Nov 12, 2024
YieldNest is currently developing ERC-4626 compatible vaults denominated in major base assets such as ETH, BTC, and USD. The vaults will accept a variety of underlying derivative assets, including stETH, mETH, oETH, USDS, and slisBNB. A set of strategies will be employed to handle the deposits and allocate them to selected DeFi protocols like EigenLayer, Symbiotic, Aave, etc.
To support YieldNest’s commitment to designing secure and resilient vaults, we present here a comprehensive mapping of the various risks inherent in this architecture. A thorough understanding of these threats is essential for crafting vaults that effectively mitigate risks while prioritizing user protection.
I. Vault Risk
Inflation Attacks
Inflation attacks occur when an attacker exploits vulnerabilities in the vault’s share issuance mechanism to mint more shares than they are legitimately entitled to. The share calculation mechanism of the vault is critical because it ensures that each user’s share accurately reflects their contribution relative to the total assets.
If this mechanism is improperly designed or lacks sufficient safeguards, an attacker might manipulate it to create an excessive number of shares without depositing the equivalent value of assets.
Reentrancy Attacks
In the context of a vault, reentrancy attacks typically involve malicious contracts exploiting functions that interact with external contracts, such as token transfers or protocol interactions.
Logic Errors
Flaws in the code that cause the contract to behave incorrectly or unexpectedly. In a vault, critical functions like deposit, withdrawal, and allocation of assets must operate flawlessly to ensure the security and correctness of user funds. Allocation logic errors can misdirect funds to incorrect strategies or addresses, potentially losing assets or exposing them to additional risks. Logic errors can also lead to situations where funds become locked in the contract, inaccessible to users.
Strategy complexity
Each additional strategy introduces its own set of risks and complexities. The overall vault risk increases with the number of strategies due to several factors:
Complex interactions: More strategies mean more contracts interacting with each other, increasing the likelihood of unforeseen interactions or conflicts between strategies.
Increased attack surface: Each strategy may interact with different external protocols, each with its own vulnerabilities. This broadens the attack surface, making it more difficult to secure the entire system.
Operational overhead: Managing multiple strategies requires more sophisticated monitoring and management systems to detect and respond to issues promptly.
Coprocessor Dependencies
The integration of a coprocessor into the vault’s architecture introduces a layer of dependency that carries inherent risks associated with entrusting critical functions to an external entity. Delegating essential accounting responsibilities to the coprocessor introduces counterparty risk. The vault’s accurate functioning becomes contingent upon the coprocessor’s reliability, integrity, and performance. Delays in processing transactions or updating records can result in discrepancies between the actual and reported states of the vault, affecting users’ ability to make informed decisions. If compromised, either through external attacks or internal malfeasance, the coprocessor could intentionally manipulate data to benefit certain parties at the expense of others.
II. Strategy Risk
Protocol Vulnerabilities
Strategies within a vault often involve interacting with external protocols to generate returns. If a strategy integrates with a protocol that is compromised or contains vulnerabilities, the funds allocated to that strategy are at risk. Vulnerabilities in external protocols can include coding errors, flawed logic, lack of proper access controls, or governance exploits.
Even if the external protocol is secure, it may have administrative keys or privileged roles that, if compromised, could lead to malicious actions. The vault’s reliance on external protocols thus introduces dependencies that are outside of its direct control, increasing the overall risk.
Changes in External Protocols
DeFi protocols are dynamic and may undergo upgrades, parameter changes, or governance decisions that can affect how they operate. These changes might introduce new features, fix bugs, or alter existing functionalities. While upgrades aim to improve the protocol, they can also introduce incompatibilities or new vulnerabilities.
Liquidity Risks
Sudden changes in liquidity pools can occur due to market volatility, large trades, or shifts in user behavior. These changes can impact strategies in several ways:
Slippage: When executing large trades in a low-liquidity environment, the price received can differ significantly from the expected price, resulting in losses.
Inability to execute trades: Strategies may fail to enter or exit positions if there isn’t enough liquidity, leading to missed opportunities or inability to mitigate risks.
Price impact: Large trades can move the market price against the strategy, causing unfavorable execution.
Liquidity risks are particularly acute in times of market stress when many participants may be trying to exit positions simultaneously, exacerbating the lack of liquidity.
Lending Protocols Exposure
Strategies frequently use lending protocols to generate yield. The highest yielding are usually associated with high utilization ratios, which may cause issues. These include:
Withdrawal Delays or Failures: If too many assets are borrowed, lenders may be unable to withdraw their funds until borrowers repay their loans.
Interest Rate Volatility: High utilization can lead to increased interest rates, which can affect the strategy’s returns.
Undercollateralization: If the collateral provided by borrowers decreases in value (e.g., due to a market downturn), and the protocol’s liquidation mechanisms fail to respond effectively, lenders may face losses.
In extreme cases, systemic failures in the lending protocol can lead to a loss of assets for all participants, including those invested through the vault’s strategies.
Leverage Exposure
Risks associated with leverage exposure include:
Forced Liquidations: Rapid price declines can trigger liquidations, resulting in losses and possible penalties or fees.
Slippage and Market Impact: Liquidations can lead to large sell orders, causing additional downward pressure on prices and increasing losses.
Failed Liquidations: In volatile or illiquid markets, liquidation mechanisms may fail to execute promptly, leading to greater losses.
Additionally, if the liquidations are not correctly processed due to technical issues or network congestion, the vault may incur unexpected losses beyond the initial collateral.
Restaking Protocols Exposure
The exposure to restaking protocols introduces multifaceted strategic risks to investment strategies built on top of them. The complexities associated with deposit conditions and stake delegation can affect liquidity, operational flexibility, and risk concentration. Withdrawal limitations can lock assets for extended periods, exposing them to ongoing risks without the possibility of timely mitigation or redeployment. The variability and potential opacity of slashing policies can create uncertainties that complicate risk assessment and management. While the slashing modularity offered by some protocols can help isolate and manage risks more effectively, it also requires stakers to thoroughly understand the terms and potential implications of each vault’s slashing policies. Stakers should be aware that they remain exposed to slashing and market risks during any dispute or arbitration period without necessarily receiving compensation, which can result in financial losses.
Impermanent Loss
Impermanent loss can result in the value of the liquidity provider’s assets being less than if they had simply held the assets outside the liquidity pool. Even with the addition of trading fees earned from the pool, the total return may be negative compared to holding. Strategies that involve providing liquidity to AMMs must consider the impact of impermanent loss, especially when dealing with volatile asset pairs.
Risk of Artificial Yield Sources
Strategies that depend on unclear yield sources—such as points accrual systems, reward tokens, or anticipated future airdrops—are susceptible to significant risks that can dilute or erode profitability. These yield sources often lack intrinsic value and rely on the promise of future benefits that may not materialize as expected. The accrual of points or rewards is typically contingent on specific conditions set by the issuing platform, which can change unilaterally, reducing or nullifying the anticipated returns. Dependence on such artificial incentives exposes strategies to volatility and unpredictability, making them vulnerable to shifts in market sentiment, regulatory changes, or alterations in the reward mechanisms.
III. Asset Risk
Token Type
Token types pose the risk of vulnerabilities such as:
Smart contract errors can lead to exploits such as unlimited minting, freezing of transfers, or theft of funds.
Assets with centralized control or administrative privileges can be subject to abuse if the controlling parties act maliciously or are compromised.
New or obscure tokens may not have undergone thorough security audits, increasing the risk of undiscovered vulnerabilities.
Tokens may be subject to legal actions if they are deemed to violate securities laws or other regulations, impacting their value and liquidity.
These risks are inherited when respective tokens are included in a vault strategy.
Token Design
Tokens with special mechanics, such as rebasing tokens, deflationary tokens, or those with transfer fees, present additional complexities in managing and accounting within a vault. If the vault’s smart contracts are not designed to handle these unique behaviors, it can lead to incorrect balance calculations, unexpected losses, or vulnerabilities.
Tokens implemented using proxy patterns can have their underlying logic upgraded or changed. If these changes are not controlled through mechanisms like timelocks or decentralized governance, there is a risk of malicious upgrades or unpredictable changes disrupting vault strategies. The lack of hardcoded limits or secure governance processes increases uncertainty and the potential for adverse outcomes, making such tokens riskier to include in vault strategies.
Token Liquidity
Tokens with low liquidity pose significant risks for strategies that require buying, selling, or swapping assets. Low liquidity can lead to high slippage or difficulties in exiting positions. Under these circumstances it is also easier for attackers to manipulate the token’s price, potentially exploiting the vault’s strategies.
Restaking protocols or novel crypto assets may have particularly low liquidity. Strategies involving such tokens must carefully consider the risks of liquidity constraints and their impact on the vault’s operations.
Tokens with adjustable emission rates without backstop pose a risk of inflation. If the token’s supply can be increased arbitrarily, it can dilute the value of existing holdings.
Liquid Staking Tokens (LSTs)
LSTs introduce a wide array of risks rooted in the specific LST design. Although they cannot be generalized for all tokens of this type, the main ones are:
Slashing Risk: Validators can be penalized (slashed) for misbehavior, resulting in the loss of staked assets. This loss is reflected in the value of the LSTs.
Price Discount: LSTs may trade at a discount to the underlying staked asset due to factors like liquidity preferences, perceived risks, or limitations on redeemability.
Smart Contract Risks: The contracts managing LSTs may have vulnerabilities that can be exploited, leading to loss of funds.
Technical Risks: Issues with the staking protocol itself, such as bugs or consensus failures, can impact the value and security of LSTs.
Adoption Risks: Limited acceptance of LSTs across platforms reduces their utility and liquidity, potentially leading to price volatility and difficulty in executing strategies.
Including LSTs in vault strategies requires careful consideration of these risks, as they can significantly impact the performance and safety of the vault.
Oracle Dependencies
Vaults may rely on oracles to determine asset valuations, calculate share prices, or trigger certain actions within strategies. At the same time, oracles represent an attack surface for various manipulation tactics some of which can be severe. The vault may misprice assets, leading to erroneous share calculations. Manipulated prices can trigger unwarranted liquidations or prevent necessary ones. Attackers can profit from discrepancies between manipulated oracle data and real market prices.
Oracle dependencies warrant a thorough evaluation as they can undermine the integrity of the vault’s operations and can lead to significant financial losses.
IV. Operational Risk
Misallocation of Funds
Errors in the allocation logic or execution processes pose a significant threat. This can occur when assets are mistakenly sent to incorrect or malicious addresses because of code vulnerabilities, incorrect parameter inputs, or flaws in transaction execution sequences. Such misallocations can lead to irrecoverable losses, especially if funds are sent to addresses that are inaccessible or controlled by attackers. The complexity of smart contracts and the intricacies involved in managing multiple strategies amplify the likelihood of such errors, necessitating rigorous testing and validation of all fund allocation mechanisms.
Privilege Abuse
Administrators or managers with elevated permissions have significant control over the vault’s functions and assets. If their access is misused—either intentionally or due to compromised credentials—it can lead to unauthorized actions that harm the vault and its users. This includes the potential for insiders to manipulate parameters, execute unauthorized transactions, or disable security features. The concentration of power in privileged roles creates a single point of failure, making the vault vulnerable to internal threats.
Emergency Situations
Emergency situations present additional operational challenges, particularly if the vault lacks mechanisms to respond effectively to security incidents, market anomalies, or other unforeseen events. In times of crisis, delays or inability to withdraw assets can exacerbate losses and erode user trust. Without emergency withdrawal functionalities or the ability to pause certain operations, the vault may be unable to accommodate these needs, leaving users exposed to further risk.
Closing
This piece has identified numerous sources of risk that vault-based architecture may present. Developers designing DeFi protocols using these to achieve their aims should be mindful of all of the above listed when they reach the implementation phase. It is important to remember that DeFi grows in complexity with each day, meaning that your vault system may face a risk not identified here. All the same, this risk mapping outlays a productive starting point.
Sources:
https://www.arkhamintelligence.com/research/defi-yield-farming-beginners
https://medium.com/@andreysokolow2025/defi-yield-farming-methods-and-risks-f0034a0cb96b
https://mixbytes.io/blog/yield-aggregators-common-pitfalls
https://exponential.fi/blog/how-defi-yield-aggregators-work
https://medium.com/iearn/yearn-strategies-case-study-lido-staked-eth-d21b2a57f79c