
Synthetix Auto-Compound LP Vault Case Study | Guardian

“Having seen many audits over many years, no one even comes close to Guardian's approach, and the quality of their audit is unmatched.”

Kaleb

Synthetix Core Contributor

Overview


This case study highlights Guardian's security review of Synthetix's Auto-Compound LP Vault and its Keeper infrastructure, a critical component of their vault-based architecture on the Base network. The full audit report is available here.


Guardian


Guardian provides leading web3 teams with institutional-grade security, redefining audits with dual independent security teams, specialized fuzzing engineers, and an aggressive vulnerability discovery methodology. This approach consistently drives maximum issue discovery, ensuring projects ship with unmatched confidence.


Synthetix


Synthetix is a leading web3 derivatives protocol offering perps, tokenized strategies, and vaults. Their Auto-Compound LP Vault automates yield strategies for depositors by combining Aave yield with Synthetix reward flows and compounding logic, secured through complex onchain and keeper-managed infrastructure.


Why Guardian?


As a trusted security partner for Synthetix, with expertise in both vault architecture and keeper-based execution flows, Guardian was uniquely suited to assess the nuanced logic, external dependencies, and cross-layer security challenges present in the Auto-Compound LP Vault. The combination of fuzzing, state validation, and dual-team review was critical in identifying and remediating edge-case vulnerabilities.


Audit Methodology


Guardian's audit approach combined dual-team smart contract analysis, invariant testing, web2 security coverage, and more:


• Dual-team code review, conducted by independent teams of Guardian SRs to maximize vulnerability discovery

• Fuzzing and invariant testing, with over 20 million runs to validate critical protocol behaviors and edge-case failures

• Web2 infrastructure review, including keeper logic, AWS IAM roles, API Gateway exposure, Lambda configuration, and secret management

• Comprehensive attack surface modeling, focused on cross-chain flows, vault accounting, slippage edge cases, and rate manipulation risks


Key Findings & Remediations


Guardian identified 65 total vulnerabilities, including 1 Critical and 4 High severity issues. All have been fully resolved by the SNX team.


Below is a breakdown of the highest-impact findings:


Critical: Unauthorized Rewards Claiming


Impact: Any user could drain rewards from the Synthetix registry, permanently locking them and breaking vault yield flows.

Fix: The rewards-claiming function was made internal and access-restricted.


High: Meta-Transaction Incompatibility with ERC2771


Impact: Forwarder-based transfers would fail silently, breaking UX and vault composability.

Fix: Corrected context usage for _msgSender().


High: USDC Reward Misaccounting


Impact: Decimal mismatch would break reward claiming for USDC, leading to vault-wide DoS.

Fix: Added proper decimal conversions to align reward tokens with vault expectations.


High: Keeper Swaps Unconfigured Tokens


Impact: Swapping SNX and unknown tokens could cause reward spikes or sandwich risk.

Fix: Added strict token allowlist and alerting logic.


Web2 Security Findings


As part of Guardian's full-stack security model, we conducted a thorough review of the offchain infrastructure powering the Auto-Compound LP Keeper, including AWS Lambda, API Gateway, and IAM configurations.


Web2 components are often the weakest link in Web3 systems. With deep expertise in both cloud and application-layer security, Guardian ensures that infrastructure risks such as exposed APIs, leaked secrets, and misconfigured permissions are surfaced and addressed alongside smart contract vulnerabilities.


Key Web2 Vulnerabilities Identified:


Public API Gateway Without Authentication

• Anyone could trigger vault actions via a public endpoint.

Remediation: Partially resolved with improved access control; additional auth recommended.


Plaintext Secrets & Hardcoded Keys

• Sensitive credentials and RPC keys were embedded in source files.

Remediation: Migrated to AWS Secrets Manager with access controls.


Over-Permissive IAM Roles

• Default Lambda roles had excessive permissions.

Remediation: Guardian recommended least-privilege custom roles.


No Throttling / Rate Limits

• The API gateway was vulnerable to denial-of-service through traffic flooding.

Remediation: Rate limiting partially implemented; usage plans advised.


Sensitive Logging and Short Retention

• Full payload logs including private keys were written to CloudWatch with only 1-week retention.

Remediation: Log filtering and longer retention periods implemented.


Unvalidated External API Responses

• Keeper trusted ODOS responses without verifying expiration or token outputs.

Remediation: Added response validation and timeout handling.
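The two keeper findings above (swapping tokens that were never configured, and trusting an aggregator's quote without checking its expiry or outputs) share one defensive shape: refuse anything not on an explicit allowlist, bound the external call with a timeout, and verify every field of the response against what the keeper itself requested and against an independent reference before sending a transaction. The Python below is an added illustration written for this case study; it is not code from the Synthetix keeper or from Guardian's report. The allowlist contents, the placeholder token addresses, the quote field names (token_in, token_out, amount_in, amount_out, expires_at), and the reference_out input (an output amount derived from a price source independent of the aggregator) are all assumptions and do not describe the ODOS API.

```python
"""Keeper-side pre-trade guards. Added illustration, not the Synthetix keeper's code."""
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FuturesTimeout
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union
import time

# Constructed allowlist keyed by lower-cased token address.
# The addresses are placeholders, not real token contracts.
ALLOWED_TOKENS = {
    "0xusdc_placeholder": "USDC",
    "0xweth_placeholder": "WETH",
}


@dataclass(frozen=True)
class SwapRequest:
    token_in: str
    token_out: str
    amount_in: int          # base units of token_in
    max_slippage_bps: int   # 50 == 0.50 %


class SwapRejected(Exception):
    """Raised for any reason the keeper must not execute the swap."""


def check_allowlist(req: SwapRequest) -> None:
    """Refuse to touch any token that operators have not explicitly configured."""
    for token in (req.token_in, req.token_out):
        if token.lower() not in ALLOWED_TOKENS:
            raise SwapRejected(f"token not on allowlist: {token}")


def fetch_with_timeout(fetch: Callable[[SwapRequest], dict],
                       req: SwapRequest, timeout_s: float) -> dict:
    """Call the quote provider, but give up after timeout_s instead of hanging the keeper."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(fetch, req).result(timeout=timeout_s)
    except FuturesTimeout:
        raise SwapRejected("quote provider timed out")
    except Exception as exc:  # network or decoding failure inside the provider call
        raise SwapRejected(f"quote provider error: {exc}")
    finally:
        pool.shutdown(wait=False)


def validate_quote(req: SwapRequest, quote: dict, reference_out: int, now: float) -> int:
    """Check the quote against the request and an independent reference output.

    Returns the minimum output amount the keeper should enforce on-chain.
    Field names below are assumed for illustration, not the ODOS response format.
    """
    required = ("token_in", "token_out", "amount_in", "amount_out", "expires_at")
    missing = [k for k in required if k not in quote]
    if missing:
        raise SwapRejected(f"quote missing fields: {missing}")
    if float(quote["expires_at"]) <= now:
        raise SwapRejected("quote expired")
    if (quote["token_in"].lower() != req.token_in.lower()
            or quote["token_out"].lower() != req.token_out.lower()):
        raise SwapRejected("quote tokens do not match request")
    if int(quote["amount_in"]) != req.amount_in:
        raise SwapRejected("quote amount_in does not match request")
    # Slippage floor comes from the keeper's own reference, never from the quote itself.
    min_out = reference_out * (10_000 - req.max_slippage_bps) // 10_000
    if int(quote["amount_out"]) < min_out:
        raise SwapRejected(f"quoted output {quote['amount_out']} below floor {min_out}")
    return min_out


def evaluate_swap(req: SwapRequest, fetch: Callable[[SwapRequest], dict],
                  reference_out: int, now: Optional[float] = None,
                  timeout_s: float = 2.0,
                  alert: Optional[Callable[[str], None]] = None) -> Tuple[bool, Union[int, str]]:
    """Run every guard. Returns (True, min_out) or (False, reason); alerts on rejection."""
    now = time.time() if now is None else now
    try:
        check_allowlist(req)
        quote = fetch_with_timeout(fetch, req, timeout_s)
        return True, validate_quote(req, quote, reference_out, now)
    except SwapRejected as exc:
        if alert is not None:
            alert(f"swap rejected: {exc}")  # page operators instead of swapping blindly
        return False, str(exc)


if __name__ == "__main__":
    # Constructed request: 1000 USDC (6 decimals) into WETH with a 0.5 % slippage bound.
    req = SwapRequest("0xUSDC_placeholder", "0xWETH_placeholder", 1_000_000_000, 50)
    constructed_quote = {
        "token_in": "0xusdc_placeholder", "token_out": "0xweth_placeholder",
        "amount_in": 1_000_000_000, "amount_out": 399_000_000_000_000_000,
        "expires_at": time.time() + 60,
    }
    print(evaluate_swap(req, lambda r: constructed_quote,
                        reference_out=400_000_000_000_000_000, alert=print))
```

The reference output is the important design choice: if the floor were derived from the aggregator's own quote, a manipulated or stale quote would simply lower its own floor, so the keeper needs a price it obtained elsewhere. Rejections are reported through the alert callback rather than retried silently, so an unconfigured token or a provider outage shows up in monitoring instead of in a bad trade.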


These findings illustrate the critical role of Web2 infrastructure in maintaining the integrity and security of modern DeFi systems. Guardian's full-stack security approach ensured both smart contracts and supporting cloud systems were thoroughly vetted.


Results & Impact


In addition to manual review, we provided the SNX team with:


• A hardened invariant fuzzing suite for continued assurance

• More secure AWS configurations across IAM roles, secret management, and API authorization

• Greater resilience in vault reward accounting and migration logic


Guardian's unique approach ensured high coverage across both smart contract and cloud execution layers.


Key Metrics


Total Findings: 65

Critical/High Resolved: 5 / 5

Web2 Security Issues: 20+

Fuzzing Runs: 20,000,000+

Audit Duration: 10 Days

Network: Base