Ethereum Stablecoin (Managed Single-Asset (yield-bearing vault over off-chain backed stablecoin)) TVL $75.30M

APYX

Audited 04/01/2026 · 1mo ago Martin & Agent Tier: Moderate Framework V1.2.3
Deal Breaker Gate
PASS
No deal breakers triggered
Score
72 /100
Grade B
Risk Level
Medium
Aggregate finding
Re-check Cadence
Weekly
Suggested for next assessment
0 deal-breaker FAILs 8 open issues 0 EOA surfaces 12 contracts 3 audits 3 Tier-1

Findings

All deal breakers pass. Material residual risks are an admin-controlled vesting-substitution path (setVesting) with no output-bounds validation or timelock, an ADMIN role with zero execution delay at $75M+ TVL, and entirely off-chain backing of apxUSD with no on-chain proof-of-reserve. These are counterbalanced by strong smart-contract architecture (OZ AccessManager, OZ ERC4626 with built-in inflation protection), three top-tier audits, a 30-day withdrawal cooldown that structurally blocks flash-loan extraction, and a doxxed ex-Kraken team.

Technical findings only — not financial advice.

Trust Surfaces

Who can move funds, and how fast
  • apxUSD — UUPS upgrade
    Type: Multisig 3/6
    Controller: 0xf986…3ce2
    Min delay: Instant
    Worst case: Replace apxUSD implementation — arbitrary mint or freeze of the stablecoin
  • apyUSD — UUPS upgrade
    Type: Multisig 3/6
    Controller: 0xf986…3ce2
    Min delay: Instant
    Worst case: Replace vault implementation — full drainage of deposited apxUSD
  • apyUSD — setVesting()
    Type: Multisig 3/6
    Controller: 0xf986…3ce2
    Min delay: Instant
    Worst case: Replace vesting contract with one returning inflated vestedAmount() — manipulate totalAssets and share price (HIGH finding F-C-02)
  • apyUSD — setUnlockToken()
    Type: Multisig 3/6
    Controller: 0xf986…3ce2
    Min delay: Instant
    Worst case: Replace withdrawal mechanism — alter or bypass the 30-day cooldown that anchors flash-loan resistance
  • AccessManager — co-admin
    Type: Multisig 4/6
    Controller: 0xabdd…5e96
    Min delay: Instant
    Worst case: Same authority as 3/6 admin; both Safes share an identical 6-signer set, so defense-in-depth between thresholds is limited
  • MinterV0 — apxUSD mint authority
    Type: Contract
    Controller: 0x2c36…a76e
    Min delay: Instant
    Worst case: Schedule apxUSD mint up to supply cap ($100M); 60-second AccessManager delay between schedule and execute provides a brief reaction window
  • YieldDistributor — withdraw()
    Type: Multisig 3/6
    Controller: 0xf986…3ce2
    Min delay: Instant
    Worst case: Withdraw accumulated yield. Blast radius bounded by MAX_FEE = 1% hard-cap

Deal Breaker Matrix

PASS 16 FAIL 0 N/A 7 Inconclusive 0

Access Control & Governance

Item Status Evidence
EOA Upgrade Control PASS UUPS _authorizeUpgrade routes through AccessManager → 3/6 + 4/6 multisig. Deployer EOA (0x0442) revoked at block 24481052.
EOA Fund Control PASS No single-EOA fund withdrawal. YieldDistributor.withdraw() restricted to multisig.
>60% Governance Centralization N/A No governance token. Control is exclusively via multisig.
Governance Mechanism Bypass N/A No governance mechanism exists.
Timelock Backdoors N/A No timelock deployed. No emergencyExecute() or fastTrack() found.
No Emergency Controls PASS pause()/unpause() implemented on apxUSD, apyUSD, MinterV0, and CommitToken.

Oracle & Price Integrity

Item Status Evidence
Direct Pool Price Oracle N/A Managed single-asset vault; no external oracle consumed for share pricing.
Manual Price Control PASS No direct setPrice. Vesting substitution via setVesting() requires 3/6 multisig — not single-key. Flagged as HIGH finding.

Smart Contract Architecture

Item Status Evidence
Known Compiler Bugs PASS Solidity 0.8.30 across all contracts. No known compiler-bug CVEs.
No Reentrancy Protection PASS CEI on critical paths (CommitToken._withdraw deletes state before call). ReentrancyGuardTransient on YieldDistributor.
Unlimited Minting PASS Supply cap ($100M) + MinterV0 rate limiting + 60s AccessManager delay + multisig.
Unsafe Delegatecall PASS No delegatecall to user-supplied addresses found.
Uninitialized Implementation PASS _disableInitializers() called in ApxUSD constructor (line 78) and ApyUSD constructor (line 90).
Unprotected Initializer PASS All initialize() functions use the initializer modifier with zero-address guards on all params.

Audit & Verification

Item Status Evidence
No Audit + High TVL PASS TVL ~$75.3M apxUSD supply. Three audits: Zellic (Jan 2026), Quantstamp (Feb 2026), Certora (Mar 2026).
Unverified Contracts PASS 7 of 7 core contracts verified on Sourcify with full metadata match.
Critical Unfixed Issues PASS Zellic critical finding addressed. Certora high finding confirmed fixed.

Economic & Liquidity

Item Status Evidence
Zero Flash Loan Protection PASS 30-day UnlockToken cooldown blocks same-block extraction. Architecture flash-loan-resistant by design.
Broken Tokenomics PASS Yield from off-chain MSTR preferred-stock dividends (real yield), not circular emissions. APY < 100%.
No Slippage Protection PASS depositForMinShares(), mintForMaxAssets(), withdrawForMaxShares(), redeemForMinAssets() all present.

Cross-Chain & Bridges

Item Status Evidence
Centralized Bridge N/A Single chain (Ethereum mainnet). CCIP integration is interface-only.
No Transfer Limits N/A Not a bridge protocol.
No Token Verification N/A Not a bridge protocol.

Open Issues

P1: 2 · P2: 6
  • P1 High · Oracle/DVI Timeline: 1 month
    Unbounded vesting contract substitution
    Impact: Admin-controlled share-price inflation via setVesting() with no output-bounds or timelock
    Recommendation: Add output-bounds validation or timelock on setter
  • P1 Medium · Access Control Timeline: 1 month
    No timelock on ADMIN role
    Impact: Upgrades execute immediately at $75M+ TVL with no public reaction window
    Recommendation: Implement 48h+ timelock for upgrade authorization
  • P2 Low · Oracle/DVI Timeline: Optional
    _decimalsOffset() = 0 — minimal virtual offset
    Impact: OZ built-in +1 virtual shares makes inflation non-profitable; a larger offset would add defense-in-depth
    Recommendation: Consider _decimalsOffset()=6 for extra margin
  • P2 Medium · Economic Timeline: 1 month
    Off-chain backing unverifiable on-chain
    Impact: Entire protocol value rests on team trust; no on-chain mechanism verifies the off-chain MSTR preferred-stock collateral
    Recommendation: Implement proof-of-reserve oracle or custodian attestation
  • P2 Medium · Economic Timeline: 1 month
    No on-chain redemption for apxUSD
    Impact: No on-chain path to redeem against off-chain collateral
    Recommendation: Establish and publish off-chain redemption policy
  • P2 Low · Smart Contract Timeline: 1 month
    Missing nonReentrant on apyUSD._withdraw()
    Impact: pullVestedYield() called pre-burn creates a theoretical re-entry window (requires admin-set malicious vesting contract)
    Recommendation: Add nonReentrant or move pullVestedYield() post-burn
  • P2 Low · Operations Timeline: 1 month
    No bug bounty or public security contact
    Impact: No incentive for responsible disclosure; researchers have no documented channel
    Recommendation: Launch Immunefi program with $500K+ max payout
  • P2 Low · Composability Timeline: 1 month
    AddressList as system-wide SPOF
    Impact: Bricked deny list freezes all token transfers
    Recommendation: Consider automated failsafe or backup list

Contract Inventory

12 contracts, all compiled with Solidity 0.8.30 (2 listed as Verified Proxy, 3 listed as Verified)

Audit History

  • Tier 1 · Zellic · 01/2026 · Full protocol — ApxUSD, ApyUSD, CommitToken, UnlockToken, MinterV0, YieldDistributor, LinearVestV0, AddressList (Report)
    Findings: 1 Critical, 2 Medium, 2 Low
  • Tier 1 · Quantstamp · 02/2026 · APX USD Stablecoin (Report)
  • Tier 1 · Certora · 03/2026 · APYX APX USD (apxUSD + apyUSD) — manual code review (Report)
    Findings: 1 High

Protocol

Launched: 2026-Q1
TVL Source: Protocol disclosure (not listed on DeFiLlama)

Operations

Bug Bounty: None detected
Role assignments (5)
  • AccessManager · ADMIN (Role 0)
    Holder: 0xf986...3ce2 (3/6 Safe)
    Powers: Authorize UUPS upgrades, grant/revoke roles, call admin setters (setVesting, setUnlockToken)
  • AccessManager · ADMIN (Role 0)
    Holder: 0xabdd...5e96 (4/6 Safe)
    Powers: Co-admin authority (shared signer set with 3/6)
  • AccessManager · MINT_STRAT (Role 1)
    Holder: MinterV0 (0x2c36...a76e)
    Powers: Schedule apxUSD mints with 60s AccessManager delay
  • AccessManager · Role 6
    Holder: YieldDistributor (0xdbca...9c2a)
    Powers: Yield-distribution operations
  • apxUSD / apyUSD / MinterV0 / CommitToken · Pause
    Holder: 3/6 Safe
    Powers: pause() / unpause() on each core contract
