Lombard Finance’s Liquid Bitcoin protocol allows users to obtain bridged Bitcoin in the form of Solana SPL Tokens (referred to as LBTC).
Lombard Finance engaged Ackee Blockchain Security to perform a security review with a total time donation of 12 engineering days between March 3 and March 18, 2025 (the first audit).
A fix review (Revision 1.1) was then performed on the fixes from that first audit.
Lombard Finance then engaged Ackee Blockchain Security to perform another security review of the Liquid Bitcoin protocol with a total time donation of 3 engineering days between March 25 and March 28, 2025 (Revision 2.0).
A second fix review (Revision 2.1) was then performed on the fixes from Revision 2.0; the codebase at that commit also contained additions that fell outside the review scope, as detailed below.
METHODOLOGY
We began our review by familiarizing ourselves with the codebase and the business logic of the scope. A significant amount of time was spent reviewing the documentation and researching the broader scope of the protocol (e.g., Babylon Bitcoin staking).
After completing the initial research, we proceeded with the manual review of the codebase. The manual review consisted of multiple stages, with the first stage focusing on understanding the codebase in general:
- the components of the Solana program;
- all instructions the program accepts;
- the architecture and structure of the codebase; and
- all information the project stores on-chain.
After establishing this initial understanding, we moved forward with the second stage, where we performed a line-by-line code review. This consisted of more in-depth analysis of the code, examining potential issues, bugs, and security concerns.
During the manual review, we paid special attention to:
- ensuring the project is correctly initialized and configured;
- verifying the minting of LBTC is securely handled;
- confirming the validation process cannot be bypassed;
- ensuring the protocol behaves transparently and as expected;
- verifying there are no mechanisms which could be used against users; and
- looking for common issues which could occur in the codebase.
During the review of the Bascule program, we confirmed that the protocol works as intended with proof-of-concept tests. The review then continued with a deeper examination of the program, during which we ensured that:
- it is correctly used during the Cross-Program Invocation (CPI) from the LBTC program;
- only the appointed reporter can submit new deposits;
- only the appointed validator can validate the deposits;
- all potential scenarios are correctly covered (for example, scenarios where the deposit is under the threshold of validation); and
- all mint requests are still correctly validated and cannot be bypassed.
SCOPE
The first audit was performed on commit 9171ae4 and the scope was the following:
- Lombard Finance Solana Contracts, excluding external dependencies
Revision 1.1 was performed on commit ca1ccb2 and focused on the fixes from the first audit.
Revision 2.0 was performed on commit c96dc36 and the scope was the following:
- Lombard Finance Solana Contracts, excluding external dependencies;
- Bascule program, excluding external dependencies.
Revision 2.1 was then performed on commit 9001c77 and reviewed the fixes provided in response to Revision 2.0. The codebase at that commit also contained additions to the source code (e.g., change_mint_auth) that were not reviewed, as they were not in scope during Revision 2.0.
FINDINGS
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity by impact, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the Warning or Informational severity ratings.
Our review resulted in 22 findings, ranging from Info to High severity. The issues were either fixed or acknowledged by the client. Read the full report linked below for the complete overview.
Critical severity
No critical severity issues were found.
High severity
H1: Possible unauthorized LBTC minting
Medium severity
M1: Possible inadequate fees
M2: Possible initialization front-running
M3: Redeem does not allow for assets refund
M4: Minters are a security hazard
M5: Inability to execute Cross Program Invocation due to Config account being Rent payer
M6: Inability to execute Cross Program Invocation due to immutable account
Low severity
L1: Uniqueness of Role-based Access Control is not guaranteed
Warning severity
W1: Inability to transfer Config authority
W2: Treasury could make protocol non-operational
W3: Weighted validator signatures
W4: Deprecated Cross Program Invocation call
W5: Fields might be uninitialized
W6: UnstakeRequest does not take fee into consideration
W7: Potential panicking due to arithmetic overflow
W8: Unexpected behavior in vector boundaries
W9: Unfinished code may trigger undesired behavior
W10: Bascule Initialization front-running
W11: Inability to transfer BasculeData authority
Informational severity
I1: Inaccurate comment
I2: Code quality can be improved
I3: Unnecessary storage of the Bascule program in the Config account
TRUST MODEL
Although the protocol implements Role-Based Access Control (RBAC) with multiple permission levels and the message validation process is correctly implemented, users must trust:
- the Config admin to set appropriate operational fees;
- the Config admin to assign minters with security considerations, as minters can mint new tokens into circulation on the Solana blockchain (described in M4);
- the protocol to maintain adequate validation, since the minimum limit for off-chain validators is set to 1 (enabling potential centralization, described in W3); and
- the protocol to correctly initialize the LBTC token, which means not misusing the freeze_authority or the available Token-2022 extensions.
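The last item of the trust model is one a holder can check from account data rather than take on faith. The following Python script is an added example, not code from Lombard Finance or Ackee Blockchain Security: it parses a serialized SPL Token or Token-2022 mint account and reports whether a mint_authority and a freeze_authority are set and which Token-2022 extensions are present. The account layout constants and the extension discriminant table are assumed from the spl-token and spl-token-2022 account formats (unrecognized extension types are reported by number, not guessed), and the mint bytes produced by build_mint() are constructed fixtures rather than mainnet data. In practice you would fetch the LBTC mint account with getAccountInfo and pass its raw bytes to parse_mint().

```python
"""Inspect a serialized SPL Token / Token-2022 mint account and list what a
holder has to trust: who can mint, who can freeze, and which extensions exist.

Added example, not code from Lombard Finance or Ackee. Layout (assumed from the
spl-token / spl-token-2022 account formats):
  * Legacy Mint is 82 bytes: COption<Pubkey> mint_authority (u32 tag + 32 bytes),
    u64 supply, u8 decimals, u8 is_initialized, COption<Pubkey> freeze_authority.
  * A Token-2022 mint with extensions is zero-padded to 165 bytes, byte 165 is the
    AccountType tag (2 = Mint), and TLV entries (u16 type, u16 len, data) follow
    from byte 166 until a type-0 (Uninitialized) entry or the end of the data.
The bytes produced by build_mint() are constructed fixtures, not mainnet data.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

MINT_LEN = 82
ACCOUNT_TYPE_OFFSET = 165
TLV_START = 166
ACCOUNT_TYPE_MINT = 2

# Subset of Token-2022 ExtensionType discriminants (assumed from the program's
# enum); anything else is reported as Unknown(n) rather than guessed.
EXTENSION_NAMES = {
    1: "TransferFeeConfig", 3: "MintCloseAuthority", 6: "DefaultAccountState",
    9: "NonTransferable", 12: "PermanentDelegate", 14: "TransferHook",
    18: "MetadataPointer", 19: "TokenMetadata",
}
# Extensions that hand an authority power over holders' balances or transfers.
HOLDER_AFFECTING = {"TransferFeeConfig", "DefaultAccountState", "NonTransferable",
                    "PermanentDelegate", "TransferHook"}


@dataclass
class MintReport:
    mint_authority: Optional[bytes]
    freeze_authority: Optional[bytes]
    supply: int
    decimals: int
    extensions: List[str] = field(default_factory=list)

    def trust_warnings(self) -> List[str]:
        """Plain-language list of the powers a holder is implicitly trusting."""
        warnings = []
        if self.mint_authority is not None:
            warnings.append(f"mint_authority {self.mint_authority.hex()[:8]}... can mint "
                            "new supply (expected for a bridged token; check it is the "
                            "bridge program's PDA)")
        if self.freeze_authority is not None:
            warnings.append(f"freeze_authority {self.freeze_authority.hex()[:8]}... can "
                            "freeze any holder's token account")
        for ext in self.extensions:
            if ext in HOLDER_AFFECTING:
                warnings.append(f"extension {ext} gives an authority control over "
                                "holders' tokens or transfers")
        return warnings


def _read_coption_pubkey(data: bytes, offset: int) -> Optional[bytes]:
    tag = struct.unpack_from("<I", data, offset)[0]
    if tag == 0:
        return None
    if tag == 1:
        return bytes(data[offset + 4:offset + 36])
    raise ValueError(f"invalid COption tag {tag} at offset {offset}")


def parse_mint(data: bytes) -> MintReport:
    if len(data) < MINT_LEN:
        raise ValueError("account too short to be a mint")
    mint_authority = _read_coption_pubkey(data, 0)
    supply = struct.unpack_from("<Q", data, 36)[0]
    decimals = data[44]
    if data[45] != 1:
        raise ValueError("mint is not initialized")
    freeze_authority = _read_coption_pubkey(data, 46)
    report = MintReport(mint_authority, freeze_authority, supply, decimals)

    if len(data) == MINT_LEN:
        return report  # legacy layout (or a Token-2022 mint without extensions)
    if len(data) < TLV_START or data[ACCOUNT_TYPE_OFFSET] != ACCOUNT_TYPE_MINT:
        raise ValueError("extended account is not tagged as a Token-2022 mint")
    pos = TLV_START
    while pos + 4 <= len(data):
        ext_type, ext_len = struct.unpack_from("<HH", data, pos)
        if ext_type == 0:
            break  # Uninitialized entry terminates the TLV list
        pos += 4
        if pos + ext_len > len(data):
            raise ValueError(f"extension {ext_type} is truncated")
        report.extensions.append(EXTENSION_NAMES.get(ext_type, f"Unknown({ext_type})"))
        pos += ext_len
    return report


def _coption(key: Optional[bytes]) -> bytes:
    return struct.pack("<I", 1) + key if key else struct.pack("<I", 0) + bytes(32)


def build_mint(mint_authority: Optional[bytes], freeze_authority: Optional[bytes],
               supply: int, decimals: int,
               extensions: Sequence[Tuple[int, bytes]] = ()) -> bytes:
    """Constructed fixture: serialize a mint the same way parse_mint() reads it."""
    base = (_coption(mint_authority) + struct.pack("<Q", supply)
            + bytes([decimals, 1]) + _coption(freeze_authority))
    if not extensions:
        return base
    out = base + bytes(ACCOUNT_TYPE_OFFSET - MINT_LEN) + bytes([ACCOUNT_TYPE_MINT])
    for ext_type, payload in extensions:
        out += struct.pack("<HH", ext_type, len(payload)) + payload
    return out


if __name__ == "__main__":
    # Constructed: both authorities set plus a PermanentDelegate extension,
    # exactly the kind of configuration a holder should notice.
    sample = build_mint(b"\x11" * 32, b"\x22" * 32, 21_000_000 * 10**8, 8,
                        extensions=[(12, b"\x33" * 32), (18, bytes(64))])
    for line in parse_mint(sample).trust_warnings():
        print("-", line)
```

A mint authority is unavoidable for a bridged asset (someone has to mint against Bitcoin deposits; see M4), so the useful checks are that the freeze authority is unset or held by an address the protocol documents, and that no extension such as PermanentDelegate or TransferHook is present without an explanation in the protocol's documentation.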
CONCLUSION
Ackee Blockchain Security recommended that Lombard Finance address all reported issues.
Ackee Blockchain Security’s full Lombard Finance Liquid Bitcoin audit report can be found here.
We were delighted to audit Lombard Finance and look forward to working with them again.