MakeBanc: Full-Stack Security Audit & Protocol Hardening

MakeBanc is an on-chain capital connectivity platform that bridges institutional liquidity into decentralized finance. Investors deposit USDC into tokenized ERC-4626 and EIP-7540 asynchronous vaults; the capital is traded off-chain on centralized exchanges, and the resulting valuations are regularly written back on-chain.

The MakeBanc team engaged FailSafe to perform a comprehensive, full-stack security assessment prior to production deployment. Unlike standard audits that focus exclusively on smart contracts, this engagement encompassed the entire hybrid architecture, including the core Solidity contracts and the extensive off-chain backend orchestration services.

A Full-Stack Audit Scope

Modern decentralized applications frequently rely on complex off-chain infrastructure, and MakeBanc's architecture is a prime example. The audit scope covered nearly 30,000 lines of code across three primary repositories:

  • Smart Contracts: The core on-chain components deployed on Base, including the upgradeable vaults, tier management, and fee accumulation logic.
  • Safe Orchestration Service: A TypeScript Fastify service that builds Gnosis Safe payloads, relays admin-signed transactions, and indexes on-chain events.
  • Platform Backend: A Python FastAPI service handling user authentication, KYC onboarding, settlement ledgers, and inbound webhooks.

Hardening the Hybrid Architecture

Our security engineers focused heavily on the intersection of on-chain execution and off-chain state. We identified and helped remediate multiple findings related to operational robustness, state synchronization, and accounting precision. Key areas of hardening included the following.

Fee Arithmetic and Epoch Accounting

The on-chain vaults track per-position high-water marks and sweep performance fees at epoch boundaries. We traced the deposit and redemption paths to confirm that performance and management fees are calculated precisely, and worked with the MakeBanc team to refine the accounting so that a position's high-water mark shrinks in proportion to the shares leaving on a partial withdrawal and rises by the amount of any subsequent deposit. Without that scaling, a stale mark after a partial withdrawal shields the remaining position's gains from the fee, and an uncredited deposit lets fresh principal be charged as profit; getting it right protects both protocol revenue and user balances.
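
The following is an added example, not MakeBanc's vault code, showing the accounting rule described above in integer fixed-point arithmetic of the kind a Solidity vault uses. Names (`Position`, `sweep`, `scenario`), the 18-decimal scale, the 20 % fee and the deposit/withdraw sequence are all constructed for illustration; the two boolean flags switch the correct scaling off so the two failure modes can be compared against it.

```python
from dataclasses import dataclass

WAD = 10**18    # 18-decimal fixed point, as in Solidity
BPS = 10_000    # basis-point denominator


@dataclass
class Position:
    shares: int   # vault shares held (18 decimals)
    hwm: int      # high-water mark in asset units: the value already fee-crystallised


def to_assets(shares: int, price: int) -> int:
    """Value of `shares` at `price` (assets per share, WAD-scaled), rounded down."""
    return shares * price // WAD


def to_shares(assets: int, price: int) -> int:
    """Shares bought by `assets` at `price`, rounded down (against the depositor)."""
    return assets * WAD // price


def deposit(pos: Position, assets: int, price: int, credit_hwm: bool = True) -> int:
    """Fresh capital enters at its own cost basis. With credit_hwm the mark rises by the
    amount deposited, so the next sweep cannot treat new principal as profit."""
    minted = to_shares(assets, price)
    pos.shares += minted
    if credit_hwm:
        pos.hwm += assets
    return minted


def withdraw(pos: Position, shares_out: int, price: int, scale_hwm: bool = True) -> int:
    """Partial redemption. With scale_hwm the mark shrinks in proportion to the shares
    leaving; without it the stale mark shields the remaining shares' gains from the fee."""
    if shares_out > pos.shares:
        raise ValueError("insufficient shares")
    if scale_hwm:
        pos.hwm = pos.hwm * (pos.shares - shares_out) // pos.shares
    pos.shares -= shares_out
    return to_assets(shares_out, price)


def sweep(pos: Position, price: int, perf_fee_bps: int) -> int:
    """Epoch-end performance fee: charge only on value above the mark, settle it by burning
    shares, then reset the mark to the post-fee value. Returns the fee in asset units."""
    value = to_assets(pos.shares, price)
    if value <= pos.hwm:
        return 0
    fee_assets = (value - pos.hwm) * perf_fee_bps // BPS
    pos.shares -= to_shares(fee_assets, price)
    pos.hwm = to_assets(pos.shares, price)
    return fee_assets


def scenario(scale_hwm: bool = True, credit_hwm: bool = True) -> tuple[int, int]:
    """Constructed walk-through: deposit 1000 at 1.00, NAV rises to 1.20, withdraw half,
    sweep a 20 % performance fee, deposit 1200 more at 1.20, sweep again."""
    pos = Position(shares=0, hwm=0)
    deposit(pos, 1_000 * WAD, 1 * WAD)
    price = 12 * WAD // 10
    withdraw(pos, 500 * WAD, price, scale_hwm=scale_hwm)
    fee_after_withdraw = sweep(pos, price, 2_000)
    deposit(pos, 1_200 * WAD, price, credit_hwm=credit_hwm)
    fee_after_deposit = sweep(pos, price, 2_000)
    return fee_after_withdraw, fee_after_deposit


if __name__ == "__main__":
    print("correct:           ", scenario())                  # (20e18, 0)
    print("stale HWM on exit: ", scenario(scale_hwm=False))   # (0, 0): 20 of fee leaked
    print("uncredited deposit:", scenario(credit_hwm=False))  # (20e18, 240e18): principal taxed
```

The remaining 500 shares are worth 600 after the price move, so the correct run charges 20 % of the 100 of profit above the scaled mark of 500 and then charges nothing on the 1200 of fresh capital. With the mark left at 1000 the first sweep sees no profit at all; with the deposit not credited, the second sweep taxes the new principal as if it were gain.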

Payload Signing and Relay Integrity

Because MakeBanc uses an asynchronous model, administrative actions and settlements are built off-chain and relayed. We audited the transaction reconstruction and signature validation flows to confirm that settlements cannot be spoofed, replayed, or executed out of order. In a Safe-based design those properties rest on rebuilding the signed digest from the payload the relay actually submits, on that digest being bound to the target chain and Safe, and on strict nonce ordering.
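
As an added illustration of the relay-side gate, and not MakeBanc's orchestration service, the sketch below validates an admin-signed payload before submission. It is stripped down to the ordering of checks: a real relay recomputes the Safe's EIP-712 transaction hash with keccak256 and recovers the secp256k1 signer, both of which need third-party libraries, so SHA3-256 stands in for the hash and a per-admin HMAC tag stands in for the signature. The `SafeTx` fields, signer names, keys and the `0xSafe`/`0xVault` addresses are constructed; chain id 8453 is Base mainnet.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeTx:
    chain_id: int
    safe: str
    nonce: int
    to: str
    value: int
    data: bytes
    operation: int  # 0 = CALL, 1 = DELEGATECALL


def tx_digest(tx: SafeTx) -> bytes:
    """Domain-separated digest (stand-in for the Safe EIP-712 hash): chain id and Safe
    address are part of what is signed, so a signature for one Safe or one chain cannot be
    replayed against another."""
    canonical = json.dumps(
        {"chainId": tx.chain_id, "safe": tx.safe.lower(), "nonce": tx.nonce,
         "to": tx.to.lower(), "value": tx.value, "data": tx.data.hex(),
         "operation": tx.operation},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha3_256(b"SafeTx\x00" + canonical).digest()


def sign(admin_key: bytes, tx: SafeTx) -> bytes:
    """Admin side (stand-in for an ECDSA signature over the Safe tx hash)."""
    return hmac.new(admin_key, tx_digest(tx), hashlib.sha256).digest()


class Relay:
    def __init__(self, admin_keys: dict[str, bytes], chain_id: int, safe: str):
        self.admin_keys = admin_keys  # signer id -> key; stands in for the Safe's owner set
        self.chain_id = chain_id
        self.safe = safe.lower()
        self.next_nonce = 0           # mirrors the Safe's on-chain nonce

    def submit(self, tx: SafeTx, signer: str, signature: bytes, claimed_digest: bytes) -> str:
        # 1. Rebuild the digest from the fields the relay will execute; never trust the
        #    client-supplied hash, or a signature over one payload authorises another.
        digest = tx_digest(tx)
        if not hmac.compare_digest(digest, claimed_digest):
            return "reject: digest mismatch"
        # 2. Domain binding: only this Safe on this chain.
        if tx.chain_id != self.chain_id or tx.safe.lower() != self.safe:
            return "reject: wrong domain"
        # 3. Strictly sequential nonce: rules out replay and out-of-order execution.
        if tx.nonce != self.next_nonce:
            return "reject: nonce"
        # 4. Signature by an authorised admin over exactly that digest.
        key = self.admin_keys.get(signer)
        if key is None:
            return "reject: unknown signer"
        if not hmac.compare_digest(hmac.new(key, digest, hashlib.sha256).digest(), signature):
            return "reject: bad signature"
        self.next_nonce += 1          # advance only after a fully validated payload
        return "accepted"


if __name__ == "__main__":
    relay = Relay({"ops": b"ops-admin-key"}, chain_id=8453, safe="0xSafe")
    tx0 = SafeTx(8453, "0xSafe", 0, "0xVault", 0, b"\x01", 0)
    sig = sign(b"ops-admin-key", tx0)
    print(relay.submit(tx0, "ops", sig, tx_digest(tx0)))  # accepted
    print(relay.submit(tx0, "ops", sig, tx_digest(tx0)))  # reject: nonce (replay)
```

The digest comparison comes first because it is the check that makes the rest meaningful: if the relay executed the client's `to`/`data` while verifying the signature against the client's own hash, a valid signature over a harmless payload would authorise an arbitrary one.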

Cross-System State Consistency

A significant portion of the review focused on keeping the TypeScript indexer, the Python settlement ledgers, and the on-chain vault state in step. We verified that the system handles blockchain reorganizations correctly, including reverting state derived from orphaned blocks, and that the internal databases reflect the canonical on-chain state without drift.
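
The indexer below is an added example of reorg-safe event processing, not MakeBanc's indexer. Blocks are linked by parent hash rather than height, a competing block at an already-seen height rolls back everything derived from the orphaned branch before the new branch is applied, and a reorg deeper than the assumed finality depth halts the indexer instead of silently rewriting a ledger that may already have driven settlements. The `Block` shape, the deposit/withdraw events, the hashes and the finality depth of 2 are constructed; a production indexer would use a far larger depth.

```python
from dataclasses import dataclass

FINALITY_DEPTH = 2   # constructed: blocks this far behind the tip are treated as final


@dataclass(frozen=True)
class Block:
    number: int
    hash: str
    parent: str
    events: tuple   # constructed events: (kind, user, amount), kind in {"deposit", "withdraw"}


class Indexer:
    """Keeps an off-chain ledger that must match the canonical chain."""

    def __init__(self) -> None:
        self.chain: list[Block] = []       # applied blocks, oldest first
        self.ledger: dict[str, int] = {}   # user -> balance derived from events
        self.finalized_height = -1

    def _apply(self, block: Block, sign: int) -> None:
        """sign = +1 applies the block's events, -1 reverts them."""
        for kind, user, amount in block.events:
            delta = amount if kind == "deposit" else -amount
            self.ledger[user] = self.ledger.get(user, 0) + sign * delta

    def ingest(self, block: Block) -> int:
        """Apply `block`; returns how many previously applied blocks were rolled back."""
        if block.number <= self.finalized_height:
            # Reorg deeper than the assumed finality depth: state already acted upon
            # (settlements, payouts) may be wrong. Do not guess; stop and page a human.
            raise RuntimeError(f"reorg past finalised height {self.finalized_height}")
        rolled_back = 0
        while self.chain and self.chain[-1].hash != block.parent:
            if self.chain[-1].number <= self.finalized_height:
                raise RuntimeError("new block does not descend from finalised history")
            self._apply(self.chain.pop(), -1)   # revert the orphaned block's effects
            rolled_back += 1
        if not self.chain and block.number != 0:
            raise RuntimeError("cannot link block to known history")
        self.chain.append(block)
        self._apply(block, +1)
        self.finalized_height = block.number - FINALITY_DEPTH
        return rolled_back

    def balance(self, user: str) -> int:
        return self.ledger.get(user, 0)


if __name__ == "__main__":
    ix = Indexer()
    ix.ingest(Block(0, "h0", "", ()))
    ix.ingest(Block(1, "h1", "h0", (("deposit", "alice", 100),)))
    ix.ingest(Block(2, "h2a", "h1", (("deposit", "alice", 50),)))   # later orphaned
    print(ix.balance("alice"))                                      # 150
    n = ix.ingest(Block(2, "h2b", "h1", (("withdraw", "alice", 30),)))
    print(n, ix.balance("alice"))                                   # 1 70
```

Anything downstream that consumes the ledger (a settlement job, a payout) should only read entries at or below `finalized_height`; the rollback path above is what keeps the unfinalised window honest, and the halt is what keeps the finalised part trustworthy.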

Webhook Authenticity and Access Control

The off-chain services rely heavily on inbound webhooks for KYC and settlement data. We validated the HMAC-SHA256 and ECDSA-P384 signature verification on those endpoints to prevent an attacker from injecting forged state changes; the checks that matter here are verifying over the raw request body before it is parsed, comparing in constant time, and rejecting stale or replayed deliveries. We also reviewed the Auth0 JSON Web Token handling and the Sign-In With Ethereum flow used for user provisioning.
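
For the HMAC-SHA256 path, the following added example (not MakeBanc's FastAPI code) shows a receiver that verifies the raw bytes before anything is decoded, compares in constant time, bounds clock drift, and rejects replayed delivery ids only after the signature has been checked. The header names, the `timestamp.body` message layout, the 300-second window and the shared secret are constructed; the ECDSA-P384 path needs a third-party library and is not shown.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 300   # assumption: how far a delivery timestamp may drift from our clock


def sign_delivery(secret: bytes, delivery_id: str, raw_body: bytes, ts: int) -> dict:
    """Sender side (constructed): MAC over the timestamp and the exact bytes on the wire."""
    tag = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": tag, "X-Delivery-Id": delivery_id}


class WebhookVerifier:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now                      # injectable clock so the checks are testable
        self.seen: dict[str, float] = {}    # delivery id -> time first accepted

    def verify(self, headers: dict, raw_body: bytes) -> tuple[bool, str]:
        """Verify before parsing: the MAC covers the raw body, so the JSON must not be
        decoded, re-serialised or acted upon until this returns (True, "ok")."""
        ts, sig, did = (headers.get(k) for k in ("X-Timestamp", "X-Signature", "X-Delivery-Id"))
        if not (ts and sig and did):
            return False, "missing headers"
        try:
            ts_val = int(ts)
        except ValueError:
            return False, "bad timestamp"
        now = self.now()
        if abs(now - ts_val) > WINDOW_SECONDS:
            return False, "stale"           # limits how long a captured delivery stays useful
        expected = hmac.new(self.secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"   # constant-time compare; no early exit on mismatch
        # Replay check only after authentication, so unauthenticated traffic can neither
        # fill the cache nor pre-empt a legitimate delivery id.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if did in self.seen:
            return False, "replay"
        self.seen[did] = now
        return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    v = WebhookVerifier(secret, now=lambda: 1_700_000_000)
    body = b'{"user":"u1","kyc":"approved"}'
    h = sign_delivery(secret, "d1", body, 1_700_000_000)
    print(v.verify(h, body))                                 # (True, 'ok')
    print(v.verify(h, body))                                 # (False, 'replay')
    print(v.verify(h, b'{"user": "u1", "kyc": "approved"}'))  # (False, 'bad signature')
```

The third call fails even though the JSON is semantically identical, which is the point of signing the raw body: a framework that parses and re-serialises the request before verification would let whitespace or key-order differences slip past a naive check, and would also run the JSON parser on unauthenticated input.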

Conclusion

The MakeBanc development team demonstrated an excellent commitment to security. By proactively engaging with FailSafe for a comprehensive full-stack audit, they successfully hardened their extensive backend infrastructure alongside their smart contracts.

Following remediation, the MakeBanc stack is hardened against both traditional web2 vulnerabilities and web3-specific attack vectors, supporting the stability of its institutional-grade capital connectivity platform.

Secure Your Hybrid Architecture with FailSafe

FailSafe provides continuous, full-stack vulnerability scanning designed to detect complex logic errors across both smart contracts and off-chain backend services. Intercept compromises before they are exploited by partnering with the best AI-powered security experts in the industry.
