Jul 14, 2026

Safe Staking, From Doctrine to Code


Safe Staking, From Doctrine to Code

weETH earned the first independent A+ risk rating in liquid restaking, weeks after we redeemed a fifth of TVL under industry-wide stress. Now the doctrine behind it is compiled into the contracts: non-custodial by construction, safety enforced in code, active defense measured in seconds.


EtherFi is the largest liquid restaking protocol, securing more than three-quarters of the market. This spring weETH became the first liquid restaking token to earn an independent A+ risk rating from Credora. That rating came weeks after we redeemed almost a fifth of our TVL in 33 days during industry-wide stress, without missing a single withdrawal.

Last month we published our security doctrine: non-custodial and actively defended. A protocol that cannot take your funds, watched by defenses that respond in seconds. At the time it was a set of principles. Now, those principles are enforced in the contracts.

We conducted the largest security overhaul we have shipped: a ground-up redesign of the protocol’s security architecture. We built it because safe staking is the product. The safest place for your ETH should also be the easiest to verify.

What we have shipped?

EtherFi upgrades our core contracts in one coordinated release, audited by Certora. The protocol’s most important safety properties are no longer assumptions written in documentation, they are invariants written into the contracts themselves, checked on every transaction, and hammered continuously by invariant testing across millions of randomized scenarios.

Nothing changes in how you stake, hold, or withdraw. The redesign is in the trust model, not the experience.

It rests on three pillars: what EtherFi cannot do to your funds, safety enforced by math, and active defense measured in seconds.

1: Non-custodial, by construction

Most protocols ask you to trust that privileged keys will behave. We built on a stronger idea: remove the privilege entirely, so there is nothing to trust.

  • Claiming a finalized withdrawal is permissionless and cannot be paused. Once your withdrawal is finalized, the protocol cannot stand between you and your ETH. The claim function has no pause switch and no permission gate.
  • Finalized withdrawals cannot be invalidated or repriced. The moment your request is finalized, your ETH is set aside in a segregated escrow at a locked-in rate. Whatever happens afterward (i.e. rebases, incidents, slashing) your claim is untouchable.
  • If our oracle ever goes dark, withdrawals still finalize. Should reports stop arriving, any address on Ethereum can trigger finalization of pending withdrawals directly from pool balance after a 14 day staleness period.
  • Consensus drives the protocol, not a privileged key. Executing an oracle report requires no special role, only that the report has reached consensus by our decentralized committee and passes every onchain sanity check.

These aren’t policies. They’re properties of the bytecode.

2: Safety enforced in code

Parameters can be changed by whoever holds the right key. Invariants cannot be changed by anyone. We have moved the protocol’s core safety guarantees from the first category into the second.

  • The eETH exchange rate can never deflate. Every user-facing operation, deposits, withdrawals, burns, runs inside an onchain invariant that reverts the entire transaction if the rate would drop.
  • weETH can never be under-backed. Every mint and burn asserts the backing invariant between weETH supply and the eETH it wraps. If the equation doesn’t hold, the transaction reverts.
  • Hard ceilings are compiled in, not configured. Maximum exit fees, oracle quorum floors, and daily withdrawal-finalization limits are immutable, fixed at deployment.
  • Global circuit breakers bound the blast radius of the unexpected. Rate limits on minting and burning cap how fast supply can change to constraint any drain.

Every one of these properties is exercised by an invariant-testing suite that replays millions of adversarial scenarios against the live contract logic.

3: Active defense, measured in seconds

Non-custodial does not mean undefended. The second half of the doctrine is a security operation designed so that even a compromised operational key cannot reach user funds.

  • Detection to containment in seconds. Active monitoring feeds guardian keys that can pause an affected contract instantly, no multisig coordination sits in the critical path of an emergency.
  • Every emergency power expires on its own. A guardian pause lapses automatically; address-level containment expires in days unless the multisig deliberately extends it. A false positive costs hours, never your funds.
  • No single operational key can touch user funds. We collapse the protocol’s permissions into nine tiered roles with strict separation of duties: the key that queues a withdrawal is not the key that completes it.
  • A compromised key is cut off in one transaction. A dedicated revocation path lets governance instantly strip any operational or guardian key. The kill switch cannot be turned on the protocol.

Safe staking

Safe staking is what you get when non-custodial and actively defended stop being principles and become properties: a protocol that cannot take your funds, cannot be quietly repriced, and cannot be caught flat-footed. We published the doctrine. We proved it under fire. Now it’s compiled into the contracts.

Don’t take our word for it: the upgrade was audited by Certora, and the full audit report is public.