How Does Superform Work?
Superform is a cross-chain yield aggregator that lets users access 800+ earning opportunities across 70+ protocols on 8+ networks through a single interface. Backed by VanEck Ventures with $3M raised, it offers automated SuperVaults and cross-chain deposits. Its B- grade reflects proven yield aggregation patterns with moderate risk from the large number of integrated protocols and cross-chain bridge dependencies.
TVL: $31M
Sector: Yield
Risk Grade: B-
Value Grade: D
Core Mechanisms
2.3.3 [Novel] SuperVaults: automated yield optimization with a dual Merkle proof hook validation system
Dual Merkle tree validation for permissionless hook execution in yield vaults is a novel security approach: a global root managed by governance plus a strategy root managed by strategists. A Merkle proof only establishes that a hook is on an allowlist; it says nothing about what the hook does once it runs.
8.1.3 SuperBundler: cross-chain deposit routing across 8+ networks with a single signature
Cross-chain aggregation using message-passing bridges is an established pattern. The single-signature UX is a convenience layer; it does not change which bridges hold the user's funds in transit.
2.1.2 Performance-based fees on yield generated through SuperVault strategies
Standard yield aggregator fee model.
5.1.1 UP token governance for global Merkle root management and protocol parameters
Standard token-weighted governance.
2.3.1 ERC-4626 vault standard adapter for a unified vault interface across 800+ integrated vaults
Standard ERC-4626 compliance enables permissionless vault integration; Superform wraps non-compliant vaults via adapters.
How the Pieces Interact
SuperVaults deposit into underlying vaults through hooks. A compromised or exploited underlying vault drains whatever SuperVault capital sits in it, and permissionless vault listing widens the pool of vaults that could turn out to be malicious.
Cross-chain deposits route through multiple bridge protocols. Funds in transit are held by the bridge, outside both Superform's and the user's control, so a bridge exploit during a cross-chain deposit could result in lost funds with no recourse for the user.
Strategists manage their own Merkle root for vault-specific hooks. A compromised strategist could approve malicious hooks for their specific vault, bypassing the global governance root.
Permissionless vault listing means any vault can be added without governance approval. Malicious or poorly-coded vaults could be listed, and users must trust that the hook validation catches malicious behavior, even though Merkle validation is a membership check on an allowlist rather than an assessment of what the hook or the vault actually does.
What Could Go Wrong
- Superform aggregates yield across 800+ vaults and 70+ protocols on 8+ chains, creating a massive cross-chain attack surface. A vulnerability in any integrated vault or bridge adapter could expose Superform users to losses even if Superform's own contracts are secure.
- Cross-chain deposits via SuperBundler execute through multiple bridge and DEX integrations. Bridge exploits are the highest-risk attack vector in DeFi, and Superform's multi-bridge architecture multiplies the exposure surface.
- SuperVaults use a Merkle proof-based hook validation system for strategy execution. While audited, the dual Merkle tree approach (global root for governance, strategy root for strategists) introduces complexity that increases the potential for subtle validation bugs.
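The dual-root pattern described above and in the strategist scenario, shown as an added example that is not Superform's code. It builds two Merkle allowlists of (target contract, function selector) hook leaves, one for governance and one for a strategist, and compares the two ways the roots can be combined: requiring a proof against both roots, or accepting a proof against either. Assumptions: sha256 stands in for keccak256, the leaf and node encodings are constructed for the example, the addresses are constructed, and the selectors are the standard ERC-4626 and ERC-20 ones.

```python
import hashlib
from typing import Dict, List, Tuple

# Added illustration of a dual-root Merkle allowlist for vault hooks. Constructed
# example code, not Superform's implementation. Assumptions: sha256 in place of
# keccak256, a leaf is (target address, 4-byte selector), and the two policies
# in hook_allowed() are the two obvious ways to combine a global and a strategy root.


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hook_leaf(target: str, selector_hex: str) -> bytes:
    """Leaf committing to one permitted call: target contract + function selector.
    The 0x00 prefix domain-separates leaves from inner nodes (second-preimage guard)."""
    return _hash(b"\x00" + target.lower().encode() + bytes.fromhex(selector_hex))


def _parent(a: bytes, b: bytes) -> bytes:
    """Sorted-pair hashing, so a proof carries no left/right position flags."""
    lo, hi = sorted((a, b))
    return _hash(b"\x01" + lo + hi)


def build_tree(leaves: List[bytes]) -> Tuple[bytes, Dict[bytes, List[bytes]]]:
    """Return (root, proofs); proofs[leaf] is the sibling path from that leaf to the root."""
    if not leaves:
        raise ValueError("empty allowlist")
    level = sorted(set(leaves))
    proofs: Dict[bytes, List[bytes]] = {lf: [] for lf in level}
    under: Dict[bytes, List[bytes]] = {lf: [lf] for lf in level}  # leaves below each node
    while len(level) > 1:
        nxt: List[bytes] = []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):          # odd node out: carried up unchanged
                nxt.append(level[i])
                continue
            a, b = level[i], level[i + 1]
            for lf in under[a]:
                proofs[lf].append(b)
            for lf in under[b]:
                proofs[lf].append(a)
            p = _parent(a, b)
            under[p] = under[a] + under[b]
            nxt.append(p)
        level = nxt
    return level[0], proofs


def verify(root: bytes, leaf: bytes, proof: List[bytes]) -> bool:
    """Membership check: fold the leaf up through its siblings and compare to the root."""
    node = leaf
    for sibling in proof:
        node = _parent(node, sibling)
    return node == root


def hook_allowed(global_root: bytes, strategy_root: bytes, leaf: bytes,
                 global_proof: List[bytes], strategy_proof: List[bytes],
                 require_both: bool = True) -> bool:
    """require_both=True: a hook must be in BOTH trees, so a strategist can only
    narrow what governance allowed. require_both=False: EITHER root suffices, so a
    strategy root alone can authorise a call that governance never listed."""
    in_global = verify(global_root, leaf, global_proof)
    in_strategy = verify(strategy_root, leaf, strategy_proof)
    return (in_global and in_strategy) if require_both else (in_global or in_strategy)


# Constructed addresses for the scenario (not real deployments); standard selectors.
VAULT_A = "0x" + "a1" * 20
VAULT_B = "0x" + "b2" * 20
TOKEN = "0x" + "c3" * 20
DEPOSIT = "6e553f65"     # ERC-4626 deposit(uint256,address)
WITHDRAW = "b460af94"    # ERC-4626 withdraw(uint256,address,address)
TRANSFER = "a9059cbb"    # ERC-20 transfer(address,uint256): the drain primitive


def compromised_strategist_scenario() -> Dict[str, bool]:
    """Governance lists deposit/withdraw on two vaults; a compromised strategist
    publishes a strategy root that also lists a raw token transfer."""
    governance_leaves = [hook_leaf(VAULT_A, DEPOSIT), hook_leaf(VAULT_A, WITHDRAW),
                         hook_leaf(VAULT_B, DEPOSIT), hook_leaf(VAULT_B, WITHDRAW)]
    honest = hook_leaf(VAULT_A, DEPOSIT)
    malicious = hook_leaf(TOKEN, TRANSFER)
    g_root, g_proofs = build_tree(governance_leaves)
    s_root, s_proofs = build_tree([honest, hook_leaf(VAULT_A, WITHDRAW), malicious])

    def check(leaf: bytes, require_both: bool) -> bool:
        # A leaf absent from a tree has no proof; an empty proof verifies only if leaf == root.
        return hook_allowed(g_root, s_root, leaf,
                            g_proofs.get(leaf, []), s_proofs.get(leaf, []), require_both)

    return {
        "honest_hook_both_roots": check(honest, True),
        "malicious_hook_either_root": check(malicious, False),   # drain goes through
        "malicious_hook_both_roots": check(malicious, True),     # blocked by global root
        "malicious_with_borrowed_proof": verify(g_root, malicious, g_proofs[honest]),
    }


if __name__ == "__main__":
    for name, ok in compromised_strategist_scenario().items():
        print(f"{name}: {ok}")
```

The scenario makes the design choice concrete: under the either-root policy the strategist's tree alone authorises the transfer hook, which is the bypass the strategist bullet above describes, whereas under the both-roots policy the global root still has to contain the leaf. Which policy a real deployment uses is not stated on this page and would have to be read from the contracts.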
Underlying Vault Exploit Draining SuperVault Deposits
Severity: Moderate
Trigger: An integrated vault among the 800+ listed on Superform is exploited, draining SuperVault funds deposited via approved hooks
1. A vault integrated with Superform (one of the 800+ available) is exploited via a smart contract vulnerability: all SuperVault capital deposited into that vault via hooks is drained by the attacker.
2. Superform's non-custodial, non-upgradeable contracts cannot recover funds or pause hooks post-deployment: the loss is permanent for affected SuperVault depositors; other vaults remain unaffected.
3. Trust in Superform's vault curation deteriorates despite the exploit being in an external protocol: users withdraw from SuperVaults broadly, reducing TVL across all strategies.
4. Reduced TVL makes strategy performance less attractive: the protocol enters a negative growth cycle, and revenue drops below operational sustainability.
Risk Profile at a Glance
Overall: B- (31/100)
Lower score = safer