Confidential — Singapore DeFi Protocol
Smart Contract Stack for a DeFi Lending Protocol
- 0
- Critical audit findings
- 5
- Chains supported
- 12
- Contracts deployed
- 14 weeks
- Build duration
Project details
The Challenge
The client is a Singapore-based DeFi team building an isolated-market lending protocol — Morpho or Euler v2 in spirit, focused on long-tail collateral assets that the larger money markets won't touch. They had a working Solidity prototype from a previous contractor, a seed round closed, and a launch window tied to a major chain's incentive programme. What they didn't have was a contract suite they could responsibly point real user funds at.
The audit pre-review on the inherited code returned dozens of findings, several critical — including a textbook reentrancy in the liquidation path and an oracle that read spot prices straight from a Uniswap v2 pair. The original team's testing was a handful of Foundry unit tests, no fuzzing, no invariant testing, no formal documentation of the protocol's economic assumptions. Going to mainnet on that codebase would have ended the project.
Our Approach
We rewrote the protocol from the ground up over fourteen weeks, with the explicit goal of passing two independent audits without a critical finding. The new architecture is twelve contracts deployed per chain: a singleton Pool Manager (Uniswap v4-style), an Interest Rate Model registry, isolated Market contracts per collateral pair, a Liquidation engine, and supporting periphery for permits, routing, and bad-debt socialisation.
Key architectural decisions:
- Singleton storage with transient flash-accounting (EIP-1153) — reduces gas on multi-market interactions versus a per-market deployment pattern.
- Chainlink Data Feeds as the primary oracle, with a TWAP-based circuit breaker that pauses a market if the Chainlink price deviates more than 2% from a 30-minute Uniswap v3 TWAP.
- Timelocked governance via OpenZeppelin Governor, with a 48-hour delay on any parameter change and a hard cap on liquidation-bonus and collateral-factor adjustments per epoch.
- EIP-7702-aware periphery so account-abstracted wallets get the same UX as EOAs — important for the team's mobile launch partner.
Testing was where we invested most. We ran Foundry invariant tests at millions of sequence depths, Echidna property-based fuzzing on the liquidation and interest-accrual paths, and Halmos symbolic execution on the core accounting math. Every economic invariant the protocol relies on — solvency, no-free-borrow, monotonic interest — is encoded as a machine-checkable property, not a comment.
For deployment, we used a multi-chain rollout (Ethereum, Arbitrum, Base, Optimism, Polygon zkEVM) with the same audited bytecode on each, deterministic addresses via CREATE2, and a multisig-managed pause guardian that can halt any market within a single block in an emergency.
The Outcome
The protocol was audited independently by two firms (one on-chain reputation house, one boutique formal-methods shop) over a four-week window. Zero critical or high-severity findings in either report — a handful of informational notes and one medium that we fixed and re-attested. Liquidity onboarded steadily through the first months post-launch, with the protocol live across five chains.
Beyond the headline, the architecture has held up under stress: a depeg event on a long-tail stablecoin asset triggered the TWAP circuit breaker exactly as designed, pausing one isolated market and preventing what would have been meaningful bad-debt accrual. The protocol team has since licensed the codebase to two other teams and is using the same testing harness as a marketing asset in their institutional pitches.
Capabilities used
Services that powered this project
Next project
Confidential — Regional Banking SaaS