Maple Finance

Code Audit


A decentralized credit marketplace for institutional borrowers and lenders.

Audit Report


Introduction

Maple Finance is an institutional-grade, on-chain credit market. It connects accredited pool delegates, who curate loan books and price risk, to institutional borrowers seeking under-collateralised working-capital loans, while liquidity providers (LPs) supply capital and earn interest.

Core mechanics include:

  • Delegate-managed lending pools with configurable fees, lock-up cycles, and withdrawal windows.
  • Under-collateralised MapleLoans that stream interest and principal to lenders and the Maple treasury.
  • Smart-withdrawal manager that queues LP exits into cyclic windows and enforces pro-rata liquidity distribution.
  • Upgradeable, factory-based architecture with global governance and migration helpers for contract evolutions.

Why Did They Need an Audit?

The V2 launch introduced:

  1. On-chain liquidity migration from V1 pools, an irreversible step that had to preserve every LP share.
  2. Pool-share maths rewrite to use ERC-4626-style accounting. A single rounding bug could let a front-runner siphon first-depositor value.
  3. Complex withdrawal queues and delegate upgrade paths that, if mis-wired, could freeze capital or silently favour one class of lender.

Because the protocol already custodied >$500m of institutional liquidity, Maple engaged Three Sigma for a focused review of the migration helpers and the new V2 core contracts before main-net deployment.

Scope of the Engagement

  • Team: 2 auditors, 5 person-weeks
  • Chain: Ethereum

Audit Date: 2022-11-08

Language: Solidity

Type: Code Audit

Results and Findings

Notable High-Severity Issues

Loss of funds possible via first-deposit share inflation

  • Description: Pool.deposit() mints shares as:

    shares = (totalSupply == 0) ? assets : assets * totalSupply / totalAssets;

A front-runner can deposit 1 wei first, inflate totalAssets with a flash-loaned transfer, then let the victim deposit. Rounding down mints zero shares for the victim; the attacker removes the flash loan and redeems the victim’s assets.

  • Recommendation: Enforce a minimum-shares requirement on the first mint (e.g., ≥ 1e18) and disallow deposits that round to zero. Implemented in PRs #219 (pool-v2) and maple-globals PR #40.
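
The effect of the two recommended guards on the quoted share formula, as an added example that is not part of the original report and is not Maple's contract code. It is an integer model in Python; the names Pool, transfer_in, run and min_first_mint are hypothetical, and the amounts are constructed sample values.

```python
WAD = 10**18  # 1e18, the example minimum the recommendation mentions

class Pool:
    """Integer model of the quoted share formula; not Maple's contract code."""

    def __init__(self, hardened, min_first_mint=WAD):
        self.hardened = hardened
        self.min_first_mint = min_first_mint  # hypothetical parameter name
        self.total_supply = 0
        self.total_assets = 0
        self.shares = {}

    def deposit(self, who, assets):
        if self.total_supply == 0:
            minted = assets
            if self.hardened and minted < self.min_first_mint:
                raise ValueError("first mint below minimum shares")
        else:
            # Solidity integer division truncates, like // on non-negative ints.
            minted = assets * self.total_supply // self.total_assets
            if self.hardened and minted == 0:
                raise ValueError("deposit rounds to zero shares")
        self.total_supply += minted
        self.total_assets += assets
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def transfer_in(self, assets):
        """Assets sent straight to the pool: totalAssets grows, no shares minted."""
        self.total_assets += assets

    def redeemable(self, who):
        return self.shares.get(who, 0) * self.total_assets // self.total_supply

def run(hardened, first_deposit, transfer, victim_deposit):
    """Replay the finding's sequence; return the later depositor's
    (shares, redeemable assets), or the revert reason as a string."""
    pool = Pool(hardened)
    try:
        pool.deposit("first", first_deposit)
        pool.transfer_in(transfer)
        pool.deposit("victim", victim_deposit)
    except ValueError as err:
        return str(err)
    return pool.shares["victim"], pool.redeemable("victim")

if __name__ == "__main__":
    print(run(False, 1, 10_000 * WAD, 5_000 * WAD))   # unguarded formula
    print(run(True, 1, 10_000 * WAD, 5_000 * WAD))    # guarded, 1 wei first deposit
    print(run(True, WAD, 10_000 * WAD, 5_000 * WAD))  # guarded, first mint at minimum
```

With the first mint held at 1e18 shares, the same transfer no longer rounds the later deposit to zero, and the depositor's redeemable amount stays within rounding dust of what was deposited.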

Severity Issues

  • critical: 0
  • high: 1
  • medium: 0
  • low: 2
  • informational: Several

Audit Period: 5 PW


In conclusion

The review found no critical vulnerabilities, but it highlighted a high-severity share-inflation bug that could drain early deposits and two low-severity inconsistencies that might confuse off-chain systems or hamper delegate rotation. All severe issues were fixed, and Maple incorporated naming, gas, and design suggestions into its development backlog.

With the first-mint guard in place and event / delegate logic clarified, Maple Finance V2 is positioned to migrate V1 liquidity safely and continue offering under-collateralised credit to institutional borrowers while protecting LP capital.
