Blend’s smart contracts have been audited 8 times by 3 independent firms: Cantina, Sherlock, and Zellic. Every report is public. Zero critical or high-severity issues have ever been found. All reports are available at github.com/blendmoney/audits.

Ostium Integration and Bundler3 Compatibility

Sherlock | January 12-15, 2026 | Auditors: eeyore, montecristo
Reviewed Blend’s integration with Ostium perpetual trading and Morpho Bundler3 adapter compatibility. Covered vault controllers, swap adapters, cross-vault actions, perpetual position management, and oracle fee mechanics.

| Severity | Count |
| --- | --- |
| Critical / High | 0 |
| Medium | 2 (fixed) |
| Low / Info | 17 (fixed) |

  • Rebalance validation for oracle fees and freed capital during position adjustments
  • Pending order management to prevent multiple positions at different indexes
  • Rebasing token support (stETH) in SwapAdapter
  • Improved balance calculations using maxWithdraw
  • Comprehensive @custom:reverts tags across all adapter contracts
View report (PDF) →

Swap Adapter Security Review

Sherlock | November 27-28, 2025 | Auditor: PUSHO
Focused on SwapAdapter.sol and PriceLib.sol. Added sweepToken function for recovering intermediate tokens stuck in multi-hop swaps, and corrected misleading code comments.

| Severity | Count |
| --- | --- |
| Critical / High / Medium | 0 |
| Low / Info | 2 (fixed) |

View report (PDF) →

Rate Limiting Enhancement

Cantina | October 10, 2025 | Auditor: Sujith Somraaj
Reviewed rate limiting in the Strategy Manager contract. Fixed an off-by-one error, added visibility identifiers, removed virtual keyword to prevent rate limit bypass in derived contracts, and added constructor validation.

| Severity | Count |
| --- | --- |
| Critical / High / Medium / Low | 0 |
| Info | 4 (fixed) |

View report (PDF) →

Swap Adapter Enhancement

Cantina | October 5, 2025 | Auditor: Sujith Somraaj
Reviewed multi-hop swap functionality. Added output amounts to SwapExecuted events, switched strategyData to calldata for gas savings, added slippage and zero-address validation.

| Severity | Count |
| --- | --- |
| Critical / High / Medium | 0 |
| Low | 2 (fixed) |
| Info | 4 (fixed) |

  • Added actual output amount to SwapExecuted event for better off-chain monitoring
  • Changed strategyData parameter from memory to calldata for reduced gas costs
  • Added upper bound validation for maxSlippageBps and zero address checks
  • Dust handling in multi-hop swaps acknowledged as intentional gas-efficiency trade-off
View report (PDF) →

Swap Adapter Security Assessment

Zellic | October 2, 2025
Assessed WhitelistedSwapAdapter and SwapAdapter contracts, focusing on temporal access control (rebalance and vault action phases). Single informational finding about constructor validation was fixed.

| Severity | Count |
| --- | --- |
| Critical / High / Medium / Low | 0 |
| Info | 1 (fixed) |

View report (PDF) →

Cross-Chain Adapter Audit

Cantina | September 29, 2025 | Auditor: Rvierdiiev
Reviewed AcrossXChainAdapter and SwapAdapter contracts. Fixed unnecessary external call for gas savings. Griefing risks mitigated via private execution environment. Slippage methodology validated.

| Severity | Count |
| --- | --- |
| Critical / High / Medium | 0 |
| Info | 3 (mitigated) |
| Gas optimization | 1 (fixed) |

View report (PDF) →

Code Improvements Audit

Cantina | September 29, 2025 | Auditor: Sujith Somraaj
Reviewed Intent Engine contract improvements. Removed redundant checks, optimized loop structures, cached WRAPPED_NATIVE() calls, increased test coverage, and added share-price validation.

| Severity | Count |
| --- | --- |
| Critical / High / Medium / Low | 0 |
| Info | 5 (fixed) |

View report (PDF) →

Initial Code Audit

Cantina | August 10, 2025
Comprehensive review of Blend’s core protocol contracts. Evaluated architecture, smart contract security, slippage controls, rebalance validation, and griefing vectors. Mature, well-maintained codebase with all issues promptly resolved.

| Severity | Count |
| --- | --- |
| Critical / High | 0 |
| Medium | All fixed |

View report (PDF) →

Audit Firms

If you discover a potential vulnerability, please report it to hello@blend.money. We take all reports seriously and will respond promptly.
Last modified on February 6, 2026