Invariant Testing Engagement · 2024
Credit Coop
Credit Coop is a lending protocol where Recon delivered an invariant test suite that uncovered a high-severity vulnerability in the minting cap enforcement. The engagement demonstrated extremely high return on investment — the cost of the testing was a fraction of the potential loss the vulnerability could have caused. The success of the engagement led Credit Coop to adopt invariant testing as a core part of their smart contract development process going forward.
The Challenge
The protocol enforces caps on how much can be minted against each collateral type to limit protocol exposure. The cap enforcement interacts with interest accrual, collateral price updates, and partial repayments. Rounding in these calculations could theoretically allow users to mint slightly more than the cap permits through carefully sequenced operations. Testing this manually would require enumerating an impractical number of operation sequences across multiple collateral types and user states.
Our Approach
The invariant test suite defined properties requiring that the total minted amount for each collateral type must never exceed the configured cap. Additional properties covered interest accrual correctness — ensuring accrued interest is always non-negative and monotonically increasing — and collateral accounting consistency. The fuzzer tested combinations of borrows, repayments, liquidations, and interest accrual across multiple users and collateral types, exploring sequences that would be impractical to enumerate by hand.
Findings
Rounding allows bypassing minting cap
Invariant testing identified that specific sequences of small minting operations could exploit rounding in the cap check to incrementally exceed the intended minting cap. The vulnerability arose from the interaction between cap enforcement and interest accrual — as interest changed the effective utilization, the rounding in the cap calculation did not correctly account for the shift, allowing each small mint to slip slightly past the limit.
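The cap property and the rounding failure described above, as an added Python model that is not Credit Coop's contracts or Recon's test suite. The `CappedMarket` class, its share/index accounting, the truncating division and every parameter are assumptions constructed to show this class of bug and how a sequence fuzzer catches it.

```python
import random

WAD = 10**18  # fixed-point scale for the interest index

class CappedMarket:
    """Toy single-collateral market (constructed model, assumed accounting)."""

    def __init__(self, cap, round_up):
        self.cap = cap            # maximum debt allowed, in token units
        self.round_up = round_up  # True = hardened rounding, False = flawed
        self.index = WAD          # interest index, never decreases
        self.shares = 0           # normalized debt that the cap check sees
        self.minted = 0           # ghost variable: tokens actually issued

    def _div(self, a, b):
        # Hardened: round against the borrower. Flawed: truncate.
        return -(-a // b) if self.round_up else a // b

    def accrue(self, rate_bps):
        self.index += self.index * rate_bps // 10_000

    def mint(self, amount):
        new_shares = self._div(amount * WAD, self.index)
        debt_after = self._div((self.shares + new_shares) * self.index, WAD)
        if debt_after > self.cap:
            return False          # cap check rejects the mint
        self.shares += new_shares
        self.minted += amount
        return True

def holds(m):
    # Property from the text: total minted never exceeds the configured cap.
    return m.minted <= m.cap

def fuzz(round_up, seed=1, runs=200, steps=80, cap=100):
    """Return the first call sequence that breaks the property, else None."""
    rng = random.Random(seed)
    for _ in range(runs):
        m, trace = CappedMarket(cap, round_up), []
        for _ in range(steps):
            if rng.random() < 0.2:
                call = ("accrue", rng.randint(1, 50))
            else:
                call = ("mint", rng.randint(1, 5))
            getattr(m, call[0])(call[1])
            trace.append(call)
            if not holds(m):
                return trace      # counterexample sequence for triage
    return None
```

In this model, once the index has moved above its starting value a one-unit mint truncates to zero shares, so the cap check sees no new debt while tokens are still issued; rounding both divisions up restores the property.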
Results
The fuzzer discovered that sequences of small minting operations could exploit rounding in the cap check to incrementally exceed the intended limit. The vulnerability was in the interaction between the cap enforcement and interest accrual — as interest accrued, the effective utilization changed, and the rounding in the cap check did not account for this correctly. Credit Coop's CTO described the ROI as extremely high, noting that the cost of the engagement was negligible compared to the potential loss if the vulnerability had been exploited in production.
“The ROI on our engagement with Recon was extremely high. They built an invariant test suite that uncovered hard-to-spot high-severity issues and gave us a powerful tool to ship with confidence. Moving forward, invariant testing will be core to our smart contract development at Credit Coop. When we do our next audit, Recon will have to be a part of the picture.”
Thomas Hepner, Co-founder & CTO at Credit Coop