Overview
Stabilytics reviewed the live deployment of Maple Finance / Syrup across Ethereum and Base — 77 contracts spanning governance, the upgrade factories, the five active pools (syrupUSDC, syrupUSDT, syrupUSDG, Maple Institutional Secured-Lending, and the Base Cash-Management pool), and the cross-chain surface — inventorying every privileged role and classifying each holder by address type (EOA, multisig, or contract) against live on-chain state.
This is a Live Infrastructure Audit (LIA) across all three pillars — the layer code audits don't reach: what your roles actually empower, who holds them, how your signer sets are structured, and how your cross-chain integrations are wired on-chain.
Scope
- Chains audited: Ethereum mainnet (authoritative) and Base
- Contracts in scope: 77 — governance actors, MapleGlobals, PoolPermissionManager, the version factories, the five active pools and their managers, the SyrupToken, the Syrup LayerZero OFT, and the Chainlink CCIP receiver
- Pillar 1 — Roles & Power: governors, timelocks, security / operational admins, proxy upgrade authorities, and per-pool delegates
- Pillar 2 — Signer Trust: the six governance Safes, their thresholds, and cross-chain signer overlap
- Pillar 3 — Integrations: the Syrup LayerZero OFT (delegate + owner), the CCIP receiver, the Aave and Sky yield strategies, and the Chainlink price feeds
Out of scope
- Smart-contract code correctness (refer to Maple's existing code audits)
- Credit and underwriting risk
- The 11 inactive / deprecated pools and the non-EVM (Solana) deployment
- Off-chain key custody and signer identity attribution
Headline
Maple's Ethereum core is mature: upgrades route through an on-chain GovernorTimelock and the top-level authority is an independent 4-of-7 Safe. The material findings are cross-chain and operational — the Base deployment replicates the same roles without the timelock or a multi-party treasury, and the four Ethereum pool delegates are single externally-owned keys. No critical or high on-chain exposure was found.
How to read this report
Open the full report below for the complete role inventory, the Ethereum↔Base parity matrix, signer-overlap analysis, integration configuration, severity-ranked findings, and a prioritized remediation plan — available as an interactive web page and a downloadable PDF.