AuditBase

How a DeFi Lending Protocol Validated Their Security Before Mainnet Launch

100%
Issues Remediated
3 Days
Turnaround Time
Low Risk
Final Rating

Challenge

Rheo's complexity presented unique security challenges. The protocol's APR validation logic, rate provider collections, and liquidation reward configurations all needed thorough analysis. A single bug in the pricing flow could lead to stuck transactions, failed liquidations, or worse—exploitable conditions that could drain user funds.

Solution

AuditBase delivered deep technical analysis covering APR pricing flow, credit lifecycle, factory pattern assessment, authorization framework, and external integration analysis—all within the team's launch timeline.

AuditBase delivered a fast turnaround with a low false positive rate. Their AI confirmed known limitations we had already documented, while also identifying a valid issue we hadn't caught. Clean findings, no noise—exactly what we needed before launch.


Antonio Viggiano

Security Researcher, Rheo

The Client

Rheo (formerly Size Protocol) is a sophisticated DeFi lending platform that enables fixed-rate credit markets through an innovative order book system. The protocol uses a factory-based deployment pattern with UUPS upgradeable proxies, managing complex credit positions, liquidations, and yield generation through Aave integration.

With their mainnet launch approaching, the Rheo team needed comprehensive security validation of their intricate protocol architecture—particularly the APR pricing mechanisms and credit lifecycle management that form the core of their product.

What We Did

  • APR pricing flow analysis examining the complete validation pipeline from rate providers through to final pricing calculations
  • Credit lifecycle review tracing positions from creation through active management to liquidation, validating state transitions at each step
  • Factory pattern assessment analyzing the UUPS proxy deployment system for upgrade safety and initialization vulnerabilities
  • Authorization framework audit reviewing the delegation system and permission mappings across all privileged operations
  • External integration analysis examining Aave yield generation integration points for composability risks
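The factory and UUPS items above come down to three concrete checks an auditor runs on every upgradeable deployment: the shared implementation cannot be initialized on its own, each proxy is initialized in the same transaction that creates it, and the upgrade path is gated. The contract below is an added illustration written for this page, not Rheo's code; it assumes OpenZeppelin Contracts v5 (where `__Ownable_init` takes the initial owner) and uses the made-up names `MarketImpl` and `MarketFactory`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts (upgradeable) v5 import paths.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

/// Hypothetical market logic contract, deployed once and shared by every proxy.
contract MarketImpl is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    address public rateProvider;

    /// Check 1: lock the implementation itself. Without this, anyone can call
    /// initialize() on the logic contract, become its owner and upgrade it,
    /// which in older OpenZeppelin releases was enough to brick every proxy.
    constructor() {
        _disableInitializers();
    }

    /// Check 2: `initializer` makes this run exactly once per proxy.
    function initialize(address owner_, address rateProvider_) external initializer {
        require(rateProvider_ != address(0), "zero rate provider");
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        rateProvider = rateProvider_;
    }

    /// Check 3: upgrades are authorized by the per-proxy owner only.
    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// Hypothetical factory: one ERC1967 proxy per market, all pointing at `impl`.
/// Initialization data is passed to the proxy constructor, so deployment and
/// initialization happen atomically and no proxy is ever left uninitialized
/// for a front-runner to claim.
contract MarketFactory {
    address public immutable impl;
    address[] public markets;

    event MarketCreated(address indexed proxy, address indexed owner);

    constructor() {
        impl = address(new MarketImpl());
    }

    function createMarket(address owner_, address rateProvider_) external returns (address proxy) {
        bytes memory initData = abi.encodeCall(MarketImpl.initialize, (owner_, rateProvider_));
        proxy = address(new ERC1967Proxy(impl, initData));
        markets.push(proxy);
        emit MarketCreated(proxy, owner_);
    }
}
```

When reviewing a factory like this, the things to verify on-chain after deployment are that calling `initialize` on `impl` directly reverts, that `MarketImpl.proxiableUUID()` is only reachable through the implementation (not the proxy), and that `upgradeToAndCall` on a proxy reverts for any caller other than that proxy's owner.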

What We Found

Our audit identified three low-severity issues—no critical or high-severity vulnerabilities. Two findings confirmed known limitations already documented by the Rheo team, while one new valid issue was identified:

LOW — Gas Optimization in APR Validation: the APR validation logic iterates over the rate provider collection, and a sufficiently large collection makes validation expensive enough to fail within the gas limit. A known limitation the team had already documented.

LOW — Edge Case in Offset Calculation: an edge case in the offset calculation logic under specific conditions. A known limitation the team had already documented.

LOW — Liquidation Bounds Validation: the liquidation reward configuration could be set without bound checks on the accepted values. A new valid finding identified by our analysis.
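Two of the three findings are instances of patterns that recur across lending protocols: an admin setter that accepts any value for a parameter that must stay inside a safe range, and a read path whose gas cost grows with a collection that is never capped at write time. The contract below is an added example written for this page, not Rheo's code; the names (`MarketConfig`, `IRateProvider`, `validateApr`), the 10% reward cap, the 16-provider limit and the validation rule (a quote must not undercut any provider's reported rate) are all assumptions chosen to make the pattern concrete. The unchecked setter is kept deliberately, beside its hardened form, for contrast.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed interface: each provider reports an APR in basis points.
interface IRateProvider {
    function getRate() external view returns (uint256);
}

/// Hypothetical configuration contract showing both checks.
contract MarketConfig {
    uint256 public constant BPS = 10_000;
    // Caps are protocol-level assumptions; the point is that they exist.
    uint256 public constant MAX_LIQUIDATION_REWARD_BPS = 1_000; // 10%
    uint256 public constant MAX_RATE_PROVIDERS = 16;

    address public owner;
    uint256 public liquidationRewardBps;
    IRateProvider[] private rateProviders;

    error NotOwner();
    error RewardOutOfBounds(uint256 requested, uint256 max);
    error TooManyRateProviders(uint256 count, uint256 max);
    error DuplicateRateProvider(address provider);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // --- Liquidation reward bounds (the new finding) ---

    /// Vulnerable form: any value is stored. 20_000 bps would pay liquidators
    /// twice the seized collateral and leave positions unliquidatable.
    function setLiquidationRewardUnchecked(uint256 bps) external onlyOwner {
        liquidationRewardBps = bps;
    }

    /// Hardened form: reject anything above the protocol maximum.
    function setLiquidationReward(uint256 bps) external onlyOwner {
        if (bps > MAX_LIQUIDATION_REWARD_BPS) {
            revert RewardOutOfBounds(bps, MAX_LIQUIDATION_REWARD_BPS);
        }
        liquidationRewardBps = bps;
    }

    // --- Bounded rate provider collection (the gas finding) ---

    /// Cap the collection at write time so the read-time loop in validateApr
    /// has a known worst-case gas cost and cannot be grown past the block limit.
    function addRateProvider(IRateProvider p) external onlyOwner {
        uint256 n = rateProviders.length;
        if (n >= MAX_RATE_PROVIDERS) revert TooManyRateProviders(n + 1, MAX_RATE_PROVIDERS);
        for (uint256 i = 0; i < n; ++i) {
            if (address(rateProviders[i]) == address(p)) revert DuplicateRateProvider(address(p));
        }
        rateProviders.push(p);
    }

    /// Assumed rule: a quoted APR is valid only if it does not undercut any
    /// provider. A provider that reverts or returns malformed data fails the
    /// quote closed instead of reverting the whole transaction.
    function validateApr(uint256 quotedBps) external view returns (bool) {
        uint256 n = rateProviders.length;
        for (uint256 i = 0; i < n; ++i) {
            (bool ok, bytes memory data) = address(rateProviders[i]).staticcall(
                abi.encodeCall(IRateProvider.getRate, ())
            );
            if (!ok || data.length != 32) return false;
            if (quotedBps < abi.decode(data, (uint256))) return false;
        }
        return true;
    }
}
```

The design choice worth noting is that the bound lives on the write path (`addRateProvider`), not the read path: capping the loop inside `validateApr` would silently ignore providers beyond the cap, whereas refusing to grow the collection keeps every stored provider in play and makes the gas ceiling auditable from the constant alone.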

The Result

Rheo fixed all three issues before launch. The gas issue in APR validation was the most consequential: a large enough rate provider collection would push validation past the gas limit, causing failed transactions for users and opening a denial-of-service vector against the protocol. Resolving it before deployment meant no post-launch upgrade was needed to contain it.

Ready to secure your smart contracts?

Start with $100 in free credits. No card required.