Motivation
The purpose of establishing these best practices is to ensure maximum transparency, safety, DeFi utility/composability, and the best overall user experience for BTC LST users. Questionable practices or a serious incident involving even one BTC LST may negatively impact every BTC LST issuer and the wider ecosystem. These best practices are voluntary, community-created guidelines.
Contributors
Babylon Labs, Kairos, Bitcoin Layers, Lombard, Chainlink, RedStone, Nubit, pSTAKE Finance, Solv, Bedrock
Acknowledgements
EtherFi, PumpBTC, Bedrock, Kinza, LlamaRisk, Chaos Labs, Riema Labs, NEBRA, Coleman Maher, Xinshu Dong, Arnold Yau, Luke Lim, Janusz Grzegorz, Michał Konopka, Thodoris Karakostas, Maksym Repa, Marcin Kaźmierczak, Matt Marshall, Deian Stefan, Aditya Vandkar, Marc-Thomas Arjoon, Red Sheehan, Will Wang, Swordholder
Best Practices by Category
Open Source Contracts
- LST issuers shall open source all of their token contracts on every network they are deployed on.
- LST issuers shall leverage token contract and interoperability standards that give them full ownership of the asset and do not introduce lock-in with vendors to interact with those contracts.
Public Operators
- LST issuers shall publicly disclose their operator set, custodians, and any party that custodies, transfers, or stakes BTC, LST tokens, or any user funds in any form.
- These parties shall provide a public disclosure or attestation as to their involvement.
- Sufficient technical documentation shall be provided by all involved parties, clearly documenting the architecture of the LST, mint and redemption flows, and all security aspects of the system.
Stake Attestations
- LST issuers shall sign weekly on-chain attestations that BTC deposited into LST vaults or wallets is staked to the Babylon Bitcoin staking protocol and that BTC held in reserves is held in wallets under their control.
- This attestation should be signed using the private key corresponding to the deposit address or a clearly identifiable attestation key. This attestation should include: the amount staked, a timestamp or block height indicating when the staking occurred, metadata such as the staking batch identifier, and some randomness such as btc-block-hash (to ensure these attestations were not pre-generated).
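A verifier-side check of the attestation contents listed above, as an added example that is not part of the original guidelines or any issuer's code. The field names, the one-day anchor age limit and the canonical JSON encoding are assumptions; verifying the signature over `signing_digest` with the deposit or attestation key is assumed to happen separately.

```python
import hashlib
import json

# Field names and thresholds are assumptions for this example, not a published schema.
REQUIRED = ("amount_sat", "staked_at_height", "batch_id", "btc_block_hash", "signed_at")
WEEK = 7 * 24 * 3600
MAX_ANCHOR_AGE = 24 * 3600  # anchor block must be under a day old at signing time

def signing_digest(att):
    """SHA-256 of the canonical JSON body: the bytes the attestation key signs."""
    body = {k: att[k] for k in REQUIRED}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def check_attestation(att, chain, previous_signed_at=None):
    """Return a list of problems. chain maps block hash -> (height, block_time)
    and must come from the verifier's own Bitcoin node, not from the issuer."""
    missing = [k for k in REQUIRED if k not in att]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    problems = []
    if not isinstance(att["amount_sat"], int) or att["amount_sat"] <= 0:
        problems.append("amount_sat must be a positive integer")
    anchor = chain.get(att["btc_block_hash"])
    if anchor is None:
        # An unknown hash gives no evidence about when the attestation was made.
        problems.append("btc_block_hash is not on the verifier's chain")
    else:
        height, block_time = anchor
        if att["signed_at"] - block_time > MAX_ANCHOR_AGE:
            problems.append("anchor block is stale; signing time is not pinned to a recent block")
        if att["staked_at_height"] > height:
            problems.append("staked_at_height is later than the anchor block")
    if previous_signed_at is not None and att["signed_at"] - previous_signed_at > WEEK:
        problems.append("more than a week since the previous attestation")
    return problems

# Constructed sample data (placeholder hashes, not real blocks).
CHAIN = {"aa" * 32: (880000, 1_737_000_000), "bb" * 32: (881000, 1_737_600_000)}
GOOD = {"amount_sat": 125_000_000_000, "staked_at_height": 880950,
        "batch_id": "batch-0042", "btc_block_hash": "bb" * 32,
        "signed_at": 1_737_603_600}
STALE = dict(GOOD, btc_block_hash="aa" * 32, staked_at_height=879000)

if __name__ == "__main__":
    print(signing_digest(GOOD), check_attestation(GOOD, CHAIN))
    print(check_attestation(STALE, CHAIN, previous_signed_at=1_736_900_000))
```

Because the block hash is part of the signed body, a signature that verifies over this digest cannot have been produced before that block existed; the age limit bounds how long after it the attestation could have been made.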
Proof of Reserves
- LST issuers shall support a publicly available website that lists the wallet addresses of BTC custodied by them on behalf of users as well as all of the addresses of contracts issuing LSTs.
- Both LST issuers and a trusted independent third party shall calculate the ratio between the supply of LST tokens and BTC held in custody/reserve that is staked to the Babylon protocol. The algorithm or formula to arrive at this ratio should be clearly explained and published. These two ratio calculations should be publicly compared against each other by both parties.
- This ratio is required to be ≤ 1 or within a tight range, such as 1 ± δ, where δ is 0.01% of the supply of BTC held in custody. The exact conditions for this ratio requirement will be dependent on the design of the LST protocol (for example, if the LST appreciates in value or there is a separated yield token) and should be clearly defined and published.
- This ratio shall be verified, signed, and published to the public in an attestation at least hourly by a trusted third party.
- This ratio shall also be published on chain by a decentralized or trusted third party for utilization in decentralized applications and smart contracts.
Key Management
- LST issuers shall disclose their key management protocol (which must include multiple steps) including disclosure of which individuals or groups have signing authority over any portion of the BTC held. This must be accompanied by a public attestation.
- Key management shall be done using a battle-tested and proven MPC protocol or HSM.
Withdrawals & Redemptions
- LST issuers shall enable withdrawals and redemptions as soon as possible but no later than Babylon mainnet Phase 2.
- The withdrawal or redemption process/mechanism must be publicly disclosed and open sourced.
- The total supply of BTC subject to private LP or staking agreements or any BTC staked outside of normal operations shall be disclosed.
Audits
- All LST issuers shall publish at least two complete audits of their protocol (including off-chain code) and smart contracts.
- Any changes to the protocol or smart contracts must be audited if user funds are potentially affected or put at risk.
Security Practices
- All LST issuers shall maintain or operate a public bug bounty program or, at the very minimum, vulnerability disclosure procedures.
- All LST issuers shall disclose that issuing an LST is subject to additional smart contract, custodian, and financial/economic risks compared to direct, self-custodial staking.
Incident Response Plan
- LST issuers should have a publicly communicated incident response plan, with details of expected communications, escalation, complaint, and recourse procedures.
Disclaimer
These best practices are provided for informational purposes only and do not constitute legal, financial, or regulatory advice, nor do they establish any binding standards or obligations. LST issuers should conduct their own due diligence, seek independent professional advice, and comply with all applicable laws and regulations in their jurisdictions. While every effort has been made to ensure the relevance of these best practices, neither Babylon Labs nor its affiliates makes any representations or warranties, express or implied, regarding their completeness, reliability, or fitness for any particular purpose. The implementation of these practices is at the sole discretion of LST issuers, and Babylon Labs and its affiliates shall not be liable for any direct, indirect, incidental, or consequential damages arising from their use. An LST issuer’s voluntary compliance with these standards does not represent any form of endorsement from Babylon Labs or its affiliates. By referencing or adopting any of these best practices, LST issuers acknowledge that they remain fully responsible for their own compliance, risk management, and operational decisions. For further guidance, we encourage operators to consult with legal, financial, and technical experts as appropriate.