Invariant Testing Engagement · 2024

Badger

Badger DAO manages hundreds of millions in TVL across yield-generating vault strategies. Recon's invariant testing of the remBADGER vault identified a critical accounting desynchronization that could have led to protocol insolvency. The bug existed in a subtle interaction between deposit and reward distribution accounting that a previous manual audit had reviewed without catching. The finding demonstrated that invariant testing can surface issues that escape even careful manual review.

The Challenge

The remBADGER vault system tracks depositor shares across multiple underlying yield strategies. Rewards flow in from external sources and must be distributed proportionally across all shareholders. The accounting must correctly handle deposits, withdrawals, and reward distributions in any order, including edge cases where these operations happen in rapid succession or within the same block. A single accounting error in this system puts the entire vault TVL at risk, making correctness of the share pricing mechanism a critical requirement.

Our Approach

The invariant test suite targeted the core accounting relationship: total shares multiplied by the price per share must never exceed total assets held by the vault. Additional properties verified that reward distributions could not create share/asset desynchronization, that no depositor could withdraw more than their proportional share, and that the vault remained solvent after any sequence of operations. The fuzzer was configured with multiple actors depositing and withdrawing concurrently to simulate realistic usage patterns and adversarial interactions.

Findings

Critical

Insolvency due to Incorrect Accounting

The remBADGER accounting system had a bug where reward distribution updated the price per share, but subsequent deposits used a slightly stale conversion rate. This created a small accounting gap between the shares issued and the assets backing them. Over repeated deposit/withdraw cycles timed around reward distribution events, the gap accumulated, causing total share-implied value to exceed actual vault assets — a path to insolvency exploitable by automated bots.

Results

After approximately 40 transactions in a specific sequence, the fuzzer broke the solvency invariant. The root cause was a subtle interaction where reward distribution updated the price per share, but subsequent deposits used a slightly stale conversion rate, creating a small accounting gap that accumulated over repeated cycles. The bug would have been exploitable by any automated bot performing repeated deposit/withdraw cycles around reward distribution events. Badger's Lead Dev noted that Recon Pro significantly accelerated test development and provided confidence in the fix.
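The accounting desynchronization described in the finding and the results above, as an added example that is not Badger's or Recon's code: a constructed share-based vault model whose deposit path can be switched between a stale cached conversion rate and the live price per share, plus a seeded random multi-actor sequence that checks the engagement's solvency invariant after every operation. Actor names, amounts, the fixed-point scale and the exact caching mechanics are assumptions modelled on the page's description.

```python
import random
WAD = 10**18  # fixed-point scale for price per share (pps)

class VaultModel:
    """Constructed share-based vault (illustration only, not remBADGER's code). With
    stale_conversion=True a deposit mints at a cached pps that lags reward distribution."""
    def __init__(self, stale_conversion):
        self.stale_conversion = stale_conversion
        self.assets, self.total_shares, self.shares = 0, 0, {}
        self.pps = WAD       # live price per share, updated on reward distribution
        self.pps_conv = WAD  # cached conversion rate used when minting (bug path)
    def distribute_reward(self, amount):
        self.assets += amount  # live pps follows the new assets; the cached copy stays stale
        self.pps = self.assets * WAD // self.total_shares if self.total_shares else self.pps
    def deposit(self, who, amount):
        rate = self.pps_conv if self.stale_conversion else self.pps
        minted = amount * WAD // rate  # a stale (lower) rate mints too many shares
        self.assets += amount
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        self.pps_conv = self.pps  # the cache only catches up after a deposit
    def withdraw(self, who, share_amount):
        share_amount = min(share_amount, self.shares.get(who, 0))
        self.shares[who] = self.shares.get(who, 0) - share_amount
        self.total_shares -= share_amount
        self.assets -= share_amount * self.pps // WAD
    def share_implied_gap(self):
        """Engagement invariant: total_shares * pps must never exceed assets (gap <= 0)."""
        return self.total_shares * self.pps // WAD - self.assets

def reward_then_deposit_gap(stale_conversion):
    """Minimal reproduction: deposit 1000, reward 100, deposit 1000; returns the gap."""
    v = VaultModel(stale_conversion)
    v.deposit("alice", 1000 * WAD)
    v.distribute_reward(100 * WAD)
    v.deposit("bob", 1000 * WAD)
    return v.share_implied_gap()

def first_insolvency_step(stale_conversion, steps=500, seed=7):
    """Random multi-actor sequence; index of the first invariant-breaking step, or None."""
    rng, v = random.Random(seed), VaultModel(stale_conversion)
    for i in range(steps):
        who, action = rng.choice(["alice", "bob", "carol"]), rng.choice(["deposit", "withdraw", "reward"])
        if action == "reward":
            v.distribute_reward(rng.randint(1, 100) * WAD)
        else:
            getattr(v, action)(who, rng.randint(1, 1000) * WAD)
        if v.share_implied_gap() > 0:
            return i
    return None
```

With the stale conversion rate, a single reward followed by a deposit already leaves share-implied value above held assets; with the live rate the fuzzed sequence never breaks the invariant.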

Recon has allowed us to speed up the development of invariant tests immensely. We are able to create and execute test suites in the cloud effortlessly with virtually no boilerplate code. I highly recommend using Recon to automate your fuzzing setup.

James, Lead Dev at Badger DAO

Get the same level of protection

See how Recon's invariant testing can secure your protocol like it did for Badger.