Blend is committed to the highest standards of security. The protocol has undergone multiple independent security audits by reputable firms to ensure the safety and reliability of the codebase. All audit reports are publicly available below, and the report files are held in github.com/blendmoney/audits.
This focused review examined recent improvements to Blend’s Intent Engine contracts, covering changes from PR 47, PR 48, and PR 49 during August 27-28, 2025.
Removed redundant controller existence check in StrategyManager.executeVaultAction
Optimized loop structure in MorphoVaultController.executeRebalance
Cached redundant WRAPPED_NATIVE() calls for gas efficiency
Increased test coverage for execution paths in PR 47 and PR 48
Added share-price validation safety checks
The review confirmed that all changes introduced no new security risks and maintained the protocol’s strong security posture for updated rebalancing and action-execution flows.
View Full Audit Report →
This review focused on Blend’s cross-chain infrastructure, examining the AcrossXChainAdapter and SwapAdapter contracts from PR 62 during September 16-19, 2025.
Gas Optimization: Fixed unnecessary external call in AcrossXChainAdapter.execute
Chain Configuration: Enhanced flexibility addressed through deployment strategy
Griefing Risks: Mitigated via Blend’s private execution environment
Slippage Calculations: Validated methodology and controlled mempool usage
The review confirmed that PR 62 maintains strong security with no exploitable vulnerabilities. All identified optimizations were implemented and verified.
View Full Audit Report →
This security assessment reviewed Blend’s swap adapter implementations, focusing on PR #68 and the temporal access control mechanisms in WhitelistedSwapAdapter and SwapAdapter contracts.
Temporal execution windows (rebalance and vault action phases)
WhitelistedSwapAdapter configuration validation
SwapAdapter integration patterns
The review confirmed that PR #68 introduced no new vulnerabilities and that temporal access controls are correctly implemented. The single informational finding regarding constructor validation was promptly fixed.
View Full Audit Report →
Multi-hop Swap Design: Dust handling in multi-hop swaps acknowledged as intentional design trade-off for gas efficiency
The review confirmed that all changes maintain strong security with no exploitable vulnerabilities. One low-risk finding regarding intermediary token dust was acknowledged as an acceptable design choice prioritizing gas efficiency.
View Full Audit Report →
Added explicit visibility identifier for MIN_SECONDS_BETWEEN_OPERATIONS variable
Removed virtual keyword from executeRebalance() to prevent potential rate limit bypass in derived contracts
Fixed off-by-one error in rate limiting logic to ensure proper minimum interval enforcement
Added upper bound validation for _minSecondsBetweenOperations constructor parameter
The review confirmed that PR 80 introduced robust rate limiting controls with no security vulnerabilities. All code quality improvements were successfully implemented.
View Full Audit Report →
Token Sweeping Functionality: Implemented sweepToken function in SwapAdapter to allow recovery of intermediate tokens that may get stuck in multi-hop swaps due to price action (PR 87)
Code Comment Fixes: Corrected misleading comments regarding token transfer amounts in swap functions (PR 86)
The review confirmed that the swap adapter implementations maintain strong security with no exploitable vulnerabilities. Both informational findings were addressed through code improvements and enhanced documentation.
View Full Audit Report →