Blend is committed to the highest standards of security. The protocol has undergone multiple independent security audits by reputable firms to ensure the safety and reliability of the codebase.
All audit reports are publicly available below and the report files are held in github.com/blendmoney/audits.
Initial Code Audit
Cantina • August 10, 2025
Overview
The comprehensive security review examined Blend’s core protocol contracts, evaluating the overall architecture, smart contract security, and potential vulnerabilities.
Key Findings
- No critical or high-risk vulnerabilities identified
- Mature and well-maintained codebase
- All medium-risk issues promptly fixed and verified
- Robust mitigations for identified risks
Areas Reviewed
- Slippage control mechanisms
- Rebalance validation logic
- Griefing attack vectors
- Core protocol security
View Full Audit Report →
Code Improvements Audit
Cantina • September 29, 2025 • Auditor: Sujith Somraaj
Overview
This focused review examined recent improvements to Blend’s Intent Engine contracts, covering changes from PR 47, PR 48, and PR 49 during August 27-28, 2025.
Key Findings
- No critical, high, medium, or low severity issues
- 5 informational-level improvements identified and implemented
- All changes verified and confirmed
Improvements Made
- Removed redundant controller existence check in StrategyManager.executeVaultAction
- Optimized loop structure in MorphoVaultController.executeRebalance
- Cached redundant WRAPPED_NATIVE() calls for gas efficiency
- Increased test coverage for execution paths in PR 47 and PR 48
- Added share-price validation safety checks
The review confirmed that all changes introduced no new security risks and maintained the protocol’s strong security posture for updated rebalancing and action-execution flows.
View Full Audit Report →
Cross-Chain Adapter Audit
Cantina • September 29, 2025 • Auditor: Rvierdiiev
Overview
This review focused on Blend’s cross-chain infrastructure, examining the AcrossXChainAdapter and SwapAdapter contracts from PR 62 during September 16-19, 2025.
Key Findings
- No critical, high, or medium severity issues
- 1 gas optimization implemented
- 3 informational findings appropriately mitigated
Optimizations & Mitigations
- Gas Optimization: Fixed unnecessary external call in AcrossXChainAdapter.execute
- Chain Configuration: Enhanced flexibility addressed through deployment strategy
- Griefing Risks: Mitigated via Blend’s private execution environment
- Slippage Calculations: Validated methodology and controlled mempool usage
The review confirmed that PR 62 maintains strong security with no exploitable vulnerabilities. All identified optimizations were implemented and verified.
View Full Audit Report →
Swap Adapter Security Assessment
Zellic • October 2, 2025
Overview
This security assessment reviewed Blend’s swap adapter implementations, focusing on PR #68 and the temporal access control mechanisms in WhitelistedSwapAdapter and SwapAdapter contracts.
Key Findings
- No critical, high, medium, or low severity issues
- 1 informational-level configuration check implemented
- All findings remediated and verified
Areas Reviewed
- Swap adapter security and access controls
- Temporal execution windows (rebalance and vault action phases)
- WhitelistedSwapAdapter configuration validation
- SwapAdapter integration patterns
The review confirmed that PR #68 introduced no new vulnerabilities and that temporal access controls are correctly implemented. The single informational finding regarding constructor validation was promptly fixed.
View Full Audit Report →
Swap Adapter Enhancement Audit
Cantina • October 5, 2025 • Auditor: Sujith Somraaj
Overview
This security review examined PR 69, focusing on swap adapter enhancements and multi-hop swap functionality during October 3-4, 2025.
Key Findings
- No critical, high, or medium severity issues
- 2 low-risk findings identified and addressed
- 1 gas optimization implemented
- 4 informational improvements applied
Improvements Made
- Event Enhancement: Added actual output amount to SwapExecuted event for better off-chain monitoring
- Gas Optimization: Changed strategyData parameter from memory to calldata for reduced gas costs
- Validation Improvements: Added upper bound validation for maxSlippageBps and zero address checks
- Code Quality: Removed unused library imports and improved error messaging clarity
- Multi-hop Swap Design: Dust handling in multi-hop swaps acknowledged as intentional design trade-off for gas efficiency
The review confirmed that all changes maintain strong security with no exploitable vulnerabilities. One low-risk finding regarding intermediary token dust was acknowledged as an acceptable design choice prioritizing gas efficiency.
View Full Audit Report →
Rate Limiting Enhancement Audit
Cantina • October 10, 2025 • Auditor: Sujith Somraaj
Overview
This focused review examined PR 80, analyzing rate limiting enhancements in the Strategy Manager contract during October 6-7, 2025.
Key Findings
- No critical, high, medium, or low severity issues
- 4 informational-level improvements identified and implemented
- All findings promptly fixed and verified
Improvements Made
- Added explicit visibility identifier for MIN_SECONDS_BETWEEN_OPERATIONS variable
- Removed virtual keyword from executeRebalance() to prevent potential rate limit bypass in derived contracts
- Fixed off-by-one error in rate limiting logic to ensure proper minimum interval enforcement
- Added upper bound validation for _minSecondsBetweenOperations constructor parameter
The review confirmed that PR 80 introduced robust rate limiting controls with no security vulnerabilities. All code quality improvements were successfully implemented.
View Full Audit Report →