Audits

BitVault C4 audit: Liquity V2 Audit (BitVault is a friendly fork of Liquity V2)

• , December 2024

• , August 2024

• , November 2024

• , December 2024

• , December 2024

• , January 2025

• , January 2025

• , August 2024

• , November 2024

• , January 2025

• , October 2024

Liquity V2 Updates as of May 19, 2025

Pull Request : this fix removes the collateral compensation parameter in order to reduce the incentive that an attacker might have to trigger liquidation via redistributions of collateral instead of via the stability pool.

In BitVault's setup, opening a trove and borrowing bvUSD will be subject to whitelisting, and allowed parties will have to keep high Collateralization Ratio (> 150%), thus reducing the probability of liquidation events at all.

Furthermore, whitelisting is applied to liquidations as well, so we really don’t see this as an attack surface given liquidations will be carried out by known partners that don’t intend to manipulate the system for profit.

Pull Request & : access control for addManager/removeManagers.

This fix introduces a shortcut on how managers (entities that can perform operations on behalf of a trove owner), are set. Specifically, a removeManager (an entity that can withdraw collateral/debt from the position) is now automatically assumed to be addManager (an entity that can add collateral/repay debt) as well.

This is purely a QOL update, before that, you would need to explicitly set both add and remove managers, with no different behavior.

This isn’t really an issue as it can be easily mitigated by having one position with minimal debt/collateral open to allow bigger branches to get closed.

As Liquity stated, this is purely informational and not a bug, as a check for colliding troveId when opening a trove existed already, so there is no risk of overwriting open positions.