Maple Finance

Code Audit

A decentralized credit marketplace for institutional borrowers and lenders.

Audit Report

Introduction

Maple Finance is an institutional credit marketplace that matches professional pool delegates and under-collateralized borrowers with on-chain lenders. The Q4 2023 update augments Maple V2 with:

  • FIFO Withdrawal Manager – a queue-based exit module for permissioned pools.
  • Pool Permission Manager – enforces allow-lists for LP deposits.
  • Operational Admin – a new governance actor with limited emergency powers.
  • Fixed-Term Loan Factory redeployment – adds granular access control.
  • Cyclical Withdrawal Manager tweak – lets pool delegates choose a custom first-cycle start-time.

Why Did They Need an Audit?

The new withdrawal logic directly controls redemption pricing and queue order; a bug could strand LP funds or enable share-price griefing. Permission gates, admin roles, and factory migrations also touch critical access paths. Maple engaged Three Sigma for a rapid 4-person-week review before mainnet rollout.

Scope of the Engagement

Audit Date: 2023-12-22

Language: Solidity

Type: Code Audit

Results and Findings

Key Low-Severity Issues

  • FIFO Withdrawal Manager can revert if shares are removed or a manual redeem front-runs
  • Unbounded loops may run out of gas (OOG) with tiny cycle windows
  • Loan migrator allows updates with old factory

Severity Issues

  • Critical: 0
  • High: 0
  • Medium: 0
  • Low: 3
  • Informational: 4

Audit Period

4 PW

In conclusion

Three Sigma’s 4-week review of Maple Finance’s Q4 2023 contracts found no critical or high-impact vulnerabilities. Two low-severity bugs in withdrawal queue math and loan factory migration were patched; one loop-limit concern is logged for roadmap improvement. Documentation, gas efficiencies, and role semantics were refined across four additional informational items.

With guarded queue redemptions, stricter migrator checks, and clarified operational-admin scopes, Maple Finance can confidently deploy its V2 Q4 feature set to production pools.
