Back
This document serves as an exposition of the Guardian security review process, detailing an engagement between the Guardian team and Abracadabra Money.
Guardian has conducted several reviews with the Abracadabra Money team, including their GMX V2 cauldrons and MultiRewards Staking contract. This case study focuses on the recent review of Abracadabra’s new MIMSwap product.
Guardian is a Smart Contract security service provider re-imagining the traditional audit model with two competing internal Guardian teams, Smart Contract fuzzing, and a Pay-Per-Vulnerability pricing alternative. Guardian’s novel approach effectively incentivizes their security team to uncover as many vulnerabilities as possible and leave no stone unturned.
MIMSwap is an automated-market-maker solution utilizing the PMM concept from DODO stable pools. The engagement focused on adaptations from the original DODO codebase as well as potential edge cases in the original implementation.
Guardian boasts a security team with extensive experience in banking, DeFi, economics, trading, and software correctness. As the Abracadabra team was bringing an adapted version of a novel AMM to market, it was paramount to engage a team with rigorous experience in AMM protocols and a strong background in fuzzing techniques.
Having conducted several reviews of novel concentrated liquidity AMM products and constructed dozens of professional fuzzing suites, Guardian was a clear choice.
In the 1.5 week period from the 29th of February to the 11th of March, Abracadabra Money engaged Guardian to perform a security review of their PMM exchange.
During the engagement 6 security researchers spent a total of 9 person weeks to uncover multiple Critical & High severity findings in the project as well as to construct a comprehensive fuzzing suite to battle-test 25 key invariants.
To begin the review, each Guardian team focused first on gaining a deep understanding of the codebase, graphing the relevant PMM formula, creating diagrams, and carrying out internal discussions on the behavior of the system.
Following these discussions, Guardian identified several key bugs in the adaptation from DODO, such as H-02, M-02, and M-03. These findings were immediately shared with the MIMSwap team using a shared findings database for the engagement.
Both Guardian teams continued to scrutinize the code in scope, shifting focus towards the Blast deployment details and ultimately came to uncover several core issues with the Blast Native Yield claiming logic. These findings include C-01, H-04, and H-05.
While both Guardian teams conducted a manual review of the Smart Contracts in scope, a dedicated fuzzing engineer constructed a comprehensive fuzzing suite for the MagicLP, Router, and MagicLPFactory contracts.
The constructed fuzzing suite included 25 invariants assessed over 65 Million runs. Guardian’s comprehensive fuzzing suite successfully identified that tokens with 24 decimals and large totalSupply amounts are incompatible with the MagicLP system. Furthermore, Guardian’s fuzzing suite successfully detected a Critical bug which was introduced during remediations for the original findings.
Finally, after completing the engagement, the Guardian team opened a PR on the abracadabra-money-contracts repository to add the constructed fuzzing suite.
The PR, with over 3,000 lines of additions for the fuzzing suite, can be seen here:
https://github.com/Abracadabra-money/abracadabra-money-contracts/pull/142/files
Throughout the 2 week engagement, Guardian uncovered 1 Critical, 5 High, 7 Medium, and 15 Low findings which were remediated by the Abracadabra team and promptly reviewed by Guardian.
Additionally, after engaging Guardian the Abracadabra team now has a comprehensive fuzzing suite to continually provide assurance to future updates made to the MagicLP system.
Guardian’s attention to detail and immense verification efforts were key in preparing the MIMSwap codebase for a successful launch, garnering 8 figures of TVL seamlessly.
