Risk Management
How the ksUSD vault contains volatility, slippage, and oracle stress.
Built-in protections
Liquidity buffer
Idle USDC kept on-vault for instant withdrawals
10% of NAV
Drawdown guard
emergency_close callable by anyone once (peak − current) / peak ≥ emergency_close_dd_bps AND consecutive_dd_settles_observed ≥ consecutive_dd_settles_required
5% NAV drop, sustained 2 settles
Mode-switch dwell
Minimum time between mode changes to prevent ping-pong on noisy funding
12 h
Funding EMA + staleness
Smoothed funding on-chain; opens revert if stale
6 h staleness
Drawdown latency
Two consecutive sub-threshold settles required before drawdown trips
consecutive_dd_settles_required = 2
Slippage cap
Jupiter swaps revert if executed price worse than max_swap_slippage_bps
0.5%
Oracle staleness
Pyth feed must have an update within the staleness window
5 min
Oracle confidence
Pyth confidence / price must be tight
< 2%
LST depeg check
settle auto-pauses if jitoSOL / SOL < 1 − lst_depeg_bps
5%
NAV change cap
attest_nav delta bounded per hour
±50%/hr
HWM monotonicity
Performance fees can't be charged twice on the same gains
Always
Deposit cap
Total NAV cap to bound systemic exposure during early operation
$1M at launch
Reserve fund
Loss-absorbing buffer fed by 5% of perf fees, lent on Kamino
Grows over time
Wind-down path
Terminal admin instruction that blocks new state and switches users to pro-rata claim
Manual
On stress events
Funding spikes (e.g. FTX-style)
Drift hourly funding can spike to deeply negative APR in extreme conditions (e.g. −235% in Nov 2022). The funding EMA + dwell timer mean the vault doesn't flip on a single bad sample — it waits for sustained signal. Once it flips to reverse basis, the trade is delta-neutral and earns the negative funding, turning the stress event into the highest-earning regime.
jitoSOL depeg
settle reads both Pyth feeds and reverts (with LstDepeg) AND auto-pauses the vault when jitoSOL/SOL < 1 − lst_depeg_bps. Existing position stays open but no new opens proceed. Admin investigates and either unpauses or invokes emergency_close.
Oracle outage
Pyth staleness / confidence checks revert every strategy instruction that depends on SOL/USD pricing. Deposits and instant withdrawals don't touch the oracle, so user-facing flows stay open during a brief outage.
Drift outage / market halt
Strategy instructions revert at the CPI boundary. Existing positions continue to accrue funding (Drift settles internally), and the next settle crank refreshes NAV. If a position needs to be exited urgently, emergency_close can run as soon as the market is queryable.
Kamino LTV stress (reverse basis only)
KaminoLtvExceeded reverts any attempt to add to the borrow. Real LTV breach (price-driven) is handled by Kamino's own liquidation mechanics; the drawdown guard catches the NAV impact downstream.
NAV reconciliation drift
If keeper-attested NAV needs to move more than max_nav_change_bps_per_hour in one shot, attest_nav reverts with NavChangeExceedsCap. The keeper stages multiple smaller deltas across consecutive hours — and an outsized delta is a flag to investigate, not to bypass.
What's not protected
Smart-contract bugs. The program is unaudited until the planned pre-mainnet audit. Significant capital should not be deployed until results are published.
Counterparty insolvency. Drift, Kamino, Marginfi, Jupiter, or Jito having a critical exploit or upgrade-key compromise would cascade into NAV losses.
Black-swan slippage. Modeled max drawdown is −0.6% (funding-only) because perp-leg price impact during rebalances isn't simulated; realistic worst month under stressed conditions is −2% to −5%. The reserve fund cushions but does not eliminate this.
Regulatory action. A jurisdiction restricting access to Solana DeFi could compress redemption liquidity for affected users.
Related
Last updated