Maple Finance

Introduction

Maple Finance is an institutional credit marketplace that matches professional pool delegates and under-collateralized borrowers with on-chain lenders. The Q4 2023 update augments Maple V2 with:

• FIFO Withdrawal Manager – a queue-based exit module for permissioned pools.
• Pool Permission Manager – enforces allow-lists for LP deposits.
• Operational Admin – a new governance actor with limited emergency powers.
• Fixed-Term Loan Factory redeployment – adds granular access control.
• Cyclical Withdrawal Manager tweak – lets pool delegates choose a custom first-cycle start-time.

Why Did They Need an Audit?

The new withdrawal logic directly controls redemption pricing and queue order; a bug could strand LP funds or enable share-price griefing. Permission gates, admin roles, and factory migrations also touch critical access paths. Maple engaged Three Sigma for a rapid 4-person-week review before main-net rollout.

Scope of the Engagement

Results and Findings

Key Low-Severity Issues

• FIFO Withdrawal Manager can revert if shares removed or manual redeem front-runs
• Unbounded loops may OOG with tiny cycle windows
• Loan migrator allows updates with old factory

In conclusion

Three Sigma’s 4-week review of Maple Finance’s Q4 2023 contracts found no critical or high-impact vulnerabilities. Two low-severity bugs in withdrawal queue math and loan factory migration were patched; one loop-limit concern is logged for roadmap improvement. Documentation, gas efficiencies, and role semantics were refined across four additional informational items.

With guarded queue redemptions, stricter migrator checks, and clarified operational-admin scopes, Maple Finance can confidently deploy its V2 Q4 feature set to production pools.