This directory contains all security audit reports for the Blend protocol. Blend is committed to the highest standards of security, and the protocol has undergone multiple independent security audits by reputable firms to ensure the safety and reliability of the codebase.
All audit reports are publicly available and can be found in this directory.
- Auditor: Cantina
- Date: August 10, 2025
- File: blend-25-08-10-0-cantinacode.pdf
- Scope: Core protocol contracts, architecture, and smart contract security
- Result: No critical or high-risk vulnerabilities identified
- Auditor: Cantina (Sujith Somraaj)
- Date: September 29, 2025
- File: blend-25-09-29-0-cantinacode.pdf
- Scope: Intent Engine contract improvements (PR 47, 48, 49)
- Result: No critical, high, medium, or low severity issues
- Auditor: Cantina (Rvierdiiev)
- Date: September 29, 2025
- File: blend-25-09-29-1-cantinacode.pdf
- Scope: Cross-chain infrastructure, `AcrossXChainAdapter` and `SwapAdapter` (PR 62)
- Result: No critical, high, or medium severity issues
- Auditor: Zellic
- Date: October 2, 2025
- File: blend-25-10-02-0-zellic.pdf
- Scope: Swap adapter implementations and temporal access controls (PR 68)
- Result: No critical, high, medium, or low severity issues
- Auditor: Cantina (Sujith Somraaj)
- Date: October 5, 2025
- File: blend-25-10-05-0-cantinacode.pdf
- Scope: Swap adapter enhancements and multi-hop swap functionality (PR 69)
- Result: No critical, high, or medium severity issues
- Auditor: Cantina (Sujith Somraaj)
- Date: October 10, 2025
- File: blend-25-10-10-0-cantinacode.pdf
- Scope: Rate limiting enhancements in Strategy Manager contract (PR 80)
- Result: No critical, high, medium, or low severity issues
- Auditor: Sherlock (PUSHO)
- Date: November 27-28, 2025
- File: blend-25-12-05-0-sherlock.pdf
- Scope: Swap adapter implementations (`SwapAdapter.sol` and `PriceLib.sol`)
- Result: 2 Low/Info issues identified and resolved (token sweeping functionality and code comment fixes)
- Auditor: Sherlock (eeyore, montecristo)
- Date: January 12-15, 2026
- File: blend-26-01-22-0-sherlock.pdf
- Scope: Ostium vault controllers integration and Morpho Bundler3 adapter compatibility (`OstiumVaultController.sol`, `SwapAdapter.sol`, `VaultToVaultAction.sol`, `BalanceReplacementAdapter.sol`)
- Result: 2 Medium, 17 Low/Info issues identified and resolved (rebalance validation logic, pending order management, swap adapter improvements)
- Auditor: Sherlock (oot2k, thekmj)
- Date: March 3-5, 2026
- File: blend-26-03-10-0.sherlock.pdf
- Scope: Cross-chain infrastructure updates covering `AcrossXChainAdapter.sol`, `CCTPXChainAdapter.sol`, `XChainVaultAction.sol`, `BlendSafeFactory.sol`, `MorphoVaultLib.sol`, and `PriceLib.sol`
- Result: 5 Low/Info issues identified, with 3 resolved and 2 acknowledged (CCTP finality threshold, executor-controlled slippage assumptions, pragma consistency, adapter dust invariant, and `PriceLib.normalize()` cleanup)
Audit reports follow the naming pattern: `blend-YY-MM-DD-N-auditor.pdf`
- `YY-MM-DD`: Date of the audit report
- `N`: Sequential number for audits on the same date (0, 1, 2, etc.)
- `auditor`: Name of the auditing firm (e.g., `cantinacode`, `zellic`)
Across all audits, Blend has demonstrated:
- ✅ Zero critical vulnerabilities
- ✅ Zero high-risk vulnerabilities
- ✅ Zero medium-risk vulnerabilities in published reports
- ✅ Prompt remediation or acknowledgement of identified Low/Info findings
- ✅ Mature and well-maintained codebase
- ✅ Strong security posture across all protocol components
For more detailed information about each audit, including key findings and areas reviewed, please see:
- Documentation: https://docs.blend.money/resources/audits
- Public Website: The audits page on the Blend documentation site
For questions about security audits or to report security issues, please contact the Blend team through the appropriate security channels.