Best Practices for Technical Releases
Over time, Contributors to the Lido protocol have developed best practices for delivering technical releases. In short, it is a structured process with checkpoints, timelines, and governance steps that carries a change from idea to release.
The checklist has seven stages from “we have an idea” to “on-chain vote is done, everything’s live, alerts are green”:
- Concept — idea, feasibility, business landscape, initial forum post.
- Drafting & Review — writing specs & LIP (Lido Improvement Proposal), design internal challenge.
- Implementation — development, tests, devnets/testnets, deploy plan.
- Review — audits, voting scripts, green lights from everyone.
- Deployment — mainnet deployment, bots, alerts, off-chain infra.
- Voting — DAO-wide vote with public materials.
- Take-off — on-chain enactment, docs, supervision, Bug Bounty.
Each stage has its own logic and key artifacts.
It’s not a minimal process. It’s a complete map of all possible steps that ensures you do not miss anything.
This process clarifies work, improves security, and speeds time to mainnet. It keeps teams aligned, makes handoffs explicit, and delivers the right governance artifacts at the right time, which raises stakeholder confidence and lets the DAO scale execution without losing quality.
Audits
The Lido protocol has, from the very beginning, been built on trust in code, and that trust comes from careful and continuous verification. Every component of the Lido protocol has gone through multiple layers of independent review by leading blockchain security firms. Over the years, experts from Certora, MixBytes, Statemind, Ackee, OpenZeppelin, Consensys Diligence, ChainSecurity, Oxorio, Hexens, and SigmaPrime have examined the Lido protocol’s smart contracts, looking for ways to make them safer and more reliable. The results of these reviews are full audit reports and code-verification summaries, which are publicly available for anyone to explore.
To make the audit process more structured and consistent, the Lido DAO formed the Audits Committee to coordinate all security reviews across the protocol, ensuring that every major code change receives proper review before deployment. The committee manages the schedule of audits, works with trusted security partners, and keeps a transparent record of all completed work. Its goal is not just to react to potential issues but to maintain a continuous cycle of prevention, verification, and improvement.
Through this combination of external expertise and internal oversight, Lido DAO aims to uphold a high standard of security and transparency. The auditing process isn’t just a checkbox, but rather an ongoing practice that helps keep the protocol resilient, trustworthy, and open for public review.
GRAPPA
As the scope of the protocol expands and the number of ecosystem collaborations, network integrations, and application launches grows, the Lido DAO recognized the need for a complementary approach to reviews of these activities, one that makes the review process more responsive, scalable, and transparent. To meet that need, the Audits Committee proposed the creation of The Guild for Review and Assessment of Protocols and Applications: GRAPPA. GRAPPA is envisioned as an annually pledged role (contingent on proven success) assigned to a reputable third-party auditing provider with deep expertise in DeFi and smart contract auditing and familiarity with the Lido on Ethereum protocol.
The role of GRAPPA includes manual security reviews of protocol-level changes, verification of the deployments referred to as Lido Multichain, consultations on emerging features, and the publication of summary review reports for the community. The aim is to maintain high standards of security and deployment quality across the DAO’s growing universe of activities, making it easier to scale confidently, launch faster, and keep the community informed.
Bug Bounty
As part of its ongoing commitment to security and community collaboration, the Lido DAO established a bug bounty program — a standing invitation for the broader security community to help keep the protocol safe. The program is hosted on the Immunefi platform, one of the most trusted hubs for DeFi security research.
Through this initiative, independent researchers are encouraged to identify and responsibly disclose vulnerabilities in the Lido protocol’s smart contracts and applications. Verified discoveries can earn rewards, with higher payouts reserved for issues of greater severity. The program’s scope covers a range of potential threats, including direct loss of user funds, denial-of-service risks, governance manipulation, and data exposure. To ensure ethical participation, all submissions must include a clear proof of concept, and testing must never disrupt production systems or fall outside the defined boundaries of responsible disclosure.
Through this open invitation to white-hat researchers worldwide, Lido DAO embraces a proactive model: rather than waiting for threats to emerge, Lido DAO asks the community to help discover and fix them. The result is a broader network of oversight, stronger safeguards, and a more resilient protocol overall.
Emergency Brakes & GateSeal
To strengthen the protocol’s security and resilience, the Lido DAO has implemented protective mechanisms that allow certain parts of the protocol to be paused in the event of an emergency without requiring a full DAO-wide vote.
Emergency Brakes committees are granted permissions to temporarily pause specific protocol components such as L2 bridges (disabling deposits and withdrawals for wstETH bridging to other networks) and Easy Track (preventing the creation and execution of motions). Resuming normal operations after such a pause requires an on-chain DAO vote.
The more universal GateSeal mechanism serves as an on-chain panic button that pauses crucial contracts for a limited duration. Each GateSeal is one-time use only and becomes permanently unusable the moment it is activated. Once the pause period elapses, the paused contract resumes automatically, without any explicit unpause call.
These pause mechanisms allow sufficient time to analyze the issue, prevent further impact, and coordinate secure recovery actions.
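A minimal Solidity sketch of the GateSeal pattern described above, added here as an illustration and not Lido’s own contracts: the `TimedPausable` and `GateSeal` contract names, the `committee` address and the `pauseDuration` value are all assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model of the GateSeal pattern (not Lido's contracts).
// The protected contract has no "resume" function: the pause simply
// lapses once block.timestamp reaches pausedUntil.
contract TimedPausable {
    address public immutable sealer;   // the GateSeal allowed to pause us
    uint256 public pausedUntil;        // 0 means never paused

    // Assumption: a real deployment would grant the pause right through a
    // role so that a replacement GateSeal can be authorised later.
    constructor(address _sealer) { sealer = _sealer; }

    function isPaused() public view returns (bool) {
        return block.timestamp < pausedUntil;
    }

    modifier whenNotPaused() {
        require(!isPaused(), "paused");
        _;
    }

    // Only the GateSeal may pause, and only for a bounded duration.
    function pauseFor(uint256 duration) external {
        require(msg.sender == sealer, "not sealer");
        pausedUntil = block.timestamp + duration;
    }

    // A guarded operation (placeholder body).
    function deposit() external payable whenNotPaused {}
}

// One-shot panic button: seal() works exactly once, after which the
// contract is spent for good and a fresh GateSeal must be deployed.
contract GateSeal {
    address public immutable committee;     // emergency committee multisig
    uint256 public immutable pauseDuration; // fixed at deployment, seconds
    bool public used;

    constructor(address _committee, uint256 _pauseDuration) {
        committee = _committee;
        pauseDuration = _pauseDuration;
    }

    function seal(TimedPausable[] calldata targets) external {
        require(msg.sender == committee, "not committee");
        require(!used, "GateSeal already used");
        used = true;                        // burn before acting
        for (uint256 i = 0; i < targets.length; i++) {
            targets[i].pauseFor(pauseDuration);
        }
    }
}
```

Deploy `GateSeal` first, then each `TimedPausable` with the GateSeal’s address as `_sealer`; after one `seal()` call the button is spent, and every target resumes on its own once `pauseDuration` has passed.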