrueYield()` ran with zero total supply
* **\[M-08]** LSteak could mint without backing when `bernardBonds` or `hedgeReserve` were unset
* **\[M-09]** No holding period allowed atomic yield sniping around `drip()`
* **\[M-10]** `_executeAutoAllocate()` could strand ETH when `externalHedgeWallet` was unset
* **\[M-11]** `_getAssetPrice()` had no Chainlink staleness check

### Low

* **\[L-01]** LSteak could burn for zero claim when direct LSteak supply at snapshot was zero
* **\[L-02]** Internal discount POL ETH could become stuck if `polReceiver` was unset
* **\[L-03]** `XLLSteak.mint()` could inflate backing without an LSteak deposit

### Main themes

The most severe issue broke Treasury proposal approval thresholds.

The two high-severity issues exposed yield routing to MEV and corrupted Treasury accounting.

Several medium findings shared the same pattern:

* silent failure paths
* missing oracle staleness checks
* stale privilege retention
* ETH becoming untracked when destination addresses were unset

### Conclusion

33Audits concluded that the team addressed all reported findings.

The report still recommends continued monitoring, periodic re-reviews, and a bug bounty program.

### Audit disclaimer

A completed audit does **not** prove absence of vulnerabilities.

It reduces risk. It does not eliminate it.
