Maple Finance

Code Audit

A decentralized credit marketplace for institutional borrowers and lenders.


Introduction

Maple Finance is an institutional crypto‐capital network built on Ethereum. It provides on‐chain infrastructure that connects institutional and individual lenders to vetted, blue‐chip borrowers. Maple’s V2 Private protocol enables credit experts to create and manage private lending pools with customizable terms. Key features include:

  • Fixed‐Term and Open‐Term Loans: borrowers receive capital under pre‐agreed schedules and interest terms, with automated repayment tracking.
  • PoolManager Architecture: delegates set up, fund, and oversee lending pools; funds are routed through a manager contract that enforces fee, payout, and liquidation logic.
  • Governance & Globals: a central MapleGlobals contract holds protocol‐wide parameters (e.g., fee limits, role assignments), ensuring consistent configuration across pools.

Why Did They Need an Audit?

Because Maple Finance handles large institutional capital flows, any serious flaw, particularly in loan creation, fee management, or withdrawal logic, could lead to irreversible fund loss. The V2 Private release introduced several new contracts and upgrade flows:

  • New MapleLoanInitializer logic for deploying loans with correct fee managers.
  • LoanManager upgrades to enforce storage and access‐control changes.
  • PoolManager functions that allow delegates to adjust withdrawal managers and fee rates on the fly.

Scope of the Engagement

  • Team: 3 auditors — 6 person‐weeks
  • Platform: Ethereum
  • Audit Date: 2023-04-06
  • Language: Solidity
  • Type: Code Audit

Results and Findings

Notable High-Severity Issues:

Fixed‐Term Loans Can Be Deployed with a Malicious Fee Manager

  • Description: The MapleLoanInitializer did not verify that the supplied fee‐manager address was a whitelisted instance. An attacker could monitor a legitimate loan‐creation transaction, replay it with an arbitrary fee‐manager address (potentially choosing a constructor salt that yields the same bytecode hash prefix), and cause the pool delegate to fund a malicious contract. All loan funds would then be sent to the attacker’s address.
  • Resolution: Added an isInstanceOf check in MapleGlobals to ensure that any fee‐manager being set during initialization is on the approved whitelist. The initializer now reverts if an untrusted fee manager is provided.

Delegates Can Set an Unbounded Origination Fee and Drain Pool Funds

  • Description: Within MapleLoanInitializer, the pool delegate could arbitrarily set the origination fee to 100% (minus any platform fee). Because anyone can deploy a loan for a funded pool, an attacker delegate could create a loan with an origination fee equal to the entire pool balance, fund it, and immediately collect all funds as fees upon loan creation.
  • Resolution: Imposed an upper bound on origination fees in MapleGlobals so that delegates cannot exceed a configurable maximum. Additionally, updates were made to require governor approval or a timelock for any fee changes beyond a safe threshold.
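
The two initializer fixes described above (the fee-manager whitelist check and the origination-fee cap) can be sketched together as follows. This is an added example, not code from Maple or from the audit report; the contract name, the `FEE_MANAGER` key, the `maxOriginationFeeRate()` getter, the 1e6 rate precision and the `isInstanceOf` signature shown are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration; names and signatures are assumptions, not Maple's code.
interface IGlobalsLike {
    // Assumed shape of the whitelist lookup named in the finding.
    function isInstanceOf(bytes32 instanceKey, address instance) external view returns (bool);
    // Hypothetical getter for the protocol-wide origination fee cap.
    function maxOriginationFeeRate() external view returns (uint256);
}

contract LoanInitializerSketch {
    uint256 internal constant HUNDRED_PERCENT = 1e6;            // assumed fee-rate precision
    bytes32 internal constant FEE_MANAGER_KEY = "FEE_MANAGER";  // assumed whitelist key

    IGlobalsLike public immutable globals;
    address public feeManager;
    uint256 public originationFeeRate;
    bool    public initialized;

    constructor(address globals_) {
        require(globals_ != address(0), "LI:ZERO_GLOBALS");
        globals = IGlobalsLike(globals_);
    }

    function initialize(address feeManager_, uint256 originationFeeRate_) external {
        require(!initialized, "LI:ALREADY_INIT");

        // H01: revert unless the globals contract recognises this fee manager.
        require(globals.isInstanceOf(FEE_MANAGER_KEY, feeManager_), "LI:INVALID_FEE_MANAGER");

        // H02: the delegate-chosen rate may never exceed the protocol-wide cap,
        // and the cap itself must be a sane fraction of the principal.
        uint256 cap = globals.maxOriginationFeeRate();
        require(cap <= HUNDRED_PERCENT, "LI:BAD_CAP");
        require(originationFeeRate_ <= cap, "LI:FEE_ABOVE_CAP");

        feeManager         = feeManager_;
        originationFeeRate = originationFeeRate_;
        initialized        = true;
    }
}
```

Both checks run before any state is written, so a rejected initialization leaves the loan unconfigured and unfundable.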

Pool Delegates Can Steal All Funds by Swapping in a Malicious WithdrawalManager

  • Description: The PoolManager contract allowed delegates to call setWithdrawalManager() without any whitelist or pause mechanism. A malicious delegate could point this reference to a contract that returns the entire pool balance for a single share. By depositing just one token to receive one share, then swapping in the malicious WithdrawalManager, the delegate could redeem that share and drain every asset in the pool.
  • Resolution: Removed the public setWithdrawalManager() method from PoolManager and replaced it with a governor‐controlled, timelocked setter. As a stopgap, the function is paused by default and only the governor (after a delay) can change the withdrawal manager address.
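
A governor-only, timelocked setter of the kind described in the resolution could look like the sketch below. It is an added example, not Maple's PoolManager; the contract and function names, the events and the 7-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration; all names and the delay value are assumptions, not Maple's code.
contract PoolManagerSketch {
    uint256 public constant DELAY = 7 days;   // assumed timelock length

    address public immutable governor;
    address public withdrawalManager;
    address public pendingWithdrawalManager;
    uint256 public pendingValidAfter;         // 0 means nothing is scheduled

    event WithdrawalManagerScheduled(address indexed next, uint256 validAfter);
    event WithdrawalManagerSet(address indexed previous, address indexed next);

    modifier onlyGovernor() {
        require(msg.sender == governor, "PM:NOT_GOVERNOR");
        _;
    }

    constructor(address governor_, address withdrawalManager_) {
        require(governor_ != address(0) && withdrawalManager_ != address(0), "PM:ZERO_ADDRESS");
        governor          = governor_;
        withdrawalManager = withdrawalManager_;
    }

    // Step 1: announce the change so lenders and monitoring can react before it lands.
    function scheduleWithdrawalManager(address next_) external onlyGovernor {
        require(next_ != address(0), "PM:ZERO_ADDRESS");
        pendingWithdrawalManager = next_;
        pendingValidAfter        = block.timestamp + DELAY;
        emit WithdrawalManagerScheduled(next_, pendingValidAfter);
    }

    // Step 2: apply only after the delay; the pool delegate has no path to this setter.
    function executeWithdrawalManager() external onlyGovernor {
        require(pendingValidAfter != 0, "PM:NOT_SCHEDULED");
        require(block.timestamp >= pendingValidAfter, "PM:TIMELOCKED");
        emit WithdrawalManagerSet(withdrawalManager, pendingWithdrawalManager);
        withdrawalManager = pendingWithdrawalManager;
        delete pendingWithdrawalManager;
        delete pendingValidAfter;
    }

    // The governor can withdraw a scheduled change at any time before execution.
    function cancelWithdrawalManager() external onlyGovernor {
        delete pendingWithdrawalManager;
        delete pendingValidAfter;
    }
}
```

The `WithdrawalManagerScheduled` event gives off-chain monitoring a signal to alert on during the delay window.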

Severity Issues

  • Critical: (no count shown)
  • High: 3
  • Medium: 9
  • Low: 9
  • Informational: Several

Audit Period: 6 PW


In conclusion

During the Maple Finance V2 Private audit, Three Sigma Labs identified three high‐severity vulnerabilities that would have allowed malicious actors to:

  1. Deploy loans with bogus fee managers to redirect funds (3S-MAPLE-H01).
  2. Set origination fees arbitrarily high and withdraw the entire pool balance as fees (3S-MAPLE-H02).
  3. Replace the withdrawal manager with a malicious contract and drain all pool assets (3S-MAPLE-H03).

All three issues were promptly addressed before mainnet release. With these critical fixes, Maple’s private lending pools now enforce strict whitelisting of fee managers, cap delegate fees, and lock down withdrawal‐manager updates under governor control.
