Security

Last updated 13 days ago

Security

At maxAPY, security is our top priority. We have undergone multiple independent security audits to ensure our protocol remains safe, reliable, and resilient.

Every vulnerability identified has been resolved or mitigated, reinforcing our status as one of the most secure yield aggregation protocols.

How We Keep Things Safe

Security isn't just about audits – it's about building defenses at every level. maxAPY is designed with a multi-layered security model, ensuring proactive risk mitigation at all stages of protocol operation.

Here’s how we keep funds safe and the system resilient:

Smart Contract Security

Our contracts follow best-in-class security practices to eliminate vulnerabilities before they can be exploited.

Strict Role-Based Access Control (RBAC):
- All critical functions are gated with precise role permissions.
- Admin actions require explicit authorization and revocation of outdated permissions.
Reentrancy Protection & Call Validation:
- Every function that interacts with external contracts follows the Checks-Effects-Interactions (CEI) pattern.
- Unchecked calls are restricted to prevent external manipulation.
Gas-Optimized & Audited Solidity Code:
- No unnecessary complexity, reducing the potential attack surface.
- All logic paths undergo static analysis and automated fuzz testing.

Oracle & Pricing Protection

Yield aggregation relies on accurate, tamper-proof price data. We’ve built a robust pricing infrastructure to ensure that our vaults always make secure, informed decisions.

Multi-Feed Oracle System:
- Price data is aggregated from Chainlink, API3, Balancer, Uniswap V3, and other trusted sources.
- If one feed fails, fallback mechanisms ensure uninterrupted operation.
Staleness & Sequencer Downtime Detection:
- Time-sensitive pricing updates include automatic staleness checks.
- Layer 2 sequencer outages are actively monitored to prevent trading on outdated prices.
Cross-Network Price Validation:
- All inter-chain price feeds undergo cross-referencing before execution.
- Ensures fair execution across different blockchain environments.

Cross-Chain & Asset Safety

Cross-chain execution adds complexity, but our architecture is built for resilience. We’ve designed mechanisms to prevent loss of funds and ensure smooth transactions across multiple chains.

Automated Recovery Vaults:
- If a cross-chain transaction fails mid-process, assets are never lost.
- Recovery vaults automatically retry or return assets to users safely.
Secure Settlement Validation:
- Every cross-chain settlement undergoes multiple verification steps before execution.
- Prevents premature or malicious settlements that could result in missing funds.
Refined Refund Handling:
- Partial refund detection prevents miscalculations in vault balances.
- Strict validation checks before refunds are processed.

Live Monitoring & Active Threat Mitigation

Security isn’t just about preventing known threats – it’s about anticipating and neutralizing emerging risks. Our protocol integrates real-time security monitoring and failsafes to protect users 24/7.

On-Chain Anomaly Detection:
- Tracks unusual transaction patterns to detect suspicious activity early.
- Alerts are automatically triggered for any unexpected behavior.
Emergency Circuit Breakers:
- The system can pause critical functions in case of unexpected exploits.
- Protects user funds while a response plan is executed.
Bug Bounty Program & Ongoing Audits:
- Continuous third-party penetration testing to identify potential weaknesses.
- Open bug bounty program incentivizes external security researchers to find and report vulnerabilities.

Audits

To ensure maximum protocol integrity and depositor protection, all maxAPY smart contracts undergo continuous and comprehensive security audits conducted by top-tier firms including Zokyo and Rezolv. Every critical component - from MetaVault architecture to cross-chain bridging modules - is subjected to both manual line-by-line reviews and automated analysis prior to any deployment.

Full audit reports available for the detail-oriented degens among you:

maxAPY V1 Audits

Across the four latest audit rounds (March and April 2025), the protocol achieved perfect or near-perfect scores, with zero unresolved critical issues and all major findings either fully resolved or acknowledged with mitigation.

Each audit covered:

Access control and role permissions
Safe handling of asynchronous cross-chain deposits/withdrawals
Reentrancy and DoS protections
Oracle validation and fallback logic
ERC-7540 engine integrity
Accurate fund accounting and settlement safety

Audits were conducted on:

MetaVault.sol
ERC-7540 modules
Cross-chain Superform modules (invest, divest, liquidate)
SuperPositions and ERC20 receivers
Gateways, proxies, and asset managers

Audit scores:

Zokyo (Mar '25): 100/100 - all findings resolved
Zokyo (Apr '25): 98/100 - minor acknowledged low-risk issues
Rezolv (Feb & Apr '25): Full manual review, all high and critical issues resolved

This ongoing security process is part of maxAPY's commitment to transparent, robust, and production-grade yield infrastructure.

maxAPY BETA Audit

Since October 2024, we have been engaging with Zokyo for ongoing audits and reviews. Their thorough assessments cover various aspects of our security and operational protocols, ensuring continuous improvement and robustness of our platform.

✅ Beta Protocol Audit (October 28, 2024)

Resolved: 3 Medium, 4 Low, 7 Informational
Major Fixes
- Access Management Hierarchy
- Re-entrancy Protection
- Smart Contract Logic
- Transaction Safety
- Asset Security

Remember: Even with all this security, DeFi is still DeFi. Don't ape in with more than you can afford to lose. Not financial advice, but definitely common sense.

PreviousFees NextFAQs