Full Security Audit + Invariant Testing · 2024
Liquity
Liquity v2 (BOLD) is a decentralized borrowing protocol and one of the most anticipated DeFi launches. Recon's engagement combined deep manual code review with comprehensive invariant testing. The audit covered interest rate calculations, multi-collateral support, liquidation mechanics, and the stability pool. Several issues were found spanning arithmetic precision, economic edge cases, and protocol accounting. The Liquity cofounder noted the engagement exceeded expectations in both breadth and depth, particularly given the scope of coverage achieved.
The Challenge
The v2 codebase introduced novel mechanisms including batch-managed liquidity, continuous interest rate adjustments, and new redemption and liquidation logic. The arithmetic involved fixed-point math operations where precision errors compound across operations. Traditional auditing alone could not provide confidence that these calculations held under all edge cases, especially sequences involving many borrowers interacting simultaneously. The interaction between interest accrual, collateral ratio checks, and the stability pool created a large state space that manual review cannot exhaustively explore.
Our Approach
Properties were designed around core protocol guarantees: the system must remain solvent across all operations, interest must accrue correctly regardless of the sequence of opens, closes, and adjustments, liquidations must only affect undercollateralized positions, and the stability pool must always correctly distribute gains. The fuzzer explored sequences of opens, adjustments, repayments, liquidations, and redemptions across multiple collateral types and borrowers. Deep manual review complemented the invariant testing by identifying architectural concerns and guiding property design toward the highest-risk areas of the codebase.
Findings
Arithmetic precision errors in interest calculations
Invariant testing revealed edge cases in interest rate calculations where fixed-point math rounding errors compounded across multiple operations. Over long sequences of borrower interactions — opens, adjustments, and repayments — these small discrepancies could accumulate into material accounting differences between expected and actual interest owed.
Economic edge cases in liquidation mechanics
Fuzzing uncovered scenarios where specific sequences of market movements and borrower actions could lead to suboptimal liquidation outcomes. The edge cases involved interactions between batch-managed positions and the liquidation logic, where certain ordering of operations produced results that deviated from the intended economic guarantees of the protocol.
Results
Several arithmetic precision issues were identified in interest rate calculations that could accumulate discrepancies over time. Economic edge cases in the liquidation mechanics were surfaced where specific market movement sequences could produce suboptimal outcomes. The delivered invariant test suite continues to run against ongoing development, catching regressions as the team iterates toward launch. The combination of manual review and invariant testing provided a level of assurance that neither approach could have achieved independently. For a deep dive into a related class of bug found through fuzzing on a Liquity fork, read [The Bug That Was Missed](https://getrecon.substack.com/p/the-bug-that-was-missed) on the Recon Substack.
View full report →“We first met Alex during some excellent security discussions re: Liquity v1. The breadth and depth of his audit of our v2 exceeded expectations - particularly impressive for a solo effort. He uncovered several technical, arithmetic and economic issues and discussed them with us in detail. I'd highly recommend his manual reviews for any DeFi team that takes their security seriously.”
Rick, Cofounder at Liquity
Get the same level of protection
See how Recon's invariant testing can secure your protocol like it did for Liquity.