Security


Last updated 1 month ago

At maxAPY, security is our top priority. We have undergone multiple independent security audits to ensure our protocol remains safe, reliable, and resilient.

Every vulnerability identified has been resolved or mitigated, reinforcing our status as one of the most secure yield aggregation protocols.


How We Keep Things Safe

Security isn't just about audits – it's about building defenses at every level. maxAPY is designed with a multi-layered security model, ensuring proactive risk mitigation at all stages of protocol operation.

Here’s how we keep funds safe and the system resilient:

Smart Contract Security

Our contracts follow best-in-class security practices to eliminate vulnerabilities before they can be exploited.

  • Strict Role-Based Access Control (RBAC):

    • All critical functions are gated with precise role permissions.

    • Admin actions require explicit authorization and revocation of outdated permissions.

  • Reentrancy Protection & Call Validation:

    • Every function that interacts with external contracts follows the Checks-Effects-Interactions (CEI) pattern.

    • Unchecked calls are restricted to prevent external manipulation.

  • Gas-Optimized & Audited Solidity Code:

    • No unnecessary complexity, reducing the potential attack surface.

    • All logic paths undergo static analysis and automated fuzz testing.
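How role gating and the Checks-Effects-Interactions ordering look in a minimal ETH vault, together with a role-gated pause switch of the kind the circuit-breaker bullet further down describes. This is an added example, not maxAPY's contract code; the contract name, role names and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not maxAPY code. All names here are hypothetical.
contract GuardedEthVault {
    error Unauthorized();
    error VaultPaused();
    error InsufficientBalance();
    error TransferFailed();

    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");

    mapping(bytes32 => mapping(address => bool)) public hasRole;
    mapping(address => uint256) public balanceOf;
    bool public paused;

    modifier onlyRole(bytes32 role) {
        if (!hasRole[role][msg.sender]) revert Unauthorized();
        _;
    }
    modifier whenNotPaused() {
        if (paused) revert VaultPaused();
        _;
    }

    constructor(address admin) { hasRole[ADMIN_ROLE][admin] = true; }

    // Granting and revoking are both explicit, admin-only actions.
    function grantRole(bytes32 role, address who) external onlyRole(ADMIN_ROLE) { hasRole[role][who] = true; }
    function revokeRole(bytes32 role, address who) external onlyRole(ADMIN_ROLE) { hasRole[role][who] = false; }

    // Circuit breaker: a guardian may stop the vault, only the admin may resume it.
    function pause() external onlyRole(GUARDIAN_ROLE) { paused = true; }
    function unpause() external onlyRole(ADMIN_ROLE) { paused = false; }

    function deposit() external payable whenNotPaused { balanceOf[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external whenNotPaused {
        // Checks: validate the request before touching state.
        if (balanceOf[msg.sender] < amount) revert InsufficientBalance();
        // Effects: debit first, so a re-entrant call sees the reduced balance.
        balanceOf[msg.sender] -= amount;
        // Interactions: external call last, with its return value checked.
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```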

Oracle & Pricing Protection

Yield aggregation relies on accurate, tamper-proof price data. We’ve built a robust pricing infrastructure to ensure that our vaults always make secure, informed decisions.

  • Multi-Feed Oracle System:

    • Price data is aggregated from Chainlink, API3, Balancer, Uniswap V3, and other trusted sources.

    • If one feed fails, fallback mechanisms ensure uninterrupted operation.

  • Staleness & Sequencer Downtime Detection:

    • Time-sensitive pricing updates include automatic staleness checks.

    • Layer 2 sequencer outages are actively monitored to prevent trading on outdated prices.

  • Cross-Network Price Validation:

    • All inter-chain price feeds undergo cross-referencing before execution.

    • Ensures fair execution across different blockchain environments.
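A sketch of the staleness, sequencer-downtime and fallback checks listed above, written against Chainlink's `AggregatorV3Interface`. This is an added example, not maxAPY's oracle code; the contract name, the single fallback feed and the one-hour `MAX_AGE` and `GRACE_PERIOD` values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not maxAPY code. Interface has the shape of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}
contract GuardedPriceReader {
    error SequencerDown();
    error GracePeriodNotOver();
    error NoFreshPrice();

    AggregatorV3Interface public immutable sequencerFeed; // L2 sequencer uptime feed
    AggregatorV3Interface public immutable primaryFeed;
    AggregatorV3Interface public immutable fallbackFeed;
    uint256 public constant MAX_AGE = 1 hours;      // assumed staleness bound
    uint256 public constant GRACE_PERIOD = 1 hours; // assumed wait after sequencer recovery

    constructor(AggregatorV3Interface seq, AggregatorV3Interface primary, AggregatorV3Interface secondary) {
        sequencerFeed = seq;
        primaryFeed = primary;
        fallbackFeed = secondary;
    }

    // Returns the first fresh price and that feed's decimals; reverts if none is usable.
    function price() external view returns (uint256, uint8) {
        _requireSequencerUp();
        (bool ok, uint256 p) = _tryRead(primaryFeed);
        if (ok) return (p, primaryFeed.decimals());
        (ok, p) = _tryRead(fallbackFeed);
        if (ok) return (p, fallbackFeed.decimals());
        revert NoFreshPrice(); // fail closed rather than act on a stale value
    }

    function _requireSequencerUp() internal view {
        (, int256 status, uint256 startedAt,,) = sequencerFeed.latestRoundData();
        if (status != 0) revert SequencerDown(); // uptime feed: 0 = up, 1 = down
        // Just after recovery, feeds may still carry pre-outage prices.
        if (block.timestamp - startedAt <= GRACE_PERIOD) revert GracePeriodNotOver();
    }

    // A reverting, non-positive, future-dated or stale feed is treated as unavailable.
    function _tryRead(AggregatorV3Interface feed) internal view returns (bool, uint256) {
        try feed.latestRoundData() returns (uint80, int256 answer, uint256, uint256 updatedAt, uint80) {
            if (answer <= 0 || updatedAt == 0 || updatedAt > block.timestamp) return (false, 0);
            if (block.timestamp - updatedAt > MAX_AGE) return (false, 0);
            return (true, uint256(answer));
        } catch {
            return (false, 0);
        }
    }
}
```

In practice the staleness bound is set per feed from its heartbeat, and the sequencer check applies only on L2 deployments.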

Cross-Chain & Asset Safety

Cross-chain execution adds complexity, but our architecture is built for resilience. We’ve designed mechanisms to prevent loss of funds and ensure smooth transactions across multiple chains.

  • Automated Recovery Vaults:

    • If a cross-chain transaction fails mid-process, assets are never lost.

    • Recovery vaults automatically retry or return assets to users safely.

  • Secure Settlement Validation:

    • Every cross-chain settlement undergoes multiple verification steps before execution.

    • Prevents premature or malicious settlements that could result in missing funds.

  • Refined Refund Handling:

    • Partial refund detection prevents miscalculations in vault balances.

    • Strict validation checks before refunds are processed.

Live Monitoring & Active Threat Mitigation

Security isn’t just about preventing known threats – it’s about anticipating and neutralizing emerging risks. Our protocol integrates real-time security monitoring and failsafes to protect users 24/7.

  • On-Chain Anomaly Detection:

    • Tracks unusual transaction patterns to detect suspicious activity early.

    • Alerts are automatically triggered for any unexpected behavior.

  • Emergency Circuit Breakers:

    • The system can pause critical functions in case of unexpected exploits.

    • Protects user funds while a response plan is executed.

  • Bug Bounty Program & Ongoing Audits:

    • Continuous third-party penetration testing to identify potential weaknesses.

    • Open bug bounty program incentivizes external security researchers to find and report vulnerabilities.


Audits

To ensure maximum protocol integrity and depositor protection, all maxAPY smart contracts undergo continuous and comprehensive security audits conducted by top-tier firms including Zokyo and Rezolv. Every critical component - from MetaVault architecture to cross-chain bridging modules - is subjected to both manual line-by-line reviews and automated analysis prior to any deployment.

Full audit reports available for the detail-oriented degens among you:

maxAPY V1 Audits

Across the four latest audit rounds (March and April 2025), the protocol achieved perfect or near-perfect scores, with zero unresolved critical issues and all major findings either fully resolved or acknowledged with mitigation.

Each audit covered:

  • Access control and role permissions

  • Safe handling of asynchronous cross-chain deposits/withdrawals

  • Reentrancy and DoS protections

  • Oracle validation and fallback logic

  • ERC-7540 engine integrity

  • Accurate fund accounting and settlement safety

Audits were conducted on:

  • MetaVault.sol

  • ERC-7540 modules

  • Cross-chain Superform modules (invest, divest, liquidate)

  • SuperPositions and ERC20 receivers

  • Gateways, proxies, and asset managers

Audit scores:

  • Zokyo (Mar '25): 100/100 - all findings resolved

  • Zokyo (Apr '25): 98/100 - minor acknowledged low-risk issues

  • Rezolv (Feb & Apr '25): Full manual review, all high and critical issues resolved

This ongoing security process is part of maxAPY's commitment to transparent, robust, and production-grade yield infrastructure.

maxAPY BETA Audit

Since October 2024, we have been engaging with Zokyo for ongoing audits and reviews. Their thorough assessments cover various aspects of our security and operational protocols, ensuring continuous improvement and robustness of our platform.

✅ Beta Protocol Audit (October 28, 2024)

  • Resolved: 3 Medium, 4 Low, 7 Informational

  • Major Fixes


Remember: Even with all this security, DeFi is still DeFi. Don't ape in with more than you can afford to lose. Not financial advice, but definitely common sense.

https://github.com/VerisLabs/MetaVault/tree/main/audit
https://github.com/VerisLabs/maxapy/blob/development/audits/zokyoAudit.pdf