“Having seen many audits over many years, no one even comes close to Guardian's approach, and the quality of their audit is unmatched.”
Kaleb
Synthetix Core Contributor
This case study highlights Guardian's security review of Synthetix's Auto-Compound LP Vault and its Keeper infrastructure, a critical component of their vault-based architecture on the Base network. The full audit report is available here.
Guardian provides leading web3 teams with institutional-grade security, redefining audits with dual independent security teams, specialized fuzzing engineers, and an aggressive vulnerability discovery methodology. This approach consistently drives maximum issue discovery, ensuring projects ship with unmatched confidence.
Synthetix is a leading web3 derivatives protocol offering perps, tokenized strategies, and vaults. Their Auto-Compound LP Vault automates yield strategies for depositors by combining Aave yield with Synthetix reward flows and compounding logic, secured through complex onchain and keeper-managed infrastructure.
As a trusted security partner for Synthetix, with expertise in both vault architecture and keeper-based execution flows, Guardian was uniquely suited to assess the nuanced logic, external dependencies, and cross-layer security challenges present in the Auto-Compound LP Vault. The combination of fuzzing, state validation, and dual-team review was critical in identifying and remediating edge-case vulnerabilities.
Guardian's audit approach combined dual-team smart contract analysis, invariant testing, web2 security coverage, and more:
• Dual-team code review, conducted by independent teams of Guardian SRs to maximize vulnerability discovery
• Fuzzing and invariant testing, with over 20 million runs to validate critical protocol behaviors and edge-case failures
• Web2 infrastructure review, including keeper logic, AWS IAM roles, API Gateway exposure, Lambda configuration, and secret management
• Comprehensive attack surface modeling, focused on cross-chain flows, vault accounting, slippage edge cases, and rate manipulation risks
Guardian identified 65 total vulnerabilities, including 1 Critical and 4 High severity issues. All have been fully resolved by the SNX team.
Below is a breakdown of the highest-impact findings:
• Impact: Any user could drain rewards from the Synthetix registry, permanently locking them and breaking vault yield flows.
• Fix: Rewards claiming function was made internal and restricted.
• Impact: Forwarder-based transfers would fail silently, breaking UX and vault composability.
• Fix: Corrected context usage for _msgSender().
• Impact: Decimal mismatch would break reward claiming for USDC, leading to vault-wide DoS.
• Fix: Added proper decimal conversions to align reward tokens with vault expectations.
• Impact: Swapping SNX and unknown tokens could cause reward spikes or sandwich risk.
• Fix: Added strict token allowlist and alerting logic.
As part of Guardian's full-stack security model, we conducted a thorough review of the offchain infrastructure powering the Auto-Compound LP Keeper, including AWS Lambda, API Gateway, and IAM configurations.
Web2 components are often the weakest link in Web3 systems. With deep expertise in both cloud and application-layer security, Guardian ensures that infrastructure risks, such as exposed APIs, leaked secrets, and misconfigured permissions, are surfaced and addressed alongside smart contract vulnerabilities.
Public API Gateway Without Authentication
• Anyone could trigger vault actions via a public endpoint.
• Remediation: Partially resolved with improved access control; additional auth recommended.
Plaintext Secrets & Hardcoded Keys
• Sensitive credentials and RPC keys were embedded in source files.
• Remediation: Migrated to AWS Secrets Manager with access controls.
Over-Permissive IAM Roles
• Default Lambda roles had excessive permissions.
• Remediation: Guardian recommended least-privilege custom roles.
No Throttling / Rate Limits
• The API Gateway was vulnerable to denial-of-service through traffic flooding.
• Remediation: Rate limiting partially implemented; usage plans advised.
Sensitive Logging and Short Retention
• Full payload logs including private keys were written to CloudWatch with only 1-week retention.
• Remediation: Log filtering and longer retention periods implemented.
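The logging finding above comes down to what reaches CloudWatch in the first place. The following is an added example, not Synthetix or Guardian code, of a redaction pass a keeper can run over any payload before logging it; the key-name patterns and the RPC-URL heuristic are assumptions, and the sample values in the comments are constructed.

```javascript
// Added example (not Synthetix or Guardian code): redact a keeper payload before
// it is written to CloudWatch, so full request/config objects can be logged
// without leaking signer private keys or provider credentials.
const SECRET_KEY_NAMES = /(private[_-]?key|secret|password|mnemonic|api[_-]?key|authorization)/i;
const HASH_KEY_NAMES = /hash/i;          // txHash, blockHash: 32-byte hex that is safe to log
const HEX32 = /\b0x[0-9a-fA-F]{64}\b/g;  // raw 32-byte hex, the shape of an EVM private key
// Heuristic (assumption): a long opaque trailing path segment in an RPC URL is
// usually the provider key, e.g. https://rpc.example/v2/<key>.
const URL_KEY = /(https?:\/\/[^\s/]+\/(?:[^\s/]+\/)*)([A-Za-z0-9_-]{24,})(?=[\s"'/]|$)/g;
const MASK = "[REDACTED]";

// Redact secrets embedded inside a string value. 32-byte hex under a *hash*
// key is kept because transaction hashes are needed for debugging.
function redactString(value, keyName) {
  let out = value.replace(URL_KEY, `$1${MASK}`);
  if (!HASH_KEY_NAMES.test(keyName)) out = out.replace(HEX32, MASK);
  return out;
}

// Returns a deep, redacted copy; the original payload is never mutated.
function redactForLog(payload, keyName = "") {
  if (typeof payload === "string") return redactString(payload, keyName);
  if (Array.isArray(payload)) return payload.map((v) => redactForLog(v, keyName));
  if (payload && typeof payload === "object") {
    const safe = {};
    for (const [k, v] of Object.entries(payload)) {
      // Any key that names a secret is masked outright, whatever its value looks like.
      safe[k] = SECRET_KEY_NAMES.test(k) ? MASK : redactForLog(v, k);
    }
    return safe;
  }
  return payload; // numbers, booleans, null pass through unchanged
}

// What the keeper would actually hand to console.log / the CloudWatch client.
function safeLogLine(event, payload) {
  return JSON.stringify({ event, payload: redactForLog(payload) });
}
```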
Unvalidated External API Responses
• Keeper trusted ODOS responses without verifying expiration or token outputs.
• Remediation: Added response validation and timeout handling.
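The token allowlist finding in the smart contract section and the unvalidated ODOS response finding above share one keeper-side control: validate the quote before the swap is submitted. The following is an added example, not Synthetix or Guardian code. The quote fields (inputToken, outputToken, outAmount, expiresAt) are a constructed stand-in for an aggregator response, not the real ODOS schema, and the addresses are placeholders.

```javascript
// Added example (not Synthetix or Guardian code): gate an aggregator quote on
// expiration, token identity, an allowlist, and a minimum output before the
// keeper executes it. Every failed check is returned so the caller can alert
// rather than silently retry.

// Constructed placeholder addresses; a real allowlist holds only the vault's
// deposit and reward tokens.
const ALLOWED_OUTPUT_TOKENS = new Set([
  "0x00000000000000000000000000000000000000a1", // placeholder: vault asset
  "0x00000000000000000000000000000000000000a2", // placeholder: reward token
]);

// Minimum acceptable output from a reference price (num/den) and a slippage
// tolerance in basis points, computed in BigInt so 18-decimal amounts are exact.
function minOutFromReference(amountIn, refPriceNum, refPriceDen, slippageBps) {
  return (amountIn * refPriceNum * BigInt(10000 - slippageBps)) / (refPriceDen * 10000n);
}

// expected = { inputToken, outputToken, minOut (BigInt) }; nowSec is unix time.
// Returns { ok: true } or { ok: false, reasons: [...] }.
function validateQuote(quote, expected, nowSec) {
  const reasons = [];
  if (!quote || typeof quote !== "object") {
    return { ok: false, reasons: ["empty or malformed quote"] };
  }
  const inTok = String(quote.inputToken || "").toLowerCase();
  const outTok = String(quote.outputToken || "").toLowerCase();
  if (inTok !== expected.inputToken.toLowerCase()) reasons.push("input token mismatch");
  if (outTok !== expected.outputToken.toLowerCase()) reasons.push("output token mismatch");
  if (!ALLOWED_OUTPUT_TOKENS.has(outTok)) reasons.push("output token not allowlisted");
  // A stale quote was priced against market state that no longer holds.
  const exp = Number(quote.expiresAt);
  if (!Number.isFinite(exp) || exp <= nowSec) reasons.push("quote expired");
  // Parse the amount as BigInt; anything unparseable counts as missing.
  let outAmount = null;
  try { outAmount = BigInt(quote.outAmount); } catch (e) { outAmount = null; }
  if (outAmount === null || outAmount <= 0n) reasons.push("missing output amount");
  else if (outAmount < expected.minOut) reasons.push("output below minimum");
  return reasons.length ? { ok: false, reasons } : { ok: true };
}
```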
These findings illustrate the critical role of Web2 infrastructure in maintaining the integrity and security of modern DeFi systems. Guardian's full-stack security approach ensured both smart contracts and supporting cloud systems were thoroughly vetted.
In addition to manual review, we provided the SNX team with:
• A hardened invariant fuzzing suite for continued assurance
• More secure AWS configurations across IAM roles, secret management, and API authorization
• Greater resilience in vault reward accounting and migration logic
Guardian's unique approach ensured high coverage across both smart contract and cloud execution layers.
Total Findings: 65
Critical/High Resolved: 5 / 5
Web2 Security Issues: 20+
Fuzzing Runs: 20,000,000+
Audit Duration: 10 Days
Network: Base