Maple Finance
About
Maple Finance is a digital asset lending platform that connects institutional borrowers to liquidity providers through secured, overcollateralized loans managed onchain. It offers two primary yield products: syrupUSDC and syrupUSDT for individuals (non-US) seeking institutional-quality yields in a single liquid asset, and Maple Institutional for sophisticated allocators seeking professionally managed, permissioned secured lending. The platform combines traditional credit underwriting and risk management with real-time smart contract monitoring for transparent, verifiable loan operations.
Where Does Yield Come From?
Where the yield comes from
Most of the yield on Maple comes from fixed-rate loans to institutional crypto borrowers. These loans are overcollateralized — meaning borrowers must put up more digital assets (like BTC or ETH) than the amount they borrow. This extra collateral helps protect lenders if the borrower defaults.
How loans are managed
Maple Direct (the lending arm) does the credit checks, structures the loans, and manages them over time. Smart contracts watch each loan in real time to make sure the collateral stays at the required level.
Extra strategies for syrup pools
On top of institutional lending, syrupUSDC and syrupUSDT pools also put money into two additional strategies:
- Futures basis trading — a "cash-and-carry" approach that captures the price gap between current (spot) prices and futures contracts
- DeFi liquidity provision — placing capital into liquidity pools across chains like Ethereum, Solana, and Plasma
All of these allocations can be seen on-chain (publicly verifiable).
Who earns what (the fee flow)
Borrowers pay several fees:
- Origination fee — charged when the loan is funded
- Service fee — charged during loan payments
- Management fee — a share of the gross interest
These fees are split between Pool Delegates and the Maple Treasury. There's also a performance fee on yield from DeFi strategies, tracked through a snapshot-based system.
After all fees are paid, the net interest flows to liquidity providers (LPs) — the people who supply capital to the pools.
Token buybacks and risk separation
Under the SYRUP token design, 25% of protocol revenue is used for token buybacks. Crucially, syrupUSDC and syrupUSDT pools are kept legally and contractually separate from Maple's institutional pools — this risk segmentation means problems in one set of pools don't spill into the other.
Persons
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Trail of Bits29-08-2022 - 30-09-2022 |
| The audit uncovered no critical or high-severity issues, and all findings except one acknowledged low-severity EIP-4626 non-compliance were remediated by the Maple team, indicating a well-hardened codebase prior to deployment with residual low-level specification gaps. |
Spearbit02-12-2022 |
| The audit identified one critical-value high-risk issue (first-depositor front-running) that was fixed before deployment, and four medium-risk findings of which three were fixed; most low-severity findings were addressed or acknowledged with operational mitigations, leaving residual design risks (unrealized-loss deposit window, withdrawal griefing) that are documented and managed off-chain. |
Three Sigma24-10-2022 - 09-11-2022 |
| The audit found no critical vulnerabilities and the single high-severity inflation attack was remediated by the team. Residual risks center on the protocol's acknowledged centralization, where governors and delegates retain significant privileges over pools and funds. |
Cantina Managed (Christoph Michel, Riley Holterhus, Jonatas Martins)24-04-2023 - 05-05-2023 |
| One High-severity issue (borrower-controlled loan migration) was fixed before release, and the sole Medium-severity finding (reentrant tokens) was acknowledged with no current exposure. The audit indicates a well-scoped security posture for Maple V2's Open Term Loan release, though integrators should note the acknowledged reentrancy caveat if future tokens with callbacks are listed. |
Three Sigma10-04-2023 - 21-04-2023 |
| Three Sigma uncovered three critical-severity attack vectors that could have let malicious pool delegates or front-runners drain pool funds, all of which were addressed by the Maple team prior to deployment. The remaining medium and low findings, while partially addressed, underscore centralization risks inherent in the delegate-governed model that LPs must trust. |
Three Sigma Labs06-11-2023 - 17-11-2023 |
| The audit found no critical, high, or medium severity vulnerabilities, with only three low-severity issues (two addressed) and four informational items, indicating that the Maple Finance V2 Q4 update was in solid security condition at the time of review. |
0xMacro27-11-2023 - 11-12-2023 |
| The audit identified no critical or high severity vulnerabilities, and the two medium-severity issues were either fixed or acknowledged with operational mitigations, reflecting a solid security posture for the audited contract set. |
Three Sigma19-08-2024 - 23-08-2024 |
| The audit found no critical, high, or medium severity vulnerabilities, with only one low-severity MEV-related issue that was promptly addressed, indicating a solid security posture for the Syrup protocol. |
0xMacro05-08-2024 - 08-08-2024 |
| The audit found no critical, high, or medium severity vulnerabilities, with only one acknowledged low-severity edge case and two code quality improvements that were already fixed, reflecting strong overall security of the audited contracts. |
Three Sigma Labs21-05-2024 - 22-05-2024 |
| This audit found no high-severity or critical vulnerabilities, with only two low-severity frontrunning/griefing issues that were promptly addressed, indicating the Syrup protocol's core security posture is sound for deployment. |
Three Sigma25-11-2024 - 06-12-2024 |
| The audit found no critical, high, or medium severity issues, with only two low-severity findings (both acknowledged) and 13 informational suggestions, indicating the protocol's core logic is well-engineered and the new strategy layer introduces manageable residual risks that can be handled operationally. |
0xMacro09-12-2024 - 19-12-2024 |
| The audit found only two issues (one medium, one low), both of which were fixed by the Maple Finance team, resulting in a clean security posture for the audited scope with no unresolved vulnerabilities. |
| The Sherlock audit report for Maple Finance's GovernorTimelock contracts could not be retrieved in a readable format, so no assessment of protocol safety can be made from it. | |
0xMacro15-09-2025 - 18-09-2025 |
| The audit identified a single low-severity issue concerning the irrecoverability of a compromised token withdrawer, which was already addressed. The overall design of the GovernorTimelock contract, with its separation of duties and role-based safeguards, appears sound. |
Spearbit25-11-2025 |
| The audit identified one High-severity issue (redeem-queue bricking) which was acknowledged and fixed in subsequent commits, with no Critical or Medium findings, indicating that the withdrawal-manager-queue v2.0.0-rc.1 code is reasonably sound for deployment provided the remediations are incorporated. |
Sherlock22-10-2025 - 29-10-2025 |
| No critical, high, or medium vulnerabilities were identified; the sole low-severity finding was acknowledged and accepted as a non-critical design limitation. The audit indicates the withdrawal manager upgrade is safe to deploy from a security standpoint. |
Dedaub17-11-2025 - 19-11-2025 |
| The audit found zero exploitable vulnerabilities across all severity bands, indicating that the Maple CCIP Receiver contracts are well-constructed for their intended deposit and redemption flows. The identified advisory issues and centralization risks were either resolved or acknowledged, posing no material threat to core protocol safety. |
| The audit found no critical or high-severity vulnerabilities; all 13 findings were Low or Informational, with 7 resolved in retesting and 6 acknowledged as acceptable design choices, indicating a solid security posture for the cross-chain receiver contracts. |
Backers
According to Maple Finance's official website (maple.finance/about), the protocol lists its backers under "Backed by the Best" including: BlockTower, Circle, Tioga Capital, Spartan Group, Castle Island VC, Framework Ventures, and Veris Ventures. No specific funding round amounts, dates, or series (e.g. seed, Series A, etc.) are disclosed on the publicly available pages of the official website.
Legal
Legal form
Pty Ltd (Proprietary Limited Company)
Registration jurisdiction
Australia (Victoria, Melbourne). Registered address: Maple Labs Pty Ltd, c/o Valles Accountants, 452 Flinders Street, Melbourne Vic 3000, Australia.
Status and notes
The operator of the Maple interface is Maple Labs Pty Ltd, an Australian proprietary limited company, as disclosed in the Interface Terms of Use (last modified April 14, 2025) and Privacy Policy (last modified September 15, 2024). The Terms of Use are governed by the laws of the State of Florida, USA for dispute resolution purposes, while the entity itself is registered in Australia. The website footer includes a disclaimer stating Maple is a technology services provider, that the Maple Protocol is provided "as is" and "as available," and disclaiming liability. A comprehensive set of legal documents is available in the Maple documentation, including Interface Terms of Use, Privacy Policy, Borrower Master Loan Agreement, KYC policy, syrupUSDC/USDT Risk Disclosures, Available Jurisdictions (which restricts access from the US, Australia, and many other countries), a MiCA Whitepaper, and product-specific terms. The protocol also has a DAO component (Maple DAO) mentioned in the trademark section of the Terms.