Audit Works Library

Yield generating stablecoin pegged to USD. Interacts with trusted lending protocols, distributing yield to stakers. Audited the V2 contracts associated with minting and redeeming lvlUSD using multiple collaterals, and the contracts associated with interacting with lending protocols such as Aave and Morpho.

We audited several contracts from thirdweb, including UniversalBridgeV1 and UniversalBridgeProxy (refactors of PaymentsGateway), MinimalAccountNew (a modular account implementation supporting EIP7702), and multiple paymaster contracts for different entrypoint versions and ZKSync⁠ chain.

Audit of an off-chain variant to limit orders and async orders.

We reviewed the added ability to make limit orders, requiring both sides of an order to be found before executing.

As part of Clanker system audit we have reviewed the onchain code utilized by the clanker agent for token deployment and LP fee distribution. In addition, the review included ClankerVault functionality for locking predefined ClankerToken portion for specific time, LP fee splits between clanker team, token creator, and deployment partner, and cross chain ClankerToken functionality based on Optimism's Superchain specification.

We performed a review of Towns token functionality update, examining the implementation of Superchain integration functionality and ensuring proper universal deployment across Superchain compatible chains

We reviewed the Odos protocols and its associated decoder allowing boringVault to interact with the protocol.

We reviewed various protocols and their associated decoders allowing boringVault to integrate them, including Spectra, Resolv, Uniswap V4, and EulerEVK.

We audited the Solana version of the Boring Vault that already launched in the EVM chains

We reviewed various protocols and their associated decoders allowing boringVault to integrate them, including UniswapV2, Royco, Dolomite, Kodiak Island, Honey, Infrared, BeraETH, and Goldilocks.

We reviewed a new feature within the Maple Finance system which allows MapleBorrowerActions contract to be whitelisted to interact with loan contracts on behalf of all borrowers.

Review of bridge and redeem request functionality. Actual bridging and redeeming is performed offchain (out of scope).

We reviewed various protocols and their associated decoders allowing boringVault to integrate them, including Symbiotic, Morpho, Teller, and Silo. Additionally, we reviewed changes to the BoringOnChainQueue that added support for withdraw capacity.

We reviewed various protocols and their associated decoders allowing boringVault to integrate them, including Usual Money, Sky Money, Royco, Sonic Gateway, Sonic Deposit, and Euler EVK. Additionally, we reviewed the Zeroland protocol for compatibility with the AaveeV3DecoderAndSanitizer.

We performed a comprehensive audit of the Maple Core protocol update, examining the implementation of three new yield-generating strategies (MapleBasicStrategy for ERC4626 vaults, MapleSkyStrategy for Sky Savings Rate via sUSDS, and MapleAaveStrategy for Aave Pool deployments).

We reviewed changes to the PatronVesting contract that added two capabilities: allowing the owner to claim on behalf of users and enabling allocation transfers from the zero address to another address.

We reviewed Citrus's custom Safe Module that allows them to execute a configuration task across multiple chains using only a single signature.

We reviewed several Account updates, including refactors and a new feature that allows users to transfer their tokens (native, ERC20, ERC721, and ERC1155) from their Infinex account to any specified destination address.

We audited Staked Derive Token, an adapted and simplified fork contract of Camelot's XGrail token with the addition of partial delegation

Audited the AaveV3 and LombardBtc decoders, allowing boring vaults to claim rewards with AaveV3, as well as mint LBTC and swap CBBTC for LBTC.

Focus of the audit was on reviewing redemption fee logic for Superstate tokens, as well as verifying logic for obtaining Superstate tokens onchain. In addition, during audit we reviewed several smaller incremental changes across Superstate system components

We reviewed SevenSeas's Solana program – running on Eclipse.xyz – that holds deposited tokens to bridge to Ethereum mainnet via Hyperlane.xyz.

We audited the token distribution contract that uses a merkle tree to validate claims for users to claim owed Rekt tokens.

Audit scope included review of the custom real time price oracle for Superstate's tokens associated with different funds. Also we reviewed transition to upgradeable system contracts together with liquidation logic integration for Morpho project.

We audited functionality that added interacting with the new Zap contract allowing users to deposit, withdraw, unwind, and modify collateral utilizing Zap.

We reviewed the initial version of PatronVesting, which allows the owner to manage different tiers that define the conditions for users claiming their Patron NFTs.

We reviewed RewardCampaign, which allows the owner to create campaigns where users can claim rewards based on pre-defined vesting entries.

We reviewed various protocols and their associated decoders allowing boringVaults to integrate them, including Bitcorn, Usual Money, Satlayer, Frax staking, and Lido bridging. Additionally a new withdrawal queue and solver was audited, allowing for anyone to solve requests and trading shares from one boring vault for another.

We reviewed several changes to thirdweb's modular contracts, including support for signature-based minting and maxMintPerWallet limits for claimable modules. We also reviewed the Paymaster contract, which now accommodates payment tokens with non-standard decimal places.

PatronNFT, a ERC721A NFT contract that utilizes new batch transfer functionality to allow for cheaper transfers of consecutive token ids, allowing for distribution of multiple tokens to cost less gas.

We reviewed the PayGateway contract that is now supporting thirdweb’s modular architecture. Additionally, we have reviewed changes on the Royalty modules, which have been changed to support the “creator token standard."

We audited GuessOurBlock contracts, a betting game that allows users to place bets on blocks that will be validated by a Heroglyphs validator, and include this ticker in their graffiti.

We audited the Zora mints functionality, allowing for purchasing mints tokens which can be used to mint NFTs in the Zora protocol at a standard rate.

We audited Kwenta's reimbursement contracts, which are used to reimburse users with high trade volume over the past 30 days. The audit also involved reviewing ZK-circuits written in Go using the Brevis service.

We audited the Infinex Cardrun game, a card pack opening game using Pyth Entropy randomness requests to decide the card's content.

We audited Infinex Patron point of purchase, App, Beacon and Vaults contracts. Allowing users to use authorized signatures to access a Patron token purchase, register the proper on-chain receipt, and manage payments.

Reviewed Orange migration contract, a pre-audited and deployed contract previously used as a bridge repurposed for their token migration. Allows users to burn old tokens by providing a valid authorized signature and claiming their new tokens.

Audited new bridging integrations and a "Drone" contract controlled by the boring vault to allow interacting with protocols with multiple addresses when necessary.

We audited the protocol token migration from the MPL token to the new Syrup token as part of Maple's upgrade. This includes the Syrup Merkle tree distribution, the MPLUserActions contract that facilitates user migration to Syrup and xSyrup, and the SyrupUserActions contract that allows syrupUSDC swaps into DAI or USDC. Additionally, minor changes to the fixed and open loan terms were added.

We reviewed Infinex account changes with some refactors and two feature additions: Enabling users to sync their fund's recovery address using CCQ integration and direct CCTP bridging and recovery.

We audited Kwenta's MarginPaymaster contract, an ERC-4337-compliant custom Paymaster contract that optimistically sponsors transactions signed by a privileged actor, attempting to recoup gas costs in USDC or SNX-V3 margin.

Audited the update that added the ability to reward USDC along with KWENTA tokens in their staking contract.

Reviewed the integration of bridging functionality with SocketDotTech's bridge, allowing USDC to be bridged to the polynomial network and simultaneously allow for the creation of polynomial accounts and staking of the bridged assets.

Inverter is a protocol and a modular framework for no-code solutions on Ethereum enabling customizable and dynamic token issuance and asset flow management. We have reviewed contracts related to core modules such as orchestrator and many use case specific modules handling staking, payments, authorization and many others.

Review of improvements for MagicSwap V2 (custom UniswapV2 DEX) and of Staking Rewards implementation contract.

Added decoders allowing bridging assets from boring vaults to and from Arbritrum and Optimism chains. Additionally added ability for vaults to interact with pancake swap v3.

Added decoders to interact with the Reserve protocol through Into the Block's specialized position manager.

We performed a security review on the Superstate USTB repo, which mainly focused on USCC and SuperstateToken contracts, an allowlisted ERC20 token implementation with Permit and ERC-7246 encumbered balances extension.

System of contracts for providing multiple mechanisms for bridging XERC20 compatible tokens using the Arbitrum canonical bridge.

We reviewed onchain redemption system relying on Chainlink price feed for exchanging USTB (Superstate token) for USDC. System features also several admin controlled configuration features.

We reviewed Mintra's ERC721 and ERC1155 collection contracts that support customization on maximum supply, time-boxed minting, fee logic, token gating, etc.

We reviewed Thirdweb's Modular Contracts framework, a set of core and extension contracts to support customization of minting, burning, token metadata, etc.

We conducted an audit of the Curve App, focusing on the implementation of the app and its proper integration with Curve NG pools. We also reviewed changes in the management App Module in the core Infinex Account system.

Reviewed this fork of Synthetix V3 with minor changes, and their cannon deployment scripts.

On-chain registry for software packages, similar to node. Users can register a package name, and give permissions to users to update packages. Usable on mainnet ethereum and optimism.

We audited the Shroom community currency token implementation, adding custom fee logic to the standard ERC-20 implementation using Thirdweb's audited contracts.

We reviewed Infinex's governance system, which is composed of a set of contracts used to elect council members and assign them to designated GnosisSafe wallets. Cross-chain communication is utilized to determine the voting power and propagate the elected members to different chains.

We audited Quark Wallets' new additions and modifications, which now support multi-Quark operations. Users can now sign multiple Quark operations or a single operation to be executed cross-chain. The new Paycall and Quotecall scripts were also audited in this round.

We reviewed the Titan Node PaymentStream contract, a streamlined payment management system that enables payees to claim ERC20 tokens released linearly over time. The contract also includes safeguard mechanisms allowing for the finalization of payments if necessary.

We conducted an audit of Infinex's Governance Points contract and its staking mechanism to reward users of Infinex accounts across the many chains they are deployed on.

We conducted an audit of Infinex Accounts, focusing on its innovative use of a proxy beacon, upgradable architecture with multiple modules, and customizable key management system. This design empowers users to manage their accounts independently without relying on external parties. Additionally, the upgradable structure allows for seamless implementation of new features and updating configuration parameters, provided users opt in.

We reviewed a vesting contract that rewards users with ERC20 tokens based on a defined vesting tier.

We reviewed an update on Thirdweb's smart wallet contract to support Seaport bulk orders for EIP-1271.

Review of thirdweb's Airdrop contract, which encompasses push, claimable, and signature-based airdrops in a single contract. We also audited the PaymentsGateway contract, a component of thirdweb Pay. It serves as the entry point for pay transactions and handles fee management, logging, and routing the transaction to the swap provider.

We reviewed an UUPS upgradable ERC-20 implementation with role-based access control and pausing capability.

Audited a new vault protocol, the Boring Vault, which is a simplistic contract itself, but is managed by a contract that requires calls to be pre-approved via a merkle tree, and the vaults share exchange rate and withdrawals are managed and handled by the protocol.

Audited a Pendle adaptor and its corresponding Pendle pricing extension, to allow cellars to interact the Pendle protocol and hold various Pendle tokens as positions, including LP, YT, PT, and SY tokens.

Audited an adjustment to the vote escrow curve function and adjustments to the governance contracts setup.

Audit of changes made to the core protocol including margin requirement changes, support for pending deposit, a new EscrowContract has been added, support for quote token migration, and other minor refactors.

We reviewed the new Connext's connector for Scroll L2. Scope included both ScrollHubConnector and ScrollSpokeConnector contracts.

Covenant is a decentralized, non-custodial debt market, built on perpetual debt. It is a lending protocol based on Aave architecture with interest rate calculation externalized to AMM markets for particular debt asset. Macro audited their core protocol implementation prior to their beta release.

Audited Sommelier's multichain contracts that allow assets to be shared between different chains using Chainlink's CCIP protocol. Additionally, we audited the Compound v3 adapter as well as the support for various staking adapters including EtherFi, KelpDAO, Lido, Renzo, Stader, Swell.

Patchwork protocol was refactored and new functionality was added to the core system contract for managing and charging various fees related to different system operations. We have reviewed these changes and additional updates that were introduced to extract assignment functionality into a specific contract

Audited the new addition to cellars to support multi-asset deposits as well as the support for MorphoBlue adapters.

The ability to have a sequencer check was added to the price router to be used for cellars on layer 2 chains, preventing pricing when the sequencer is down.

Audit of Zap, a contract that allows the feeless exchange of USDC to sUSD and vice versa via SynthetixV3 spot markets.

Kwenta V3 smart margin contract was made upgradeable and implemented Zap functionality to exchange USDC to uUSD and back. The ability for USDC to be converted to sUSD and used as collateral, or have collateral be withdrawn and converted to USDC was added.

Audit of Mintra’s marketplace contract, a fork of Thirdweb's direct listing marketplace, with changes being made to permissions, royalty logic, and support for bulk buy.

Audited Mento's new governance contracts using vote escrowed mento tokens to vote, as well as a immutable factory to deploy and setup relevant contracts.

We audited Compound Quark Wallet, a flexible, trustless, custom smart contract account that allows entitled users to execute Quark Operations through direct execution or signatures. The system design allows for any arbitrary code execution, deploying new scripts atomically during a Quark Operation execution or re-using deployed scripts. Additionally, we audited specific scripts, such as Ethcall, Multicall, UniswapFlashLoan, and UniswapFlashSwapExactOut.

Audit of the following additions by Sommelier: A Curve adaptor and Convex curve adaptor allowing cellars to have a curve pool and Convex Curve positions. A pricing extension to price curve 2 pools. A slippage router to allow for deposits and withdrawals with specified slippage. A withdrawal queue, allowing users to specify withdrawal conditions and for a solver to bundle and execute withdrawal orders on their behalf.

An audit of incremental updates to Maple V2 contracts packaged into the Q4 release. These included a new FIFO queue-based withdrawal manager submodule, a new pool permission manager submodule, and additional smaller changes and improvements for the rest of the system.

Kwenta made conditional orders payable with ETH, allowing deposits and withdraws of ETH used for payment. Integration with EIP7412 was also added to allow price oracles to be updated when needed via off-chain verification.

Audit of Farcaster v3.1 contracts. Updates implement new manager pattern to simplify future migrations, and adding additional mitigations to event spamming vectors

Audited the new Aura position adaptor, Curve and Redstone pricing extensions, and small updates to the Frax adaptors.

Audited upgrades to support an optimistic system on Spoke Connectors.

Audited BurnToClaimERC721 as well as changes made to MarketplaceV3 since the previous audit.

Finished the second part of auditing core Nori contracts such as Market, Certificate, Removal, RestrictedNORI, and library helpers

Small audit to review addition of a command that allows callers to update Synthetix keeper fee.

Patchwork protocol enables new onchain use cases by defining and utilising new composition capabilities for ERC721 and ERC1155 tokens. We have reviewed a contract which enforces compliance and manages token transfers with these extra capabilities, including additional access controlled functionality for enabling cross token associations. In addition we have performed review of a set of abstract contracts that are meant to be inherited and reused for implementing specific token composition behaviors in a Patchwork compliant way.

Audited an update to the Aave, Yearn, and Compound portfolios to inherit from the updated Portfolio contract.

Audited V5 Prize Pool and V5 TWAB Controller contracts.

Audit of Kwenta's Smart Margin v3 contract, which leverages Synthetix v3's account-based architecture and offers improved tools for trading Synthetix derivatives.

Audit of the V2 version of Kwenta's staking rewards and rewards escrow contracts, as well as V1 -> V2 escrow migrator contract.

Audited the addition of Frax collateral and debt adaptors, and changes to the AxelarProxy contract.

Audit of two new features in the KeyRegistry and IdRegistry contracts.

Audited the EvolvingNFT and LoyaltyPoints contracts, as well as changes to the smart contract wallet account contracts and their factories.

Audit of Farcaster's core L1 and L2 contracts.

Audited multiple contracts for the v2.2 Mento protocol release. Adding Oracle circuit breakers and updating the constant sum pricing module, pool manager, and a new and simpler ERC20 token implementation for stable tokens.

Audited the addition of the SharePriceOracle contract that uses Chainlink automation to update the share price of a cellar in order to reduce gas costs and lower share price volatility, as well as cellars that integrate this oracle.

Audit of smart-margin V2.10 on the code changes from the prior audit of smart-margin V2.02, including a command that allows whitelisted token swaps to and from sUSD.

We audited the core smart contracts, including their exchange and governance protocols.

Audit scope included, among other things, new connectors to support additional chains, templatized IXReceiver contracts, updates to the Optimism connector to support Bedrock, and adding initial implementation of Optimistic roots to avoid the direct use of AMBs to propagate messages to the RootManage.

Audit of Wormhole hub and spoke connectors.

We audited Bitcone's ERC20 token contract deployed on the Polygon blockchain.

We audited two new contracts being deployed by thirdWeb: Dynamic Drops and Loyalty Cards.

Audited the updated PriceRouter to include pricing extensions as well as the corresponding price extensions for balancer pools and lido wsETH. Added Frax and Morpho position adapters, as well as using Axelar to bridge transaction from the sommelier chain.

We audited minor refactors, a new auth strategy for delegatecash, and improved events among other things

Re-audited Kwenta's accounts and events functionality.

We reviewed Fuji's full platform, including their lending, cross-chain, and permits functionality.

We audited their staking and bridge contracts that are used to manage staking and rewards logic.

Audit of two separate features, the Smart Accounts and Open Edition ERC-721 Accounts.

We reviewed the token contract, including access controls and core ERC-20 functionality.

We audited the Kwenta smart margin accounts functionality and related contracts.

We audited two separate features for thirdWeb, including PackVFR and the Extension Registry contracts.

The Cellar, Registry, CellarFactory, PriceRouter, and SwapRouter contracts were audited, as well as position adaptors integrating Aave, compound, uniswapV3, one inch and 0x.

Audit of Bueno.art's deployed 1155Drop contract deployed on Ethereum, as well as the clone factory contract used to deploy the 1155Drop contract.

We audited Bueno.art's deployed 1155Drop contract, specifically looking at the differences between solidity contracts and the deployed version on Ethereum mainnet referenced in the previous Bueno.art audit.

System for fractionalizing NFTs using custom Nft Vaults and providing liquidity by relying on customized UniswapV2 DEX.

Audit of thirdWeb's Airdrop and Multichain Registry functionality.

Macro audited three separate parts of the Synthetix V3 infrastructure: ERC standard tokens (20 and 721), Hardhat Router and Hardhat Storage

We audited the Synthetix V3 contracts, specifically focusing on the core functionaltiy of the Synthetix V3 protocol.

Re-audit of the Synthetix V3 contracts, specifically focusing on the core functionaltiy of the Synthetix V3 protocol. This was a second audit of similar functionality that was reviewed in the Synthetix-2 audit.

We audited a collection of token extensions related to ERC721 tokens. This included functionality for ownership, permissions, sales, royalties, and more. We also reviewed the routing functionality for the contract.

Audit of The Graph's subscription contract, which allows users to pay for their service with ETH for their services

Audited their Euler Debt and E token adapters.

We re-audited Nori's core contracts, which are used to manage their carbon offsetting platform.

Audit of the xDonations donation contract.

Our review included their core protocol and market contracts.

We audited Connext's messaging layer contracts, responsible for coordinating state updates between various Connext modules.

Audit of their wallet accounts and signature drop 1155 contracts.

Audited Double core vaults, reward distribution, and UniswapV2 liquidity provider and migratory contracts

Audit of mStable's MetaVaults, which are based on EIP-4626 vaults. We reviewed the underlying logic that allows users to deposit and withdraw assets from these vaults.

Audited the core Sommelier contracts, including the contract factory, router, staking, and 3rd party integrations.

Audit of MakerDAO's dss-kiln module, which is used to manage liquidations. We reviewed its core functionality, including the mathematical logic underlying the liquidations functions.

We audited Nori's core contracts, which are used to manage their carbon offsetting platform. This included access controls, bridging functionality and certificate minting functions.

Audit of Bueno.art's deployed 721Drop contract on Polygon, including their contract proxy and administrative functions.

We audited three new staking contracts for thirdweb: TokenStake, a contract for staking ERC20 tokens; NFTStake, a contract for staking ERC721 NFTs; and EditionStake, a contract for staking ERC1155 tokens. Each contract supports configurable staking rewards.

We audited their main contracts, ZK ConstructionBay contract and Deployment scripts.

Audit of Marketplace and TieredDrop contracts.

Audit of their ERC20, ERC721 and ERC1155 drop contracts.

Audit of PartDAO's core contracts, which are used to manage their governance and treasury.

Audit of the smart margin contracts, including the future's market and interfaces.

Macro is excited to continue its ongoing engagement with Sommelier Finance as they realize their vision of algorithmic, automated DeFi yield optimization strategies. Cellars support dynamic management and balancing across multiple asset types: ERC20s, other ERC4626s, and other Cellars – which are themselves ERC4626 vaults. They utilize governance and control mechanisms for management; Uniswap V2/V3 for asset rebalancing; and Chainlink price oracles for asset valuation.

Audit of their ERC20, ERC721 and ERC1155 token contracts.

We audited thirdWeb's Pack functionality and subsequent extensions and interfaces for the contract.

We audited three new exciting features for thirdweb: Multiwrap, a contract that allows transferring and trading of multiple assets as a single unit; DropERC1155, a contract that allows users to easily mint multiple sets of NFTs with no redeployment; and SignatureDrop, a contract that allows facilitating both drops and mints via signatures.