Risks, Security, Audits
This page explains how we think about security. It is written for all readers (users, investors, institutions, and developers). Before reading this section, it is important to understand:
- Smart contracts are immutable once deployed; transactions are irreversible.
- DeFi involves market, protocol, and operational risks. Losses are possible.
- Nothing here is investment advice. Yields are variable and not guaranteed.
Our Security Principles
- Minimize avoidable risk. Prefer simple, battle‑tested patterns and conservative assumptions over yield‑chasing or complexity.
- Least privilege & separation of duties. Use role‑based access, multisig guardianship, and timelocks where appropriate.
- Defense in depth. Multiple layers: audits, monitoring, pausing/guardians, circuit breakers, parameter caps, and incident runbooks.
- Transparency. Publish parameters, addresses, audit reports, and incident post‑mortems.
- No surprise dependencies. Limit external protocol reliance; avoid leverage and bridging in the backing capital allocation for the PCA by default.
General DeFi Risks
1) Smart Contract Risk
Bugs or logic errors can lead to loss of funds, frozen assets, or unintended behavior. Even audited code can contain undiscovered issues.
What we do: smart contract risk
- Multiple internal reviews and external audits before enabling capital‑bearing features.
- Gradual launch with caps/whitelists where prudent.
- Continuous monitoring and formal incident runbooks.
2) Market, Liquidity & Volatility Risk
On‑chain markets can move quickly; liquidity can disappear in stress. This affects pricing, collateral health, liquidations, and exit timing.
What we do: market, liquidity & volatility risk
- Conservative risk parameters and dynamic mechanisms in the broader product suite (e.g., snapshot LTVs, soft liquidations, time‑slicing).
- Emphasis on unwind‑friendly positions for treasury and backing capital.
3) Price Discovery, MEV & Economic Attack Risk
Front‑running, sandwich attacks, and flash‑loan‑driven manipulations can harm users and LPs if not mitigated. External oracle feeds can lag or be manipulated.
What we do: price discovery & MEV risk
- Depth‑aware pricing metrics in trading products; guardrails and regime detection.
- Reduce reliance on external oracles where design allows; if used, apply cross‑checks and conservative thresholds.
4) Third‑Party & Integration Risk
When capital is deployed to external venues (lending, staking, LSTs), those venues have their own contracts, validators, and operational risks.
What we do: third-party & integration risk
- Use established, liquid venues for conservative yield.
- Avoid leverage and bridging in the backing capital allocation.
- Diversify and size exposures with caps and stress assumptions.
5) User Operational Risk
Key loss, phishing, malicious approvals, wrong addresses/URLs, and wallet compromises are common causes of loss.
What you can do
- Use hardware wallets; verify URLs and contract addresses.
- Review token approvals; start small; simulate transactions when possible.
Security Controls & Operational Safeguards
- Roles & Multisig. Sensitive functions gated by multisig; roles separated (Configurator, Treasury, Strategy Manager, etc.).
- Parameter Caps. Per‑asset/venue caps and whitelists; snapshot LTVs where relevant.
- No Leverage / No Bridging (backing capital). Backing capital allocation avoids leverage and bridging by default for unwind simplicity.
- Transparency. Publish contract addresses, ABIs, parameters, and post‑mortems where applicable.
Incident Response (Overview)
- Detect & Verify. Monitoring alerts; reproduce on a fork; classify severity.
- Contain. Pause/circuit breakers; parameter throttles; multisig actions.
- Remediate. Hotfixes via audited patterns; re‑audit if code changes.
- Communicate. Timely, factual updates; impact and user guidance.
- Post‑Mortem. Public root‑cause analysis and long‑term fixes.
What Users Can Do
- Verify URLs and contract addresses; never trust DMs.
- Use hardware wallets and limit approvals to trusted contracts.
- Start with smaller allocations and scale only after you are comfortable with the flow.
- Monitor your allowances and revoke unused approvals.
- Understand the differences between Hold, Exit, and Withdraw in the Perpetual PUT.