Back to case studies



Audit dates:

Jun 12, 2023


Jul 14, 2023

Company Background

Dolomite Margin is a composable margin trading and lending protocol, forked from dYdX Solo, running on Arbitrum One L2.

In the past, DEX margin trading has limited you to trading ETH and WBTC against stablecoins. Now with Dolomite you can margin trade many of your favorite DeFi assets against stablecoins or even other DeFi assets.

Audit Summary


Lead Security Researchers
Bugs found


Audit Overview

With two of the Cyfrin co-founders coming from Chainlink and a top-in-class security research team, Cyfrin was an easy choice, positioned to dive into the codebase in-depth relatively quickly.

Lead auditors 0Kage, Giovanni di Siena, Hans, and Carlos Amarante performed a 25-day audit on the Dolomite Margin which heavily relies on Chainlink Oracles, finding 15 issues, 5 medium, 6 low, and 4 informational. It was found that deprecated functions were being used to fetch the latest asset prices.

Here you can read the full Dolomite security report.

Audit Details

High-level tech break-down

The Dolomite codebase consists of three layers:

  • Core layer: derived from the dY/dX solo margin protocol, proved robust during the audit.
  • Implementation layer: contains libraries that call functions from the core layer, categorized by underlying actions such as admin actions, trading, deposit, withdrawal, borrowing, liquidation, etc. The main contract, Dolomite Margin, utilizes the state defined in Storage and the implementation libraries to allow users to define generic operations.
  • Proxy layer: not proxies in the real sense we’re used to. Instead, it contains proxies for liquidation accounts as well as opening borrower positions and making deposits.

Dolomite is designed to embody the ethos of DeFi, utilizing an immutable base layer that can only change certain configuration parameters as well as retaining much-needed modularity to adapt to new environments, trends, and paradigms as DeFi continues to evolve.

This modularity allows for a clear upgrade path that preserves the core behavior of Dolomite while being able to introduce new features that don't conflict with previously deployed modules.

Notes by our auditors

Best in class Chainlink knowledge

With 2 of our co-founders coming from Chainlink, Cyfrin was well-positioned to dive into the codebase in-depth relatively quickly. Dolomite Margin relies heavily on Chainlink Oracles, but it was found that deprecated functions were being used to fetch the latest asset prices.

As always, Cyfrin focused on maintaining extensive communication with the Dolomite team throughout the process, to address, clarify and answer higher-level questions and concerns, beyond the documentation itself.

Thanks to the in-depth DeFi and economics experience of our security research team, Cyfrin was able to review all actions driving state changes in the Dolomite Margin, including deposit, withdraw, transfer, buy, sell, call, liquidate, and vaporise.

Our Auditing process

Given Dolomite’s vision of becoming a base layer for trading a wide range of tokens, the lack of systemic risk controls to hedge potential insolvency risks, particularly during black-swan liquidity freeze events, was important. We recommended additional risk controls to better handle contagion events.

Our audit further highlighted a potential insolvency risk stemming from the protocol admin’s unintentional withdrawal of excess tokens.

Additionally, there was a distinct concern regarding the protocol admin’s capacity to withdraw unsupported tokens with double entry points, which could lead to significant imbalances in Dolomite’s balances.


Cyfrin is on a mission to create a safer Web3 industry.

Our security review of Dolomite deepened our team’s knowledge of financial modular systems, Arbitrum infrastructure, and Chainlink Oracles.

Additionally, our extensive communication with the team proved fruitful in helping uncover vulnerabilities and understand the codebase faster.

-- Note: Cyfrin did not audit the Dolomite contracts hacked in March 2024. That attack happened to Dolomite contracts deployed in 2019 on Ethereum Mainnet, whereas Cyfrin audited the Dolomite Margin contracts in 2023 deployed on Arbitrum One.


Cyfrin has performed a thorough security review of the codebase in scope as of the date specified, which should not be construed as an endorsement of the protocol. Despite our comprehensive review, vulnerabilities may still exist, and we encourage users to conduct their own research before engaging.

Secure your protocol today

Join some of the biggest protocols and companies in creating a better internet. Our security researchers will help you throughout the whole process.
Stay on the bleeding edge of security
Carefully crafted, short smart contract security tips and news freshly delivered every week.