Perennial - Securing a Shared Settlement Layer for DeFi Derivatives

Sherlock helped Perennial uncover hidden systemic risk in a complex DeFi derivatives protocol through broad adversarial review ahead of mainnet deployment.

Perennial is a DeFi-native derivatives protocol built as a foundational settlement layer for leveraged markets. Rather than operating as a single application, it functions as a composable primitive that supports multiple trading products and integrations, enabling capital-efficient exposure to oracle-priced markets across a growing ecosystem.

That design unlocks flexibility for traders, liquidity providers, and developers, but it also concentrates risk at the protocol layer. Any flaw in settlement logic, collateral accounting, or liquidation behavior would not be isolated to one interface or market. It would propagate across every product built on top of it.

As Perennial prepared to deploy its V2 contracts, the team wanted assurance that subtle edge cases and systemic risks were identified before real capital was at stake. They engaged Sherlock to conduct a comprehensive security review focused on adversarial behavior, emergent risk, and real-world exploitability.

The Challenge: Risk Emerges From Interaction, Not Isolation

Perennial’s architecture is intentionally minimalist at the surface and sophisticated underneath. Trades are cash-settled, funding and interest rates adjust dynamically based on utilization and skew, and positions are ultimately resolved through a shared derivatives AMM. Takers, makers, and liquidity providers continuously settle against one another, with LPs stepping in to absorb imbalances when markets are uneven.

In systems like this, risk rarely appears as a single broken function. It emerges from how incentives, leverage, oracle pricing, and delayed settlement interact—especially during periods of volatility. A scenario that looks acceptable under normal conditions can behave very differently when gas spikes, markets move quickly, or one side of the book becomes stressed.

Catching those behaviors requires more than a narrow review. It requires pressure from many perspectives at once.

Sherlock’s Approach: Parallel Adversarial Review

Sherlock conducted a crowdsourced audit of Perennial’s V2 codebase over a three-week period. A global set of independent security researchers reviewed the contracts concurrently, each applying different heuristics, threat models, and areas of specialization.

This parallel approach allowed the audit to explore far more of the protocol’s behavior space than a sequential review ever could. Findings were rigorously evaluated, deduplicated, and judged against strict validity standards. Issues were only included if they represented credible risk within Perennial’s intended design and operating assumptions.

The result was a security assessment grounded in practical outcomes rather than inflated labels.

What Sherlock Found

Across the engagement, Sherlock identified sixteen valid vulnerabilities in the Perennial V2 contracts. Six were classified as high-severity risks with the potential to materially impact protocol safety if left unresolved. Ten additional medium-severity issues highlighted edge cases, incentive misalignments, or design behaviors that could degrade protocol performance under specific conditions.

Several findings focused on liquidation mechanics and how collateral shortfalls could manifest when markets move rapidly. Others examined how settlement delays and leverage interacted with skewed markets. In many cases, identifying the issue required reasoning about system behavior across multiple components rather than inspecting a single contract in isolation.

Just as importantly, Sherlock filtered out findings that lacked real-world relevance. Potential issues that were purely theoretical or aligned with explicit design choices were excluded, helping the Perennial team focus on fixes that actually reduced risk.

Why It Mattered for Perennial

For Perennial, the audit delivered clarity ahead of deployment. The team gained visibility into failure modes that would have been difficult to surface through limited review, along with a clear prioritization of what mattered most.

Because Perennial serves as a shared settlement layer for multiple products and integrations, addressing these issues early reduced risk not just for a single application, but for the entire ecosystem built on top of the protocol.

The process also validated key design decisions. Where potential concerns were raised but ultimately deemed invalid, the review confirmed that those behaviors were intentional, constrained, and acceptable within the protocol’s economic model.

By the end of the engagement, Perennial entered its next phase with a more resilient codebase and a clearer understanding of its systemic risk profile.

The Takeaway

As DeFi protocols become more composable and capital-efficient, security failures are less likely to come from obvious bugs and more likely to arise from complex interactions under stress.

For Perennial, Sherlock’s collective auditing model surfaced those risks before attackers could. The engagement demonstrated how parallel adversarial review can uncover blind spots, reduce uncertainty, and support confident deployment of shared infrastructure.

When the protocol is the product, security has to operate at the same level of depth.