Cantina Case Study: Maple Finance

Overview

This article is a case study of how Spearbit and Maple Finance partnered to conduct security reviews of the Maple Finance protocol through Cantina, an open marketplace for blockchain security researchers and service providers.

Spearbit node in the Cantina network

Spearbit
Spearbit is a distributed industry-leading blockchain security services firm pairing protocols with top security researchers having deep subject matter expertise in Web3 security to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.

Cantina
Through Cantina, companies, projects, and agencies alike are able to submit requests to a wide and open marketplace, quickly receive quotes from multiple parties, and hire freelance talent directly via a reputation system that allows individuals and groups to stand out on merit alone.

Maple Finance
Maple provides the infrastructure for credit experts to run on-chain lending businesses and connects institutional lenders and borrowers through a marketplace found at app.maple.finance. Built with both traditional financial institutions and decentralized finance leaders, Maple is transforming debt-capital markets by combining industry-standard compliance and due diligence with the transparent and frictionless lending enabled by smart contracts and blockchain technology.

Why does Maple Finance work with Cantina and Spearbit?

At the DeFi Security Summit, a panel discussion titled "Audits: Conventional vs. Community Panel" was held. During this discussion, Hari, Cofounder of Spearbit, claimed, "Once you get a taste of Spearbit, there is no going back." This has certainly proven to be the case for Maple Finance.

Maple Finance is a complex protocol, comprising more than 20 smart contracts.

When selecting a partner for Maple Finance’s security reviews, Maple sought to collaborate with the best security researchers in the field. Through Spearbit, which gathers some of the top security talents in the industry, Maple was able to engage leading security reviewers such as Christoph Michel (cmichel) and Liam Eastwood (0xleastwood). Maple also re-engaged these researchers for additional security reviews, thus allowing them to retain a deeper understanding of the protocol and maximize the value of the engagements.

Dissecting the Security Reviews

The first security review took place in Q4 2022, for V2 of the protocol, which constituted a complete rewrite of the smart contracts. For more information on Spearbit's review process you may visit the Spearbook.

First Security Review

Maple Finance provided the security researchers with documentation, videos, and diagrams explaining the new protocol. Spearbit demonstrated the quality of their process through consistent engagement during the security review, frequently asking questions for clarification and informing the Maple team about their current exploration through clear comments on the code.

Issues were posted on a specially set up GitHub repo as they were discovered, allowing the Maple team to address them promptly, rather than waiting until the end of the security review as is the case with more traditional firms. Ultimately, Spearbit discovered 1 high-risk, 4 medium-risk, and 15 low-risk issues during the engagement.

Second Security Review

The second security review was conducted in early Q2 2023 for the launch of Open Term Loans and other enhancements to the already-audited V2 protocol. For this engagement, Maple Finance utilized the Cantina marketplace to re-engage Christoph Michel, Riley Holterhus, and Jonatas Martins, who participated in the original V2 audit.

They maintained the same level of rigor as in the initial audit, leading to the discovery of 1 high-risk, 1 medium-risk, and 6 low-risk findings during the engagement.

Review Retrospectives

After both engagements, the security researchers swiftly reviewed any implemented fixes, enabling the Maple team to ensure deployments were completed in a timely manner without compromising on security.

Throughout both engagements, the Maple team gained a deeper understanding of how to work most effectively with Spearbit and would recommend the following practices to other teams:

  1. Provide clear documentation of the features/contracts being audited, along with expected behavior, threat models, and assumptions (refer to Maple Finance's documentation for an idea of the level of detail required).

  2. Use diagrams to illustrate the architecture of the smart contracts and their relationships.

  3. Highlight differences in contracts that are being updated, as this helps focus the security review.

  4. Maintain an open line of communication with the security researchers to answer any questions.

  5. Include NatSpec for all your contracts.

  6. Include clear README files explaining how to start working with the codebase.
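As an illustration of item 5, the following is an added example of what full NatSpec coverage looks like on a small contract. It is not Maple Finance's code; the `LoanLedger` contract, its functions and its custom error are hypothetical, and it shows only the accounting so that the tags themselves stay in focus.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Minimal loan ledger (hypothetical example, not Maple Finance code)
/// @notice Tracks how much principal each borrower owes.
/// @dev Every state variable, event, error and external function carries the tags a
///      reviewer relies on; `@dev` records assumptions the code itself cannot express.
contract LoanLedger {
    /// @notice Principal outstanding per borrower, in the pool's base asset units.
    mapping(address => uint256) public principalOf;

    /// @notice Emitted whenever a borrower's outstanding principal changes.
    /// @param borrower The account whose balance changed.
    /// @param newPrincipal The outstanding principal after the change.
    event PrincipalUpdated(address indexed borrower, uint256 newPrincipal);

    /// @notice Thrown when a repayment exceeds the outstanding principal.
    /// @param outstanding Principal currently owed.
    /// @param attempted Amount the caller tried to repay.
    error RepaymentExceedsPrincipal(uint256 outstanding, uint256 attempted);

    /// @notice Record a new loan drawdown for the caller.
    /// @dev Assumption: access control and the asset transfer are handled elsewhere;
    ///      only the accounting is shown here. Addition reverts on overflow in 0.8.x.
    /// @param amount Principal drawn, in base asset units.
    /// @return outstanding Total principal owed by the caller after the drawdown.
    function draw(uint256 amount) external returns (uint256 outstanding) {
        outstanding = principalOf[msg.sender] + amount;
        principalOf[msg.sender] = outstanding;
        emit PrincipalUpdated(msg.sender, outstanding);
    }

    /// @notice Repay part or all of the caller's outstanding principal.
    /// @dev Reverts with {RepaymentExceedsPrincipal} instead of silently capping, so a
    ///      mis-sized repayment is visible to the caller and the invariant
    ///      "principalOf never underflows" is explicit for reviewers.
    /// @param amount Principal repaid, in base asset units.
    /// @return outstanding Principal still owed after the repayment.
    function repay(uint256 amount) external returns (uint256 outstanding) {
        uint256 owed = principalOf[msg.sender];
        if (amount > owed) revert RepaymentExceedsPrincipal(owed, amount);
        outstanding = owed - amount;
        principalOf[msg.sender] = outstanding;
        emit PrincipalUpdated(msg.sender, outstanding);
    }
}
```

The distinction that matters for a review is between `@notice` (what an end user should expect) and `@dev` (assumptions, invariants and trust boundaries that are not enforced in the function itself). Reviewers can extract both with `solc --userdoc --devdoc` and compare the stated behavior against the implementation, which is exactly the gap that items 1 and 3 above are meant to close.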

Documentation and Communication

Comprehensive documentation of the project was supplied including essential mathematical principles, key workflows, and pertinent diagrams. Furthermore, the provided code underwent rigorous testing and verification.

Visual Presentation

Beyond the conventional introductory meeting — wherein the Maple team walked through the code while security researchers probed with questions — the Maple team also presented a series of instructional videos. These videos encompassed critical subjects, such as:

  • Early and late payments

  • Withdrawals

  • Defaults

  • Advanced global payment accounting

Spearbit's security researchers described these videos as very helpful for understanding the core functionality of the code in scope.

Results

Despite the well-tested code, the security reviews did uncover notable observations:

  • First Review: Identified 1 high-risk and 4 medium-risk issues.

  • Second Review: Discovered 1 high-risk and 1 medium-risk issue.

  • Both Reviews: Included notations on low-risk, informational, and gas optimization issues.

Given the robustness of the code structure, Spearbit did not identify any critical issues within the time allotted for the reviews.

Collaboration and Communication

Engagement with the Maple team during the security review process was highly effective. Their responsiveness and cooperative approach greatly facilitated communication, enhancing the ability to tackle and resolve emerging issues. The Maple team also demonstrated consistent alignment in their objectives and expectations concerning the security reviews with Spearbit. Maple’s cooperative approach ensured that the evaluations were conducted in accord with shared standards and goals, thereby ensuring a productive and insightful review process.

Continued Partnership

Maple Finance plans to continue engaging Spearbit security researchers through the new Cantina platform for upcoming projects, as the quality of the security reviews is among the best in the industry, and strongly recommends that other protocols and projects in the space follow suit.
