On May 6, Lido announced that it had received Web3SOC certification from the security firm Cantina. The certification is the result of a point-in-time assessment covering governance, financial resilience, security, and legal and compliance domains, and it stands as one of the first such cases for a liquid staking protocol.
What deserves attention in this announcement is not so much the certification itself but the context in which it came about. With more than $21 billion worth of ETH staked through Lido, institutional teams looking to integrate the protocol need consistent due diligence materials that allow them to review not only product risk but also how the organization operates. Yet no standardized due diligence framework capable of evaluating these factors comprehensively for DeFi protocols has so far been adequately established. Web3SOC is a framework proposed to fill this gap alongside existing evaluation frameworks, and Lido's certification serves as an early case for gauging how this attempt works in practice.
1. What Web3SOC Is, and Why It Is Needed
Existing due diligence frameworks such as SOC 2 and ISO 27001 are designed on the assumption of a centralized organization. At their core, they are models in which someone within a specific organization exercises control over the system, and the way that control is exercised is what gets evaluated. In DeFi protocols, however, governance is on-chain, operations are distributed, and the technical scope is broader, spanning smart contracts, validator infrastructure, and key management. Applying SOC 2 directly to such a structure is therefore difficult. As a result, institutional teams have repeatedly had to take on the non-standard work of either adapting their existing due diligence processes for DeFi or rebuilding them from scratch for each protocol.
Web3SOC is a security certification framework first introduced in June 2025 by Cantina, in collaboration with DeFi protocols and security firms including Uniswap Labs, Morpho, Maple Finance, Kiln, Steakhouse Financial, L1D, and Secureum, in order to address this inefficiency. Since its release, Coinbase, Ethena, Euler, and Lido have joined as additional collaborators. This certification follows the pattern of how standards take shape in DeFi, where early collaborators who took part in the framework's design also become recipients of the certification.
Web3SOC evaluates four domains.
- Operational: Governance processes, coordination among contributors, and other general operational practices
- Financial: Economic design mechanisms, capital resilience, and related financial controls
- Security: Smart contract security, application robustness, infrastructure redundancy, resistance to attacks, and security incident response procedures
- Regulatory: Legal and compliance posture, and considerations from an institutional standpoint
Based on a comprehensive evaluation across these domains, Web3SOC assigns projects to one of four maturity tiers. Lido's announcement, however, did not publicly state which tier it received, which appears to reflect the fact that Web3SOC itself is structured to separate the public certification badge from a private, detailed report. Detailed assessment results are shared privately only upon request.
2. Lido's Existing External Assessments
[Figure: stETH rating under the Staking Rewards risk framework. Source: Staking Rewards]

[Figure: stETH rating under the Credora DeFi evaluation framework. Source: Credora]
The Web3SOC certification is not the only external assessment of Lido. stETH has already received high ratings under both the Staking Rewards risk framework and the Credora DeFi evaluation framework. That said, these three assessments, including Web3SOC, differ in what they actually evaluate.
- Staking Rewards Risk Assessment: Focuses on a risk score for the staking asset itself. It quantifies risks primarily from the asset holder's perspective, such as slashing risk, decentralization, and operational risk.
- Credora DeFi Assessment: A comprehensive evaluation of the protocol, the market, and DeFi risks. It focuses on risk exposure at the protocol and market level rather than at the asset level.
- Cantina Web3SOC Certification: Focuses on whether the organization's maturity meets institutional due diligence standards rather than on the risk assessment of the product itself. It reviews the operational, financial, security, and regulatory domains in an integrated manner.
To summarize, while Staking Rewards and Credora measure asset and protocol risks both quantitatively and qualitatively, Web3SOC sits closer to an assessment of the organization's own due diligence readiness. Its point of differentiation is that it is designed to plug directly into the internal risk, compliance, and counterparty review processes that institutional teams already use when integrating Lido. As a result, with all three assessments now in hand, Lido has become a DeFi protocol that holds external evaluations across all three dimensions: the asset, the protocol, and the organization.
3. Implications
In our view, Lido's Web3SOC certification carries more weight as a signal of the broader trend surrounding it than as the impact of a single announcement. It suggests that the infrastructure DeFi protocols need to take in institutional capital is entering a phase where it is built on common standards, rather than relying on the efforts of individual protocols.
This trend takes on added significance at a time when operational-level security incidents continue to occur. Across the broader DeFi ecosystem, large-scale asset losses are being caused by breaches at the organizational and operational layer rather than in smart contracts, and the operational security control environment Lido was evaluated on under Web3SOC stands as one of the early cases that directly address the attack vectors the crypto ecosystem currently faces. Because this case can serve as a representative reference for other protocols looking to firm up their own operational maturity, it carries industry-wide value beyond being just a single protocol's certification.
The arrival of a standardized due diligence framework cuts both ways. As reference materials for institutions become more readily available, the barrier to DeFi adoption could come down, but there is also the possibility that a gap will widen between larger protocols equipped with the resources and compliance infrastructure to respond quickly to such standards and smaller protocols that are not. It is similar to how institutional sales tend to diverge between SaaS companies that hold SOC 2 certification and those that do not. For Lido, this certification adds a formalized credential on top of the external assessments it already had, making it one of the DeFi protocols best equipped at this point with standard materials for institutional due diligence. This points to the possibility that stETH could gain momentum to be integrated through a wider range of institutional channels.
The author of this report may have personal holdings or financial interests in assets or tokens discussed herein. However, the author affirms that no transactions have been conducted using material non-public information obtained in the course of research or drafting. This report is intended solely for general information purposes and does not constitute legal, business, investment, or tax advice. It should not be used as a basis for making any investment decisions or as guidance for accounting, legal, or tax matters. Any references to specific assets or securities are made for informational purposes only and should not be construed as an offer, solicitation, or recommendation to invest. The opinions expressed herein are those of the author and may not reflect the views of any affiliated institutions, organizations, or individuals. The opinions and analyses expressed herein are subject to change without prior notice. In addition, beyond the individual disclosures included in each report, Four Pillars may hold existing or prospective investments in some of the assets or protocols discussed herein. Furthermore, FP Validated, a division of Four Pillars, may already be operating as a node in certain networks or protocols discussed herein or may do so in the future. Please see the links in the footer below for FP Validated's participating network disclosures and for broader disclosure details.