
Guardian - Umami
Case Study

“Our experience with Guardian has been amazing; the level of detail they went to in reviewing the code as well as understanding the conceptual ideas enabled them to highlight important security considerations throughout the codebase. All security researchers on the team were exceptional at understanding all intricacies of the design, and the team is well suited to audit any novel DeFi product that comes their way.”

Umami Chan

Umami DAO

Overview

This document serves as an exposition of the Guardian security review process, detailing an engagement between the Guardian team and Umami Finance.

Guardian

Guardian is a Smart Contract security service provider re-imagining the traditional audit model with two competing internal Guardian teams, Smart Contract fuzzing, and a Pay-Per-Vulnerability pricing alternative. Guardian’s novel approach effectively incentivizes their security team to uncover as many vulnerabilities as possible and leave no stone unturned.

Umami Finance

Umami is a hybrid Decentralized Finance (DeFi) protocol pioneering the institutional adoption of DeFi. Umami offers yield vaults which employ a capital-efficient hedging strategy that mitigates depositors’ exposure to unwanted market delta in GMX V2 markets while continuing to pass on nearly all of its highly competitive APR.

Why Guardian?

Guardian boasts a security team with extensive experience in banking, DeFi, economics, trading, and software correctness. As Umami was launching the Smart Contract infrastructure for their delta-neutral GM vaults, it was paramount to engage a team with rigorous experience with GMX. Having spent over a year performing security analysis on the GMX V2 perpetuals system, Guardian was a clear choice.

"The Guardian team was responsive and thorough in their approach to reviewing and testing the code. Any questions we had were answered promptly and they gave advice on different aspects of the code even before the audit began."

Umami Chan

Umami DAO

The Report

Report Link (github.com)

Dissecting The Security Review

In the 3-week period from December 11th to December 29th, Umami engaged Guardian to perform a security review of their GM vaults, which use Umami's own internal hedging mechanisms. During the engagement, 6 security researchers uncovered multiple Critical and High severity findings in the project.

The Kickoff Call

The engagement officially began on December 11th, with a kickoff call between Guardian and Umami held the day prior. During the kickoff call, members of the Umami team shared an overview of their vaults and answered probing questions from Guardian security researchers.

"Any questions we had were answered promptly and they gave advice on different aspects of the code even before the audit began."

Umami Chan

Umami DAO

The Research

Following the kickoff call, the Guardian team focused first on gaining a deep understanding of the codebase, constructing diagrams and carrying out internal discussions on the behavior of the system.

Following these discussions, Guardian identified several key points in the Umami system which were vulnerable to exploitation. These findings were immediately shared with the Umami team using a shared Notion database for the engagement.

The Testing

After gaining a strong understanding of the logic of Umami’s Smart Contract system and having battle-tested it through manual review, Guardian elected to provide further assurance on the system with both stateful and stateless fuzzing efforts.

Guardian’s fuzzing efforts proved fruitful, uncovering findings such as "AV-1" and "LCY-1", which were promptly shared with the Umami team.

The Remediation

While Guardian continued the security review, Umami engineers were able to implement the recommendations as they were made, since findings and recommendations were shared throughout the engagement.

After completing the two-week period focused on the frozen commit, Guardian conducted a comprehensive review of the remediations made by Umami. Guardian systematically verified that the remediations resolved the issues uncovered and did not introduce any new issues.

“Guardian discovered notable vulnerabilities which would have greatly impacted the protocol security if not uncovered. They did a good job at uncovering these early.”

Umami Chan

Umami DAO

Results

Throughout the 3-week engagement, Guardian uncovered 3 Critical, 6 High, 8 Medium, and 41 Low findings, which were remediated by the Umami team and promptly reviewed by Guardian.

Guardian’s attention to detail and immense verification efforts were key in preparing the codebase for a successful launch.

“I would recommend Guardian to others looking for a comprehensive audit specifically for complex projects.”

Umami Chan

Umami DAO