# 80 — Hardening index

This chapter is the cross-reference from finding to fix. The hardening index is the chapter we use most in real audits. It is short by design.

The format is one entry per identified finding. Each entry lists the case study where the finding originates, a one-paragraph statement of the fix at protocol level, and a list of the protocols whose published audit reports we have read that include a fix in the same family. The audit references are the most useful part for a working engineer; reading someone else's resolved finding is faster than designing a fix from first principles.

| ID                  | Finding                                                  | Case study                                                            | Fix family                                                |
| ------------------- | -------------------------------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------- |
| `STALE-ORACLE-1`    | Reads from an oracle without freshness check             | [10](/economicfuzz-docs/case-studies/10-case-stale-oracle.md)         | Staleness threshold on `publish_time`                     |
| `SANDWICH-1`        | Mint computes shares from spot reserves without slippage | [20](/economicfuzz-docs/case-studies/20-case-sandwich-around-mint.md) | User-supplied `min_out` on every mint and burn            |
| `FLASHLOAN-REENT-1` | `total_assets` reads from a manipulable pool             | [30](/economicfuzz-docs/case-studies/30-case-flashloan-reentrancy.md) | TWAP, independent valuation, or single-instruction commit |
| `GRIEF-1`           | Submission cost is fixed; defensive cost scales          | [40](/economicfuzz-docs/case-studies/40-case-governance-grief.md)     | Slashable deposit, sponsor requirement, rate-limit        |
| `JIT-1`             | Liquidation fee is captured by JIT operators             | [50](/economicfuzz-docs/case-studies/50-case-jit-liquidity-drain.md)  | Time-in-range rebates or private routing                  |

## `STALE-ORACLE-1`

Enforce a maximum staleness on every read of every oracle the protocol depends on. The threshold must be a constant pinned in the protocol's source, not a parameter.

```rust
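// Anchor handler fragment: STALENESS_S is a constant in the program source, in seconds.
let now = Clock::get()?.unix_timestamp;
// Reject the read once the feed's last publish is STALENESS_S or more seconds old.
require!(now - feed.publish_time < STALENESS_S, ProtocolError::StaleOracle);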
```

We have read fixes in this family in:

* Marginfi v2's account-valuation rewrite (Q3 2024 audit)
* Drift's perp-engine post-mortem (May 2023 incident)
* Kamino's borrow-rate publication (the only published reference we have for a 5-second threshold)

## `SANDWICH-1`

Every mint, burn, and swap that touches a public AMM must accept a user-supplied minimum output and revert if the actual output falls below it. The minimum must come from the user's transaction, not from a contract-side constant.

```rust
// `min_out` is read from the user's instruction arguments, never from program state.
require!(actual_out >= min_out, ProtocolError::Slippage);
```

Audit references: every Anchor-based AMM front-end we have audited has needed this fix at least once. Public references include the Mango v3 mint-flow rewrite and the original Orca Whirlpools post-launch patch.
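The check above, worked end to end as an added example (not code from the case study or from any audited protocol): the client derives `min_out` from a quote, and the mint recomputes shares against the state it sees at execution and rejects before touching state. `Pool`, `quote_shares`, `min_out_from_quote`, `mint` and the sample numbers are assumptions made for illustration.

```rust
// Added example; all type and function names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum ProtocolError { Slippage, EmptyPool, Overflow }

/// State the mint reads at execution time.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Pool {
    pub total_assets: u64, // valued from spot reserves, so it can move after the quote
    pub total_shares: u64,
}

/// Shares a deposit receives against the given state, rounded down.
pub fn quote_shares(pool: Pool, deposit: u64) -> Result<u64, ProtocolError> {
    if pool.total_assets == 0 || pool.total_shares == 0 {
        return Err(ProtocolError::EmptyPool); // first-deposit bootstrap is out of scope here
    }
    let shares = (deposit as u128) * (pool.total_shares as u128) / (pool.total_assets as u128);
    if shares > u64::MAX as u128 { Err(ProtocolError::Overflow) } else { Ok(shares as u64) }
}

/// Client side: derive the `min_out` that travels in the user's transaction.
pub fn min_out_from_quote(quoted: u64, tolerance_bps: u64) -> u64 {
    let keep = 10_000u128.saturating_sub(tolerance_bps as u128);
    ((quoted as u128) * keep / 10_000) as u64
}

/// Program side: recompute at execution time and enforce the user's floor.
pub fn mint(pool: &mut Pool, deposit: u64, min_out: u64) -> Result<u64, ProtocolError> {
    let actual_out = quote_shares(*pool, deposit)?;
    if actual_out < min_out {
        return Err(ProtocolError::Slippage); // reject before any state change
    }
    let assets = pool.total_assets.checked_add(deposit).ok_or(ProtocolError::Overflow)?;
    let shares = pool.total_shares.checked_add(actual_out).ok_or(ProtocolError::Overflow)?;
    *pool = Pool { total_assets: assets, total_shares: shares };
    Ok(actual_out)
}

fn main() {
    let quoted = Pool { total_assets: 1_000_000, total_shares: 1_000_000 };
    let min_out = min_out_from_quote(quote_shares(quoted, 10_000).unwrap(), 50);
    // Constructed execution-time state: asset valuation moved after the quote was taken.
    let mut moved = Pool { total_assets: 1_100_000, ..quoted };
    println!("{:?}", mint(&mut moved, 10_000, min_out));
}
```

A `min_out` of zero passes the comparison at any price, so the floor only protects users whose client actually derives it from a quote.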

## `FLASHLOAN-REENT-1`

The fix is composite. Pick at least one of three strategies; in our experience the combination of TWAP plus single-instruction commit covers most cases, with independent valuation reserved for vaults whose underlying is illiquid.

The case study (chapter 30) explains the trade-offs in detail.

Audit references in this family: too many to list. Notable ones include Solend's flash-loan post-mortem, Sanctum's LST valuation rewrite, and the Drift insurance-fund audit.

## `GRIEF-1`

Compose at least two of: slashable submission deposit, distinct-sponsor requirement, per-submitter rate limit. A single defence is always defeatable; two defences scale linearly in the adversary's cost; three is usually overkill.

Audit references: the Realms quadratic-voting modification, Squads' multisig-grief mitigation, the Tribeca governance v2 spec.
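One way to compose two of the three defences, as an added example that is not taken from any of the protocols named above: a submission gate that requires a slashable deposit and applies a per-submitter rate limit, leaving out the distinct-sponsor requirement. `Gate`, `Reject`, the field names and the sample parameters are hypothetical.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Reject { DepositTooLow, RateLimited }

/// Hypothetical admission gate: slashable deposit plus per-submitter rate limit.
pub struct Gate {
    pub min_deposit: u64,
    pub max_per_window: usize,
    pub window_s: i64,
    pub treasury: u64,                 // receives slashed deposits
    recent: HashMap<String, Vec<i64>>, // submitter -> timestamps of accepted submissions
    escrow: Vec<Option<u64>>,          // proposal id -> deposit still held
}

impl Gate {
    pub fn new(min_deposit: u64, max_per_window: usize, window_s: i64) -> Self {
        Gate { min_deposit, max_per_window, window_s, treasury: 0,
               recent: HashMap::new(), escrow: Vec::new() }
    }

    /// Admit a submission only if both defences pass; returns the proposal id.
    pub fn submit(&mut self, who: &str, deposit: u64, now: i64) -> Result<usize, Reject> {
        if deposit < self.min_deposit {
            return Err(Reject::DepositTooLow);
        }
        let window_s = self.window_s;
        let times = self.recent.entry(who.to_string()).or_insert_with(Vec::new);
        times.retain(|t| now - *t < window_s); // forget submissions outside the window
        if times.len() >= self.max_per_window {
            return Err(Reject::RateLimited);
        }
        times.push(now);
        self.escrow.push(Some(deposit));
        Ok(self.escrow.len() - 1)
    }

    /// Settle a proposal: refund the deposit, or slash it to the treasury if judged spam.
    pub fn resolve(&mut self, id: usize, spam: bool) -> u64 {
        let held = self.escrow.get_mut(id).and_then(|slot| slot.take()).unwrap_or(0);
        if spam { self.treasury = self.treasury.saturating_add(held); 0 } else { held }
    }
}

fn main() {
    let mut gate = Gate::new(100, 2, 3_600);
    for t in [0, 10, 20].iter() { // the third submission inside the window is refused
        println!("{:?}", gate.submit("alice", 100, *t));
    }
}
```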

## `JIT-1`

Either accept JIT and disclose it, or route around it. Hybrid solutions exist (time-in-range rebates) but are operationally complex.

Audit references: Drift v2's liquidation-routing rewrite, jupiter-perps's RFQ engine, and the Phoenix v1 spec for an example of a venue that priced JIT in from day one.

## How to use this index

When the report from `economicfuzz` lists a finding, look up its ID in the table above. Read the corresponding case study to understand the *why*. Read the audit references to see the *how* in production code. Implement. Re-run the scenario to confirm.

We do not recommend implementing a fix without reading the corresponding case study. Every fix listed above has at least one footgun that becomes obvious only when the case is fully understood. Rolling out a TWAP without knowing why the TWAP is needed is how protocols ship a defence that does nothing.

