
Security

Erick edited this page May 7, 2022 · 16 revisions

Security is of the utmost importance in the Maple protocol. In order to ensure the safety of the capital held within the system, multiple measures have been taken.

Trust Assumptions

The Maple protocol treats Pool Delegates as trusted actors. A Pool Delegate must be validated by the Maple protocol and have a public reputation, and LPs and Stakers elect to have that Delegate manage their funds in a safe and responsible way. The security measures below do not protect against a Pool Delegate who acts in bad faith within the permissions the protocol grants them.

Unit and Fuzz Testing

The Maple protocol has extensive testing of all functionality, using HEVM to perform native Solidity unit and fuzz testing against a fork of Ethereum mainnet.

External Smart Contract Audits

A full scope protocol audit with external auditors was performed on the Maple protocol prior to launch. Post launch, each protocol upgrade must also undergo external auditing. The final reports from these audits are posted below:

| Auditor | Date | Modules | Report link |
| --- | --- | --- | --- |
| Dedaub | March 12, 2021 | maple-core, maple-token | Dedaub-Audit-Report-Maple-Core.pdf, Dedaub-Audit-Report-MPL-ERC20.pdf |
| PeckShield | May 2, 2021 | maple-core, maple-token | PeckShield-Audit-Report-Maple-v1.0.1.pdf, PeckShield-Audit-Report-MPL-ERC20.pdf |
| Trail of Bits | Dec 28, 2021 | debt-locker, erc20-helper, liquidations, loan, maple-proxy-factory, proxy-factory | Maple.Finance.-.Final.Report_v3.pdf |
| Code 4rena | Jan 5, 2022 | debt-locker, erc20-helper, liquidations, loan, maple-proxy-factory, proxy-factory | https://code4rena.com/reports/2021-12-maple/ |
| Trail of Bits | April 12, 2022 | debt-locker, erc20, loan, mpl-migration, revenue-distribution-token, xMPL | Maple.Finance.-.Final.Report.-.Fixes.pdf |
| Code 4rena | April 20, 2022 | erc20, loan, mpl-migration, revenue-distribution-token, xMPL | https://code4rena.com/reports/2022-03-maple/ |

Internal Audit

Once the audits from PeckShield were complete, the smart contracts team performed a dedicated two-week internal audit.

Code Arena Competition

After both the external audits and the internal audit were finished, maple-core and maple-token were audited by Code Arena. The report from that audit competition can be found here: Code Arena April 2021 Audit.

HEVM Simulation

A full end-to-end simulation of various outcomes of the first three months of protocol launch was performed using HEVM. Financial outcomes were modeled for specific scenarios and were compared to financial models from the Finance team and were found to match exactly.

Smart Contract Monitoring System

All smart contracts on mainnet are monitored using OpenZeppelin Defender, integrated with PagerDuty emergency response notifications and Discord webhooks for severe and informational alerts respectively.

Chainlink Oracle Wrapper

If the Chainlink oracle is unavailable, every transaction that requests an asset price reverts rather than proceeding with a missing or stale value. Those reverts are reported immediately through the smart contract monitoring system described above. To restore service, the Security Multisig can temporarily set a manual override price for the affected asset.
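The fail-closed wrapper with a time-limited manual override, as an added illustration rather than Maple's own oracle contract. The `AggregatorV3Interface` subset is Chainlink's real interface; the contract name, the `securityMultisig` role, the staleness threshold and the override time-to-live are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Subset of Chainlink's AggregatorV3Interface (real signatures).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Illustrative oracle wrapper, not Maple's contract. Reverts whenever the feed
/// is down, stale or incomplete, unless the Security Multisig has set a manual
/// override that has not yet expired.
contract OracleWrapperExample {
    AggregatorV3Interface public immutable feed;
    address public immutable securityMultisig;   // assumed role name

    uint256 public constant MAX_STALENESS    = 1 hours;  // assumed threshold
    uint256 public constant MAX_OVERRIDE_TTL = 1 days;   // assumed cap on override lifetime

    uint256 public manualPrice;     // 0 means no override is active
    uint256 public overrideExpiry;  // unix time after which the override is ignored

    event ManualOverrideSet(uint256 price, uint256 expiry);
    event ManualOverrideCleared();

    constructor(address feed_, address securityMultisig_) {
        feed             = AggregatorV3Interface(feed_);
        securityMultisig = securityMultisig_;
    }

    modifier onlySecurityMultisig() {
        require(msg.sender == securityMultisig, "OW:NOT_MULTISIG");
        _;
    }

    /// Set a temporary manual price. The bounded TTL means a forgotten override
    /// cannot silently become the permanent source of truth.
    function setManualOverride(uint256 price, uint256 ttl) external onlySecurityMultisig {
        require(price != 0, "OW:ZERO_PRICE");
        require(ttl != 0 && ttl <= MAX_OVERRIDE_TTL, "OW:BAD_TTL");
        manualPrice    = price;
        overrideExpiry = block.timestamp + ttl;
        emit ManualOverrideSet(price, overrideExpiry);
    }

    function clearManualOverride() external onlySecurityMultisig {
        manualPrice    = 0;
        overrideExpiry = 0;
        emit ManualOverrideCleared();
    }

    /// Price in the feed's own decimals. The override is checked before the
    /// feed is called, so it still works when the feed contract itself reverts.
    /// Every unhealthy-feed condition reverts instead of returning a default,
    /// so callers fail closed and the revert shows up in monitoring.
    function getLatestPrice() external view returns (uint256) {
        if (manualPrice != 0 && block.timestamp <= overrideExpiry) {
            return manualPrice;
        }
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0,                                  "OW:BAD_ANSWER");
        require(updatedAt != 0 && answeredInRound >= roundId, "OW:INCOMPLETE_ROUND");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "OW:STALE");
        return uint256(answer);
    }
}
```

Two design points worth noting: the staleness check turns a feed that is still answering but no longer updating into a revert, which is the case a bare "did the call succeed" test misses; and the override expiry forces the multisig to re-confirm a manual price rather than leaving a stale human-entered value live after the feed recovers.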

Emergencies

In the event of a protocol or contract exploit, two emergency fallbacks exist.

Factory, Pool, and Loan Admins

The first fallback is a set of admin accounts which, oracle overrides aside, have the following abilities:

  • Pause LoanFactory.createLoan() - prevents the creation of new Loans (and dedicated Lockers) (only if Governor grants permission to such an admin in advance)
  • Pause Loan.fundLoan() - prevents new capital from entering Loans (only if Borrower grants permission to such an admin in advance)
  • Pause PoolFactory.createPool() - prevents the creation of new Pools (and dedicated Lockers) (only if Governor grants permission to such an admin in advance)
  • Pause StakeLocker.stake() - prevents new capital from entering StakeLocker (only if the Pool Delegate grants permission to such an admin in advance)

It is highly encouraged that these admin accounts are multisig wallets rather than single externally owned accounts.

Emergency Multisig

In the case of a more serious exploit, where immediate action must be taken to prevent a loss of funds, the Global Admin can step in. This account (a multisig wallet from the start) has a single ability: calling setProtocolPause, which sets Globals.protocolPaused() to true and thereby stops every external-facing function in the Maple protocol except ERC-20 transfer and transferFrom, so users retain control of their tokens while the protocol is paused. This is acknowledged to be a highly powerful capability. Once the protocol is deemed stable and safe, the Governor will set the globalAdmin of Globals to address(0), after which the role cannot be reassigned and the emergency pause is gone for good.
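The protocol-wide pause and the one-way renunciation of the global admin, as an added example that is not Maple's MapleGlobals code. It keeps the names the page uses (protocolPaused, setProtocolPause, globalAdmin, Governor); the contract names, the error strings and the toy deposit/transfer functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

/// Illustrative globals contract (not Maple's). Holds the protocol pause flag
/// and the global admin that may flip it.
contract GlobalsExample {
    address public governor;
    address public globalAdmin;    // address(0) once renounced, permanently
    bool    public protocolPaused;

    event ProtocolPaused(bool paused);
    event GlobalAdminSet(address globalAdmin);

    constructor(address governor_, address globalAdmin_) {
        governor    = governor_;
        globalAdmin = globalAdmin_;
    }

    modifier onlyGovernor() {
        require(msg.sender == governor, "G:NOT_GOVERNOR");
        _;
    }

    /// Emergency switch: only the global admin (a multisig) can flip it.
    function setProtocolPause(bool pause) external {
        require(msg.sender == globalAdmin, "G:NOT_GLOBAL_ADMIN");
        protocolPaused = pause;
        emit ProtocolPaused(pause);
    }

    /// The Governor may rotate the global admin, but once it has been set to
    /// address(0) the check below fails forever: there is no path back.
    function setGlobalAdmin(address newAdmin) external onlyGovernor {
        require(globalAdmin != address(0), "G:ADMIN_RENOUNCED");
        globalAdmin = newAdmin;
        emit GlobalAdminSet(newAdmin);
    }
}

/// Minimal token-like contract showing which functions the pause covers.
contract PausableTokenExample {
    GlobalsExample public immutable globals;
    mapping(address => uint256) public balanceOf;

    constructor(GlobalsExample globals_) {
        globals = globals_;
    }

    modifier whenProtocolNotPaused() {
        require(!globals.protocolPaused(), "P:PROTOCOL_PAUSED");
        _;
    }

    /// Capital entry point: blocked while the protocol is paused.
    function deposit() external payable whenProtocolNotPaused {
        balanceOf[msg.sender] += msg.value;
    }

    /// ERC-20 style transfer: deliberately NOT gated by the pause, matching
    /// the page, so holders keep control of their tokens during an emergency.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "P:INSUFFICIENT_BALANCE");
        balanceOf[msg.sender] -= amount;
        balanceOf[to]         += amount;
        return true;
    }
}
```

The trade-off a practitioner should check before relying on this pattern: the renunciation is irreversible by construction, so after the Governor sets the admin to address(0) the protocol no longer has a kill switch, and any later incident has to be handled through the per-function admin pauses above or a new deployment. Whether the pause flag is read from one shared Globals contract (as here) or copied into each contract also matters: a shared read means one transaction pauses everything atomically.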

Upgradeability

All smart contracts that are deployed to mainnet as part of the v1.0.0 release are immutable, meaning their smart contract logic cannot be altered in any way.