Audits
Lombard audits all major releases before deployment. Every piece of code that reaches production undergoes review by independent security firms, plus multiple internal reviews by Lombard's full-time contributors. Major releases also go through competitive audit contests where dozens of security researchers battle-test the code simultaneously.
This multi-layered approach reflects the protocol's position as custodian of over $1.5 billion in Bitcoin. When users stake BTC through Lombard, they trust the protocol with significant value. That trust demands rigorous verification at every stage of development.
Audit Partners
Lombard maintains long-term auditing relationships with industry-leading security firms. Each brings different methodologies and expertise to the review process.
OpenZeppelin is one of the most recognized names in smart contract security. Their team has audited protocols holding tens of billions in value and maintains the widely used OpenZeppelin Contracts library. OpenZeppelin reviewed Lombard's V2 release, including the LBTC token, bridge/OFT implementations, and consortium contracts.
Halborn specializes in penetration testing and offensive security. Their engineers approach audits from an attacker's perspective, actively attempting to exploit vulnerabilities rather than just identifying theoretical risks. Halborn has conducted multiple audits for Lombard covering the V1 release, BTC.b PMM integration, and FBTC integration.
Veridise focuses on formal verification and mathematical proofs of contract correctness. Their approach goes beyond code review to prove that contracts behave exactly as specified under all possible conditions. Veridise audited Lombard's initial LBTC contracts, cross-chain bridge logic, and the comprehensive V2 release.
Cantina brings elite security researchers together for focused assessments. Their auditors have discovered critical vulnerabilities across major DeFi protocols.
Sherlock operates an audit marketplace where multiple independent auditors compete to find issues. This competitive structure surfaces vulnerabilities that single-firm audits might miss.
Completed Audits
All audit reports are publicly available on GitHub at github.com/lombard-finance/evm-smart-contracts/tree/main/docs/audit.
BTC.b & BridgeV2: BridgeV2, LombardTokenPoolV2, BridgeTokenPool, BridgeTokenAdapter (24.10.2025)
Some contracts were modified after their initial audits. The GitHub repository notes which contracts have been updated since their last review. Lombard re-audits any significant changes before deployment.
What Auditors Review
Security audits cover multiple dimensions of smart contract safety.
Code correctness verifies that contracts behave as intended. Auditors trace through every function to confirm logic matches specifications. They check edge cases, boundary conditions, and unexpected input combinations.
Access control examines who can call which functions. Auditors verify that privileged operations require appropriate permissions and that permission checks cannot be bypassed.
Economic attacks assess whether the protocol can be exploited through market manipulation, flash loans, or other financial mechanisms. This includes analyzing oracle dependencies and liquidation mechanisms.
Reentrancy and ordering analysis looks for vulnerabilities where external calls could allow attackers to manipulate contract state. Auditors verify that state changes happen in the correct sequence.
Upgrade safety reviews proxy patterns and upgrade mechanisms. For upgradeable contracts like Lombard's, auditors ensure that upgrades cannot corrupt storage or introduce vulnerabilities.
Integration risks examine how contracts interact with external protocols. This includes bridges, oracles, and DeFi integrations.
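To make three of these review dimensions concrete (access control, reentrancy and ordering, and edge-case correctness), here is an added illustration written for this page; it is not Lombard code and the VulnerableVault and HardenedVault contract names are hypothetical. The first contract shows the kind of findings an auditor reports; the second shows the same functionality with those findings addressed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only (not Lombard code): a deliberately flawed
// vault next to a hardened one.

// VulnerableVault: what an auditor would flag.
contract VulnerableVault {
    mapping(address => uint256) public balances;
    address public admin;

    constructor() { admin = msg.sender; }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Finding 1 (reentrancy / ordering): the external call happens before
    // the balance is zeroed, so the caller's receive hook can re-enter
    // withdraw() while the old balance is still recorded.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }

    // Finding 2 (access control): no permission check, anyone can become admin.
    function setAdmin(address newAdmin) external {
        admin = newAdmin;
    }
}

// HardenedVault: the same functionality with the findings addressed.
contract HardenedVault {
    mapping(address => uint256) public balances;
    address public admin;
    bool public paused;
    uint256 private _lock; // 1 = unlocked, 2 = locked

    event AdminTransferred(address indexed previous, address indexed current);
    event Paused(bool paused);

    constructor() {
        admin = msg.sender;
        _lock = 1;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    function deposit() external payable whenNotPaused {
        require(msg.value > 0, "zero deposit"); // edge case: reject no-op deposits
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: validate, update state, then call out.
    function withdraw() external nonReentrant whenNotPaused {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                 // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");           // a revert restores the balance
    }

    // Privileged operations are gated and emit events that monitoring can watch.
    function setAdmin(address newAdmin) external onlyAdmin {
        require(newAdmin != address(0), "zero admin"); // edge case: no permanent lockout
        emit AdminTransferred(admin, newAdmin);
        admin = newAdmin;
    }

    function setPaused(bool p) external onlyAdmin {
        paused = p;
        emit Paused(p);
    }
}
```

The hardened version relies on two independent defences against reentrancy (the state update precedes the external call, and the lock rejects nested calls), so a reviewer does not have to trust either one alone. The events on privileged functions are what a runtime monitor would key on when watching for unexpected admin changes or pauses.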
Continuous Security
Audits represent point-in-time assessments. Lombard maintains ongoing security through several additional mechanisms.
Runtime monitoring through Hexagate provides 24/7 threat detection. The system monitors for anomalies, suspicious transactions, and potential exploits in real time. Automated pause functions can halt the protocol before an attack causes damage.
The bug bounty program on Immunefi offers up to $250,000 for vulnerability discoveries. This creates an ongoing incentive for security researchers to review the codebase even after audits conclude.
Internal security includes a full-time security engineer who reviews all code changes before deployment. The team follows secure development practices and maintains comprehensive test coverage.
Proof of reserves through Chainlink and Redstone oracles provides real-time verification that BTC backing equals LBTC supply. This transparency layer lets anyone verify protocol solvency at any time.
What's Next
Bug Bounty Program - Learn how to responsibly report vulnerabilities and earn rewards
Security Consortium Documentation - Explore Lombard’s security architecture and design principles