Security

Audits

December 2022 Release

The Maple protocol contracts went through 3 audits during their development for the December 2022 release, details of which you can find below. All relevant issues identified by auditors were addressed prior to the launch of V2.

| Auditor | Report Link |
| --- | --- |
| Trail of Bits | 2022-08-24 - Trail of Bits Report |
| Spearbit | 2022-10-17 - Spearbit Report |
| Three Sigma | 2022-10-24 - Three Sigma Report |

June 2023 Release

The Maple protocol contracts went through 2 audits during their development for the June 2023 release, details of which you can find below. All relevant issues identified by auditors were addressed prior to release.

| Auditor | Report Link |
| --- | --- |
| Spearbit Auditors via Cantina | 2023-06-05 - Cantina Report |
| Three Sigma | 2023-04-10 - Three Sigma Report |

December 2023 Release

The Maple protocol contracts went through 2 audits during their development for the December 2023 release. Details of these audits can be found below, and all relevant issues identified by auditors were addressed prior to release.

| Auditor | Report Link |
| --- | --- |
| Three Sigma | 2023-11-06 - Three Sigma Report |
| 0xMacro | 2023-11-27 - 0xMacro Report |

August 2024 Release

The Maple & Syrup protocol contracts went through 2 audits during their development for the August 2024 release. Details of these audits can be found below, and all relevant issues identified by auditors were addressed prior to release.

| Auditor | Report Link |
| --- | --- |
| Three Sigma | 2024-08-23 - Three Sigma Report |
| 0xMacro | 2024-08-14 - 0xMacro Report |
| ThreeSigma (Router) | 2024-05-23 - Three Sigma Report |

December 2024 Release

The Maple & Syrup protocol contracts went through 2 audits during their development for the December 2024 release. Details of these audits can be found below, and all relevant issues identified by auditors were addressed prior to release.

| Auditor | Report Link |
| --- | --- |
| Three Sigma | 2024-12-10 - Three Sigma Report |
| 0xMacro | 2024-12-20 - 0xMacro Report |

Bug Bounty

The Maple protocol has an active bug bounty to incentivize whitehat hackers to report any issues discovered in the protocol, so that a patch can be made before the exploit is performed by a malicious actor. For all information related to the ongoing bug bounty for these contracts run by Immunefi, please visit this site.

Critical Monitoring

Maple Finance makes use of a custom smart contract to check invariants on-chain, using data from both the smart contracts and the subgraph to assert invariants at the Loan, Pool and LP level. This is all managed using Tenderly Web3 Actions. Every block, all invariants are checked atomically using the deployed contract. If any of the invariants fail, a critical PagerDuty incident is created. This notifies all on-call members of the incident response team immediately and includes a pre-defined escalation policy. In addition, Tenderly uses webhooks to send a message to the team's internal Slack channel with further information about how the invariant has failed.

Informational Monitoring

As with critical monitoring, Tenderly is used to notify the team whenever transactions are made against any of the protocol's contracts, in order to have real-time insight into protocol usage. Examples include a Loan being funded or a Pool Delegate changing a withdrawal configuration.

Additionally, all smart contracts are programmatically verified on Etherscan using custom Tenderly Web3 Actions.

Emergency Pause Function

In the case of a critical incident, a multisig is able to trigger a protocol pause. This function can temporarily disable almost all functions in the Maple protocol, allowing the incident response team to address the situation and minimize any potential harm. More information on the Emergency Pause function is outlined on this page.

Oracle/Flash Loan Protections

Maple Finance has implemented a number of protections to mitigate the risk of flash loans and front-running attacks. These protections are outlined below.

  1. Chainlink Oracles - Maple Finance uses Chainlink oracles to provide price feeds for the protocol. Chainlink oracles are decentralized and provide a high level of security and reliability. In addition, Chainlink oracles are designed to be resistant to flash loan attacks since they provide price data from off-chain sources. More information on Chainlink oracles can be found here.

  2. Oracle Wrappers - Maple Finance uses oracle wrappers to provide additional security and reliability to the Chainlink oracles. Oracle wrappers are designed to prevent oracle outages and oracle manipulation from causing issues in the protocol, specifically during liquidations.

  3. Minimum Liquidation Price - The minimum liquidation price is a parameter that is set by the Pool Delegate. This parameter is used to prevent liquidations from occurring when the price of the collateral is too low. This is done to prevent flash loan attacks from being able to liquidate collateral at unfair prices.

  4. Withdrawal Cooldowns - With withdrawal cooldowns, LPs are required to wait a certain amount of time before they can withdraw their funds. This is done to prevent flash loan attacks from being able to front-run LPs and deposit and withdraw funds to profit unfairly from discrete increases in pool value.

Front-Running Protections

Every ERC-20 asset has a bootstrapMint amount that is set by the Governor. This is to prevent attackers from front-running the first depositor in a Pool to get an unfair distribution of Pool value. An outline of this exploit can be found here under finding 5.1.1.
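The bootstrapMint protection described under Front-Running Protections can be checked with a small model of integer share accounting. This is an added example, not Maple's contract code. It assumes the bootstrap amount is locked as shares on the first deposit; the `Pool` class, the `first_deposit_scenario` helper and all amounts are constructed for illustration.

```python
# Added example: integer share accounting for a pool, with an optional
# bootstrap mint. A model for illustration, not Maple's contract code.
DEAD = "0x0"  # holder of the locked bootstrap shares (assumed mechanism)

class Pool:
    def __init__(self, bootstrap_mint=0):
        self.bootstrap_mint = bootstrap_mint
        self.total_supply = 0
        self.total_assets = 0
        self.shares = {}

    def _mint(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + amount
        self.total_supply += amount

    def deposit(self, who, assets):
        if self.total_supply == 0:
            # First deposit: 1 share per asset unit, minus the locked amount.
            if assets <= self.bootstrap_mint:
                raise ValueError("first deposit must exceed bootstrap mint")
            if self.bootstrap_mint:
                self._mint(DEAD, self.bootstrap_mint)
            minted = assets - self.bootstrap_mint
        else:
            # Later deposits: pro-rata shares, rounded down.
            minted = assets * self.total_supply // self.total_assets
        if minted == 0:
            raise ValueError("deposit would mint zero shares")
        self._mint(who, minted)
        self.total_assets += assets
        return minted

    def add_value(self, assets):
        # Discrete increase in pool value with no shares minted.
        self.total_assets += assets

    def redeemable(self, who):
        return self.shares.get(who, 0) * self.total_assets // self.total_supply

def first_deposit_scenario(bootstrap_mint, first, added, later):
    """Return (later depositor's rounding loss, first depositor's net result)."""
    pool = Pool(bootstrap_mint)
    pool.deposit("first", first)
    pool.add_value(added)  # cost assumed to be borne by the first depositor
    pool.deposit("later", later)
    loss = later - pool.redeemable("later")
    net = pool.redeemable("first") - (first + added)
    return loss, net
```

With no bootstrap mint, the rounding in `deposit` moves a large part of the later deposit to the first holder. With shares locked at the first deposit, the later depositor's loss stays below one share's value and the first holder ends with a net loss.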
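For the Oracle Wrappers and Minimum Liquidation Price items under Oracle/Flash Loan Protections, the following added example (not Maple's code) models a wrapper that fails closed on a bad price round and a liquidation bound that never drops below the delegate-set floor. The function names, the `max_delay` and slippage parameters and the sample prices are assumptions made for illustration.

```python
from dataclasses import dataclass

PRICE_DECIMALS = 8  # Chainlink USD feeds report 8 decimals
BPS = 10_000

class OracleError(Exception):
    """Raised instead of returning a price that should not be trusted."""

@dataclass
class Round:
    answer: int      # price from the feed, PRICE_DECIMALS decimals
    updated_at: int  # unix time of the feed's last update

def checked_price(rnd, now, max_delay):
    """Wrapper check (hypothetical): fail closed on an invalid or stale round."""
    if rnd.answer <= 0:
        raise OracleError("non-positive price")
    if rnd.updated_at == 0 or now - rnd.updated_at > max_delay:
        raise OracleError("stale or incomplete round")
    return rnd.answer

def min_funds_out(collateral, coll_decimals, funds_decimals,
                  price, slippage_bps, min_price):
    """Least funds-asset amount a liquidation must return for `collateral`.

    min_price is the delegate-set floor, in funds-asset base units per whole
    unit of collateral. The larger of the two bounds wins, so a depressed
    oracle price cannot lower the bound below the floor.
    """
    oracle_amount = (collateral * price * 10**funds_decimals * (BPS - slippage_bps)
                     // (10**coll_decimals * 10**PRICE_DECIMALS * BPS))
    floor_amount = collateral * min_price // 10**coll_decimals
    return max(oracle_amount, floor_amount)
```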