All reports

Maple Finance

Syrup — Live Infrastructure Audit (Pillars 1–3)

July 15, 2026Ethereum · Base
LendingPillar 1Pillar 2Pillar 3Cross-chain

Overview

Stabilytics reviewed the live deployment of Maple Finance / Syrup across Ethereum and Base77 contracts spanning governance, the upgrade factories, the five active pools (syrupUSDC, syrupUSDT, syrupUSDG, Maple Institutional Secured-Lending, and the Base Cash-Management pool), and the cross-chain surface — inventorying every privileged role and classifying each holder by address type (EOA, multisig, or contract) against live on-chain state.

This is a Live Infrastructure Audit (LIA) across all three pillars — the layer code audits don't reach: what your roles actually empower, who holds them, how your signer sets are structured, and how your cross-chain integrations are wired on-chain.

Scope

  • Chains audited: Ethereum mainnet (authoritative) and Base
  • Contracts in scope: 77 — governance actors, MapleGlobals, PoolPermissionManager, the version factories, the five active pools and their managers, the SyrupToken, the Syrup LayerZero OFT, and the Chainlink CCIP receiver
  • Pillar 1 — Roles & Power: governors, timelocks, security / operational admins, proxy upgrade authorities, and per-pool delegates
  • Pillar 2 — Signer Trust: the six governance Safes, their thresholds, and cross-chain signer overlap
  • Pillar 3 — Integrations: the Syrup LayerZero OFT (delegate + owner), the CCIP receiver, the Aave and Sky yield strategies, and the Chainlink price feeds

Out of scope

  • Smart-contract code correctness (refer to Maple's existing code audits)
  • Credit and underwriting risk
  • The 11 inactive / deprecated pools and the non-EVM (Solana) deployment
  • Off-chain key custody and signer identity attribution

Headline

Maple's Ethereum core is mature: upgrades route through an on-chain GovernorTimelock and the top-level authority is an independent 4-of-7 Safe. The material findings are cross-chain and operational — the Base deployment replicates the same roles without the timelock or a multi-party treasury, and the four Ethereum pool delegates are single externally-owned keys. No critical or high on-chain exposure was found.

How to read this report

Open the full report below for the complete role inventory, the Ethereum↔Base parity matrix, signer-overlap analysis, integration configuration, severity-ranked findings, and a prioritized remediation plan — available as an interactive web page and a downloadable PDF.

Protection

Find every weak link before they do.

LZCheck surfaces ownership and DVN risks on-chain. Full Stabilytics coverage maps every social engineering vector and hidden single point of failure across your entire project.