DField SolutionsMérnöki stúdió · Budapest
Loading · Töltődik
Skip to content
CASE STUDIES · fintech

DeFi lending protocol audit · 7 critical findings before mainnet

Pre-mainnet audit of a lending protocol on Ethereum L2. Invariant-based + fuzz + manual review. 7 critical, 12 high, 28 medium findings · all fixed before first tx.

Timeline3 weeks
Back to case studies
Reviewed by
017 Critical findings (4 reentrancy edge cases, 2 oracle-manipulation, 1 timelock-bypass).
0212 High findings · access control, precision-loss, event-log gaps.
0328 Medium findings · gas optimizations, NatSpec gaps, edge behaviours.
04All Critical + High remediated before mainnet; re-audit ran clean.
The problem01 / 03
  • 01Team had an internal review but wanted an independent pre-audit before the paid audit firm engagement.
  • 02Aggressive mainnet deadline (6 weeks out); couldn't block it but had to catch obvious stuff.
  • 03Protocol integrated with 3 external price oracles · high oracle-manipulation attack surface.
  • 04Upgradeable proxy pattern with a 48h timelock · timelock config was half-wrong.
The solution02 / 03
  • 01Threat model built on day 1 (template now in /resources/smart-contract-threat-model-template.md).
  • 02Foundry invariant tests · 34 invariants, 200k runs each, ~3 hours total.
  • 03Halmos symbolic execution on core accounting functions (accrueInterest, repay, liquidate).
  • 04Echidna property-based fuzzing on the oracle wrapper for 72 hours.
  • 05Manual review of 2,800 lines of Solidity across 11 contracts · 3 senior reviewers, 2 weeks.
The outcome03 / 03
  • 017 Critical findings (4 reentrancy edge cases, 2 oracle-manipulation, 1 timelock-bypass).
  • 0212 High findings · access control, precision-loss, event-log gaps.
  • 0328 Medium findings · gas optimizations, NatSpec gaps, edge behaviours.
  • 04All Critical + High remediated before mainnet; re-audit ran clean.
  • 05Post-deploy monitoring matrix shipped · TVL-delta alerts, oracle-staleness alerts, admin-call alerts.
CASE STUDIES

Let's get started.

Send an email or book a 30-minute call.

Back to case studies