[ARFC] Onboard syrupUSDC to Aave V3 Core Instance

AL Technical Analysis of syrupUSDC for Aave V3 on Core

Date: 2026-04-16

Discussions: Original ARFC · BGD post #8 · BGD post #10

Base precedent: Direct-to-AIP: syrupUSDC on Aave V3 Base

Summary

This is a technical analysis of the smart contracts of the syrupUSDC asset and its main dependencies.

Disclosure: This is not an exhaustive security review of the asset, but an analysis from an Aave technical service provider on aspects considered critical to review before a new type of listing. Consequently, as with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we do not see significant problems with its integration with Aave apart from the trust assumptions and conditions described below.

Analysis

syrupUSDC is classified under AACA as Group 3, subclass 3c, a yield-bearing stablecoin approved on a case-by-case basis. It is a non-rebasing ERC-4626 vault share over USDC. Value accrues through the exchange rate, and the relevant review surface is the full Maple system that determines redemption value and pricing.

The key onchain contracts and dependencies relevant to Aave are the following:

| Component | Address | Role |
| --- | --- | --- |
| syrupUSDC | 0x80ac24aA929eaF5013f6436cdA2a7ba190f5Cc0b | ERC-4626 vault share / listed asset |
| USDC | 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 | Underlying asset |
| PoolManager | 0x7aD5fFa5fdF509E30186F4609c2f6269f4B6158F | Maple pool manager proxy |
| Globals | 0x804a6F5F667170F545Bf14e5DDB48C70B788390C | Maple protocol role registry / control surface |
| Governor Timelock | 0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b | Governance execution layer |
| Governor Safe | 0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196 | Proposer, 4-of-7 Safe |
| SecurityAdmin Safe | 0x6b1A78C1943b03086F7Ee53360f9b0672bD60818 | Emergency admin, 3-of-6 Safe |
| OperationalAdmin Safe | 0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8 | Operations admin, 3-of-5 Safe |
| PoolDelegate | 0xC1e18FFD8825FfB286D177DDEbeba345EC70B49f | Loan management |

The token contract is verified, uses 6 decimals, and is not upgradeable. Proxy detection returned zero values for the standard EIP-1967 implementation and admin slots. At the reviewed block height, totalSupply() was 1,445,304,572,289,555, totalAssets() was 1,675,820,590,031,123, convertToAssets(1_000_000) returned 1,159,493, and unrealizedLosses() returned zero.
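The proxy check mentioned above can be reproduced by reading the two EIP-1967 slots and decoding them. The sketch below is an added example, not tooling from the analysis: the function names, the `read_slot` callback and the sample addresses are assumptions, and the storage contents are constructed so the code runs offline. Empty slots only rule out the EIP-1967 layout; other proxy patterns need a separate bytecode or storage review.

```python
# EIP-1967 slots: keccak256("eip1967.proxy.<name>") - 1, fixed by the standard.
EIP1967_SLOTS = {
    "implementation": 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC,
    "admin": 0xB53127684B568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103,
}
ZERO_WORD = "0x" + "00" * 32


def storage_request(address, slot, block="latest", req_id=1):
    """Build the eth_getStorageAt JSON-RPC payload for one slot at one block."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getStorageAt",
            "params": [address, hex(slot), block]}


def word_to_address(word_hex):
    """Decode a 32-byte storage word; None means the slot is empty."""
    raw = bytes.fromhex(word_hex.removeprefix("0x").rjust(64, "0"))
    if len(raw) != 32:
        raise ValueError("storage word must be 32 bytes")
    if raw[:12] != bytes(12):
        raise ValueError("upper 12 bytes set: slot does not hold an address")
    return None if raw == bytes(32) else "0x" + raw[12:].hex()


def eip1967_report(read_slot, address):
    """read_slot(address, slot) -> hex word. Returns slot name -> address or None."""
    return {name: word_to_address(read_slot(address, slot))
            for name, slot in EIP1967_SLOTS.items()}


def is_eip1967_proxy(report):
    """True when either standard slot is populated."""
    return any(value is not None for value in report.values())


# Constructed storage for two made-up contracts (not addresses from this page).
PLAIN = "0x" + "11" * 20      # behaves like a non-upgradeable token
PROXIED = "0x" + "22" * 20    # behaves like an EIP-1967 proxy
IMPL = "0x" + "33" * 20
FAKE_STORAGE = {
    (PROXIED, EIP1967_SLOTS["implementation"]): "0x" + "00" * 12 + "33" * 20,
}


def fake_read_slot(address, slot):
    """Offline stand-in for an RPC call; unknown slots read as zero."""
    return FAKE_STORAGE.get((address, slot), ZERO_WORD)
```
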

The token passes standard ERC-20 and wrapper-level integration checks. No fee-on-transfer behavior, ERC-777-style hooks, token-level blacklist, whitelist, transfer restriction, or flash mint capability was identified. EIP-2612 support is present through DOMAIN_SEPARATOR(). Minting and burning are bounded by the ERC-4626 deposit and redeem path.

Oracle compatibility

The Ethereum syrupUSDT listing uses a CAPO adapter with the wrapper as RATIO_PROVIDER, and a capped USDT/USD feed. On Ethereum, we propose using the PriceCapAdapter CAPO adapter, with syrupUSDC as the ratio provider and a capped USDC/USD feed as the base aggregator.

CAPO bounds upward moves caused by donations. Downward moves caused by credit losses reduce value as expected for a credit-backed wrapper. Downward moves caused by administrative impairment actions also reduce the oracle-observable value and connect Maple’s control surface directly to the Aave pricing path.
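The asymmetry described above, as an added example that is not the adapter's code: a simplified model of a ratio cap that grows linearly from a snapshot, combined with a capped base feed. The parameter names and every cap value are assumptions chosen for illustration; only the 1,159,493 rate comes from this analysis.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600
BPS = 10_000


@dataclass(frozen=True)
class CapParams:
    """Hypothetical cap settings; none of these values come from the proposal."""
    snapshot_ratio: int          # USDC units per 1_000_000 share units at snapshot
    snapshot_ts: int             # unix time the snapshot was taken
    max_yearly_growth_bps: int   # ratio growth the cap tolerates per year
    base_price_cap: int          # ceiling applied to the USDC/USD feed (8 decimals)
    ratio_unit: int = 1_000_000  # syrupUSDC uses 6 decimals


def max_ratio(p: CapParams, now: int) -> int:
    """Highest ratio accepted at `now`: linear growth from the snapshot."""
    elapsed = max(0, now - p.snapshot_ts)
    growth = p.snapshot_ratio * p.max_yearly_growth_bps * elapsed
    return p.snapshot_ratio + growth // (BPS * SECONDS_PER_YEAR)


def capped_price(p: CapParams, now: int, ratio: int, base_price: int) -> int:
    """USD price of one share (8 decimals). Only upward moves are clamped."""
    if ratio <= 0 or base_price <= 0:
        raise ValueError("ratio and base price must be positive")
    used_ratio = min(ratio, max_ratio(p, now))
    used_base = min(base_price, p.base_price_cap)
    return used_base * used_ratio // p.ratio_unit


# Constructed scenario: snapshot 60 days old, 10% yearly growth allowance,
# base feed capped at 1.04 USD.
PARAMS = CapParams(1_150_000, 0, 1_000, 104_000_000)
NOW = 60 * 24 * 3600
USD_1 = 100_000_000

SCENARIOS = [
    ("reported rate", 1_159_493),     # convertToAssets(1_000_000) from this analysis
    ("after donation", 1_250_000),    # constructed upward jump, gets clamped
    ("after impairment", 1_100_000),  # constructed drop, passes through unchanged
]

if __name__ == "__main__":
    print("cap", max_ratio(PARAMS, NOW))
    for label, ratio in SCENARIOS:
        print(label, capped_price(PARAMS, NOW, ratio, USD_1))
```
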

Upgradeability and control surface

The listed token is not upgradeable, but the surrounding system is not static. The PoolManager is a minimal proxy, and Globals is upgradeable and controls protocol roles. The Governor Timelock was deployed in September 2025 and audited by Sherlock and 0xMacro. Maple documentation states a minimum delay of one day, although the timelock does not expose standard OpenZeppelin getMinDelay() behavior.

The main control surface sits at the Maple governance and admin layer. The Governor Safe holds PROPOSER_ROLE. The Timelock ROLE_ADMIN set includes an EOA. EXECUTOR_ROLE includes both an EOA and the OperationalAdmin Safe. SecurityAdmin holds emergency pause authority. OperationalAdmin can impair or disable lending strategies without timelock protection. From an Aave integration perspective, this is the most important admin path because strategy impairment can increase unrealizedLosses() and reduce the syrupUSDC exchange rate observed through the oracle path.

| Role | Holder(s) | Functions | Criticality | Risk |
| --- | --- | --- | --- | --- |
| ROLE_ADMIN | Includes EOA 0xa04bddfb5bce1afc0a939749dc721ba762019b2a | Grant / revoke proposer and executor permissions; broader timelock role administration | CRITICAL | :orange_circle: |
| Governor Safe | 0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196 (4-of-7) | Proposal scheduling / governance proposal path via PROPOSER_ROLE | HIGH | :green_circle: |
| SecurityAdmin Safe | 0x6b1A78C1943b03086F7Ee53360f9b0672bD60818 (3-of-6) | Emergency pause actions | HIGH | :green_circle: |
| OperationalAdmin Safe | 0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8 (3-of-5) | Strategy impairment / disablement and related operational actions outside timelock protection | CRITICAL | :orange_circle: |
| PoolDelegate | Role-based operational actor | Day-to-day loan origination and management | MEDIUM | :green_circle: |

Governor Timelock

Maple uses a proprietary Governor Timelock contract at 0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b as the governance execution layer. Maple documentation states a minimum delay of one day, although the contract does not expose standard OpenZeppelin getMinDelay() behavior onchain. The timelock is role-based and sits at the center of the Maple governance and admin control surface.

| Permission Owner | Functions | Criticality | Risk |
| --- | --- | --- | --- |
| Governor Timelock | Governance execution layer with delayed execution | HIGH | :green_circle: |
| ROLE_ADMIN: Governor 4-of-7, EOA 0xa04bddfb5bce1afc0a939749dc721ba762019b2a | Can alter proposer and executor permissions | CRITICAL | :orange_circle: |
| PROPOSER_ROLE: Governor 4-of-7 | Can schedule governance proposals | HIGH | :green_circle: |
| EXECUTOR_ROLE: OperationalAdmin 3-of-5, EOA | Can execute proposals | HIGH | :yellow_circle: |
| SecurityAdmin 3-of-6 | Emergency pause actions | HIGH | :yellow_circle: |
| PoolDelegate | Day-to-day loan origination and management | MEDIUM | :yellow_circle: |

The signer sets are:

Governor Safe — 4-of-7
0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196


SecurityAdmin Safe — 3-of-6
0x6b1A78C1943b03086F7Ee53360f9b0672bD60818


OperationalAdmin Safe — 3-of-5
0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8


Exchange-rate mechanism

The wrapper uses standard ERC-4626 accounting through convertToAssets(). Under normal operation, the exchange rate increases as Maple’s lending portfolio generates yield. Because the token is non-rebasing, value accrual is reflected in the exchange rate rather than in balances.

Borrower defaults increase unrealizedLosses() and reduce redemption value. OperationalAdmin can also impair strategies, which can increase unrealizedLosses() and reduce the oracle-observable exchange rate. The accounting path is straightforward. The relevant risk is the control surface that can affect that path.

Withdrawals are handled through a two-step FIFO queue. Average completion is stated as under one hour. The reviewed material also notes instant liquidity through Uniswap V4 and Balancer with approximately $20M of combined DEX depth. There is no slashing model. Losses pass through the exchange rate.

Dependency analysis

The relevant dependencies are Maple protocol contracts and governance, USDC as the underlying asset, the CAPO adapter, Chainlink’s USDC/USD feed, DEX liquidity, the Maple withdrawal queue, and the institutional borrower set.

totalAssets() is driven by outstanding loan balances rather than by passively held base assets. Borrower default that is not stabilized or liquidated in time increases unrealizedLosses() and reduces the exchange rate. The reviewed material describes the mitigants as overcollateralized loans, active margin monitoring, onchain liquidation processes, and borrower concentration limits, with no single borrower representing more than 20% of pool exposure.

USDC adds standard centralized issuer risk at the underlying layer, including blacklist and pause risk.

Audit coverage

The reviewed audits include coverage from Trail of Bits, Spearbit, Three Sigma, 0xMacro, Sherlock, Dedaub, and Sigma Prime across Maple Core V2, later protocol updates, the Syrup Router, the Governor Timelock, the Withdrawal Manager, and the CCIP Receiver. No unresolved critical findings are identified in those audits. Maple also maintains an Immunefi bug bounty with a maximum reward of $500,000.

The historical record includes Maple defaults in late 2022, including Orthogonal Trading, under the earlier delegated-pool model rather than the current Maple Direct architecture. Maple Direct was introduced in 2024. syrupUSDC launched in May 2024 under that model, with no defaults noted in the reviewed period.

Risk summary

The token contract is verified, non-rebasing, and non-upgradeable. The remaining risks sit at the Maple governance and admin layer and in the fragility of the share-price accounting.

Maple has clarified that the EOA address retaining ROLE_ADMIN in the timelock control surface is an MPC wallet with strict multisig rules. Roles capable of affecting unrealizedLosses() and the oracle-observed exchange rate are clearly documented and tightly constrained.

syrupUSDC is eligible with conditions. It should not be borrowable. Strategy impairment or disablement can increase unrealizedLosses() and reduce the exchange rate, which connects Maple’s control surface directly to the Aave pricing path.