Spectra Finance

Audits and Due Diligence Disclosures

Auditor	Date	Scope	High	Medium	Low/Info	Status
Code4rena (42 wardens)	Mar-Apr 2024	spectra-core (7 contracts, 976 LoC)	0	2	11	All resolved
Pashov Audit Group	Mar 2024	spectra-core	0	3	15	All resolved
Sherlock	Sep 2025	MetaVaults V1 (private repo)	0	2	9	All resolved

Zero high-severity findings across all three audits. Codebase is open source.

Notable Code4rena findings:

• M-01: PrincipalToken is not fully ERC-5095 compliant — redeem and withdraw don't support ERC-20 approval flows; maxWithdraw/maxRedeem revert when paused instead of returning 0
• M-02: IBT vault yield drainage via flash loan deflation attack — attackers can exploit flash loans to drain accumulated yield when IBT vault prices reset to default values

The smart contract architecture involves: PrincipalToken, YieldToken, AMBeacon, AMProxyAdmin, AMTransparentUpgradeableProxy, PrincipalTokenUtil, and RayMath — moderate complexity with Curve AMM integration.

Bug Bounty

• Immunefi Audit Competition — $40,000 pool, 2-week competition (April 3-17, 2025), now finished
• No active ongoing bug bounty program currently exists for Spectra Finance
• Historical APWine bug bounty on HackenProof — status unknown post-rebrand
• Not listed on SEAL Safe Harbor registry

Historical Track Record

• Production time: Spectra V2 live since early 2024 (~2 years); APWine V1 launched 2021 (~5 years total development)
• TVL: ~$40.69M across chains (Spectra V2), historically peaked ~$100M+ (August 2025)
• Token: SPECTRA (launched December 2024, replacing APW via SIP3), max supply 876.7M

Chain Deployments:

Chain	TVL
Hemi	$20.39M
Katana	$6.5M
Ethereum	$5.71M
Flare	$5.25M
Base	$1.12M
Arbitrum	$100K
Others (Avalanche, Sonic, BSC, OP)	Minimal

Security Incidents:

1. Router Exploit (July 23, 2024): 168 ETH (~$73K) lost. Arbitrary call vulnerability in the execute function's _dispatch handler allowed an attacker to drain tokens approved to the router via the KYBER_SWAP command type. 4 wallets affected. Core protocol was unaffected — only the router contract had the vulnerability. Post-mortem published.

2. APWine Critical Delegation Bug (pre-rebrand): Discovered by whitehat setuid0 via Immunefi before exploitation. Incorrect check in PT beforeTokenTransfer allowed bypassing delegation amount checks when burning tokens (since to == address(0)). Could have enabled yield theft after ~6 months. $100,000 bounty paid. Patched before any exploitation.

No concentration risk data available for the specific MetaVault (not yet deployed). Existing MetaVaults (Gami Spectra USDC on Base: $637K TVL, vbUSDC Katana: $905K TVL) are small-scale with limited depositor data.

Funds Management

Spectra itself does not custody or delegate funds — it provides a permissionless framework for yield tokenization. The actual fund flows depend on the MetaVault configuration and the underlying IBT used.

MetaVault Fund Flow

1. Users deposit underlying assets (e.g., USDC) into MetaVault (ERC-7540 asynchronous deposit)
2. MetaVault curator allocates to Spectra pools containing interest-bearing tokens (IBTs)
3. IBTs are split into PT + YT positions and deployed into Curve liquidity pools
4. Curator manages rollovers between expiring pools and new maturities
5. Yield compounds via "YT → LP Token" reinjection loop

Accessibility

MetaVault (ERC-7540 Asynchronous):

• Deposits: Request → Settle → Claim (three-step asynchronous flow)
• Redemptions: Request → Settle → Claim
• Not atomic — curator must batch-settle requests per epoch
• Settlement risk: If curator fails to prepare sufficient assets before settlement, users face delays

Spectra PT/YT (Direct, no MetaVault):

• Anyone can deposit IBTs to mint PT + YT (permissionless)
• Deposit and withdrawal are atomic (single transaction)
• Slippage protection available via minShares parameter
• Post-expiry: first caller triggers StoreRatesAtExpiry() which freezes final rates

Collateralization

PT Backing:

• PTs are fully backed by the deposited IBT
• 1 PT represents a claim on 1 unit of underlying at maturity
• Negative yield risk: If the underlying IBT loses value (e.g., vault exploit), the PT backing decreases proportionally. The ptRate can only decrease, never increase. _computeYield() reconciles losses fairly across all holders
• All collateral is verifiable onchain through the PrincipalToken contract

The quality of PT collateral depends entirely on the underlying IBT — Spectra is agnostic to what IBT is used. If the IBT comes from a risky vault, PTs inherit that risk. Risk assessment of the specific IBT should be done separately (see respective asset reports).

Provability

• All PT/YT balances and rates are onchain and programmatically computed
• ptRate and ibtRate are transparent contract state variables
• Exchange rates computed algorithmically — no privileged role updates
• Anyone can verify reserves by reading the PrincipalToken contract
• Revenue: 3% yield fee + 3% points fee to Spectra DAO treasury

Liquidity Riskx

Note: When the MetaVault is newly deployed and liquidity data will not be available initially. This section assesses structural liquidity characteristics rather than current depth.

Spectra PT Exit Mechanisms:

1. At maturity: Direct 1:1 redemption for underlying (minus any negative yield losses). This is a time-based exit guarantee
2. Before maturity: Market-based exit via Curve AMM pools — price depends on liquidity and time to maturity
3. MetaVault: Async redemption via ERC-7540 request → settle → claim flow

Structural Liquidity Considerations:

• PT liquidity depends on the depth of the specific Curve pool for that market
• New pools and new MetaVaults will start with limited liquidity
• MetaVault curator controls rollover timing — if poorly managed, liquidity gaps can occur between pool expirations
• MetaVault adds async withdrawal delay on top of any delay from the underlying IBT. If the underlying IBT also has async withdrawals, exits face compounded delays
• PT holders can always wait until maturity for 1:1 redemption (subject to negative yield risk)
• Same-value assets (e.g., USDC-denominated PTs) can tolerate longer exit times

Existing MetaVault Liquidity Data (for reference):

MetaVault	Chain	TVL	Curator
Gami Spectra USDC	Base	$637K	Gami Labs
vbUSDC Katana	Katana	$905K	Clearstar

Centralization & Control Risks

Governance

Spectra Protocol:

• Token: $SPECTRA with veSPECTRA for governance voting, gauge allocation, and fee sharing
• Core contracts use AMProxyAdmin and AMTransparentUpgradeableProxy — upgradeable
• AccessManager: 0x7EA3097E2AF59eA705398544e0f58EdDb7bd1852 — central authority controlling upgrade permissions via OpenZeppelin 5.0 AccessManager with 11 defined roles
• DAO Multisig: 0xDbbfc051D200438dd5847b093B22484B842de9E7 — Gnosis Safe v1.3.0, 3-of-5 threshold, holds UPGRADE_ROLE (role 1) without timelock
• Signers: 5 EOAs — 0x3152D7e6B0eE11F4F945376b269A65A6c883711F, 0x4B05aC062981D229e8a47DDeAf286eAf65FB4ee0, 0x54E939c5134F237510e1a21b0d42a00D70Ab8213, 0x01Aa68b18960109C34644362F9d619517f864489, 0xA7499Aa6464c078EeB940da2fc95C6aCd010c3Cc. Identities not publicly labeled on Etherscan. No modules or guard set on Safe
• Deployer removed: Original deployer (0x020d5ca8bd6451d4c44f784e594f02f352903e61) has been fully removed from all AccessManager roles — positive security practice
• Revenue sharing: 60% swap fees to veSPECTRA voters, 20% to LPs, 20% to Curve DAO
• Pool creation is permissionless — anyone can create a Spectra market for any ERC-4626 token

Spectra MetaVault Governance (Zodiac + Gnosis Safe):

Role	Responsibilities
Accountant	Share settlement, performance tracking, conversion rate adjustments
Curator	Portfolio strategy, capital allocation across Spectra markets, rebalancing
Guardian	Security oversight, transaction monitoring, operation verification, time-locked mechanisms

• Curators execute via execTransactionWithRole with strict constraints:
  • Token receivers restricted to the MetaVault's SAFE address
  • Actions limited to curator-enabled markets only
  • DelegateCall is NOT authorized
  • Time-locked actions require cooldown period
• ADMIN can disconnect all curator access modules immediately upon trigger events
• SAFE can pause/unpause the AsyncVault, blocking deposits/withdrawals

Programmability

Spectra Core:

• Fully programmatic — PT/YT minting, yield calculation, and rate computation are all onchain
• Exchange rates (ptRate, ibtRate) computed algorithmically
• No keeper or relayer dependencies for core protocol

MetaVault:

• Hybrid — automated smart contract logic + manual curator intervention for strategy decisions
• Curator decisions (pool allocation, rollover timing, pool creation) are manual
• Settlement of deposit/redemption epochs requires active curator action
• Guardian role provides time-locked oversight for sensitive operations

External Dependencies

Dependency	Criticality	Notes
Curve Finance	Critical	All PT/IBT trading via Curve AMM pools. Spectra uses CurveOracleLib for price data. Curve is battle-tested (since 2020)
ERC-4626 IBT protocols	Critical	Spectra markets depend on the security of the underlying vault protocol providing the IBT. If the IBT vault is exploited, PT holders face proportional losses (negative yield)
Oracles	Important	Spectra provides three oracle types (Deterministic, TWAP, Hybrid) following Chainlink AggregatorV3Interface. TWAP oracles derive from Curve's price_oracle() method

PT Tokens as Morpho Collateral

Context: The team plans to use Spectra PT tokens as collateral on Morpho markets.

PT Oracle Architecture for Lending Markets

Spectra provides three oracle types, all implementing Chainlink's AggregatorV3Interface:

1. Deterministic Oracles: Price PT against underlying using a model based on expected implied APY set at deployment. Price converges to par (1:1) at maturity. Deployed via SpectraPriceOracleFactory.

2. TWAP Oracles: Report exponential moving average of PT prices derived from Curve pool's price_oracle(). Native oracle manipulation protection from Curve. Two factory variants: TwapOracleFactoryNG (twocrypto-ng) and TwapOracleFactorySNG (stableswap-ng).

3. Hybrid Oracles (Recommended for lending): Combine TWAP accuracy with deterministic oracles as a lower bound. Provides enhanced robustness against price manipulation.

Existing Morpho PT Market Precedent

• PT-cUSD Morpho market — example of Spectra PT used as Morpho collateral

PT Collateral Risks

• Maturity mismatch: PT value at discount before maturity — if used as collateral, liquidation before maturity realizes a loss
• Negative yield risk: If underlying IBT loses value, PT backing decreases, potentially triggering liquidation
• Oracle manipulation: While hybrid oracles mitigate this, TWAP-based prices can lag during rapid market moves
• Liquidity risk for liquidators: PT liquidity on Curve may be insufficient for large liquidations, especially in new markets

Operational Risk

• Founders: Gaspard Peduzzi, Antoine Mouran, Jean Chambras — EPFL (Lausanne) graduates
• Team size: 4 co-founders + 5 full-time core contributors
• Development entity: Perspective SAS (French company)
• Funding: $1M seed (March 2021, led by Delphi Ventures with Spartan Group, DeFi Alliance, Rarestone Capital, angels including Julien Bouteloup and Marc Zeller) + $2.6M seed extension (November 2022, led by Greenfield Capital)
• History: Founded August 2020, originally as APWine Finance. Rebranded July 2023. ~5 years of continuous development
• Documentation: Comprehensive — separate docs for users, developers, and curators
• Known entities — doxxed team with public professional backgrounds
• Incident response: Published detailed post-mortem after the July 2024 router exploit within days. Paid $100K bounty for pre-rebrand critical bug

Monitoring

Key Contracts (Ethereum)

Contract	Address	Monitor
SPECTRA Token	0x6a89228055c7c28430692e342f149f37462b478b	Supply changes, transfers
DAO Multisig (3/5 Safe)	0xDbbfc051D200438dd5847b093B22484B842de9E7	Signer/threshold changes, upgrade transactions
AccessManager	0x7EA3097E2AF59eA705398544e0f58EdDb7bd1852	Role grants/revocations, target function changes
Registry	0x4973b53b300d64ab72147EFF8C9d962f6b1dA02e	Implementation upgrades, fee changes

MetaVault (not yet deployed on Ethereum mainnet):

Existing MetaVaults are on Base (Gami Spectra USDC) and Katana (vbUSDC). Once deployed on Ethereum, monitor:

Contract	Monitor
MetaVault SAFE	Signer changes, pauses, curator role changes
MetavaultWrapper	Epoch settlements, deposit/redemption queues
Curator Roles Module	Whitelisted actions, new market additions
Delay Module	Time-locked operations, guardian verifications

Critical Events to Monitor:

• MetaVault SAFE signer/threshold changes
• Curator role grants/revocations
• PT rate changes (ptRate decreases indicating negative yield)
• Large withdrawal requests queued in MetaVault epochs
• Curve pool liquidity changes for PT/IBT pairs
• Underlying IBT protocol incidents
• Spectra core contract upgrades (AMProxyAdmin changes)

Reassessment Triggers

• Time-based: Reassess in 6 months (August 2026)
• TVL-based: Reassess if protocol TVL changes by more than ±50%
• Incident-based: Reassess after any exploit affecting Spectra core or MetaVault contracts
• Governance-based: Reassess if core ProxyAdmin ownership changes or MetaVault governance structure is modified
• Bug bounty: Reassess if an active ongoing bug bounty is established (would improve score)
• Dependency-based: Reassess if Curve Finance experiences a significant security event

---

Appendix A: MetaVault Management Guide

This appendix covers how to manage a self-curated Spectra MetaVault, potential problems, and security risks.

MetaVault Architecture

The MetaVault consists of two core contracts:

1. MetavaultWrapper — ERC-7540 compliant asynchronous vault, the user-facing interface
2. AsyncVault (Amphor) — Underlying yield aggregation infrastructure

Governance uses Zodiac contracts attached to a Gnosis SAFE multisig with three roles:

Role	Key Actions	Risk Level
Accountant	Settlement execution, share price updates, conversion rate adjustments	High — incorrect rates directly impact all depositors
Curator	Pool allocation, rollover timing, yield compounding, market selection	High — poor decisions cause yield loss or asset stranding
Guardian	Transaction monitoring, time-lock verification, security oversight	Medium — delayed verification could allow harmful curator actions

Curator Whitelisted Operations

Curators execute via execTransactionWithRole through the Zodiac Roles module (source):

Immediate actions:

• Token approvals (only to approved contracts)
• PT operations: claimYield, redeem, deposit, withdraw (restricted to enabled markets, receivers = SAFE only)
• Liquidity zaps: addLiquidityWithWrap, removeLiquidity, redeemLiquidityUnderlying (enabled markets only)
• IBT functions: deposit, redeem on IBTs of enabled markets
• ERC4626 wrapper: wrap, unwrap operations via Spectra4626Wrapper (for non-compliant IBTs)

Time-locked actions (via Delay module):

• Submitted via delay module, executed after cooldown via executeNextTx
• DelegateCall is NOT authorized (only regular Call)

Critical constraint: Most functions restrict token receivers to the MetaVault's SAFE address — preventing fund extraction.

Key Management Risks

1. Settlement Risk

Problem: Curator fails to prepare the SAFE with sufficient assets before epoch settlement. Impact: Users unable to claim deposits or redemptions, creating trust issues and potential panic. Mitigation: Establish automated monitoring of pending epochs and asset balances. Set calendar reminders for settlement windows.

2. Rollover Risk

Problem: When a Spectra pool expires, the curator must move assets to a new maturity pool. Delays leave assets idle (no yield) or stranded. Impact: Yield loss during transition periods. If no suitable new pool exists, assets may need to be returned to depositors. Mitigation: Pre-deploy new pools before current ones expire. Maintain a rollover schedule with buffer time.

3. Pool Selection Risk

Problem: Curator selects a pool with an underlying IBT that experiences negative yield (e.g., vault exploit). Impact: PT backing decreases proportionally — MetaVault depositors suffer losses. Mitigation: Only allocate to well-audited, established IBTs. Monitor underlying vault health continuously. Diversify across multiple IBTs/pools.

4. Yield Compounding Complexity

Problem: The "YT → LP Token" reinjection loop involves multiple steps that must be executed correctly. Impact: Failed compounding reduces effective yield. Incorrect execution could result in asset loss. Mitigation: Test compounding steps on small amounts first. Establish clear operational procedures.

5. Oracle/Pricing Risk (for Morpho collateral use)

Problem: PT oracle prices lag market reality during rapid moves, or deterministic oracle assumptions diverge from actual market pricing. Impact: If using PT as Morpho collateral, oracle lag could delay liquidation triggers or cause premature liquidations. Mitigation: Use hybrid oracles (TWAP + deterministic lower bound). Monitor oracle deviation from market prices. Set conservative LTV ratios on Morpho markets.

6. Pause/Emergency Risk

Problem: SAFE has the ability to pause/unpause the AsyncVault. Impact: Pausing blocks all deposits and withdrawals — users are locked in. Mitigation: Establish clear pause criteria documented in advance. Require multi-party approval for pause actions. Communicate pause events immediately to depositors.

7. Curator Key Compromise

Problem: If curator signing keys are compromised, an attacker can execute whitelisted actions within the constraint set. Impact: While receiver restrictions limit extraction, an attacker could still cause economic harm through poor allocation decisions (e.g., depositing into a manipulated pool). Mitigation: Use hardware wallets for all signers. Implement guardian time-locks for sensitive operations. ADMIN should monitor for anomalous curator activity and revoke access immediately if compromise is suspected.

Operational Checklist

1. Daily: Check pending deposit/redemption requests, monitor underlying IBT rates, verify no negative yield events
2. Per epoch: Settle pending requests, ensure SAFE has sufficient assets
3. Per pool expiry: Execute rollover to new maturity pool, verify new pool liquidity
4. Weekly: Review yield performance, compound YT positions into LP tokens
5. Monthly: Review overall strategy allocation, assess underlying protocol health
6. On alert: Respond to negative yield events, pause if necessary, communicate to depositors

Appendix B: PT Token Oracle Details for Morpho Integration

Oracle Types Available

Oracle Type	Mechanism	Best For	Manipulation Resistance
Deterministic	Model-based pricing converging to par at maturity	Stable, predictable pricing	High — independent of market price
TWAP	Exponential moving average from Curve pool	Lending market reference	Medium — manipulation requires sustained pool impact
Hybrid	TWAP with deterministic lower bound	Lending collateral (recommended)	High — combines both protections

Technical Implementation

• All oracles implement Chainlink's AggregatorV3Interface (latestRoundData(), getRoundData())
• 12 distinct feed contracts: 3 asset types (PT, YT, LP) × 2 quote assets (IBT, underlying) × 2 AMM variants
• CurveOracleLib invokes Curve pool's price_oracle() for TWAP data
• Deployed via factory contracts: SpectraPriceOracleFactory, TwapOracleFactoryNG, TwapOracleFactorySNG

Key Considerations for Morpho Market Creation

1. Oracle selection: Use Hybrid oracle for maximum manipulation resistance
2. LTV ratio: Set conservatively given PT price volatility before maturity and negative yield risk
3. Liquidation parameters: Ensure sufficient Curve pool liquidity for liquidator exits
4. Maturity alignment: Match Morpho market duration with PT maturity to avoid forced pre-maturity liquidations
5. Post-expiry handling: Monitor for StoreRatesAtExpiry() call — rates must be frozen for accurate post-expiry pricing