Ion Protocol: Our Approach to Protocol Security

Introduction

Over a billion dollars has been lost from protocol hacks in 2023. Not only were recent entrants DeFi some of the most affected, but many of the most prominent protocols in the ecosystem including Curve, Euler, Kyber Network, Multichain, and more have experienced the shortfalls of security exploits. We are no longer in a time where depending on only security audits is sufficient to cover the risks and vulnerabilities that DeFi protocols are exposed to. We at Ion Protocol realize the inherent difficulty in building a protocol that can withstand the test of time, and we are dedicating ourselves to taking as many steps as possible to minimize the presence of contract risk in our architecture.

In anticipation of our Audit Competition with Hats Finance and our mainnet launch, we’re sharing some of our internal practices around smart contract risk mitigation and the public steps we’re taking in our protocol rollout to minimize user risk exposure as much as possible.

Stick to the end to read about how you can enter into our Audit Competition to contribute to the security of Ion Protocol!

Ion’s Internal Testing Suite

Our first line of defense is our internal team’s extensive testing and security reviews. We’ve developed an extensive internal testing suite to help us dial in on any vulnerabilities or attack vectors before initiating external codebase reviews from security researchers and auditors.

Unit Tests

The first step we take is unit testing. This ensures that each small part of the contract behaves as expected. Unit tests are specialized software tests that verify the smallest parts of an application, typically individual functions or methods. By isolating and testing individual functions, we can assert their correctness under various conditions, thereby building a strong foundation for the overall security of the system. The use of unit tests also facilitates easier maintenance and debugging since problems can be quickly identified and resolved at the unit level before they escalate into more complex issues.

Fuzzing

Given the dynamic and unpredictable nature of state variables in our contracts, such as rate accumulators, we employ extensive fuzzing on top of the baseline expectation of comprehensive unit testing. Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as inputs to a codebase. This is achieved by automatically generating a wide range of inputs to ensure the program can handle unexpected or extreme cases. We use tools like Foundry invariant tests, which stress test contracts in randomized states. This approach is crucial for uncovering bugs that might slip past unit tests.

Additionally, we use Echidna for extended fuzzing campaigns — verifying invariants in a simulated long-term environment with randomized borrower and lender actions, along with fluctuating market conditions. An example of a common invariant in lending markets is ensuring that the total amount of WETH claimable by all lenders never exceeds the sum of idle lender liquidity plus the total amount of debt owed by borrowers at any given time.

wETHClaimable ≤ idleLenderLiquidity + totalDebtOwed

This method is particularly effective in complex systems like financial contracts, where the number of possible states can be vast, and traditional testing methods might not uncover every potential issue.

Fork Tests

Despite extensive unit and fuzz testing, it is not sufficient to test protocols like Ion in a vacuum. Fork tests play a critical role to provide more realistic simulations of market conditions. A fork test involves creating a copy, or a ‘fork,’ of the entire blockchain state, like Ethereum’s mainnet. This allows us to test Ion in an environment that closely mirrors the actual blockchain, including real-world data and interactions.

In addition to testing in isolated environments, we conduct fork tests to evaluate how Ion performs in conditions closer to reality. Testing on mainnet forks allows us to simulate actual integrations with our partner liquid staking providers and automated market makers (AMMs). By doing so, we can observe how the protocol behaves in an ecosystem with realistic data and assets, ensuring that our system is robust against not only theoretical issues but also practical challenges that could occur in a live environment with more protocol interactions.

For example, when users create leveraged staking positions on Ion, the protocol compares the cost of acquiring additional collateral—between directly minting an asset from a liquid staking provider and purchasing the asset on Uniswap—in order to calculate the cheapest route for each user. As these costs can rapidly shift due to other trading activites, fork tests allow us to simulate these external actors’ influence on real time liquidity and ensure that our strategies remain effective under real mainnet conditions.

As such, fork tests are crucial for identifying issues that might not surface in local testing environments, especially those related to external market conditions such as liquidity shortages, and helps us defend against liveness failures and increased consumer risk in time-sensitive scenarios.

Business Logic Reviews

While it is important to ensure that the code operates as intended, it’s equally crucial to assess if the economic and business logic is inherently secure. Even flawless code can’t compensate for a business model that is susceptible to financial attack vectors. Therefore, our security research includes a thorough examination of the economic and business logic related to lending ETH and borrowing it against staked and restaked assets. In this fashion, we can preemptively identify and mitigate any potential financial vulnerabilities that are not evident within the code itself.

By implementing these rigorous testing methodologies, we’re playing a large role in securing and safeguarding user assets within Ion. But this is just the start.

External Audits

In addition to the team’s efforts to test Ion internally, an extensive review of the protocol would not be complete without the help of external security researchers and auditors.

Security Audit

We partnered with OpenZepplin to audit the codebase and analyze the economic security for our first market, the LST/ETH market. In the future, we plan to continue auditing the protocol as we introduce new markets, strategies, and functionalities. Our next innovation taking priority for audits is the LRT/LST market, which will be the second market we launch on mainnet.

Audit Competitions

Hats Finance is set to host an audit competition to further bolster the security of the protocol before we launch the first market on mainnet. In audit competitions, security researchers and auditors compete to rigorously test and evaluate the safety of protocols for a portion of a prize pool. This gets more eyes on our contracts with the potential of someone catching a vulnerability that previously went unseen. Hats Finance has a great reputation for hosting audit competitions with protocols such as Ether.fi and Stakewise.

Our audit competition will begin on January 22, 2024, and it will require security researchers to use numerous tools and strategies to compete for their portion of the $40,000 prize pool. Security researchers will have the opportunity to be rewarded for identifying low-, medium-, and high-severity issues in the code base. While not required, we’re also supporting the option to use formal verification on a predefined set of contracts for additional rewards. Stay tuned for more announcements and updates as we approach the start date!

Conclusion

It’s clear that security is not a destination, but an ongoing journey. No checklist or audit can ever provide a foolproof guarantee against all risks. This is why, at Ion Protocol, our commitment to security is eclipsed by none. Post-deployment, our vigilance will be unwavering as we continue to monitor the protocol for any signs of invariant violations, ongoing attacks, and shifts in market conditions that could impact security.

The upcoming audit competition, in partnership with Certora and Hats Finance, marks the next critical phase in the journey toward our mainnet deployment.