Lagoon Protocol (by Hopper Labs) is tokenized vault infrastructure on Ethereum aligned with EIP-7540 (asynchronous ERC-4626 vaults), extending ERC-4626 with request-based deposits and withdrawals.
Unlike standard ERC-4626 vaults, which execute deposits and withdrawals atomically in a single transaction, Lagoon’s design separates user requests from final settlement. This introduces intermediate “pending” states that must remain correct across multiple blocks and settlement epochs.
This architecture enables request-based deposits and withdrawals, and was later expanded to support synchronous deposits on top of the async base.
After the async vault rollout, Lagoon saw roughly 4x TVL growth, crossing $300M and briefly entering the top 100 DeFi protocols by TVL.
Lagoon’s design changed meaningfully over time, so a single snapshot audit would not have held up as the protocol evolved.
We reviewed Lagoon across multiple versions to:
This case study reflects Lagoon’s security journey across multiple reviews as the protocol evolved from V1 to V5, including major feature upgrades like vault factories and synchronous deposits layered on top of the async vault base.
Asynchronous and hybrid vault systems introduce failure modes that do not exist in standard ERC-4626 designs. These issues often live in the gap between request and settlement, where traditional testing and tooling can miss lifecycle-level inconsistencies.
Async vaults rely on correctly transitioning assets between “pending” and “settled” buckets. Small logic mistakes can cause premature movement of assets or incorrect settlement behavior.
One example we identified:
This class of issue can result in assets being processed under the wrong settlement cycle, creating user-impacting failures such as locked funds or incorrect fulfillment logic.
When Lagoon introduced synchronous deposits alongside the async base, the protocol needed to maintain accurate accounting while two different execution paths modified shared state.
One example we identified:
Without careful handling, synchronous deposits can occur during a valuation update window, creating incorrect pricing or overwriting valid asset accounting.
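A simplified Python model of the hazard described above, added here as an illustration. It is not Lagoon's contract code, and the class, method names, and figures are hypothetical. It shows a settlement overwriting a synchronous deposit made during the valuation window, next to one possible guard that rejects such deposits until settlement completes.

```python
from dataclasses import dataclass, field
from typing import Optional

class ValuationPending(Exception):
    """A sync deposit arrived while a proposed valuation awaits settlement."""

@dataclass
class ToyVault:                      # hypothetical model, not a real contract
    guard: bool = True               # True = reject sync deposits in the window
    total_assets: int = 0
    total_shares: int = 0
    proposed_assets: Optional[int] = None
    balances: dict = field(default_factory=dict)

    def sync_deposit(self, user, assets):
        if self.guard and self.proposed_assets is not None:
            raise ValuationPending("valuation update in progress")
        # Price shares against the currently recorded total (may be stale).
        shares = assets if self.total_shares == 0 else \
            assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def propose_valuation(self, new_total_assets):
        self.proposed_assets = new_total_assets

    def settle(self):
        # Settlement adopts the proposed figure, replacing the recorded total.
        self.total_assets, self.proposed_assets = self.proposed_assets, None

    def share_value(self, user):
        return self.balances.get(user, 0) * self.total_assets // self.total_shares

def run_scenario(guard):
    """Constructed sequence: deposit, valuation proposal, sync deposit, settle."""
    v = ToyVault(guard=guard)
    v.sync_deposit("alice", 1000)
    v.propose_valuation(1100)        # measured before bob's deposit existed
    try:
        v.sync_deposit("bob", 500)   # lands inside the valuation window
        v.settle()                   # unguarded: bob's 500 is overwritten
    except ValuationPending:
        v.settle()                   # guarded: settle first, then retry
        v.sync_deposit("bob", 500)
    return v.total_assets, v.share_value("alice"), v.share_value("bob")
```

In the unguarded run the recorded total drops to 1100 even though 1600 of value is held, and bob was priced at the stale rate. In the guarded run the total is 1600 and each holder's value matches what they are owed, up to rounding.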
Hybrid systems can also create subtle economic edge cases where combining features produces unexpected outcomes.
One example we identified:
These issues tend to be hard to detect without mapping the full end-to-end lifecycle across actors and execution modes, including users, settlement logic, and valuation processes.
Repeated audits helped Lagoon ship new async and hybrid features while preserving accounting safety.
Outcomes included:
The Lagoon team incorporated design feedback early, and was willing to remove or redesign features when the risk outweighed the utility.

Async vault infrastructure changes the core security model for user funds. Between request and settlement, assets can sit in intermediate states while valuation updates occur, and small timing mistakes can cause users to be mispriced, locked out of exits, or settled incorrectly.
This engagement shows the kind of lifecycle-aware review required to secure ERC-7540 vaults and hybrid execution flows in production.