Back

Guardian - Poolshark
Case Study

“Guardian treated Poolshark Limit and Cover as if the protocol was theirs. […] This is how auditing DeFi protocols should be.”

Poolshark Protocol

Overview

This document serves as an exposition of the Guardian security review process, detailing two engagements between the Guardian team and Poolshark protocol.

Guardian

Guardian is a Smart Contract security service provider re-imagining the traditional audit model with two competing internal Guardian teams, Smart Contract fuzzing, and a Pay-Per-Vulnerability pricing alternative. Guardian’s novel approach effectively incentivizes their security team to uncover as many vulnerabilities as possible and leave no stone unturned.

Poolshark

Poolshark protocol is a concentrated liquidity AMM which enables on-chain spot, limit, and stop-loss orders through it’s novel directional AMM technology.

Why Guardian?

Guardian boasts a security team with extensive experience in banking, DeFi, economics, trading, and software correctness. With a protocol as novel and complex as Poolshark’s Cover & Limit pools, it was paramount that Poolshark engaged a highly specialized team offering rigorous attention to detail. Guardian was exactly that team.

“10/10 They are hands down some of the absolute best security minds in the space.”

”Do not fade Guardian Audits”

Alphak3y

Poolshark

The Reports

Github.com:

Reports Link

Dissecting The Security Reviews

In March of 2023 Guardian conducted a security assessment of Poolshark’s first protocol, Cover. The auditing approach championed manual analysis to uncover novel exploits and verify intended behavior with ancillary verification from formal methods such as fuzzing and symbolic execution.

Given the results of the first engagement, four months later Poolshark engaged Guardian a second time to review their Limit protocol.

Review #1, Poolshark Cover — Superior Communication and Collaboration

A team of three security researchers, with two Lead Security Researchers, began a 4-week Guardian review on the 17th of March. The review began with a kickoff call, where the Poolshark team detailed the Cover implementation and the Guardian team stress tested the design with precise questions.

Throughout the review, findings and recommendations were shared with the Poolshark team as they were uncovered by Guardian. Explicit written PoC (proof-of-concept) tests accompanied High and Critical issues. At the end of each week, the Guardian and Poolshark teams convened to discuss the findings uncovered, potential remediations, and design improvements.

Finally, Guardian scrutinized remediations made by the Poolshark team and included these updates in the scope of the ongoing audit.

During the 4 week review a total of 11 Critical, 5 High, 7 Medium, and 13 Low findings were uncovered by Guardian, confirmed and promptly remediated by Poolshark, and these remediations were finally reviewed by Guardian.

Review #2, Poolshark Limit — Invariant Testing 22 Critical Invariants

A team of six security researchers, with two Lead Security Researchers, began a 4-week Guardian review on the 18th of July. Similarly to the first review, Guardian held a kickoff call to understand and stress test the Limit codebase design.

Guardian continued to share findings and PoC tests as they were unearthed and discuss potential remediations in a weekly correspondence with the Poolshark team.

Additionally, during the weekly meetings Guardian worked with Poolshark to identify core protocol invariants and implement these in an Echidna fuzzing suite for the Limit protocol. Throughout the engagement 22 critical invariants were assessed with over a half a billion combined fuzzing runs.

During the 4 week review a total of 15 Critical, 9 High, 13 Medium, and 38 Low findings were uncovered by Guardian confirmed and promptly remediated by Poolshark, and these remediations were finally reviewed by Guardian.

At the end of the engagement, Guardian delivered a fully functioning Echidna fuzzing harness that Poolshark continues to use to provide invariant verification upon updates and modifications made to the protocol.

Results

During both reviews a combined 111 findings, 40 of which being High or Critical severity, were reported, remediated, and confirmed to be resolved.

Throughout both the Cover and Limit engagements the code coverage and edge case coverage of the repository tests improved dramatically, with additions of Guardian’s own test cases and PoCs.

Guardian directly assessed 22 core protocol invariants with a prepared Echidna harness for the Limit codebase. But more importantly, Guardian transferred Echidna fuzzing expertise to the Poolshark team who has gone on to implement and assess dozens of additional invariants across both the Cover and Limit codebases.

After engaging Guardian several times, the Poolshark team has significantly improved their security as a result of resolving over 40 pressing issues uncovered. Not only has Poolshark benefitted from periods of review from Guardian, but they will continue to develop with a security guided approach as a result of new testing and fuzzing practices moving forward.