Security

Transparency about how we protect your funds

SECURITY AUDIT STATUS

Comprehensive Security Review Complete

February 2026 — 20 contracts, 6,500+ lines audited

Findings: 0 Critical, 0 High, 0 Medium, 3 Low, 5 Informational

167 Tests Passing
20 Contracts Audited
6,500+ Lines of Code
10/10 OWASP SC Top 10

Contract Architecture

MaxFi is powered by the battle-tested Snuggle smart contract suite — the same contracts securing Snuggle's production deployment on Base mainnet.

Contract                        | Lines | Category          | Status
SnuggleVault.sol                | 1,413 | Core vault        | Battle-Tested
StakingManager.sol              |   440 | Fee distribution  | Battle-Tested
FeeTransferHelper.sol           |   101 | Token transfers   | Battle-Tested
KeepersHelper.sol               |   180 | Automation        | Battle-Tested
ViewHelper.sol                  |   182 | Read-only queries | Battle-Tested
ReferralTracker.sol             |   221 | Referral tracking | Battle-Tested
UniswapV3Adapter.sol            |   237 | Position mgmt     | Battle-Tested
AerodromePositionAdapter.sol    |   269 | Position mgmt     | Battle-Tested
AerodromeRewardAdapter.sol      |   422 | Staking/rewards   | Battle-Tested
PancakeSwapPositionAdapter.sol  |   250 | Position mgmt     | Battle-Tested
PancakeSwapRewardAdapter.sol    |   475 | Staking/rewards   | Battle-Tested

+ 8 additional files (libraries, interfaces, admin satellite, upgradeable variant) — all audited

OWASP Smart Contract Top 10 Assessment

Every category from the OWASP Smart Contract Top 10 (2026) was assessed and passed. This standard covers 122 historical incidents totaling $905.4M in losses.

SC01  Access Control               PASS
SC02  Business Logic               PASS
SC03  Price Oracle Manipulation    PASS
SC04  Flash Loan Attacks           PASS
SC05  Input Validation             PASS
SC06  Unchecked External Calls     PASS
SC07  Arithmetic Errors            PASS
SC08  Reentrancy Attacks           PASS
SC09  Integer Overflow/Underflow   PASS
SC10  Proxy & Upgradeability       PASS

Tested against real-world DeFi exploits including Gamma Strategies ($4.5M) and Visor Finance ($450K).

Testing Methodology

Our smart contracts undergo rigorous multi-layered testing to ensure reliability and security.

167 Unit Tests: comprehensive test coverage across all contracts, with fuzz testing

10 Invariant Tests: property-based tests verifying that critical security properties hold under any operation sequence

40K+ Randomized Calls: invariant tests execute ~40,000 randomized function calls to find edge cases

Invariants Verified

  • Protocol fees never exceed 1% maximum
  • Referral fees never exceed protocol fees
  • Position range widths stay within bounds
  • Rebalance delays stay within 1h-7d limits
  • Treasury is set when fees are active
  • Tick ranges are always valid
  • Position ownership remains consistent
  • Fee accounting: no tokens lost or created
  • Deposit timestamps are valid
  • Internal accounting matches expected state
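As an added illustration of how the first, second and fifth invariants above can be checked with Foundry's invariant fuzzer (this is example code, not MaxFi's or Snuggle's test suite), the hypothetical FeeConfig contract below enforces the fee bounds and the test contract re-checks them after every randomized call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical fee-configuration contract (not MaxFi/Snuggle code) enforcing
// three of the bounds listed above: protocol fee <= 1% (100 bps), referral
// fee <= protocol fee, and a treasury set whenever fees are non-zero.
contract FeeConfig {
    uint256 public constant MAX_PROTOCOL_FEE_BPS = 100; // 1% in basis points
    uint256 public protocolFeeBps;
    uint256 public referralFeeBps;
    address public treasury;
    function setProtocolFee(uint256 bps) external {
        require(bps <= MAX_PROTOCOL_FEE_BPS, "fee > 1%");
        require(bps == 0 || treasury != address(0), "treasury unset");
        protocolFeeBps = bps;
        if (referralFeeBps > bps) referralFeeBps = bps; // keep referral <= protocol
    }
    function setReferralFee(uint256 bps) external {
        require(bps <= protocolFeeBps, "referral > protocol");
        referralFeeBps = bps;
    }
    function setTreasury(address t) external {
        require(t != address(0) || protocolFeeBps == 0, "fees active");
        treasury = t;
    }
}

// Foundry invariant test: the fuzzer calls FeeConfig's setters in random
// sequences (runs x depth from foundry.toml) and re-checks every invariant_*
// function after each call, so a bypass in any setter surfaces as a failure.
contract FeeConfigInvariantTest is Test {
    FeeConfig internal cfg;

    function setUp() public {
        cfg = new FeeConfig();
        targetContract(address(cfg)); // restrict fuzzing to this contract's ABI
    }
    function invariant_protocolFeeNeverExceedsOnePercent() public view {
        assertLe(cfg.protocolFeeBps(), cfg.MAX_PROTOCOL_FEE_BPS());
    }
    function invariant_referralFeeNeverExceedsProtocolFee() public view {
        assertLe(cfg.referralFeeBps(), cfg.protocolFeeBps());
    }
    function invariant_treasurySetWhenFeesActive() public view {
        assertTrue(cfg.protocolFeeBps() == 0 || cfg.treasury() != address(0));
    }
}
```

Run with `forge test --match-contract FeeConfigInvariantTest`; removing any `require` in a setter makes the corresponding invariant fail with the call sequence that broke it.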

Security Features Implemented

ReentrancyGuard

All state-changing functions protected against reentrancy attacks

Checks-Effects-Interactions

Storage updates before external calls to prevent exploits

Ownable2Step

Two-step ownership transfer prevents accidental lockout

Pausable

Emergency stop capability for incident response

SafeERC20

Safe token transfer patterns for all ERC20 operations

TWAP Oracle

5-minute price oracle prevents manipulation attacks

Flash Loan Protection

1-minute minimum hold time prevents flash loan exploits

Position Limits

Configurable position limits (500 per user, 100K total) prevent gas griefing

Read-Only Reentrancy Protection

Withdrawal flags in adapters prevent view function exploits

Zero-Swap Architecture

Rebalancing without swaps eliminates sandwich attacks and MEV extraction
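The following Solidity skeleton is an added example (not MaxFi or Snuggle code) that combines four of the features listed above: a reentrancy guard, checks-effects-interactions, the 1-minute minimum hold before withdrawal, and a withdrawal flag that view functions consult. GuardedVault, IPosition and all field names are hypothetical; a reentrant call into a state-changing function is stopped by the guard, and a reentrant call into the price view is stopped by the flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative vault skeleton (not MaxFi/Snuggle code). IPosition is a hypothetical
// position adapter that pays out assets on burn and may call back into the vault.
interface IPosition {
    function burn(uint256 sharesToBurn) external returns (uint256 assetsOut);
}

contract GuardedVault {
    uint256 public constant MIN_HOLD_TIME = 1 minutes; // the 1-minute hold described above
    IPosition public immutable position;
    mapping(address => uint256) public shares;
    mapping(address => uint256) public depositedAt;
    uint256 public totalShares;
    uint256 public totalAssets;
    bool private _locked;      // ReentrancyGuard state for state-changing entry points
    bool private _withdrawing; // read-only reentrancy flag consulted by view functions
    modifier nonReentrant() {
        require(!_locked, "reentrant call");
        _locked = true;
        _;
        _locked = false;
    }
    constructor(IPosition _position) { position = _position; }

    // Simplified 1:1 share accounting; assets are assumed to already sit in the adapter.
    function deposit(uint256 assets) external nonReentrant {
        require(assets > 0, "zero deposit");           // checks
        shares[msg.sender] += assets;                  // effects (no external call follows)
        totalShares += assets;
        totalAssets += assets;
        depositedAt[msg.sender] = block.timestamp;     // starts the hold-time clock
    }
    function withdraw(uint256 sharesToBurn) external nonReentrant returns (uint256 assetsOut) {
        require(block.timestamp >= depositedAt[msg.sender] + MIN_HOLD_TIME, "hold time not met");
        require(shares[msg.sender] >= sharesToBurn, "insufficient shares");
        shares[msg.sender] -= sharesToBurn;            // effects before the external call
        totalShares -= sharesToBurn;
        _withdrawing = true;                           // accounting is in flux until the burn settles
        assetsOut = position.burn(sharesToBurn);       // interaction: may re-enter through view calls
        totalAssets -= assetsOut;                      // payout is only known after the call returns
        _withdrawing = false;
    }
    // Price view an integrator might rely on: it refuses to answer mid-withdrawal.
    function assetsPerShare() external view returns (uint256) {
        require(!_withdrawing, "read-only reentrancy");
        return totalShares == 0 ? 1e18 : (totalAssets * 1e18) / totalShares;
    }
}
```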

Audit Reports

About Our Security Audits

MaxFi's smart contracts have undergone comprehensive AI-assisted security review using industry-standard methodologies including OWASP Smart Contract Top 10, Trail of Bits security patterns, Spearbit audit frameworks, and analysis of historical DeFi exploits (Gamma Strategies, Visor Finance, and others).

The core contract suite is identical to Snuggle's production deployment which has been through 10+ audit iterations and is live on Base mainnet.

Transparency Note: These audits were conducted using AI security analysis tools, not a traditional third-party audit firm. While the methodology is rigorous and comprehensive, we plan to commission a brand-name security firm audit as the protocol grows. Always do your own research and only deposit what you can afford to lose.

Deployed Contracts

MaxFi contracts are audited and ready for Base mainnet deployment. Contract addresses will be published here once deployed. All contracts will be verified on BaseScan for full transparency.

Report a Security Issue

Found a vulnerability? We take security seriously and appreciate responsible disclosure. Reach out to us through any of these channels:

Future Security Plans

  • Commission audit from recognized security firm (Trail of Bits, OpenZeppelin, etc.)
  • Launch formal bug bounty program with rewards
  • Implement time-locked admin functions
  • Add multi-sig requirement for protocol upgrades

Important: Despite our security measures, all DeFi protocols carry inherent risks. Smart contract bugs, economic exploits, and unforeseen vulnerabilities can result in loss of funds. Never deposit more than you can afford to lose. Please read our full risk disclosure before using MaxFi.