Maple Finance

Code Audit


A decentralized credit marketplace for institutional borrowers and lenders.

Audit Report

Introduction

Syrup is a permissionless lending aggregator built by Maple. Users deposit USDC into Syrup and receive syrupUSDC LP tokens, earning yield generated from fully collateralized institutional loans. All loans on Syrup are backed by digital assets held in secure vaults, ensuring creditors’ funds are protected against default.

Why Did They Need an Audit?

Although Syrup leverages established lending patterns, its core functionality revolves around:

  • Permit-enabled deposits: Users can deposit USDC using EIP-2612 permits, reducing transaction count but introducing front-running vectors.
  • LP-token minting: syrupUSDC must accurately track deposited USDC and accrued yield.
  • Permissioned router logic: The SyrupRouter orchestrates deposits, withdrawals, and fee accounting across multiple institutional pools.

Because the SyrupRouter coordinates all user deposits and uses EIP-2612 permits, even minor issues, such as permit mismanagement or front-running, could disrupt deposits or yield calculations. The two-day audit focused on ensuring:

  • EIP-2612 permit flows cannot be front-run or otherwise abused.
  • Deposit and withdrawal logic maintains correct accounting at every step.
  • Administrative functions are restricted to the intended roles.

Scope of the Engagement

  • Team: 2 auditors · 4 person-weeks
  • Chain: Ethereum

Audit Date: 2024-05-21

Language: Solidity

Type: Code Audit

Results and Findings

Notable Low-Severity Issues:

Frontrunnable depositWithPermit Griefing

  • Description: An attacker could front-run a pending depositWithPermit transaction by reusing its permit signature but substituting arbitrary metadata, misleading off-chain indexers.
  • Resolution: Removed the free-form metadata parameter from depositWithPermit, ensuring permit signatures only authorize the USDC transfer and LP-token mint.

DoS via Front-run of ERC20 permit Nonce

  • Description: A malicious actor could front-run the router’s permit(...) call to consume the permit nonce, causing the original transaction to revert when it tries to use the same signature.
  • Resolution: Added a pre-check of the existing allowance and wrapped permit(...) in a try/catch. If allowance is already sufficient, skip permit; otherwise, revert immediately on a failed nonce.
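The two resolutions above, shown together in one router-style function (an added example written for this summary, not Maple's SyrupRouter code): the permit signature binds only the transfer amount, with no free-form metadata, and the router checks the existing allowance before calling permit so a signature that a front-runner already submitted does not make the deposit revert. The interfaces, the `PermitRouterExample` contract name and the `pool.deposit` shape are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this example (not Maple's own definitions).
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC20Permit {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
}

// Assumed ERC-4626-style pool that mints LP tokens to `receiver`.
interface IPool {
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

contract PermitRouterExample {
    IERC20 public immutable asset; // e.g. USDC
    IPool  public immutable pool;  // pool that mints the LP tokens

    error PermitFailed(bytes reason);

    constructor(address asset_, address pool_) {
        asset = IERC20(asset_);
        pool = IPool(pool_);
        require(asset.approve(pool_, type(uint256).max), "APPROVE_FAILED");
    }

    // No metadata parameter: the signature authorizes only the transfer and mint.
    function depositWithPermit(uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s)
        external returns (uint256 shares)
    {
        // Pre-check: if the allowance already covers `amount` (for instance because
        // someone front-ran this permit with the same signature, consuming the nonce),
        // skip permit entirely instead of reverting on the spent nonce.
        if (asset.allowance(msg.sender, address(this)) < amount) {
            // Otherwise attempt the permit and surface the revert reason clearly.
            try IERC20Permit(address(asset)).permit(msg.sender, address(this), amount, deadline, v, r, s) {
            } catch (bytes memory reason) {
                revert PermitFailed(reason);
            }
        }
        require(asset.transferFrom(msg.sender, address(this), amount), "TRANSFER_FAILED");
        shares = pool.deposit(amount, msg.sender);
    }
}
```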

Severity Issues

  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 2
  • Informational: 3

Audit Period: 2 Days


In conclusion

No critical, high, or medium vulnerabilities were found in MapleSyrupRouter.sol. Two low-severity issues related to EIP-2612 permit usage and front-running vectors were identified and resolved. Informational findings (signature formatting, hardcoded constants, permission comments) were either fixed or acknowledged without impacting security.
