{"id":1115,"date":"2025-08-25T17:22:08","date_gmt":"2025-08-25T15:22:08","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1115"},"modified":"2025-08-25T23:37:32","modified_gmt":"2025-08-25T21:37:32","slug":"lombard-liquid-bitcoin-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/lombard-liquid-bitcoin-audit-summary\/","title":{"rendered":"Lombard Liquid Bitcoin Audit Summary"},"content":{"rendered":"<p class=\"p1\">Lombard Finance&#8217;s Liquid Bitcoin protocol allows users to obtain bridged Bitcoin in the form of Solana SPL Tokens (referred to as <code class=\"codehl\">LBTC<\/code>).<\/p>\n<p class=\"p1\">Lombard Finance engaged Ackee Blockchain Security to perform a security review with a total time donation of 12 engineering days in a period between March 3 and March 18, 2025.<\/p>\n<p>A second review, a fix review, was then performed on the fixes from the first revision.<\/p>\n<p>Lombard Finance then engaged Ackee Blockchain Security to perform another security review of the Liquid Bitcoin protocol with a total time donation of 3 engineering days in a period between March 25 and March 28, 2025.<\/p>\n<p>A fix review of the second revision was then performed on the fixes from Revision 2.0, including an extension to the scope as detailed below.<\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p class=\"p1\">We began our review by familiarizing ourselves with the codebase and the business logic of the scope. A significant amount of time was spent reviewing the documentation and researching the broader scope of the protocol (e.g., Babylon Bitcoin staking).<\/p>\n<p class=\"p1\">After completing the initial research, we proceeded with the manual review of the codebase. 
The manual review consisted of multiple stages, with the first stage focusing on understanding the codebase in general:<\/p>\n<ul>\n<li class=\"p1\">the components of the Solana program;<\/li>\n<li class=\"p1\">all instructions the program accepts;<\/li>\n<li class=\"p1\">the architecture and structure of the codebase; and<\/li>\n<li class=\"p1\">all information the project stores on-chain.<\/li>\n<\/ul>\n<p>After establishing this initial understanding, we moved forward with the second stage, where we performed a line-by-line code review. This consisted of a more in-depth analysis of the code, examining potential issues, bugs, and security concerns.<\/p>\n<p>During the manual review, we paid special attention to:<\/p>\n<ul>\n<li>ensuring the project is correctly initialized and configured;<\/li>\n<li>verifying the minting of LBTC is securely handled;<\/li>\n<li>confirming the validation process cannot be bypassed;<\/li>\n<li>ensuring the protocol behaves transparently and as expected;<\/li>\n<li>verifying there are no mechanisms which could be used against users; and<\/li>\n<li>looking for common issues which could occur in the codebase.<\/li>\n<\/ul>\n<p>During the review of the Bascule program, we verified that the protocol works as intended using proof-of-concept tests. 
The review continued with a deeper understanding of the program, during which we ensured that:<\/p>\n<ul>\n<li>it is correctly used during the Cross-Program Invocation (CPI) from the LBTC program;<\/li>\n<li>only the appointed reporter can submit new deposits;<\/li>\n<li>only the appointed validator can validate the deposits;<\/li>\n<li>all potential scenarios are correctly covered (for example, scenarios where the deposit is under the threshold of validation); and<\/li>\n<li>all mint requests are still correctly validated and cannot be bypassed.<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p>The first audit was performed on commit <code class=\"codehl\">9171ae4<\/code> and the scope was the following:<\/p>\n<ul>\n<li>Lombard Finance Solana Contracts, excluding external dependencies<\/li>\n<\/ul>\n<p>Revision 1.1 was performed on the given commit <code class=\"codehl\">ca1ccb2<\/code> and focused on the fixes from the first audit.<\/p>\n<p>Revision 2.0 was performed on the commit <code class=\"codehl\">c96dc36<\/code> and the scope was the following:<\/p>\n<ul>\n<li>Lombard Finance Solana Contracts, excluding external dependencies;<\/li>\n<li>Bascule program, excluding external dependencies.<\/li>\n<\/ul>\n<p>Revision 2.1 was then performed on commit <code class=\"codehl\">9001c77<\/code> on the fixes provided in Revision 2.0. The scope contained additions to the source code (e.g., <code class=\"codehl\">change_mint_auth<\/code>) that were not reviewed, as these additions were not in the scope during Revision 2.0.<\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The classification of a security finding is determined by two ratings: <\/span><b>impact<\/b><span style=\"font-weight: 400;\"> and <\/span><b>likelihood<\/b><span style=\"font-weight: 400;\">. This two-dimensional classification helps clarify the severity of individual issues. 
Issues which would be rated as <\/span><i><span style=\"font-weight: 400;\">medium<\/span><\/i><span style=\"font-weight: 400;\"> severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the <\/span><i><span style=\"font-weight: 400;\">Warning<\/span><\/i><span style=\"font-weight: 400;\"> or <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> severity ratings.<\/span><\/p>\n<p class=\"p1\">Our review resulted in <strong>22 findings<\/strong>, ranging from Info to High severity. The issues were either fixed or acknowledged by the client. Read the full report linked below for the complete overview.<\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p>No critical severity issues were found.<\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p>H1: Possible unauthorized LBTC minting<\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p>M1: Possible inadequate fees<\/p>\n<p>M2: Possible initialization front-running<\/p>\n<p>M3: Redeem does not allow for assets refund<\/p>\n<p>M4: Minters are a security hazard<\/p>\n<p>M5: Inability to execute Cross Program Invocation due to Config account being Rent payer<\/p>\n<p>M6: Inability to execute Cross Program Invocation due to immutable account<\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p>L1: Uniqueness of Role-based Access Control is not guaranteed<\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p>W1: Inability to transfer Config authority<\/p>\n<p>W2: Treasury could make protocol non-operational<\/p>\n<p>W3: Weighted validator signatures<\/p>\n<p>W4: Deprecated Cross Program Invocation call<\/p>\n<p>W5: Fields might be uninitialized<\/p>\n<p>W6: <code class=\"codehl\">UnstakeRequest<\/code> does not take fee into consideration<\/p>\n<p>W7: Potential 
panicking due to arithmetic overflow<\/p>\n<p>W8: Unexpected behavior in vector boundaries<\/p>\n<p>W9: Unfinished code may trigger undesired behavior<\/p>\n<p>W10: Bascule Initialization front-running<\/p>\n<p>W11: Inability to transfer <code class=\"codehl\">BasculeData<\/code> authority<\/p>\n<h3><span style=\"font-weight: 400;\">Informational severity<\/span><\/h3>\n<p>I1: Inaccurate comment<\/p>\n<p>I2: Code quality can be improved<\/p>\n<p>I3: Unnecessary storage of the Bascule program in the Config account<\/p>\n<h2><span style=\"font-weight: 400;\">TRUST MODEL<\/span><\/h2>\n<p class=\"p1\">Although the protocol implements Role-Based Access Control (RBAC) with multiple permission levels and the message validation process is correctly implemented, users must trust:<\/p>\n<ul>\n<li class=\"p1\">the Config admin to set appropriate operational fees;<\/li>\n<li class=\"p1\">the Config admin to assign minters with security considerations, as minters can mint new tokens into circulation on the Solana blockchain (described in M4);<\/li>\n<li class=\"p1\">the protocol to maintain adequate validation, since the minimum limit for off-chain validators is set to 1 (enabling potential centralization, described in W3); and<\/li>\n<li class=\"p1\">the protocol to correctly initialize the <code class=\"codehl\">LBTC<\/code> token, which means not misusing the <code class=\"codehl\">freeze_authority<\/code> or available Token-2022 extensions.<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p class=\"p1\"><a href=\"https:\/\/ackee.xyz\">Ackee Blockchain Security<\/a> recommended that Lombard Finance address all reported issues.<\/p>\n<p><b>Ackee Blockchain Security\u2019s full Lombard Finance Liquid Bitcoin audit report can be found <\/b><a href=\"https:\/\/github.com\/lombard-finance\/sol-svm-contracts\/blob\/main\/docs\/audit\/Ackee_V1.pdf\"><b>here<\/b><\/a><b>.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We were delighted to audit Lombard 
Finance and look forward to working with them again.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lombard Finance&#8217;s Liquid Bitcoin protocol allows users to obtain bridged Bitcoin in the form of Solana SPL Tokens (referred to as LBTC). Lombard Finance engaged Ackee Blockchain Security to perform a security review with a total time donation of 12 engineering days in a period between March 3 and March 18, 2025. A second, fix review was performed on the fixes from&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,5,113],"tags":[21,89,6,114],"class_list":["post-1115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-solana","category-trident","tag-audit","tag-audit-summary","tag-solana","tag-trident"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/08\/Lombard-cover-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/08\/Lombard-cover-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 
Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1115"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1115\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1117"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}