MaxFiMaxFi

Security

Transparency about how we protect your funds

SECURITY AUDIT STATUS

V30 Comprehensive Security Audit Complete

Latest audit: February 16, 2026 — 22 Solidity files, ~6,500 lines reviewed

0
Critical
0
High
0
Medium
8
Low (Accepted)
448+
Tests Passing
30
Audit Iterations
16
Contracts Deployed

🏗️ Architectural Security

MaxFi's architecture eliminates entire classes of DeFi attacks by design, not just by adding guards.

Zero-Swap Design

No token swaps during rebalances. This eliminates MEV extraction, sandwich attacks, and slippage — the most costly vulnerability class in DeFi ($1.2B+ in 2024 alone).

Per-User NFT Positions

Each user owns their own concentrated liquidity NFT. No shared pool, no exchange rate to manipulate. Eliminates the entire class of ERC-4626 vault attacks (inflation, donation, rounding).

TWAP Hard Revert

The protocol NEVER falls back to manipulable spot prices. Unlike protocols that caused $52M+ in oracle manipulation losses in 2024, MaxFi reverts on TWAP failure.

🧪 Testing Methodology

Our smart contracts undergo rigorous multi-layered testing to ensure reliability and security.

448+

Unit & Fork Tests

Comprehensive test coverage for all contract functions and edge cases

10

Invariant Tests

Property-based tests verifying critical security properties hold under any operation sequence

40K+

Randomized Calls

Invariant tests execute ~40,000 randomized function calls to find edge cases

Invariants Verified

Performance fees never exceed 50% maximum
Referral fees never exceed protocol fees
Position range widths stay within bounds
Rebalance delays stay within 0-7d limits
Treasury is set when fees are active
Tick ranges are always valid
Position ownership remains consistent
Fee rate changes respect ±500 bps / 6h cooldown
Deposit timestamps are valid
Internal accounting matches expected state

🛡️ Exploit Resistance

Verified against known DeFi attack vectors from 2024-2026 ($2B+ in losses analyzed).

Reentrancy: nonReentrant on all entry points + read-only reentrancy flags
Oracle Manipulation: TWAP with hard revert — never falls back to spot price
Flash Loan Attacks: 1-minute hold time + TWAP oracle (not manipulable in single block)
MEV / Sandwich: Zero-swap architecture — no swaps means nothing to sandwich
First-Depositor Inflation: Per-user NFT positions — no shared vault to inflate
Donation Attacks: No ERC-4626 exchange rate to manipulate
Access Control: Ownable2Step + onlyVault + onlyAuthorized on all admin functions
Proxy Storage Collision: EIP-1967 + OpenZeppelin TransparentUpgradeableProxy + __gap[39]

🔍 About Our Security Audits

Our smart contracts have undergone 30 audit iterations using industry-standard methodologies including OWASP Smart Contract Top 10 (2026), EEA EthTrust Security Levels V3 (88 requirements), SWC Registry (SWC-100 through SWC-136), and analysis of 15+ major DeFi exploits from 2024-2026 totaling $2B+ in losses.

The methodology is informed by Trail of Bits, OpenZeppelin, Cyfrin, and Spearbit audit frameworks. All 22 Solidity files (~6,500 lines) have been reviewed line-by-line across multiple iterations with progressive remediation of all identified issues.

Transparency Note: These audits were conducted using AI security analysis tools, not a traditional third-party audit firm. While the methodology is rigorous and comprehensive, we plan to commission a brand-name security firm audit as the protocol grows. Always do your own research and only deposit what you can afford to lose.

Security Features Implemented

Zero-Swap Design

No token swaps during rebalances — eliminates MEV, sandwich attacks, and slippage

Per-User NFT Positions

Each user owns their own LP NFT — no shared vault, no inflation attacks

TWAP Oracle (Hard Revert)

5-minute TWAP with no spot price fallback — prevents oracle manipulation

ReentrancyGuard

All state-changing functions protected against reentrancy attacks

Ownable2Step

Two-step ownership transfer prevents accidental lockout across all contracts

Fee Rate Limiting

Fees can only change ±5% per 6 hours — 42 hours minimum to reach max

24h Timelocks

Treasury and staking manager changes require 24-hour timelock

Pausable

Emergency stop capability for incident response

SafeERC20

Safe token transfer patterns for all ERC20 operations

Flash Loan Protection

1-minute minimum hold time prevents flash loan exploits

Position Limits

Configurable limits prevent gas griefing (500/user, 100K total)

Read-Only Reentrancy Protection

Withdrawal flags in reward adapters prevent view function exploits

Audit Reports

Deployed Contracts (Base Mainnet)

All 15 contracts verified on BaseScan — compiled with solc 0.8.33, deterministic via_ir builds

ContractAddress
MaxFi Vault (Proxy)0x7d27cdfb...fd2afd55
MaxFi Vault Implementation0x359f90ee...06822d28
ProxyAdmin0x7885d796...25f486cb
AdminSatellite0xebae1f42...8e53ee36
StakingManager0x4994743d...81020638
FeeTransferHelper0xccbfba20...f02cced2
ReferralTracker0xe0cf9756...03ec8aad
ViewHelper0x28649062...d3ce18bd
KeepersHelper0x6cbfdf01...9f90b114
TreasurySplitter0xef9b9e02...957d9d98
UniswapV3Adapter0xca4cf963...b4debabd
AerodromePositionAdapter0x0aedeed5...559794d1
AerodromeRewardAdapter0xbb8ea00a...a264375a
PancakeSwapPositionAdapter0xad35ec92...edbf0a71
PancakeSwapRewardAdapter0x346cb3db...0ab08912

🐛 Report a Security Issue

Found a vulnerability? We take security seriously and appreciate responsible disclosure. Reach out to us through any of these channels:

📧 Email𝕏 Twitter💬 Discord

Future Security Plans

  • Commission audit from recognized security firm (Trail of Bits, OpenZeppelin, etc.)
  • Launch formal bug bounty program with rewards
  • Add multi-sig requirement for protocol upgrades

Important: Despite our security measures, all DeFi protocols carry inherent risks. Smart contract bugs, economic exploits, and unforeseen vulnerabilities can result in loss of funds. Never deposit more than you can afford to lose. Please read our full risk disclosure before using MaxFi.

Security Audit | MaxFi - Smart Contract Security