-
Notifications
You must be signed in to change notification settings - Fork 19
Security
Security is of the utmost importance in the Maple protocol. In order to ensure the safety of the capital held within the system, multiple measures have been taken.
The Maple protocol considers Pool Delegates to be trusted actors. Pool Delegates must be validated by the Maple protocol, have a public reputation, and LPs and Stakers are electing them to manage their funds in a safe and responsible way.
The Maple protocol has extensive testing of all functionality, using HEVM to perform native Solidity unit and fuzz testing against a fork of Ethereum mainnet.
A full scope protocol audit with external auditors was performed on the Maple protocol prior to launch. Post launch, each protocol upgrade must also undergo external auditing. The final reports from these audits are posted below:
| Auditor | Date | Modules | Report link |
|---|---|---|---|
| Dedaub | March 12, 2021 |
maple-core maple-token |
Dedaub-Audit-Report-Maple-Core.pdf Dedaub-Audit-Report-MPL-ERC20.pdf |
| PeckShield | May 2, 2021 |
maple-core maple-token |
PeckShield-Audit-Report-Maple-v1.0.1.pdf PeckShield-Audit-Report-MPL-ERC20.pdf |
| Trail of Bits | Dec 28, 2021 |
debt-locker erc20-helper liquidations loan maple-proxy-factory proxy-factory |
Maple.Finance.-.Final.Report_v3.pdf |
| Code 4rena | Jan 5, 2022 |
debt-locker erc20-helper liquidations loan maple-proxy-factory proxy-factory |
https://code4rena.com/reports/2021-12-maple/ |
| Trail of Bits | April 12, 2022 |
debt-locker erc20 loan mpl-migration revenue-distribution-token xMPL |
Maple.Finance.-.Final.Report.-.Fixes.pdf |
| Code 4rena | April 20, 2022 |
erc20 loan mpl-migration revenue-distribution-token xMPL |
https://code4rena.com/reports/2022-03-maple/ |
Once the audits from Peckshield were complete, a two-week dedicated internal audit was performed by the smart contracts team.
After both the external audits and the internal audit were finished, maple-core and maple-token were audited by Code Arena. The report from that audit competition can be found here: Code Arena April 2021 Audit.
A full end-to-end simulation of various outcomes of the first three months of protocol launch was performed using HEVM. Financial outcomes were modeled for specific scenarios and were compared to financial models from the Finance team and were found to match exactly.
All smart contracts on mainnet are monitored using OpenZeppelin Defender, integrated with PagerDuty emergency response notifications and Discord webhooks for severe and informational alerts respectively.
In the event of an oracle outage, all transactions requesting asset prices will be reverted. This behaviour will immediately be reported through the smart contract monitoring tool. To address the issue, the Security Multisig can temporarily provide a manual override on the oracle price for a given asset.
In the event of a protocol or contract exploit, two emergency fallbacks exist.
The first is various admin accounts, which have the following abilities (outside of oracles):
- Pause
LoanFactory.createLoan()- prevents the creation of new Loans (and dedicated Lockers) (only if Governor grants permission to such an admin in advance) - Pause
Loan.fundLoan()- prevents new capital from entering Loans (only if Borrower grants permission to such an admin in advance) - Pause
PoolFactory.createPool()- prevents the creation of new Pools (and dedicated Lockers) (only if Governor grants permission to such an admin in advance) - Pause
StakeLocker.stake()- prevents new capital from entering StakeLocker (only if the Pool Delegate grants permission to such an admin in advance)
Once again, it is highly encouraged that such admin accounts are multisig wallets.
In the case of a more serious exploit where immediate emergency action must be taken to prevent a loss of funds, the Global Admin can step in. This account (which will be a multisig wallet from the start) has the simple ability to call setProtocolPause, which sets Globals.protocolPaused() to true, which stops all external facing functions in the Maple protocol, besides ERC-20 transfer and transferFrom functionality. It is acknowledged that this is a highly powerful feature, so once the protocol is deemed to be in a stable and safe state, the globalAdmin of Globals will be set to address(0), by the Governor, after which it cannot be added back.
All smart contracts that are deployed to mainnet as part of the v1.0.0 release are immutable, meaning their smart contract logic cannot be altered in any way.