DeFi audits

Smart contract audit for DeFi protocols

DeFi systems fail at the edges — oracle assumptions, accounting invariants, flash loan vectors, and permission gaps. Guardix understands protocol-level architecture before looking for issues.

DeFi coverage

Protocol-specific vulnerability detection.

Beyond generic smart contract checks — Guardix targets DeFi-specific failure modes including oracle manipulation, reentrancy in callback flows, and state drift between accounting and token balances.

DeFi-specific coverage (owner/vault-core)

Oracle manipulation

Price feed staleness, sandwich attacks, and flash-loan-inflated prices that break liquidation math.

Reentrancy paths

Cross-function and cross-contract reentrant calls in vault, router, and callback flows.

Accounting drift

Invariant violations between deposit/withdrawal accounting and actual token balances.

Access control gaps

Unprotected admin functions, missing timelocks, and guardian role escalation paths.
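The oracle checks named above (staleness, manipulated spot prices) come down to a few guards a liquidation module should apply before trusting a feed. The following contract is an added illustration, not Guardix code and not from any audited protocol: it reads a Chainlink-style aggregator through its real latestRoundData() signature, and the staleness window, sanity band and contract name are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink-style aggregator interface; latestRoundData() has this signature on real feeds.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical price consumer (constructed for this example). A liquidation engine that
/// reads prices through safePrice() cannot be fed a stale, negative, incomplete or
/// out-of-band answer: every bad case reverts instead of returning a number.
/// Spot prices read from an AMM pool are deliberately not supported here; they are the
/// input that flash-loan-inflated liquidations rely on.
contract GuardedPriceFeed {
    IAggregatorV3 public immutable feed;
    uint256 public immutable maxStaleness; // seconds; assumption: set from the feed's heartbeat
    uint256 public immutable minAnswer;    // sanity bounds in feed decimals (assumed per asset)
    uint256 public immutable maxAnswer;

    error StalePrice(uint256 updatedAt, uint256 nowTs);
    error InvalidAnswer(int256 answer);
    error IncompleteRound(uint80 roundId, uint80 answeredInRound);
    error AnswerOutOfBand(uint256 answer);

    constructor(IAggregatorV3 _feed, uint256 _maxStaleness, uint256 _minAnswer, uint256 _maxAnswer) {
        require(_minAnswer < _maxAnswer, "bad band");
        feed = _feed;
        maxStaleness = _maxStaleness;
        minAnswer = _minAnswer;
        maxAnswer = _maxAnswer;
    }

    /// Returns the latest price scaled to 1e18, or reverts.
    function safePrice() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();

        // Feeds report 0 or negative answers on failure; never treat those as a price.
        if (answer <= 0) revert InvalidAnswer(answer);
        // A round that has not completed can carry a carried-over answer.
        if (answeredInRound < roundId) revert IncompleteRound(roundId, answeredInRound);
        // Staleness: an old timestamp means liquidations would run on yesterday's price.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) {
            revert StalePrice(updatedAt, block.timestamp);
        }
        uint256 p = uint256(answer);
        // Sanity band: catches a decimals mismatch or a wildly wrong feed configuration.
        if (p < minAnswer || p > maxAnswer) revert AnswerOutOfBand(p);

        return p * 1e18 / (10 ** feed.decimals());
    }
}
```

Reverting rather than falling back to a default is the design choice that matters: a lending market that pauses liquidations on a stale feed loses some time, while one that liquidates on a stale or zero price loses collateral.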

Protocol types

Built for integration-heavy DeFi systems.

Lending & borrowing

Collateral management, liquidation math, interest rate models, and bad debt scenarios.

DEX & AMM

Swap logic, LP token accounting, fee distribution, and concentrated liquidity edge cases.

Vaults & yield

Deposit/withdrawal invariants, strategy composition, and share price manipulation.

Bridges & cross-chain

Message verification, relay assumptions, and withdrawal proofs.

Governance & DAOs

Proposal execution, timelock bypasses, vote delegation, and quorum manipulation.

Stablecoins & RWA

Peg maintenance, reserve accounting, and regulatory compliance controls.

Finding detail (owner/vault-core)

Unchecked external callback before balance update

The withdraw function calls an external contract before updating internal state, enabling reentrant calls to drain funds.

Vault.sol, lines 142–158
function withdraw(uint256 amount) external {
  require(balances[msg.sender] >= amount);
  // ⚠ external call before state update
  token.transfer(msg.sender, amount);
  balances[msg.sender] -= amount;
}

Severity

critical

Risk type

security bug

Confidence

high

Status

validated

Component

Vault.sol
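The hardened counterpart to the withdraw above, added here as an illustration and not taken from the audited repository or from Guardix. It applies checks-effects-interactions so the debit happens before the external transfer, adds a reentrancy mutex as defense in depth, and tracks a totalDeposits ledger so the accounting-drift invariant (internal balances never exceed tokens actually held) can be asserted by tests or monitoring. The contract name, the totalDeposits field and the accountingHolds() helper are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed example: the same withdraw flow with the ordering fixed and two further
/// defenses layered on top.
contract HardenedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    uint256 public totalDeposits; // sum of all balances, updated on every mutation

    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    error Reentrancy();
    error InsufficientBalance(uint256 have, uint256 want);
    error TransferFailed();

    // Mutex: a re-entered call from any external interaction reverts.
    modifier nonReentrant() {
        if (locked == 2) revert Reentrancy();
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external nonReentrant {
        // Effects first; a failed pull reverts the whole call, so the ledger cannot be
        // credited without the tokens arriving.
        balances[msg.sender] += amount;
        totalDeposits += amount;
        if (!token.transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
    }

    function withdraw(uint256 amount) external nonReentrant {
        // Checks
        uint256 bal = balances[msg.sender];
        if (bal < amount) revert InsufficientBalance(bal, amount);

        // Effects: debit before any external call, so a re-entered withdraw sees the
        // reduced balance and fails its own check.
        balances[msg.sender] = bal - amount;
        totalDeposits -= amount;

        // Interaction last. The return value is checked because some tokens return
        // false instead of reverting.
        if (!token.transfer(msg.sender, amount)) revert TransferFailed();
    }

    /// The accounting invariant behind the "accounting drift" finding class: the internal
    /// ledger must never exceed the tokens the vault actually holds. A fee-on-transfer token
    /// would violate it on the first deposit, which is itself a finding, not noise.
    function accountingHolds() external view returns (bool) {
        return token.balanceOf(address(this)) >= totalDeposits;
    }
}
```

The reordering alone closes the reported reentrancy; the mutex and the invariant are there so that the next external call added to this contract, or the next token integrated with it, does not quietly reopen the same class of issue.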

Real findings

DeFi findings with code, context, and confidence.

Each finding includes the exact code location, a Solidity snippet, severity assessment, and multi-model validation confidence. Not generic warnings — specific, actionable issues.

First DeFi audit free.

Connect your protocol repository, review validated findings, and share reports with your team.