CertiK and Lien Finance’s Second Audit Engagement and Pen Test

CertiK | Sept 9, 2020


Early last month, CertiK proudly announced a successful audit for Lien Finance’s iDOL, Fairswap, Oracle, and Token smart contracts. Details from the engagement can be found here. Recently, the CertiK team and Lien Finance team closed another audit engagement on the iDOL, Lien Token, and Oracle modules, and a penetration test on the wallet.

“Lien is a simple and elegant protocol that allows anyone to create a unique derivative contract. Depending on your prediction of the ETH price in the future, the protocol provides users with the opportunity to take advantage of its price development more effectively than just hodling ETH itself.”

Scope of Work

Audit Code Review

A second round of auditing was carried out on the following commit hashes, which include remediations as well as minor changes based on feedback from Lien's mainnet launch. The commit hashes are as follows:

  1. iDOL
  2. Lien Token
  3. Oracle

During this second, two-week round of auditing, the CertiK team analyzed the code of the core protocol within iDOL and delved into greater depth on the Fairswap repository to identify any potential vulnerabilities, misalignments with the specification, and unaccounted-for functionalities or behaviors.

Penetration Test

At the start of the engagement, CertiK worked with Lien Finance to identify the target and set the limits on the scope of the test. A white-box testing approach was used: CertiK performed the test with the source code available from the shared GitHub repository.

The main objective of the engagement was to test the overall resiliency of the application to various real-world attacks against the application’s controls and functions, and thereby to identify its weaknesses and provide recommendations to fix them and improve its overall security posture.

CertiK performed a full penetration test on the web application and tested it against a range of web vulnerability classes, including the OWASP Top Ten.

Summary and Overview

During both engagements, the CertiK team took an iterative approach with the Lien team to remediate most of the optimization findings pointed out, as well as all of the vulnerabilities and mathematical discrepancies the engineers were able to identify within the codebase.

“Overall, the Lien team demonstrated an in-depth understanding of the mathematical formulas involved in the solution they aspire to launch, and showcased healthy code ethics within each project’s codebase,” said the CertiK team.

We look forward to working with the Lien team and securing the DeFi ecosystem together.

About CertiK

CertiK is a technology-led blockchain security company, founded by Computer Science professors from Yale University and Columbia University, built to prove the security and correctness of smart contracts and blockchain protocols.

In every audit, CertiK’s mission is to apply a range of approaches and detection methods, from manual review to static and dynamic analysis, to ensure that the project is checked against known attacks and potential vulnerabilities. CertiK leverages a team of seasoned engineers and security auditors to apply these testing methodologies and verifications to the project, in turn creating a more secure and robust software system.

CertiK has served more than 100 clients with high-quality auditing and consulting services, ranging from stablecoins such as Binance’s BGBP and Paxos Gold to decentralized oracles such as Band Protocol and Tellor.