# Security

At maxAPY, security is our top priority. We have undergone **multiple independent security audits** to ensure our protocol remains **safe, reliable, and resilient**.

Every vulnerability identified has been **resolved or mitigated**, reinforcing our status as one of the most secure yield aggregation protocols.

***

## How We Keep Things Safe

Security isn't just about audits – it's about **building defenses at every level**. maxAPY is designed with a **multi-layered security model**, ensuring **proactive risk mitigation** at all stages of protocol operation.

Here’s how we keep funds safe and the system resilient:


### Smart Contract Security

Our contracts follow **best-in-class security practices** to eliminate vulnerabilities before they can be exploited.

* **Strict Role-Based Access Control (RBAC):**
  * All critical functions are gated with **precise role permissions**.
  * Admin actions require **explicit authorization** and **revocation of outdated permissions**.
* **Reentrancy Protection & Call Validation:**
  * Every function that interacts with external contracts follows the **Checks-Effects-Interactions (CEI) pattern**.
  * **Unchecked calls are restricted** to prevent **external manipulation**.
* **Gas-Optimized & Audited Solidity Code:**
  * **No unnecessary complexity**, reducing the potential attack surface.
  * **All logic paths** undergo **static analysis and automated fuzz testing**.

### Oracle & Pricing Protection

Yield aggregation relies on **accurate, tamper-proof price data**. We’ve built a **robust pricing infrastructure** to ensure that our vaults always make **secure, informed decisions**.

* **Multi-Feed Oracle System:**
  * Price data is aggregated from **Chainlink, API3, Balancer, Uniswap V3, and other trusted sources**.
  * If one feed fails, **fallback mechanisms** ensure uninterrupted operation.
* **Staleness & Sequencer Downtime Detection:**
  * Time-sensitive pricing updates include **automatic staleness checks**.
  * Layer 2 **sequencer outages are actively monitored** to prevent **trading on outdated prices**.
* **Cross-Network Price Validation:**
  * All inter-chain price feeds **undergo cross-referencing** before execution.
  * Ensures **fair execution** across different blockchain environments.
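An added example (not maxAPY's own code) of the staleness and sequencer-downtime checks the bullets above describe, written against Chainlink's `latestRoundData()` interface; the contract name, the `maxStaleness` and `gracePeriod` parameters, and treating `address(0)` as "no sequencer feed on L1" are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subset of Chainlink's AggregatorV3Interface (same signature as latestRoundData).
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative price reader: rejects stale answers and refuses to price
///         while an L2 sequencer is down or has only just come back.
contract GuardedPriceReader {
    IAggregatorV3 public immutable priceFeed;
    IAggregatorV3 public immutable sequencerUptimeFeed; // address(0) on L1 (assumption)
    uint256 public immutable maxStaleness;   // feed heartbeat plus a safety margin
    uint256 public immutable gracePeriod;    // time to wait after the sequencer recovers

    error SequencerDown();
    error GracePeriodNotOver();
    error StalePrice(uint256 updatedAt);
    error InvalidPrice(int256 answer);

    constructor(address _priceFeed, address _sequencerUptimeFeed, uint256 _maxStaleness, uint256 _gracePeriod) {
        priceFeed = IAggregatorV3(_priceFeed);
        sequencerUptimeFeed = IAggregatorV3(_sequencerUptimeFeed);
        maxStaleness = _maxStaleness;
        gracePeriod = _gracePeriod;
    }

    function getPrice() external view returns (uint256) {
        if (address(sequencerUptimeFeed) != address(0)) {
            // Chainlink L2 sequencer uptime feed: answer == 0 means up, 1 means down;
            // startedAt is the timestamp at which the current status began.
            (, int256 status, uint256 startedAt,,) = sequencerUptimeFeed.latestRoundData();
            if (status != 0) revert SequencerDown();
            // Right after recovery, queued transactions could settle on outdated prices,
            // so refuse to price until the grace period has elapsed.
            if (block.timestamp - startedAt <= gracePeriod) revert GracePeriodNotOver();
        }
        (, int256 answer,, uint256 updatedAt,) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        // Staleness: an answer older than the configured window is not usable.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt);
        return uint256(answer);
    }
}
```

A fallback feed, as the multi-feed bullet describes, would wrap this read in a try/catch and consult the next source when it reverts.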

### Cross-Chain & Asset Safety

Cross-chain execution adds complexity, but **our architecture is built for resilience**. We’ve designed mechanisms to **prevent loss of funds and ensure smooth transactions** across multiple chains.

* **Automated Recovery Vaults:**
  * If a cross-chain transaction **fails mid-process**, assets are **never lost**.
  * Recovery vaults automatically retry or **return assets to users safely**.
* **Secure Settlement Validation:**
  * Every cross-chain **settlement undergoes multiple verification steps** before execution.
  * Prevents **premature or malicious settlements** that could result in missing funds.
* **Refined Refund Handling:**
  * **Partial refund detection** prevents miscalculations in vault balances.
  * **Strict validation checks** before refunds are processed.

### Live Monitoring & Active Threat Mitigation

Security isn’t just about preventing known threats – it’s about **anticipating and neutralizing emerging risks**. Our protocol integrates **real-time security monitoring** and **failsafes** to protect users 24/7.

* **On-Chain Anomaly Detection:**
  * Tracks unusual transaction patterns to detect **suspicious activity early**.
  * Alerts are **automatically triggered** for any unexpected behavior.
* **Emergency Circuit Breakers:**
  * The system can **pause critical functions** in case of unexpected exploits.
  * Protects user funds while a response plan is executed.
* **Bug Bounty Program & Ongoing Audits:**
  * Continuous third-party **penetration testing** to identify potential weaknesses.
  * Open bug bounty program **incentivizes external security researchers** to find and report vulnerabilities.

***

## Audits

To ensure maximum protocol integrity and depositor protection, all maxAPY smart contracts undergo continuous and comprehensive security audits conducted by top-tier firms including **Zokyo** and **Rezolv**. Every critical component - from MetaVault architecture to cross-chain bridging modules - is subjected to both **manual line-by-line reviews** and **automated analysis** prior to any deployment.

Full audit reports available for the detail-oriented degens among you:

{% @github-files/github-code-block url="<https://github.com/VerisLabs/MetaVault/tree/main/audit>" %}

### maxAPY V1 Audits

Across the four latest audit rounds (March and April 2025), the protocol achieved **perfect or near-perfect scores**, with **zero unresolved critical issues** and all major findings either **fully resolved** or **acknowledged with mitigation**.

Each audit covered:

* Access control and role permissions
* Safe handling of asynchronous cross-chain deposits/withdrawals
* Reentrancy and DoS protections
* Oracle validation and fallback logic
* ERC-7540 engine integrity
* Accurate fund accounting and settlement safety

Audits were conducted on:

* `MetaVault.sol`
* ERC-7540 modules
* Cross-chain Superform modules (invest, divest, liquidate)
* SuperPositions and ERC20 receivers
* Gateways, proxies, and asset managers

Audit scores:

* **Zokyo (Mar '25):** 100/100 - all findings resolved
* **Zokyo (Apr '25):** 98/100 - minor acknowledged low-risk issues
* **Rezolv (Feb & Apr '25):** Full manual review, all high and critical issues resolved

This ongoing security process is part of maxAPY's commitment to transparent, robust, and production-grade yield infrastructure.

### maxAPY BETA Audit

Since October 2024, we have been engaging with Zokyo for ongoing audits and reviews. Their thorough assessments cover various aspects of our security and operational protocols, ensuring continuous improvement and robustness of our platform.

#### ✅ Beta Protocol Audit (October 28, 2024)

* **Resolved**: 3 Medium, 4 Low, 7 Informational
* **Major Fixes**
  * [x] Access Management Hierarchy
  * [x] Re-entrancy Protection
  * [x] Smart Contract Logic
  * [x] Transaction Safety
  * [x] Asset Security

{% @github-files/github-code-block url="<https://github.com/VerisLabs/maxapy/blob/development/audits/zokyoAudit.pdf>" %}

***

{% hint style="info" %}
*Remember: Even with all this security, DeFi is still DeFi. Don't ape in with more than you can afford to lose. Not financial advice, but definitely common sense.*
{% endhint %}
