Back

Guardian - Orderly Case Study

“As a security audit company, Guardian's approach to security and overall effectiveness is truly exceptional. Working with them has been a revelation – their auditors are among the best we've ever collaborated with.”

Slava Gerashanko

Orderly Network

Overview

This document serves as an exposition of the Guardian security review process, detailing an engagement between the Guardian team and Orderly Network.

Guardian

Guardian is a Smart Contract security service provider re-imagining the traditional audit model with two competing internal Guardian teams, Smart Contract fuzzing, and a Pay-Per-Vulnerability pricing alternative. Guardian’s novel approach effectively incentivizes their security team to uncover as many vulnerabilities as possible and leave no stone unturned.

Orderly

    Orderly is a white label Orderbook trading infrastructure on the NEAR, Arbitrum, and Optimism networks boasting over $500,000,000 in total trading volume and 70,000+ active traders.

    Why Guardian?

    Guardian boasts a security team with extensive experience in banking, DeFi, economics, trading, and software correctness. As Orderly Network was launching the Smart Contract infrastructure for their EVM compatible perpetual derivatives offering, it was paramount to engage a team with rigorous experience with perpetual products. Having spent over a year performing security analysis on the GMX V2 perpetuals system among other perpetual derivatives protocols, Guardian was a clear choice.

    Some of the best auditors we have worked with. The team is very prompt with communication, their domain expertise in DeFi, specifically derivatives, is unparalleled.

    Slava Gerashanko

    Orderly Network

    The Report

    Github.com:

    Report Link

    Dissecting The Security Review

    In the 2 week period from October 1st to October 13th, Orderly engaged Guardian to perform a security review of their perpetuals protocol utilizing an off-chain order book. During the engagement 3 security researchers spent a total of 6 person weeks to uncover multiple Critical & High severity findings in the project.

      The Kickoff Call

      The engagement officially began on October 1st with a kickoff call between Guardian and Orderly. During the kickoff call, members from Orderly Network shared an overview of the perpetuals system and answered probing questions from Guardian security researchers.

      While on the kickoff call, members from Guardian confirmed the first finding with the Orderly team, a Critical logic error in the system Ledger contract, LGR-1.

      “During the kickoff, the Guardian team came prepared with precise questions, instilling confidence in their capabilities.”

      Slava Gerashanko

      Orderly Network

      The Research

      Following the kickoff call, the Guardian team focused first on gaining a deep understanding of the codebase, constructing diagrams and carrying out internal discussions on the behavior of the system.

      Following these discussions, Guardian identified several key points in the Orderly system which were vulnerable to exploitation. These findings were immediately shared with the Orderly team using a shared Notion database for the engagement.

      The Testing

      After gaining a strong understanding of the logic of Orderly’s Smart Contract system and having battle tested it against manual efforts, Guardian elected to conduct further assurance on the system with both stateful and stateless fuzzing efforts.

      Guardian’s fuzzing efforts proved to be fruitful as they uncovered more findings such as ATPH-2 & ATPH-4 which were promptly shared with the Orderly team.

      The Remediation

      While Guardian continued to conduct the security review, Orderly engineers were able to implement the recommendations made — as these findings and recommendations were shared throughout the engagement.

      After completing the two week period focusing on the frozen commit, Guardian conducted a comprehensive review of the remediations made by Orderly. Systematically, Guardian verified that the remediations made resolved the issues uncovered and did not introduce any new issues.

      ”From the very beginning, it was a seamless process. Within just a few days, they uncovered all issues, and their rapid review of fixes further underscores their efficiency.”

      Slava Gerashanko

      Orderly Network

      Results

      Throughout the 2 week engagement, Guardian uncovered 3 Critical, 2 High, 17 Medium, and 19 Low findings which were remediated by the Orderly team and promptly reviewed by Guardian.

      Guardian’s attention to detail and immense verification efforts were key in preparing the codebase for a successful launch, garnering 8 figures of TVL seamlessly.

      “Guardian’s swift and clear communication is a testament to their commitment, and their unparalleled domain expertise in DeFi sets them apart.”

      Slava Gerashanko

      Orderly Network