Liqwid Protocol Security Audit

If you want to invest in DeFi, but are concerned about protocol failures, this proposal from Liqwid Finance will interest you.

In the DeFi ecosystem there are a lot of failures due to faulty designs. We have read news of some liquidity pools with losses in the millions, in Ethereum and Binance Smart Chain, where the largest number of decentralized finance contracts are currently traded.

Errors and weaknesses are present both in financial engineering and in the development of computer code. The latter are the target of dishonest actors, who attack the protocol to steal funds, thus harming investors and the entire p2p ecosystem.

There are 5 types of generic risks in the decentralized finance ecosystem: 

  1. Coding risk: errors in the code allow attack vectors that can be exploited in the protocol. 
  2. Centralization risk: oracles, whether hardware or software, channel real-world data to smart contracts. Liquidity pools using automated market makers (AMMs), or decentralized exchanges (DEX), which generally receive data from a single source, are vulnerable to attacks on that source of information.
  3. Financial risk: refers to flaws or miscalculations in economic design and asset management, within the protocol. 
  4. Regulatory risk: the blockchain industry is under intense scrutiny by regulators, who may limit or even prohibit the development of the platform in a country, according to their own legislation.
  5. Underlying risk: DeFi protocols are instruments that are executed on public blockchains, so they can be affected by technical problems, as well as by the fluctuation of the exchange rate of the currencies they take as collateral.

How does Liqwid Work?

Before explaining the proposal for this FUND5, presented at Catalyst, I want to summarize how Liqwid is structured, to give it the framework of importance it deserves.

Liqwid is an open source, non-custodial DeFi protocol, under development on the Cardano blockchain, to create money markets through liquidity pools, with algorithmically set interest rates, calculated by the lender’s supply and the borrower’s demand for the asset. 

The Liqwid protocol concepts and its White Paper were initially created in Q4 2020, and development of the protocol began in Q1 2021, after the technical architecture, smart contract design pattern and interest rate curve models were completed.

Having submitted proposals in the previous FUNDs, they obtained funding for the following projects:

FUND2: Liqwid:Cardano DeFi Lending Markets.

FUND3: Liqwid:Cardano DeFi Liquidity Pools and Liqwid Developer Portal:Cardano SDK

FUND4: Haskell Devs for Liqwid Plutus SC’s 

Lenders and borrowers will connect directly to the marketplace smart contract within the protocol, charging and paying a variable interest rate on each block, without the need to set the contract terms in advance. The protocol is built on top of Plutus, the extended UTxO smart contract layer.

Each liquidity pool is unique to a native Cardano asset (e.g., ADA or a stablecoin), which includes an archive of all transactions, and the interest rate index for that market.

The protocol’s trading functionality will be available on the Plutus mainnet, shortly after the final Goguen update, on the Cardano blockchain.

The core team is working to build a composable UTxO liquidity protocol on Cardano to allow any developer to build interest and liquidity directly into their application.

Liqwid v1.0 is scheduled for release on Plutus in September, depending on the Alonzo hard fork, and will include: Markets, Yield Farming (Hydroponics), User Distribution (Aquifer) and LiqwiDAO Governance.

Initial assets supported: ADA, USDC (or Cardano stablecoin equivalent), and LQ. Additional markets will be added through governance proposals.


LQ is Liqwid’s governance token. It may be used to propose and vote on proposals made by the Liqwid team or other community members holding tokens. The total amount of LQ tokens is, and will always be, 21,000,000. Single minting is the logic programmed into the LQ monetary policy.

Liqwid will be managed by a decentralized community of LQ token holders who will propose and vote on protocol updates, or request project funding from the LiqwiDAO Treasury.

Lending marketplace activity will be carried out from the supplied funds: interest-bearing tokens, called qTokens, will be minted when loans are generated and burned when users withdraw the funds. The qTokens will be linked 1:1 to the value of the underlying asset provided in the Liqwid protocol.

By minting qTokens, users earn interest through the exchange rate of the qToken, which continuously increases in value relative to the underlying asset. They can also use the qTokens as collateral to borrow from the Liqwid protocol instantly, with no trading fees and directly on the Cardano blockchain.

While the underlying asset is lent to borrowers, the qTokens accrue interest in real time, directly in the lenders’ wallet.

The FUND5 Proposal

DeFi protocols, programmed in Plutus, are new, untested design patterns for building eUTXO smart contracts, which will soon have billions in total value locked (TVL).

To get a handle on bugs, the team wants to integrate continuous code review of Liqwid smart contracts, and perform a security audit of the protocol before the v1.0 release.

Do you remember the 5 generic risk types I told you about at the beginning of this article? This proposal focuses mainly on coding risk, which is currently the most exploited in the ecosystem.

Liqwid Labs is building an open source lending protocol on Plutus with a team of 6 senior Haskell developers and development partner MLabs.

MLabs Haskell developers have been selected as one of the software companies working with the IOHK Plutus delivery team on the private testnet. 

MLabs Consulting has worked extensively in the fintech and payments space, and for the past two months on building Liqwid protocol contracts. Its clients include Juspay and Tillit, which are B2C and B2B payments companies, respectively, in India and Europe.

These developers have also committed to training other Haskell developers, and producing open source DeFi tools, to open up Cardano DeFi development to non-Haskell developers.

The development team is working with two major Haskell companies to complete the proposal deliverables, Well-Typed and Tweag.

Ongoing code review and advisory services will be with the expert Haskell software consultants, Well-Typed:

Well-Typed is a premier Haskell consultancy led by Duncan Coutts, who brings extensive Cardano experience as a senior technical architect at IOHK. The team has extensive experience with Haskell tools, libraries and development techniques, and their consultants will work alongside our core development team in both reviewing code, and advising on tools, best practices and development approaches, which the Liqwid Labs team should use, during development.

The protocol security audit of all Liqwid smart contracts will be advised by part of the team that designed Cardano’s Plutus platform, Tweag:

Tweag is a software innovation lab specializing in Haskell development for fintech applications and platforms. They are best known for their work on the architecture and design of Cardano’s Plutus platform.

MLabs developers met with Duncan Coutts, from Well-Typed, for the first code review and advisory session, on DAO modeling and Liqwid governance in the eUTXO Plutus environment.

All development will be open source, under the Apache 2.0 license. A final version of the security audit report will be made public. Thus, the best practice design patterns, tools, and test resources that emerge from this proposal will all be open source.

The Team and Development metrics

This proposal has 6 senior fullstack Haskell developers: 4 full-time devs, 2 part-time devs.

The progress of the proposal will be measured by:

  • Number of mentoring or code review sessions with Well-Typed engineers.
  • Number of high-level design patterns or models established from Well-Typed advisory or code review sessions.
  • Number of issues found during smart contract security audit by Tweag engineers.
  • Number of Plutus development best practice approaches established from code reviews and security audit.

Code review sessions with Well-Typed have begun, and will continue for the duration of protocol development, the next 3.5 months. Plutus’ best practice approaches, for DeFi smart contracts, will become open source after these sessions.

The development team is targeting an external security audit of the Plutus contract protocol to be conducted by Tweag in early July.

The team of architects and maintainers of the Liqwid protocol is composed of Cardano veterans and experts in financial auditing, asset/risk management, IT/devops and Haskell.


They have divided the budget among all deliverables:

Deliverable 1. They estimate that the Well-Typed team will spend ~40 engineering hours over the next 4 months of protocol development and 1-2 full-time equivalents (FTE) for Haskell engineers.

Cost: $52,500 

Deliverable 2. They estimate that the Tweag team will spend ~78 engineering hours to complete the Plutus contract security audit starting in early July and 2-3 full-time equivalents (FTE) for Haskell engineers.

Cost: $56,500

Liqwid Labs has engaged the legal services of Dunsmoor Law to analyze the regulatory landscape in which we are developing and maintaining the Liqwid protocol, as a Wyoming-based entity.

Cost: USD 10,000 

Funds Requested: USD 119,000


You can see the proposal in its original presentation at Catalyst FUND5: Liqwid Protocol Security Audit.
