[Direct to AIP] Onboard syrupUSDT to Aave V3 Plasma Instance

syrupUSDT (cross-chain) technical analysis

Summary

Following the new proposal for listing SyrupUSDT on Plasma, we examined the Maple Team’s implementation of the cross-chain asset.

This is a technical analysis of all the smart contracts of SyrupUSDT on Plasma and its main bridge dependencies.

Disclosure: This is not an exhaustive security review of the asset like the ones done by the Maple team, but an analysis from an Aave technical service provider on different aspects we consider critical to review before a new type of listing.


Analysis

SyrupUSDT on Ethereum follows the same architecture and is controlled by the same entities as SyrupUSDC, for which we did an extensive evaluation that can be found here. It’s a cross-chain asset on Plasma bridged through Chainlink’s CCIP infrastructure.


General points

  • The SyrupUSDT contract uses Chainlink’s standard CCIP contracts for lock/release on Ethereum and mint/burn on Plasma.

  • It relies on two non-upgradable contracts controlled by Maple’s timelock and Chainlink’s RBACTimelock.

  • For access control, it uses OZ role-based access control.


Contracts

The following is a non-exhaustive overview of the main smart contracts involved with SyrupUSDT on Plasma:


SyrupUSDT

It represents the cross-chain SyrupUSDT token, which extends standard functionality with minting and burning capabilities through role-based access control.

| Permission Owner | functions | Criticality | Risk |
|---|---|---|---|
| ADMIN_ROLE: 3-day Timelock | setCCIPAdmin, grantRole | HIGH | 🟢 |
| MINTER_ROLE: TokenPool | mint | HIGH | 🟢 |
| BURNER_ROLE: TokenPool | burn, burnFrom | HIGH | 🟢 |

  • Access Control

    • The ADMIN_ROLE can set the s_ccipAdmin via the setCCIPAdmin(address) method. It’s important to mention that the s_ccipAdmin doesn’t have any special access control within the system.
  • Minting and Burning

    • The TokenPool controls the minting and burning of SyrupUSDT through the mint(to, amount), burn(amount), and burnFrom(from, amount) functions.

TokenPool

The TokenPool contract manages cross-chain token operations via CCIP’s router contract, facilitating the minting and burning of SyrupUSDT. It handles token decimals across different chains and rate limiting, and uses role-based access control.


Plasma: TokenPool

| Permission Owner | functions | Criticality | Risk |
|---|---|---|---|
| owner: RBACTimelock | setRouter, addRemotePool, removeRemotePool, applyChainUpdates, setRateLimitAdmin, applyAllowListUpdates | HIGH | 🟢 |

Mainnet: TokenPool

| Permission Owner | functions | Criticality | Risk |
|---|---|---|---|
| owner: RBACTimelock | setRouter, addRemotePool, removeRemotePool, applyChainUpdates, setRateLimitAdmin, applyAllowListUpdates, transferLiquidity | HIGH | 🟢 |

  • Access Control
    • The RBACTimelock can set up the cross-chain configuration for new chains through the addRemotePool(), removeRemotePool(), and applyChainUpdates() functions. It can also configure the allowlist via applyAllowListUpdates() and set a rate limiter contract by calling the setRateLimitAdmin() method.

    • The liquidity locked in a previous TokenPool can be migrated to the new (current) TokenPool via the transferLiquidity(amount) function.

  • Bridging
    • To bridge SyrupUSDT from Mainnet to Plasma, the call is initiated through the router.ccipSend(destChain, message) function. The SyrupUSDT is locked in the TokenPool contract and then forwarded via the evmOnRamp.forwardFromRouter(destChain, message) method.

    • To send it back to the mainnet, it uses the same process via the router by calling the ccipSend(destChain, message) function. The token amount is burned on Plasma by the TokenPool, and the message is forwarded to the mainnet via offRamp.executeSingleMessage(msg), where the TokenPool contract receives a releaseOrMint(releaseOrMintIn) call and transfers the SyrupUSDT to the user.


Pricing strategy

We recommend pricing SyrupUSDT with a CAPO Adapter using the SyrupUSDT/USDT exchange rate along with the Capped USDT/USD Price feed. This method aligns with the price recommendation for syrupUSDC on mainnet.


Miscellaneous

  • The security reviews of the CCIP contracts’ infrastructure used in SyrupUSDT can be found here.

  • During the review process, we suggested that the Maple team timelock the admins of SyrupUSDT. They implemented it shortly afterward, keeping the system consistent with the mainnet.


Conclusion

We believe SyrupUSDT has no issues with Aave integration and no major blockers for listing.

5 Likes
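
The lock/release and mint/burn accounting described in the Bridging and Access Control notes above can be modelled as follows. This is an added example, not part of the original post and not Maple's or Chainlink's code. It assumes equal token decimals on both chains, no rate limits and a single remote chain; the class names and pool labels are hypothetical.

```python
# Constructed model: equal decimals on both chains, no rate limits, one remote chain.
class AccessDenied(Exception):
    pass

class Token:
    """Minimal ledger; mint and burn are gated by a role set."""
    def __init__(self, pool_roles=()):
        self.balances = {}
        self.pool_roles = set(pool_roles)  # holders of MINTER_ROLE and BURNER_ROLE

    def total_supply(self):
        return sum(self.balances.values())

    def _debit(self, owner, amount):
        if amount <= 0 or self.balances.get(owner, 0) < amount:
            raise ValueError("invalid amount or insufficient balance")
        self.balances[owner] -= amount

    def transfer(self, src, dst, amount):
        self._debit(src, amount)
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def mint(self, caller, to, amount):
        if caller not in self.pool_roles:
            raise AccessDenied("caller lacks MINTER_ROLE")
        self.balances[to] = self.balances.get(to, 0) + amount

    def burn_from(self, caller, owner, amount):
        if caller not in self.pool_roles:
            raise AccessDenied("caller lacks BURNER_ROLE")
        self._debit(owner, amount)

MAINNET_POOL, PLASMA_POOL = "mainnet_pool", "plasma_pool"  # hypothetical labels

class Bridge:
    def __init__(self):
        self.mainnet = Token()                          # lock/release side
        self.plasma = Token(pool_roles={PLASMA_POOL})   # mint/burn side

    def to_plasma(self, user, amount):
        self.mainnet.transfer(user, MAINNET_POOL, amount)  # lock in mainnet TokenPool
        self.plasma.mint(PLASMA_POOL, user, amount)        # mint on Plasma

    def to_mainnet(self, user, amount):
        self.plasma.burn_from(PLASMA_POOL, user, amount)   # burn on Plasma
        self.mainnet.transfer(MAINNET_POOL, user, amount)  # release on mainnet

    def backing_ok(self):
        """Plasma supply must never exceed what is locked in the mainnet pool."""
        return self.plasma.total_supply() <= self.mainnet.balances.get(MAINNET_POOL, 0)
```

The `backing_ok` check is the invariant a monitor would track: it holds for every bridge round trip and fails as soon as any address other than the TokenPool holds the minting role, which is why the role-granting permission sits behind a timelock.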