AL Technical Analysis of syrupUSDC for Aave V3 on Core
Date: 2026-04-16
Discussions: Original ARFC · BGD post #8 · BGD post #10
Base precedent: Direct-to-AIP: syrupUSDC on Aave V3 Base
Summary
This is a technical analysis of the smart contracts of the syrupUSDC asset and its main dependencies.
Disclosure: This is not an exhaustive security review of the asset, but an analysis from an Aave technical service provider on aspects considered critical to review before a new type of listing. Consequently, as with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we do not see significant problems with its integration with Aave apart from the trust assumptions and conditions described below.
Analysis
syrupUSDC is classified under AACA as Group 3, subclass 3c, a yield-bearing stablecoin approved on a case-by-case basis. It is a non-rebasing ERC-4626 vault share over USDC. Value accrues through the exchange rate, and the relevant review surface is the full Maple system that determines redemption value and pricing.
The key onchain contracts and dependencies relevant to Aave are the following:
| Component | Address | Role |
|---|---|---|
| syrupUSDC | 0x80ac24aA929eaF5013f6436cdA2a7ba190f5Cc0b | ERC-4626 vault share / listed asset |
| USDC | 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 | Underlying asset |
| PoolManager | 0x7aD5fFa5fdF509E30186F4609c2f6269f4B6158F | Maple pool manager proxy |
| Globals | 0x804a6F5F667170F545Bf14e5DDB48C70B788390C | Maple protocol role registry / control surface |
| Governor Timelock | 0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b | Governance execution layer |
| Governor Safe | 0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196 | Proposer, 4-of-7 Safe |
| SecurityAdmin Safe | 0x6b1A78C1943b03086F7Ee53360f9b0672bD60818 | Emergency admin, 3-of-6 Safe |
| OperationalAdmin Safe | 0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8 | Operations admin, 3-of-5 Safe |
| PoolDelegate | 0xC1e18FFD8825FfB286D177DDEbeba345EC70B49f | Loan management |
The token contract is verified, uses 6 decimals, and is not upgradeable. Proxy detection returned zero values for the standard EIP-1967 implementation and admin slots. At the reviewed block height, totalSupply() was 1,445,304,572,289,555, totalAssets() was 1,675,820,590,031,123, convertToAssets(1_000_000) returned 1,159,493, and unrealizedLosses() returned zero.
The token passes standard ERC-20 and wrapper-level integration checks. No fee-on-transfer behavior, ERC-777-style hooks, token-level blacklist, whitelist, transfer restriction, or flash mint capability was identified. EIP-2612 support is present through DOMAIN_SEPARATOR(). Minting and burning are bounded by the ERC-4626 deposit and redeem path.
Oracle compatibility
The Ethereum syrupUSDT listing uses a CAPO adapter with the wrapper as RATIO_PROVIDER and a capped USDT/USD feed. On Ethereum, we propose using a PriceCapAdapter CAPO adapter, with syrupUSDC as the ratio provider and a capped USDC/USD feed as the base aggregator.
CAPO bounds upward moves caused by donations. Downward moves caused by credit losses reduce value as expected for a credit-backed wrapper. Downward moves caused by administrative impairment actions also reduce the oracle-observable value and connect Maple’s control surface directly to the Aave pricing path.
Upgradeability and control surface
The listed token is not upgradeable, but the surrounding system is not static. The PoolManager is a minimal proxy, and Globals is upgradeable and controls protocol roles. The Governor Timelock was deployed in September 2025 and audited by Sherlock and 0xMacro. Maple documentation states a minimum delay of one day, although the timelock does not expose standard OpenZeppelin getMinDelay() behavior.
The main control surface sits at the Maple governance and admin layer. The Governor Safe holds PROPOSER_ROLE. The Timelock ROLE_ADMIN set includes an EOA. EXECUTOR_ROLE includes both an EOA and the OperationalAdmin Safe. SecurityAdmin holds emergency pause authority. OperationalAdmin can impair or disable lending strategies without timelock protection. From an Aave integration perspective, this is the most important admin path because strategy impairment can increase unrealizedLosses() and reduce the syrupUSDC exchange rate observed through the oracle path.
| Role | Holder(s) | Functions | Criticality | Risk |
|---|---|---|---|---|
| ROLE_ADMIN | Includes EOA 0xa04bddfb5bce1afc0a939749dc721ba762019b2a | Grant / revoke proposer and executor permissions; broader timelock role administration | CRITICAL | |
| Governor Safe | 0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196 (4-of-7) | Proposal scheduling / governance proposal path via PROPOSER_ROLE | HIGH | |
| SecurityAdmin Safe | 0x6b1A78C1943b03086F7Ee53360f9b0672bD60818 (3-of-6) | Emergency pause actions | HIGH | |
| OperationalAdmin Safe | 0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8 (3-of-5) | Strategy impairment / disablement and related operational actions outside timelock protection | CRITICAL | |
| PoolDelegate | Role-based operational actor | Day-to-day loan origination and management | MEDIUM | |
Governor Timelock
Maple uses a proprietary Governor Timelock contract at 0x2eFFf88747EB5a3FF00d4d8d0f0800E306C0426b as the governance execution layer. Maple documentation states a minimum delay of one day, although the contract does not expose standard OpenZeppelin getMinDelay() behavior onchain. The timelock is role-based and sits at the center of the Maple governance and admin control surface.
| Permission Owner | Functions | Criticality | Risk |
|---|---|---|---|
| Governor Timelock | Governance execution layer with delayed execution | HIGH | |
| ROLE_ADMIN: Governor 4-of-7, EOA 0xa04bddfb5bce1afc0a939749dc721ba762019b2a | Can alter proposer and executor permissions | CRITICAL | |
| PROPOSER_ROLE: Governor 4-of-7 | Can schedule governance proposals | HIGH | |
| EXECUTOR_ROLE: OperationalAdmin 3-of-5, EOA | Can execute proposals | HIGH | |
| SecurityAdmin 3-of-6 | Emergency pause actions | HIGH | |
| PoolDelegate | Day-to-day loan origination and management | MEDIUM | |
The signer sets are:
Governor Safe — 4-of-7
0xd6d4Bcde6c816F17889f1Dd3000aF0261B03a196
SecurityAdmin Safe — 3-of-6
0x6b1A78C1943b03086F7Ee53360f9b0672bD60818
OperationalAdmin Safe — 3-of-5
0xCe1cE7c7F436DCc4E28Bc8bf86115514d3DC34E8
Exchange-rate mechanism
The wrapper uses standard ERC-4626 accounting through convertToAssets(). Under normal operation, the exchange rate increases as Maple’s lending portfolio generates yield. Because the token is non-rebasing, value accrual is reflected in the exchange rate rather than in balances.
Borrower defaults increase unrealizedLosses() and reduce redemption value. OperationalAdmin can also impair strategies, which can increase unrealizedLosses() and reduce the oracle-observable exchange rate. The accounting path is straightforward. The relevant risk is the control surface that can affect that path.
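The asymmetry described under Oracle compatibility and in the paragraph above, as an added example (not code from Aave or Maple): a simplified Python model of a CAPO-style ratio cap applied to the share price. Only the totalSupply() and totalAssets() readings come from this page; the snapshot ratio, elapsed time, growth rate, base price, donation and loss sizes are constructed, and the model assumes the ratio read by the adapter falls when unrealizedLosses() rises.

```python
# Added illustration (not Aave's or Maple's code): simplified CAPO-style ratio cap.
SECONDS_PER_YEAR = 365 * 24 * 3600
BPS = 10_000             # 100.00% in basis points
SHARE_UNIT = 1_000_000   # one whole share (and one USDC) at 6 decimals

# Readings quoted on the page at the reviewed block height.
TOTAL_SUPPLY = 1_445_304_572_289_555
TOTAL_ASSETS = 1_675_820_590_031_123

# Constructed adapter parameters (assumptions, not values from the page).
SNAPSHOT_RATIO = 1_150_000        # ratio stored at the last snapshot
ELAPSED = 60 * 24 * 3600          # seconds since that snapshot
MAX_YEARLY_GROWTH_BPS = 1_000     # 10% per year
BASE_PRICE = 100_000_000          # output of the capped USDC/USD feed, 8 decimals


def share_ratio(total_assets, total_supply, unrealized_losses=0):
    """Assets per whole share, rounded down.

    Assumption: a rise in unrealized losses lowers the ratio the adapter
    reads, as the page describes; the exact wrapper call is not modelled.
    """
    return SHARE_UNIT * (total_assets - unrealized_losses) // total_supply


def ratio_limit(snapshot_ratio, elapsed, max_yearly_growth_bps):
    """Snapshot ratio grown linearly at the maximum yearly rate."""
    growth = snapshot_ratio * max_yearly_growth_bps * elapsed // (BPS * SECONDS_PER_YEAR)
    return snapshot_ratio + growth


def capped_price(ratio, base_price=BASE_PRICE):
    """Return (price, was_capped). Only upward moves are clamped."""
    limit = ratio_limit(SNAPSHOT_RATIO, ELAPSED, MAX_YEARLY_GROWTH_BPS)
    return base_price * min(ratio, limit) // SHARE_UNIT, ratio > limit


def scenarios():
    donation = 50_000_000 * SHARE_UNIT    # constructed 50M USDC donation
    losses = 100_000_000 * SHARE_UNIT     # constructed 100M USDC of losses
    return {
        "reviewed block": capped_price(share_ratio(TOTAL_ASSETS, TOTAL_SUPPLY)),
        "donation": capped_price(share_ratio(TOTAL_ASSETS + donation, TOTAL_SUPPLY)),
        "impairment": capped_price(share_ratio(TOTAL_ASSETS, TOTAL_SUPPLY, losses)),
    }


if __name__ == "__main__":
    for name, (price, capped) in scenarios().items():
        print(f"{name:15s} price={price / 1e8:.6f} USD capped={capped}")
```

In this model the donation is clamped to the growth limit while the loss reaches the price in full, which is why the admin paths that can raise unrealizedLosses() matter more to the integration than donation-style inflation.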
Withdrawals are handled through a two-step FIFO queue. Average completion is stated as under one hour. The reviewed material also notes instant liquidity through Uniswap V4 and Balancer with approximately $20M of combined DEX depth. There is no slashing model. Losses pass through the exchange rate.
Dependency analysis
The relevant dependencies are Maple protocol contracts and governance, USDC as the underlying asset, the CAPO adapter, Chainlink’s USDC/USD feed, DEX liquidity, the Maple withdrawal queue, and the institutional borrower set.
totalAssets() is driven by outstanding loan balances rather than by passively held base assets. Borrower default that is not stabilized or liquidated in time increases unrealizedLosses() and reduces the exchange rate. The reviewed material describes the mitigants as overcollateralized loans, active margin monitoring, onchain liquidation processes, and borrower concentration limits, with no single borrower representing more than 20% of pool exposure.
USDC adds standard centralized issuer risk at the underlying layer, including blacklist and pause risk.
Audit coverage
The reviewed audits include coverage from Trail of Bits, Spearbit, Three Sigma, 0xMacro, Sherlock, Dedaub, and Sigma Prime across Maple Core V2, later protocol updates, the Syrup Router, the Governor Timelock, the Withdrawal Manager, and the CCIP Receiver. No unresolved critical findings are identified in those audits. Maple also maintains an Immunefi bug bounty with a maximum reward of $500,000.
The historical record includes Maple defaults in late 2022, including Orthogonal Trading, under the earlier delegated-pool model rather than the current Maple Direct architecture. Maple Direct was introduced in 2024. syrupUSDC launched in May 2024 under that model, with no defaults noted in the reviewed period.
Risk summary
The token contract is verified, non-rebasing, and non-upgradeable. The remaining risks sit at the Maple governance and admin layer and in the fragility of the share-price accounting.
Maple has clarified that the EOA address retaining ROLE_ADMIN in the timelock control surface is an MPC wallet with strict multisig rules. Roles capable of affecting unrealizedLosses() and the oracle-observed exchange rate are clearly documented and tightly constrained.
syrupUSDC is eligible with conditions. It should not be borrowable. Strategy impairment or disablement can increase unrealizedLosses() and reduce the exchange rate, which connects Maple’s control surface directly to the Aave pricing path.