The 0xMacro Library

Audited a small code change to boring solvers allowing solvers to cover a deficit if they so choose.

Repository

We reviewed Citrus's custom Safe Module that allows them to execute a configuration task across multiple chains using only a single signature.

Website

Repository

Github Organization | Private Repo

Website

We reviewed several Account updates, including refactors and a new feature that allows users to transfer their tokens (native, ERC20, ERC721, and ERC1155) from their Infinex account to any specified destination address.

Website

GitHub Organization - Repo private as of December 16, 2024

Website

Github Organization | Private Repo

Audited the AaveV3 and LombardBtc decoders, allowing boring vaults to claim rewards with AaveV3, as well as mint LBTC and swap CBBTC for LBTC.

Repository

Focus of the audit was on reviewing redemption fee logic for Superstate tokens, as well as verifying logic for obtaining Superstate tokens onchain. In addition, during audit we reviewed several smaller incremental changes across Superstate system components

Repository: Onchain Redemptions

Repository: USTB

Website

We reviewed SevenSeas's Solana program – running on Eclipse.xyz – that holds deposited tokens to bridge to Ethereum mainnet via Hyperlane.xyz.

Repository

We audited the token distribution contract that uses a merkle tree to validate claims for users to claim owed Rekt tokens.

Private Repo and Organization

Website

Audit scope included review of the custom real time price oracle for Superstate's tokens associated with different funds. Also we reviewed transition to upgradeable system contracts together with liquidation logic integration for Morpho project.

Repository: Liquidation

Repository: Onchain Redemptions

Repository: USTB

Website

We audited functionality that added interacting with the new Zap contract allowing users to deposit, withdraw, unwind, and modify collateral utilizing Zap.

Repository

Website

We reviewed the initial version of PatronVesting, which allows the owner to manage different tiers that define the conditions for users claiming their Patron NFTs.

Website

GitHub Organization - Repo private as of December 16, 2024

We reviewed RewardCampaign, which allows the owner to create campaigns where users can claim rewards based on pre-defined vesting entries.

Website

GitHub Organization - Repo private as of December 16, 2024

We reviewed various protocols and their associated decoders allowing boringVaults to integrate them, including Bitcorn, Usual Money, Satlayer, Frax staking, and Lido bridging. Additionally a new withdrawal queue and solver was audited, allowing for anyone to solve requests and trading shares from one boring vault for another.

Repository

We reviewed several changes to thirdweb's modular contracts, including support for signature-based minting and maxMintPerWallet limits for claimable modules. We also reviewed the Paymaster contract, which now accommodates payment tokens with non-standard decimal places.

Repository

Website

PatronNFT, a ERC721A NFT contract that utilizes new batch transfer functionality to allow for cheaper transfers of consecutive token ids, allowing for distribution of multiple tokens to cost less gas.

Website

GitHub Organization - Repo private as of November 8th, 2024

We reviewed the PayGateway contract that is now supporting thirdweb’s modular architecture. Additionally, we have reviewed changes on the Royalty modules, which have been changed to support the “creator token standard."

Repository

Website

We audited GuessOurBlock contracts, a betting game that allows users to place bets on blocks that will be validated by a Heroglyphs validator, and include this ticker in their graffiti.

Github Organization

Website

We audited the Zora mints functionality, allowing for purchasing mints tokens which can be used to mint NFTs in the Zora protocol at a standard rate.

Repository

Website

We reviewed the Governance Points (GP) distributor contract, a trusted and straightforward contract for sending tokens to users, and some minimal changes to the GP token contract. Additionally, we audited some feature abstractions to base contracts to avoid duplicated code and included further view helper functions in contracts.

Website

GitHub Organization - Repo private as of October 7, 2024

We audited Kwenta's reimbursement contracts, which are used to reimburse users with high trade volume over the past 30 days. The audit also involved reviewing ZK-circuits written in Go using the Brevis service.

Repository

Website

We audited the Infinex Cardrun game, a card pack opening game using Pyth Entropy randomness requests to decide the card's content.

Website

GitHub Organization - Repo private as of September 16, 2024

We audited Infinex Patron point of purchase, App, Beacon and Vaults contracts. Allowing users to use authorized signatures to access a Patron token purchase, register the proper on-chain receipt, and manage payments.

Website

GitHub Organization - Repo private as of September 2, 2024

Reviewed Orange migration contract, a pre-audited and deployed contract previously used as a bridge repurposed for their token migration. Allows users to burn old tokens by providing a valid authorized signature and claiming their new tokens.

Repository

Website

Audited new bridging integrations and a "Drone" contract controlled by the boring vault to allow interacting with protocols with multiple addresses when necessary.

Repository

We audited the protocol token migration from the MPL token to the new Syrup token as part of Maple's upgrade. This includes the Syrup Merkle tree distribution, the MPLUserActions contract that facilitates user migration to Syrup and xSyrup, and the SyrupUserActions contract that allows syrupUSDC swaps into DAI or USDC. Additionally, minor changes to the fixed and open loan terms were added.

Github Organization - Private Repo

Website

We reviewed Infinex account changes with some refactors and two feature additions: Enabling users to sync their fund's recovery address using CCQ integration and direct CCTP bridging and recovery.

Website

GitHub Organization - Repo private as of September 2, 2024

We audited Kwenta's MarginPaymaster contract, an ERC-4337-compliant custom Paymaster contract that optimistically sponsors transactions signed by a privileged actor, attempting to recoup gas costs in USDC or SNX-V3 margin.

Repository

Website

Audited the update that added the ability to reward USDC along with KWENTA tokens in their staking contract.

Repository

Website

Reviewed the integration of bridging functionality with SocketDotTech's bridge, allowing USDC to be bridged to the polynomial network and simultaneously allow for the creation of polynomial accounts and staking of the bridged assets.

GitHub Organization (private repo)

Website

Inverter is a protocol and a modular framework for no-code solutions on Ethereum enabling customizable and dynamic token issuance and asset flow management. We have reviewed contracts related to core modules such as orchestrator and many use case specific modules handling staking, payments, authorization and many others.

Repository

Website

Review of improvements for MagicSwap V2 (custom UniswapV2 DEX) and of Staking Rewards implementation contract.

Githhub Organization | Private Repo

Magicswap Website

TreasureDAO Website

Added decoders allowing bridging assets from boring vaults to and from Arbritrum and Optimism chains. Additionally added ability for vaults to interact with pancake swap v3.

Repository

Added decoders to interact with the Reserve protocol through Into the Block's specialized position manager.

Repository

We performed a security review on the Superstate USTB repo, which mainly focused on USCC and SuperstateToken contracts, an allowlisted ERC20 token implementation with Permit and ERC-7246 encumbered balances extension.

Repository

Website

Repository

Website

System of contracts for providing multiple mechanisms for bridging XERC20 compatible tokens using the Arbitrum canonical bridge.

Repository

Website

We reviewed onchain redemption system relying on Chainlink price feed for exchanging USTB (Superstate token) for USDC. System features also several admin controlled configuration features.

Repository

Website

We reviewed Mintra's ERC721 and ERC1155 collection contracts that support customization on maximum supply, time-boxed minting, fee logic, token gating, etc.

Repository

Website

We reviewed Thirdweb's Modular Contracts framework, a set of core and extension contracts to support customization of minting, burning, token metadata, etc.

Repository

Website

We conducted an audit of the Curve App, focusing on the implementation of the app and its proper integration with Curve NG pools. We also reviewed changes in the management App Module in the core Infinex Account system.

Website

GitHub Organization - Repo private as of June 24, 2024

Reviewed this fork of Synthetix V3 with minor changes, and their cannon deployment scripts.

GitHub Organization (private repo)

Website

On-chain registry for software packages, similar to node. Users can register a package name, and give permissions to users to update packages. Usable on mainnet ethereum and optimism.

Repo

Website

We audited the Shroom community currency token implementation, adding custom fee logic to the standard ERC-20 implementation using Thirdweb's audited contracts.

Source Code on Polygon

Website

Repository

We reviewed Infinex's governance system, which is composed of a set of contracts used to elect council members and assign them to designated GnosisSafe wallets. Cross-chain communication is utilized to determine the voting power and propagate the elected members to different chains.

Website

GitHub Organization - Repo private as of June 24, 2024

Repository

Website

We audited Quark Wallets' new additions and modifications, which now support multi-Quark operations. Users can now sign multiple Quark operations or a single operation to be executed cross-chain. The new Paycall and Quotecall scripts were also audited in this round.

Repository

Website

Repository

We reviewed the Titan Node PaymentStream contract, a streamlined payment management system that enables payees to claim ERC20 tokens released linearly over time. The contract also includes safeguard mechanisms allowing for the finalization of payments if necessary.

Website

Repo

We conducted an audit of Infinex's Governance Points contract and its staking mechanism to reward users of Infinex accounts across the many chains they are deployed on.

Website

Cannon Package

GitHub Organization - Repo private as of May 13, 2024

We conducted an audit of Infinex Accounts, focusing on its innovative use of a proxy beacon, upgradable architecture with multiple modules, and customizable key management system. This design empowers users to manage their accounts independently without relying on external parties. Additionally, the upgradable structure allows for seamless implementation of new features and updating configuration parameters, provided users opt in.

Website

Cannon Package

GitHub Organization - Repo private as of May 13, 2024

We reviewed a vesting contract that rewards users with ERC20 tokens based on a defined vesting tier.

Website

We reviewed an update on Thirdweb's smart wallet contract to support Seaport bulk orders for EIP-1271.

Repository

Website

Repository

Review of thirdweb's Airdrop contract, which encompasses push, claimable, and signature-based airdrops in a single contract. We also audited the PaymentsGateway contract, a component of thirdweb Pay. It serves as the entry point for pay transactions and handles fee management, logging, and routing the transaction to the swap provider.

Repository: Main Contracts

Repository: Gateway Contract

Website

We reviewed an UUPS upgradable ERC-20 implementation with role-based access control and pausing capability.

Website

Audited a new vault protocol, the Boring Vault, which is a simplistic contract itself, but is managed by a contract that requires calls to be pre-approved via a merkle tree, and the vaults share exchange rate and withdrawals are managed and handled by the protocol.

Repository

Audited a Pendle adaptor and its corresponding Pendle pricing extension, to allow cellars to interact the Pendle protocol and hold various Pendle tokens as positions, including LP, YT, PT, and SY tokens.

Repository

Audited an adjustment to the vote escrow curve function and adjustments to the governance contracts setup.

Repository

Website

Audit of changes made to the core protocol including margin requirement changes, support for pending deposit, a new EscrowContract has been added, support for quote token migration, and other minor refactors.

Website

Github Organization

We reviewed the new Connext's connector for Scroll L2. Scope included both ScrollHubConnector and ScrollSpokeConnector contracts.

Repository

Website

Covenant is a decentralized, non-custodial debt market, built on perpetual debt. It is a lending protocol based on Aave architecture with interest rate calculation externalized to AMM markets for particular debt asset. Macro audited their core protocol implementation prior to their beta release.

Website

Github Organization

Audited Sommelier's multichain contracts that allow assets to be shared between different chains using Chainlink's CCIP protocol. Additionally, we audited the Compound v3 adapter as well as the support for various staking adapters including EtherFi, KelpDAO, Lido, Renzo, Stader, Swell.

Repository

Website

Patchwork protocol was refactored and new functionality was added to the core system contract for managing and charging various fees related to different system operations. We have reviewed these changes and additional updates that were introduced to extract assignment functionality into a specific contract

Repository

Twitter

Audited the new addition to cellars to support multi-asset deposits as well as the support for MorphoBlue adapters.

Repository

Website

The ability to have a sequencer check was added to the price router to be used for cellars on layer 2 chains, preventing pricing when the sequencer is down.

Repository

Website

Audit of Zap, a contract that allows the feeless exchange of USDC to sUSD and vice versa via SynthetixV3 spot markets.

Repository

Website

Kwenta V3 smart margin contract was made upgradeable and implemented Zap functionality to exchange USDC to uUSD and back. The ability for USDC to be converted to sUSD and used as collateral, or have collateral be withdrawn and converted to USDC was added.

Repository

Website

Audit of Mintra’s marketplace contract, a fork of Thirdweb's direct listing marketplace, with changes being made to permissions, royalty logic, and support for bulk buy.

Repository

Website

Audited Mento's new governance contracts using vote escrowed mento tokens to vote, as well as a immutable factory to deploy and setup relevant contracts.

Repository

Website

We audited Compound Quark Wallet, a flexible, trustless, custom smart contract account that allows entitled users to execute Quark Operations through direct execution or signatures. The system design allows for any arbitrary code execution, deploying new scripts atomically during a Quark Operation execution or re-using deployed scripts. Additionally, we audited specific scripts, such as Ethcall, Multicall, UniswapFlashLoan, and UniswapFlashSwapExactOut.

Repository

Website

Audit of the following additions by Sommelier: A Curve adaptor and Convex curve adaptor allowing cellars to have a curve pool and Convex Curve positions. A pricing extension to price curve 2 pools. A slippage router to allow for deposits and withdrawals with specified slippage. A withdrawal queue, allowing users to specify withdrawal conditions and for a solver to bundle and execute withdrawal orders on their behalf.

Repository

Website

An audit of incremental updates to Maple V2 contracts packaged into the Q4 release. These included a new FIFO queue-based withdrawal manager submodule, a new pool permission manager submodule, and additional smaller changes and improvements for the rest of the system.

Github Organization - Private Repo

Website

Kwenta made conditional orders payable with ETH, allowing deposits and withdraws of ETH used for payment. Integration with EIP7412 was also added to allow price oracles to be updated when needed via off-chain verification.

Repository

Website

Audit of Farcaster v3.1 contracts. Updates implement new manager pattern to simplify future migrations, and adding additional mitigations to event spamming vectors

Repository

Website

Audited the new Aura position adaptor, Curve and Redstone pricing extensions, and small updates to the Frax adaptors.

Repository

Website

Audited upgrades to support an optimistic system on Spoke Connectors.

Repository

Website

Audited BurnToClaimERC721 as well as changes made to MarketplaceV3 since the previous audit.

Repository

Website

Finished the second part of auditing core Nori contracts such as Market, Certificate, Removal, RestrictedNORI, and library helpers

Repository

Website

Small audit to review addition of a command that allows callers to update Synthetix keeper fee.

Repository

Website

KIP-80: Smart Margin Account Upgrade

KIP-87: Public Conditional Order Execution

SIP-2013: Dynamic Gas Fee Module

Patchwork protocol enables new onchain use cases by defining and utilising new composition capabilities for ERC721 and ERC1155 tokens. We have reviewed a contract which enforces compliance and manages token transfers with these extra capabilities, including additional access controlled functionality for enabling cross token associations. In addition we have performed review of a set of abstract contracts that are meant to be inherited and reused for implementing specific token composition behaviors in a Patchwork compliant way.

Repository

Twitter

Audited an update to the Aave, Yearn, and Compound portfolios to inherit from the updated Portfolio contract.

Github Organization

Website

Audited V5 Prize Pool and V5 TWAB Controller contracts.

Github Organization

Website

Audit of Kwenta's Smart Margin v3 contract, which leverages Synthetix v3's account-based architecture and offers improved tools for trading Synthetix derivatives.

Repository

Website

Audit of the V2 version of Kwenta's staking rewards and rewards escrow contracts, as well as V1 -> V2 escrow migrator contract.

Repository

Website

KIP-42: Implement getRewardOnBehalf and stakeEscrowOnBehalf methods to KWENTA staking contracts

KIP-58: Staking V2

KIP-62: Escrow V2 (Escrow Transferrability)

KIP-77: Make Staking V2 Upgradeable

KIP-86: Staking V2 Integrator Contract Support

Audited the addition of Frax collateral and debt adaptors, and changes to the AxelarProxy contract.

Repository

Website

Audit of two new features in the KeyRegistry and IdRegistry contracts.

Repository

Website

Audited the EvolvingNFT and LoyaltyPoints contracts, as well as changes to the smart contract wallet account contracts and their factories.

Repository

Website

Audit of Farcaster's core L1 and L2 contracts.

Repository

Website

Audited multiple contracts for the v2.2 Mento protocol release. Adding Oracle circuit breakers and updating the constant sum pricing module, pool manager, and a new and simpler ERC20 token implementation for stable tokens.

Repository

Website

The CellarAdaptor was audited again with the added scope of using SavingsDai ERC4626 vault as a position, and no issues were found.

Repository

Website

Audited the addition of the SharePriceOracle contract that uses Chainlink automation to update the share price of a cellar in order to reduce gas costs and lower share price volatility, as well as cellars that integrate this oracle.

Repository

Website

Audit of smart-margin V2.10 on the code changes from the prior audit of smart-margin V2.02, including a command that allows whitelisted token swaps to and from sUSD.

Repository

Website

KIP-80: Smart Margin Account Upgrade

KIP-87: Public Conditional Order Execution

We audited the core smart contracts, including their exchange and governance protocols.

Website

Github Organization

Audit scope included, among other things, new connectors to support additional chains, templatized IXReceiver contracts, updates to the Optimism connector to support Bedrock, and adding initial implementation of Optimistic roots to avoid the direct use of AMBs to propagate messages to the RootManage.

Repository

Website

Audit of Wormhole hub and spoke connectors.

Repository

Website

We audited Bitcone's ERC20 token contract deployed on the Polygon blockchain.

Deployed Contract

We audited two new contracts being deployed by thirdWeb: Dynamic Drops and Loyalty Cards.

Repository

Website

Audited the updated PriceRouter to include pricing extensions as well as the corresponding price extensions for balancer pools and lido wsETH. Added Frax and Morpho position adapters, as well as using Axelar to bridge transaction from the sommelier chain.

Repository

Website

We audited minor refactors, a new auth strategy for delegatecash, and improved events among other things

Citadel Game Docs

GitHub Organization - Private Repo

Re-audited Kwenta's accounts and events functionality.

Repository

Website

KIP-18: Cross Margin

KIP-19: Advanced Orders

We reviewed Fuji's full platform, including their lending, cross-chain, and permits functionality.

Repository

We audited their staking and bridge contracts that are used to manage staking and rewards logic.

Repository

Website

Audit of two separate features, the Smart Accounts and Open Edition ERC-721 Accounts.

Repository

Website

We reviewed the token contract, including access controls and core ERC-20 functionality.

Repository

Website

We audited the Kwenta smart margin accounts functionality and related contracts.

Repository

Website

KIP-18: Cross Margin

KIP-19: Advanced Orders

We audited two separate features for thirdWeb, including PackVFR and the Extension Registry contracts.

Repository

Website

The Cellar, Registry, CellarFactory, PriceRouter, and SwapRouter contracts were audited, as well as position adaptors integrating Aave, compound, uniswapV3, one inch and 0x.

Repository

Website

Audit of Bueno.art's deployed 1155Drop contract deployed on Ethereum, as well as the clone factory contract used to deploy the 1155Drop contract.

Deployed Contract - Bueno1155Drop.sol

Deployed Contract - BuenoFactory.sol

Website

We audited Bueno.art's deployed 1155Drop contract, specifically looking at the differences between solidity contracts and the deployed version on Ethereum mainnet referenced in the previous Bueno.art audit.

Deployed Contract - Bueno1155Drop.sol

Deployed Contract - BuenoFactory.sol

Website

System for fractionalizing NFTs using custom Nft Vaults and providing liquidity by relying on customized UniswapV2 DEX.

Githhub Organization | Private Repo

Magicswap Website

TreasureDAO Website

Audit of thirdWeb's Airdrop and Multichain Registry functionality.

Repository

Website

Macro audited three separate parts of the Synthetix V3 infrastructure: ERC standard tokens (20 and 721), Hardhat Router and Hardhat Storage

Repository

Website

We audited the Synthetix V3 contracts, specifically focusing on the core functionaltiy of the Synthetix V3 protocol.

Repository

Website

Re-audit of the Synthetix V3 contracts, specifically focusing on the core functionaltiy of the Synthetix V3 protocol. This was a second audit of similar functionality that was reviewed in the Synthetix-2 audit.

Repository

Website

We audited a collection of token extensions related to ERC721 tokens. This included functionality for ownership, permissions, sales, royalties, and more. We also reviewed the routing functionality for the contract.

Repository

Website

Audit of The Graph's subscription contract, which allows users to pay for their service with ETH for their services

Repository

Website

Audited their Euler Debt and E token adapters.

Repository

Website

We re-audited Nori's core contracts, which are used to manage their carbon offsetting platform.

Repository

Website

Audit of the xDonations donation contract.

xDonations Explainer

Repository

Our review included their core protocol and market contracts.

Repository

Website

We audited Connext's messaging layer contracts, responsible for coordinating state updates between various Connext modules.

Repository

Website

Audit of their wallet accounts and signature drop 1155 contracts.

Repository

Website

Audited Double core vaults, reward distribution, and UniswapV2 liquidity provider and migratory contracts

Website

GitHub Organization - Private Repo

Audit of mStable's MetaVaults, which are based on EIP-4626 vaults. We reviewed the underlying logic that allows users to deposit and withdraw assets from these vaults.

Repository

Website

Audited the core Sommelier contracts, including the contract factory, router, staking, and 3rd party integrations.

Repository

Website

Audit of MakerDAO's dss-kiln module, which is used to manage liquidations. We reviewed its core functionality, including the mathematical logic underlying the liquidations functions.

Repository

Website

We audited Nori's core contracts, which are used to manage their carbon offsetting platform. This included access controls, bridging functionality and certificate minting functions.

Repository

Website

Audit of Bueno.art's deployed 721Drop contract on Polygon, including their contract proxy and administrative functions.

Deployed Contract

Website

We audited three new staking contracts for thirdweb: TokenStake, a contract for staking ERC20 tokens; NFTStake, a contract for staking ERC721 NFTs; and EditionStake, a contract for staking ERC1155 tokens. Each contract supports configurable staking rewards.

Repository

Website

We audited their main contracts, ZK ConstructionBay contract and Deployment scripts.

Citadel Game Docs

GitHub Organization - Private Repo

Audit of Marketplace and TieredDrop contracts.

Repository

Website

Audit of their ERC20, ERC721 and ERC1155 drop contracts.

Repository

Website

Audit of PartDAO's core contracts, which are used to manage their governance and treasury.

Repository

Website

Audit of the smart margin contracts, including the future's market and interfaces.

Repository

Website

KIP-18: Cross Margin

KIP-19: Advanced Orders

Macro is excited to continue its ongoing engagement with Sommelier Finance as they realize their vision of algorithmic, automated DeFi yield optimization strategies. Cellars support dynamic management and balancing across multiple asset types: ERC20s, other ERC4626s, and other Cellars – which are themselves ERC4626 vaults. They utilize governance and control mechanisms for management; Uniswap V2/V3 for asset rebalancing; and Chainlink price oracles for asset valuation.

Repository

Website

Audit of their ERC20, ERC721 and ERC1155 token contracts.

Repository

Website

We audited thirdWeb's Pack functionality and subsequent extensions and interfaces for the contract.

Repository

Website

We reviewed upcoming Kwenta feature designs to give their team confidence in the direction they were going.

SEE REPORT HERE: Due to the nature of this audit, a formal report was not created so the link above does not work.

Repository

Website

KIP-18: Cross Margin

KIP-19: Advanced Orders

We audited three new exciting features for thirdweb: Multiwrap, a contract that allows transferring and trading of multiple assets as a single unit; DropERC1155, a contract that allows users to easily mint multiple sets of NFTs with no redeployment; and SignatureDrop, a contract that allows facilitating both drops and mints via signatures.

Repository

Website

Multiwrap launch thread