Many DeFi project CTOs come from a pure coding and architecture background, but Lorenzo's co-founder and CTO Fan Sang is different. He holds a PhD from Georgia Tech with a research focus on blockchain security, and he is not just talking theory: he presents smart contract attack techniques at hacker conferences like DEF CON.

What is DEF CON? It is the world's top hacker conference, held every year in Las Vegas. The attendees are security researchers and white hat hackers of all kinds, and those who get to present there are not to be underestimated. Fan Sang ran a workshop on smart contract hacking at DEF CON 30, specifically teaching how to find contract vulnerabilities and how to attack them.

With such a background, how could someone be the CTO of a DeFi protocol without prioritizing security? Lorenzo's current security architecture clearly shows Fan Sang's influence. It is not just about hiring an audit company to go through the motions, but about considering attack scenarios from the ground up in the design.

First, regarding audits, Lorenzo has done more than 15 independent audits so far. The most recent one was an OTF vault audit conducted by CertiK in October 2025. In November, CertiK deployed a real-time monitoring system, Skynet, for Lorenzo, scoring 91.36. This score is considered high among DeFi protocols.

But the key is not the number of audits, but Lorenzo's serious attitude towards the issues identified during the audit. For example, when Zellic discovered 1 high-risk and 2 low-risk issues during the stBTC audit in April 2024, Lorenzo fixed all of them before going live, rather than just marking the issues in the audit report and leaving it at that, like some projects do.

The custody solution Lorenzo uses is also carefully considered. Lorenzo relies on two custodians, Cobo and Ceffu. Cobo employs MPC (multi-party computation): the private key is never stored in one place but is split across multiple nodes, so even if one node is compromised, the complete private key cannot be obtained. This design corresponds closely with Fan Sang's research on trusted execution environments.

During his PhD at Georgia Tech, Fan Sang published a paper at USENIX ATC. The paper, titled Pridwen, discusses using hardware security modules to protect distributed systems. This idea is consistent with the logic of MPC custody: both use technical means to disperse single-point risk.

Ceffu is a custody service under Binance, using a combination of cold wallets and MPC. Most assets are stored in cold wallets, and only transferred to hot wallets when transactions are needed. While this method sacrifices some flexibility, it indeed offers high security.

Looking at the choice of cross-chain bridges, Lorenzo uses three solutions: Wormhole, LayerZero, and Chainlink CCIP. Why use three? Because different bridges are suitable for different chains, and a multi-bridge strategy can hedge against risks. In case one bridge has issues, users can choose other bridges.

Wormhole uses a guardian network to validate cross-chain messages, with 19 guardian nodes distributed across different organizations. Each cross-chain transaction requires over 2/3 of the guardians' signatures to execute. This security model is much stronger than a single-node bridge.
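The guardian-quorum rule described above, as an added example that is not Wormhole's or Lorenzo's code: a simplified verifier that accepts a cross-chain message only when strictly more than 2/3 of the 19 guardians have validly signed it. Real guardians produce secp256k1 ECDSA signatures; an HMAC tag keyed by each guardian's secret stands in for that here, and the guardian secrets are constructed test values.

```python
# Added example, not Wormhole's or Lorenzo's code: a simplified model of the
# guardian-quorum rule (19 guardians, strictly more than 2/3 must sign).
# Real guardians produce secp256k1 ECDSA signatures; here an HMAC tag keyed by
# each guardian's secret stands in for that, and the secrets are constructed
# test values.
import hashlib
import hmac

GUARDIAN_COUNT = 19


def quorum(n: int) -> int:
    """Smallest signature count that is strictly more than two thirds of n."""
    return (2 * n) // 3 + 1  # 19 guardians -> 13 signatures


def sign(secret: bytes, message: bytes) -> bytes:
    """Stand-in for a guardian's signature over the cross-chain message."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_message(message: bytes, signatures, guardian_secrets) -> bool:
    """signatures: list of (guardian_index, tag).

    Accepts only if at least quorum(n) distinct guardians produced valid tags
    over exactly this message. A repeated index or any invalid tag rejects the
    whole set rather than being skipped, so one honest-looking signature
    cannot be replayed to pad the count.
    """
    n = len(guardian_secrets)
    seen = set()
    for idx, tag in signatures:
        if not 0 <= idx < n or idx in seen:
            return False
        if not hmac.compare_digest(tag, sign(guardian_secrets[idx], message)):
            return False
        seen.add(idx)
    return len(seen) >= quorum(n)
```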

LayerZero's support for EVM chains is particularly good, while Chainlink CCIP has advantages on BNB Chain and some new chains. By integrating these three bridges, Lorenzo allows users to choose the safest and cheapest path available.

But what makes Fan Sang most impressive may not be the security tools he chose, but the depth of his understanding of security. General DeFi developers may only know that audits and multi-signature wallets are necessary, but may not fully understand the mindset of attackers. Fan Sang truly understands how hackers think because he is researching attack techniques himself.

This ability to balance offense and defense is extremely rare in the DeFi space. Most protocols wait to be hacked before they patch vulnerabilities. Lorenzo considers possible attack paths during the design phase, for example the 1:1 proof of reserves for enzoBTC, which employs Chainlink's PoR system.

This system validates in real time whether the amount of BTC locked by Lorenzo matches the amount of enzoBTC issued, and the verification is decentralized rather than determined solely by Lorenzo. This guards against the risk of protocol malfeasance or reserve funds being misappropriated.
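The reserve-backed mint check described above, as an added example that is not Lorenzo's or Chainlink's code: a token whose mint() consults a reserve reading and refuses to issue more than the locked BTC or to act on a stale reading. Amounts are in satoshis, every value is constructed, and MAX_FEED_AGE is an assumed staleness bound.

```python
# Added example, not Lorenzo's or Chainlink's code: a model of a reserve-backed
# mint check. A reserve feed reports how much BTC is locked and when that was
# observed; mint() refuses to issue tokens beyond the locked amount or against
# a stale reading. Amounts are in satoshis and every value is constructed.
from dataclasses import dataclass, field

MAX_FEED_AGE = 3600  # seconds a reserve reading stays usable (assumption)


@dataclass
class ReserveReading:
    locked_sats: int   # BTC held in custody, as reported by the reserve feed
    observed_at: int   # unix time at which the feed observed that balance


@dataclass
class ReserveBackedToken:
    total_supply: int = 0
    balances: dict = field(default_factory=dict)

    def mint(self, to: str, amount: int, reading: ReserveReading, now: int) -> int:
        """Issue `amount` to `to`; returns the new total supply or raises."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if now - reading.observed_at > MAX_FEED_AGE:
            raise RuntimeError("reserve reading is stale; refusing to mint")
        if self.total_supply + amount > reading.locked_sats:
            raise RuntimeError("mint would exceed locked reserves")
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount
        return self.total_supply

    def is_fully_backed(self, reading: ReserveReading, now: int) -> bool:
        """The 1:1 check a monitor would run: fresh reading and supply <= reserves."""
        return (now - reading.observed_at <= MAX_FEED_AGE
                and self.total_supply <= reading.locked_sats)
```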

Fan Sang volunteered at USC and spent 6 years pursuing a PhD at Georgia Tech. People with such an academic background tend to be meticulous, not sacrificing security for the sake of speed. Although Lorenzo's product launch pace is not fast, each product undergoes thorough testing and auditing before going live.

From Lorenzo's GitHub, it can be seen that their codebase is open to the public. Anyone can review it. This level of transparency is not something all projects in DeFi can achieve, as public code means exposing vulnerabilities to potential attackers. But Lorenzo chooses transparency, which shows their confidence in the quality of their code.

CertiK's Skynet monitoring system went live in November. This system will monitor Lorenzo's smart contract status 24/7. Once it detects abnormal transactions or potential vulnerabilities, it will immediately raise an alarm. The monitoring is multidimensional, covering code vulnerabilities, governance risks, liquidity anomalies, and the status of verification nodes.

How is the score of 91.36 obtained? CertiK scores based on dimensions like the quality of smart contract code, whether there are known vulnerabilities, whether the governance mechanism is reasonable, and whether liquidity is sufficient. Lorenzo achieving over 91 points indicates good performance across these basic dimensions.

But one issue is that CertiK's score can only reflect the state at a certain point in time and cannot guarantee that issues won't arise in the future. Many risks are dynamic, such as market fluctuations, updates in hacking techniques, and changes in team members—these cannot be completely prevented by code audits.

Therefore, Lorenzo has also set up a bug bounty program to encourage white-hat hackers to find bugs. Those who discover high-risk vulnerabilities can receive a reward. This crowdsourced security approach is popular in the Ethereum community, and Lorenzo has adopted this mechanism.

From the perspective of security investments, Lorenzo must have spent quite a bit of money on audits, having conducted more than 15, with each audit costing at least tens of thousands to over a hundred thousand dollars. Chainlink's PoR system and CertiK's real-time monitoring are ongoing costs, along with the custody fees for Cobo and Ceffu, making the total security expenditure a significant part of the budget.

But this investment is worthwhile because the biggest risk in DeFi is security incidents. Once an issue arises, the protocol's reputation is ruined, and users cannot retrieve their funds. Lorenzo's choice to heavily invest in security is building a moat for themselves in the long run.

Fan Sang's technical ability and security awareness, combined with Lorenzo's investment in security infrastructure, create a distinct advantage for Lorenzo in the BTCFi space. At least in terms of security, many competitors cannot match them.