defirisk.co
rubric v1.7.0

Empty cToken-style market (zero supply/borrow)

Maple Finance's assessment for RD-F-070 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] Maple V2 implements a `bootstrapMint` mechanism (set by the Governor per asset) to prevent first-depositor share inflation on ERC-4626-style pool tokens. This was a high-severity finding identified by Spearbit in the Dec 2022 V2 audit and remediated before launch. Active pools have non-zero TVL ($1.70B). Green: mitigant present and currently active.

Detail

Maple V2 pools use the revenue-distribution-token (RDT) library, which implements ERC-4626-compatible share math. The RDT `convertToShares` function follows the pattern `supply==0 ? assets : (assets * supply) / totalAssets()`, which is vulnerable to first-depositor share inflation absent a guard. Spearbit's December 2022 audit identified this as a high-severity finding. The remediation was a governor-configurable `bootstrapMint` amount per ERC-20 asset, minted at pool creation to provide a non-zero initial supply.

Currently active pools (Syrup USDC 0x80ac24, Syrup USDT 0x356B8d, Maple Institutional Secured 0xC39a5A) all have non-zero supply ($1.70B total TVL). The protocol is NOT a Compound V2 fork, but the ERC-4626 share-inflation vector is covered by the `bootstrapMint` mitigant.

Scoring green with medium confidence because: (1) the `bootstrapMint` is governor-settable (not a hardcoded protection), meaning new pools could theoretically be launched with `bootstrapMint=0` if the Governor misconfigures; (2) the specific `bootstrapMint` value for active pools was not directly read on-chain.
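The share math described above, modeled in Python as an added example (not Maple's or the RDT library's code): it compares the rounding loss a depositor takes in a thin pool with `bootstrapMint` at 0 and at a non-zero value. The helper names, the 100,000-unit bootstrap value, the deposit amounts and the 1:1 backing of locked bootstrap shares are assumptions.

```python
# Added illustration: integer model of the share math quoted in the Detail text.
# All amounts are constructed sample values (6-decimal units), not on-chain data.

def convert_to_shares(assets: int, supply: int, total_assets: int) -> int:
    # Pattern from the page: supply==0 ? assets : (assets * supply) / totalAssets()
    return assets if supply == 0 else (assets * supply) // total_assets


def deposit_outcome(deposit: int, supply: int, total_assets: int):
    """Return (shares_minted, assets_lost_to_rounding) for a single deposit."""
    shares = convert_to_shares(deposit, supply, total_assets)
    new_supply, new_assets = supply + shares, total_assets + deposit
    # Value the depositor could redeem right after depositing (rounded down).
    redeemable = shares * new_assets // new_supply if new_supply else 0
    return shares, deposit - redeemable


def thin_pool(bootstrap_mint: int, untracked_assets: int):
    """Hypothetical worst-case state: one user share outstanding and assets
    that reached the pool without minting shares.
    Assumption: bootstrap shares are locked supply backed 1:1 by assets."""
    supply = bootstrap_mint + 1
    return supply, supply + untracked_assets


def review(bootstrap_mint: int, deposit: int = 5_000 * 10**6) -> dict:
    supply, total_assets = thin_pool(bootstrap_mint, 10_000 * 10**6)
    shares, lost = deposit_outcome(deposit, supply, total_assets)
    return {"bootstrap_mint": bootstrap_mint, "shares": shares, "lost": lost}


if __name__ == "__main__":
    for setting in (0, 100_000):  # misconfigured vs. constructed non-zero value
        print(review(setting))
```

With the setting at 0 the deposit mints zero shares and is lost in full; with the non-zero setting the loss shrinks to rounding dust, which is why the governor-settable value matters for newly launched pools.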

Sources

Methodology

Determine whether any listed Compound V2-fork market has `totalSupply == 0` and `totalBorrow == 0`, the precondition for a donation-exploit.


rubric_version v1.7.0 protocol maple-finance factor RD-F-070 score green collected_at 2026-04-27 05:38:08