Risks

What is it?

Smart contracts are code deployed on the blockchain. If there are bugs, vulnerabilities, or design flaws in the code, attackers may be able to exploit them to steal funds or disrupt the protocol.

ZenSats Contracts

The ZenSats protocol consists of multiple contracts:

• Zenji vault contract (core logic)
• Loan manager implementations (Aave, LlamaLend)
• Yield strategy implementations (IPOR)
• Swapper contracts (Curve integration)
• View helper and tracker contracts

Each of these contracts could potentially contain vulnerabilities that lead to loss of funds.

Mitigation

• Contracts are open source and can be reviewed by anyone
• Code follows industry best practices (OpenZeppelin libraries, etc.)
• Extensive testing and simulation before deployment
• Conservative design (no flash loans, no exotic mechanisms)

Note: The contracts have not yet undergone a formal third-party security audit. Use at your own risk.

Possible Impact

⚠️ Complete loss of all deposited funds

What is it?

If your collateral's price falls rapidly, the loan-to-value (LTV) ratio increases. If LTV exceeds the liquidation threshold (typically ~80-90% on lending protocols), the position can be liquidated at a penalty.

Example Scenario

Mitigation

• Conservative target LTV (65-70%) provides ~25-30% buffer before liquidation
• Automated rebalancing reduces LTV when it drifts too high
• Deadband system (±3%) triggers early rebalancing
• Permissionless rebalancing allows anyone to trigger if needed
• Emergency mode owner can activate to unwind positions

Residual Risk

Despite protections, liquidation can still occur if:

• Collateral crashes faster than rebalancing can execute
• Gas prices spike, making rebalancing transactions fail
• Oracle prices lag real market prices
• Rebalancing keepers are offline or don't act in time

Possible Impact

⚠️ 10-50% loss of deposited value (liquidation penalty + slippage)

What is it?

The protocol uses multiple pegged assets that are supposed to maintain 1:1 value with their reference asset:

• WBTC: Wrapped Bitcoin (should = 1 BTC)
• wstETH: Wrapped staked ETH (should track ETH staking value)
• USDT: Tether stablecoin (should = $1 USD)
• crvUSD: Curve USD stablecoin (should = $1 USD)

If any of these assets lose their peg, the carry trade economics break down.

Collateral Wrapper Risk

USDT Depeg Scenarios

The vault borrows USDT, so if USDT depegs downward, your debt is worth less (actually beneficial). But if it depegs upward or becomes illiquid, exiting positions becomes difficult.

crvUSD Depeg Scenarios

Since crvUSD is used in the yield strategy, a depeg means strategy holdings are worth less than expected.

Mitigation

• Vault can be put in idle mode to stop new deployments
• Emergency mode allows full unwinding if depeg is severe
• Multiple stablecoin options (USDT, crvUSD) diversify risk
• Future strategies may use different pegged assets

Possible Impact

⚠️ 5-100% loss depending on severity of depeg

What is it?

ZenSats integrates with multiple external DeFi protocols. If any of these protocols are hacked, become insolvent, or experience technical failures, funds could be lost.

Aave V3 Risk

What the vault uses: Collateral deposits + USDT borrowing

Risk scenarios:

• Smart contract exploit in Aave Pool or LendingPool contracts
• Oracle manipulation causing incorrect liquidations
• Bad debt accumulation if collateral loses value faster than liquidations
• Governance attack changing parameters maliciously

Track record: Aave V3 has billions in TVL and has been running for years without major incidents. However, past safety does not guarantee future safety.

LlamaLend Risk

What the vault uses: Collateral deposits + crvUSD borrowing via LLAMMA

Risk scenarios:

• LLAMMA algorithm failure during extreme volatility
• Soft liquidation mechanism doesn't work as intended
• Oracle failures causing incorrect liquidation bands
• crvUSD minting exploit leading to insolvency

Track record: LlamaLend is newer than Aave with less battle-testing. The LLAMMA mechanism is innovative but complex.

RAAC / pmUSD Risk

What the vault uses: crvUSD/pmUSD Curve pool LP, staked in StakeDAO

Risk scenarios:

• Smart contract bug in RAAC pmUSD token or Curve pool contracts
• pmUSD loses its peg or becomes illiquid
• StakeDAO reward vault exploit or insolvency
• Curve pool imbalance makes LP withdrawal costly

Note: pmUSD is a newer asset with less history than established stablecoins. This adds uncertainty.

Curve Finance Risk

What the vault uses: USDT ↔ crvUSD swaps via ThreeCrypto pool

Risk scenarios:

• Pool imbalance causing unfavorable swap rates
• Smart contract exploit in StableSwap or Tricrypto contracts
• Reentrancy attacks during swaps

Track record: Curve is one of the oldest and most battle-tested DeFi protocols, but has experienced exploits in the past (2023 vyper compiler bug).

Mitigation

• All integrated protocols are established with significant TVL
• Swapper contracts can be updated via timelocked governance; vault validates swapper output
• Emergency mode allows rapid unwinding if a protocol becomes risky
• Loan manager and strategy are immutable per vault deployment — a new vault must be deployed to change them

Possible Impact

⚠️ 10-100% loss depending on which protocol fails and how

What is it?

The protocol is currently controlled by a centralized owner address that can make administrative changes. This introduces trust assumptions and potential for misuse.

Owner Powers

The owner can:

• Change target LTV (within hard-coded bounds: 15-65%)
• Set fee rate (max 20%)
• Enter idle mode or emergency mode
• Set strategy slippage parameters
• Withdraw protocol fees

What the owner CANNOT do:

• ❌ Steal user funds directly
• ❌ Set fees above 20%
• ❌ Set LTV outside safe bounds
• ❌ Swap the loan manager or yield strategy (these are immutable per deployment)
• ❌ Reverse emergency mode once activated

Attack Scenarios

Mitigation

• 1-week timelock on swapper changes gives users time to exit
• Hard-coded limits prevent extreme parameter abuse
• Transparent events make all governance actions visible on-chain
• Emergency mode is one-way (cannot be toggled maliciously)
• Decentralization is a longer-term goal, but not guaranteed
• Open source code allows community verification

Despite these protections, you must trust that the owner will act in good faith or exit during the timelock period if they don't.

Why Centralized?

The protocol is early-stage. Centralized control allows faster response to bugs and market conditions. Decentralization is a goal but not a guarantee. See Governance for scope of admin powers.

Possible Impact

⚠️ Up to 20% loss from malicious fee extraction, or more if owner is compromised

What is it?

The protocol relies on Chainlink oracles for BTC/USD price data. If the oracle provides incorrect prices or goes offline, it could cause incorrect liquidations or prevent rebalancing.

Used Oracles

• Chainlink BTC/USD: 0xF4030086522a5bEEa4988F8cA5B36dbC97BeE88c
• Update frequency: ~1 hour or 1% price deviation
• Staleness check: Reverts if data > 1 hour old

Risk Scenarios

• Oracle reports stale price during volatility
• Oracle network becomes unreachable
• Oracle nodes collude to report false price
• Price lags significantly behind real market

Mitigation

• Chainlink is the most battle-tested oracle network
• Staleness checks prevent using old data
• Multiple independent oracle nodes reduce single point of failure

Possible Impact

⚠️ Incorrect liquidations or inability to rebalance (medium probability, medium impact)

What is it?

The carry trade relies on earning more from the yield strategy than the cost of borrowing. If market conditions change, the spread can become negative, meaning the vault loses money.

Negative Spread Scenarios

Example: If borrow cost is 10% and strategy earns 8%, you lose 2% APR on the leveraged position.

Historical Context

Carry trades are most profitable during:

• Low interest rate environments
• High demand for stablecoin yield
• Stable or rising collateral prices

During rate hikes, recessions, or bear markets, the spread can compress or invert.

Mitigation

• Idle mode allows pausing deployments during bad conditions
• Fee adjustments: owner can reduce fees if needed
• New vault deployments can use different strategies or loan managers if conditions change

Users should monitor their positions and withdraw if the carry trade becomes uneconomical.

Possible Impact

⚠️ Slow value erosion (1-5% per year) if spread goes negative for extended period