Security of Syrup
June 23, 2024

Introduction

The Syrup Protocol is a layer built on top of Maple Finance, leveraging the same underlying smart contract infrastructure that has facilitated over $4B in loans to institutional borrowers. To create a compliant protocol accessible to a wider user base, excluding geo-blocked regions, Maple introduced a new global permissioning system (more information in this blog post). Through this permissioning system, users who meet our requirements can interact with the Syrup Protocol. The same system enables permissionless transfers, which, for the first time, allow the ERC-4626 pool tokens to be used across DeFi.

Security First Development Lifecycle

The Maple Labs team that developed the Maple and Syrup smart contracts places the highest emphasis on security. While audits (of which there are numerous) are important, we believe developing a secure protocol requires a security-first mindset to be embedded and enacted at every stage of the development lifecycle. Our development lifecycle includes:

Pre-Build

  • Gathering product requirements
  • Technical design discussions
  • Threat modelling

Build

  • Unit tests
  • Integration tests
  • Fuzzing tests and campaigns
  • Invariant tests
  • Formal verification (when applicable)
  • Internal audits
  • Red team exercises (attempting to break the code)

Pre-Deployment

  • External audits with top firms
  • Incident response plans
  • Simulated deployments

Post-Deployment / Operations

  • Informational monitoring
  • Critical monitoring (ensuring invariants hold)
  • Bug bounty programs

The Maple-Core V2 protocol has undergone 7+ audits, all of which can be found here. These audits have been completed by top-tier firms like Spearbit/Cantina, Three Sigma, and 0xMacro. Additionally, the Syrup Protocol’s main contract, the Syrup Router, has undergone an audit by Three Sigma, which can be found here.

The Maple-Core V2 protocol also has extensive testing, with thousands of tests across all the submodules and the main mono-repository that integrates the protocol. Furthermore, using Tenderly Web3 Actions, we monitor the protocol invariants at every block; an invariant failure would trigger our incident response plans.


Conclusion

Syrup has a well-established security posture, built on top of Maple’s extensively tested and audited codebase. This has enabled Maple to secure over $4B in loans and over $10B in value over the protocol’s lifetime.

We're excited to offer reliable and innovative smart contract infrastructure to the wider DeFi community.
