✨ New!✨  C4 Cosmos leagueRead more »

Contest ran 2 December 20218 December 2021

6 day contest

Maple Finance contest

Institutional capital marketplace powered by blockchain technology.

$75,000 USDC

Total Awards

Maple Finance contest details

Audit Scope

This scope of this audit includes the following repos, all with corresponding release tags:

These contracts include inheritance, so the scope of the audit will be expressed as the contracts at the lowest end of the hierarchy, as these are what will be deployed to mainnet. Since there are no external libraries used, all of the code that these flattened contracts use is in scope for audit.


  • DebtLocker.sol
  • DebtLockerFactory.sol
  • DebtLockerInitializer.sol


  • Liquidator.sol
  • SushiswapStrategy.sol
  • UniswapV2Strategy.sol


  • MapleLoan.sol
  • MapleLoanFactory.sol
  • MapleLoanInitializer.sol
  • Refinancer.sol

Focus Areas

  • Proxy patterns: Ensure that there are no vulnerabilities, exploit paths, or unexpected behaviors in any of the proxy patterns used.
  • Liquidation module: Ensure that there are no attack vectors to drain funds from the Liquidator in an unexpected way.
  • Loan accounting: Ensure that there is no way to manipulate Loan accounting, mainly focusing on the _getUnaccountedAmount functionality.
  • Locked funds: Ensure that there is no way for funds to get locked in the DebtLocker, Liquidator or Loan smart contracts.
  • Stoten funds: Ensure that any funds that are held custody by contracts cannot be withdrawn maliciously.
  • Refinancing: Ensure that the Refinancer contract cannot be used maliciously to exploit the Loan.

It is recommended to clone our integration testing repo contract-test-suite locally in order to provide clearer context with how these contracts interact with the rest of the protocol.

In all repos, all dependencies can be found in the ./modules directory. All repo READMEs include instructions on how to get the environment up and running for testing. All repos have their own unit testing suite, including verbose unit testing fuzz testing, and symbolic execution.

All technical documentation related to this release will be located in the maple-labs/loan wiki. We HIGHLY recommend reviewing this wiki before beginning the audit.

There is also a wiki for our V1 protocol if any further context is needed on how deployed V1 contracts work (Pools, StakeLocker, etc.)


In the wiki, there's a page called List of Assumptions which outlines some basic conditions/assumptions that we assume that will always hold true. Therefore any issue that does not abide by these assumptions will likely be considered invalid.