Mystic Finance Enhances Security Posture with Octane’s CI/CD Integration

Mystic Finance, a Plume-based money market offering liquid staking and RWA lending, opted for a full CI/CD integration with Octane after our offensive security engine uncovered a critical accounting bug during our initial AI code analysis.



Continuous Code Security

As one of the leading protocols on the Plume network, Mystic Finance has made security a top priority from the start. The team recognized that protecting user funds requires more than a one-time review. It demands ongoing, integrated vulnerability detection built directly into the development process.

To put this into practice, Mystic engaged Octane for an initial AI code analysis of its liquid staking contracts. That analysis uncovered a critical accounting bug capable of desyncing protocol balances, locking funds, and causing permanent losses for users. The finding served as a clear proof point for the value of continuous, automated security.

Following this discovery, Mystic chose to fully integrate Octane into its CI/CD pipeline. With this shift-left approach, every pull request is analyzed for vulnerabilities before it is merged, which shortens the time from introduction to remediation and catches regressions of the same issue class before they reach the main branch.

Incorrect State Update Bug

Mystic’s liquid-staking module manages two key balances:

  • currentWithheldETH: the buffer of ETH withheld in-protocol to cover immediate withdrawals.

  • totalInstantUnstaked: the amount the protocol owes users when the validator can’t instantly fulfill an unstake.

In the withdraw() flow, these two balances must stay synchronized across normal and cooldown-period withdrawals; each one must reflect exactly what the protocol holds and what it still owes. If they fall out of sync, withdrawals that should succeed can revert, locking user assets.

In the “immediate withdrawal” path, the code correctly subtracts amount from both values (currentWithheldETH and totalInstantUnstaked). But later in the same flow it also subtracts the deficit (totalAmount - amount) from totalInstantUnstaked, even though that deficit is still owed to the user. The result is a double-decrement for a single withdrawal.

This becomes dangerous when deposits arrive during the cooldown period. The increased buffer (currentWithheldETH) makes it appear that more ETH can be withdrawn instantly, but totalInstantUnstaked is still decremented as if the original deficit remained.

If exploited, this bug could bleed the withheld buffer until it’s out of alignment with actual validator-backed funds, leaving the protocol unable to satisfy its obligations. In practical terms, this means legitimate withdrawals could start reverting, freezing user funds.
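To make the double-decrement concrete, the following Python model reconstructs the two balances and the withdraw flow described above, with a flag that switches between the buggy and the corrected accounting. It is an added example, not code from Mystic Finance or Octane: the order of operations (recording the full totalAmount as owed before paying the immediate portion), the deposit() and claim() helpers, and the users and amounts are assumptions made to give the model a complete request-and-settle cycle, and an EVM revert on unsigned underflow (Solidity 0.8 checked arithmetic) is modelled with a Revert exception.

```python
"""Model of the withdraw() double-decrement described above.

Constructed example (not the Mystic Finance contract): the two balances
and a request/settle cycle built around them. Assumptions: the full
totalAmount is recorded as owed before the immediate payout, deposits go
into the withheld buffer, and a claim() step settles the cooldown deficit.
EVM checked arithmetic (uint256 underflow => revert) is modelled by Revert.
"""


class Revert(Exception):
    """Stands in for a reverted transaction (Solidity >=0.8 checked math)."""


def _checked_sub(value: int, amount: int, label: str) -> int:
    """uint256 semantics: subtracting past zero reverts instead of going negative."""
    if amount > value:
        raise Revert(f"{label} underflow: {value} - {amount}")
    return value - amount


class LiquidStaking:
    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.currentWithheldETH = 0    # ETH held back to serve immediate withdrawals
        self.totalInstantUnstaked = 0  # ETH owed to users the buffer could not cover
        self.cooldown: dict[str, int] = {}  # user -> deficit waiting for cooldown
        self.paid: dict[str, int] = {}      # user -> ETH actually paid out

    def deposit(self, amount: int) -> None:
        self.currentWithheldETH += amount  # assumption: deposits refill the buffer

    def withdraw(self, user: str, totalAmount: int) -> int:
        """Pay what the buffer covers now and queue the rest behind the cooldown."""
        self.totalInstantUnstaked += totalAmount            # obligation recorded
        amount = min(totalAmount, self.currentWithheldETH)  # immediate portion
        deficit = totalAmount - amount                      # still owed after this call

        # Immediate path: both balances drop by the amount paid out right now.
        self.currentWithheldETH = _checked_sub(self.currentWithheldETH, amount, "currentWithheldETH")
        self.totalInstantUnstaked = _checked_sub(self.totalInstantUnstaked, amount, "totalInstantUnstaked")
        self.paid[user] = self.paid.get(user, 0) + amount
        self.cooldown[user] = self.cooldown.get(user, 0) + deficit

        if not self.fixed:
            # BUG: the deficit is still owed, yet it is subtracted here as well,
            # so totalInstantUnstaked no longer reflects the queued obligation.
            self.totalInstantUnstaked = _checked_sub(
                self.totalInstantUnstaked, deficit, "totalInstantUnstaked")
        return amount

    def claim(self, user: str) -> int:
        """After the cooldown, settle the queued deficit out of the buffer.

        Computed first, committed last, so a revert leaves state untouched
        (all-or-nothing like an EVM transaction).
        """
        owed = self.cooldown.get(user, 0)
        new_buffer = _checked_sub(self.currentWithheldETH, owed, "currentWithheldETH")
        new_owed_total = _checked_sub(self.totalInstantUnstaked, owed, "totalInstantUnstaked")
        self.currentWithheldETH, self.totalInstantUnstaked = new_buffer, new_owed_total
        self.cooldown.pop(user, None)
        self.paid[user] = self.paid.get(user, 0) + owed
        return owed

    def untracked_obligation(self) -> int:
        """ETH queued in cooldown that totalInstantUnstaked no longer accounts for."""
        return sum(self.cooldown.values()) - self.totalInstantUnstaked


def run_scenario(fixed: bool) -> dict:
    """One user, one under-funded withdrawal, deposits during cooldown, then a claim."""
    pool = LiquidStaking(fixed)
    pool.deposit(10)                 # buffer = 10
    pool.withdraw("alice", 15)       # 10 paid instantly, 5 queued behind cooldown
    untracked = pool.untracked_obligation()
    pool.deposit(20)                 # fresh deposits arrive during the cooldown
    try:
        pool.claim("alice")
        claim_reverted = False
    except Revert:
        claim_reverted = True
    return {
        "untracked_obligation": untracked,
        "claim_reverted": claim_reverted,
        "paid": pool.paid["alice"],
        "currentWithheldETH": pool.currentWithheldETH,
        "totalInstantUnstaked": pool.totalInstantUnstaked,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("fixed" if flag else "buggy", run_scenario(flag))
```

With fixed=False, totalInstantUnstaked returns to zero right after the instant payout even though 5 ETH is still queued for the user; once deposits refill the buffer and the user claims, the settlement tries to decrement the counter a second time, underflows, and the whole claim reverts. That is the "legitimate withdrawals start reverting" outcome described above, and the buffer sits at 20 ETH while the user holds only the 10 ETH paid instantly. With fixed=True the obligation stays tracked and the claim settles, paying the full 15 ETH.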

It’s Right to Shift Left

By upgrading to Octane’s full CI/CD integration, Mystic transformed security from a reactive step into a proactive, continuous part of their development process. Every pull request is now analyzed before merging, so the team can detect and remediate issues from the start.

Over time, Octane’s detectors adapt to Mystic’s codebase, learning its unique patterns and assumptions. This continuous feedback loop strengthens detection, reduces noise, and delivers increasingly precise results as the protocol evolves.

From Proof Points to Pipeline Protection

The discovery of the accounting bug in Mystic’s initial AI code analysis highlighted the need for continuous, automated protection embedded directly into the development lifecycle.

With Octane now fully integrated into its CI/CD pipeline, Mystic benefits from ongoing vulnerability detection and real-time code fixes. Every protocol update, feature, and change ships with proactive security built in from the start.

Want to see how Octane’s CI/CD integration can upgrade your security posture? Schedule a demo today to experience it in action.
