> For the complete documentation index, see [llms.txt](https://docs.keystonefi.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keystonefi.xyz/how-it-works/volatility-risk-management.md). # Risk Management How the ksUSD vault contains volatility, slippage, and oracle stress. *** ## Built-in protections | Layer | Mechanism | Default | | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | **Liquidity buffer** | Idle USDC kept on-vault for instant withdrawals | 10% of NAV | | **Drawdown guard** | `emergency_close` callable by anyone once `(peak − current) / peak ≥ emergency_close_dd_bps` AND `consecutive_dd_settles_observed ≥ consecutive_dd_settles_required` | 5% NAV drop, sustained 2 settles | | **Mode-switch dwell** | Minimum time between mode changes to prevent ping-pong on noisy funding | 12 h | | **Funding EMA + staleness** | Smoothed funding on-chain; opens revert if stale | 6 h staleness | | **Drawdown latency** | Two consecutive sub-threshold settles required before drawdown trips | `consecutive_dd_settles_required = 2` | | **Slippage cap** | Jupiter swaps revert if executed price worse than `max_swap_slippage_bps` | 0.5% | | **Oracle staleness** | Pyth feed must have an update within the staleness window | 5 min | | **Oracle confidence** | Pyth `confidence / price` must be tight | < 2% | | **LST depeg check** | `settle` auto-pauses if `jitoSOL / SOL < 1 − lst_depeg_bps` | 5% | | **NAV change cap** | `attest_nav` delta bounded per hour | ±50%/hr | | **HWM monotonicity** | Performance fees can't be charged twice on the same gains | Always | | **Deposit cap** | Total NAV cap to bound systemic exposure during early operation | $1M at launch | | **Reserve fund** | Loss-absorbing buffer fed by 5% of perf fees, lent on Kamino | Grows over time | | **Wind-down path** | Terminal admin instruction that blocks new state and switches users to pro-rata claim | Manual | *** ## On stress events ### Funding spikes (e.g. FTX-style) Drift hourly funding can spike to deeply negative APR in extreme conditions (e.g. −235% in Nov 2022). The funding EMA + dwell timer mean the vault doesn't flip on a single bad sample — it waits for sustained signal. Once it flips to reverse basis, the trade is delta-neutral and earns the negative funding, turning the stress event into the highest-earning regime. ### jitoSOL depeg `settle` reads both Pyth feeds and reverts (with `LstDepeg`) AND auto-pauses the vault when `jitoSOL/SOL < 1 − lst_depeg_bps`. Existing position stays open but no new opens proceed. Admin investigates and either unpauses or invokes `emergency_close`. ### Oracle outage Pyth staleness / confidence checks revert every strategy instruction that depends on SOL/USD pricing. Deposits and instant withdrawals don't touch the oracle, so user-facing flows stay open during a brief outage. ### Drift outage / market halt Strategy instructions revert at the CPI boundary. Existing positions continue to accrue funding (Drift settles internally), and the next `settle` crank refreshes NAV. If a position needs to be exited urgently, `emergency_close` can run as soon as the market is queryable. ### Kamino LTV stress (reverse basis only) `KaminoLtvExceeded` reverts any attempt to add to the borrow. Real LTV breach (price-driven) is handled by Kamino's own liquidation mechanics; the drawdown guard catches the NAV impact downstream. ### NAV reconciliation drift If keeper-attested NAV needs to move more than `max_nav_change_bps_per_hour` in one shot, `attest_nav` reverts with `NavChangeExceedsCap`. The keeper stages multiple smaller deltas across consecutive hours — and an outsized delta is a flag to investigate, not to bypass. *** ## What's *not* protected * **Smart-contract bugs.** The program is unaudited until the planned pre-mainnet audit. Significant capital should not be deployed until results are published. * **Counterparty insolvency.** Drift, Kamino, Marginfi, Jupiter, or Jito having a critical exploit or upgrade-key compromise would cascade into NAV losses. * **Black-swan slippage.** Modeled max drawdown is **−0.6% (funding-only)** because perp-leg price impact during rebalances isn't simulated; realistic worst month under stressed conditions is **−2% to −5%**. The reserve fund cushions but does not eliminate this. * **Regulatory action.** A jurisdiction restricting access to Solana DeFi could compress redemption liquidity for affected users. *** ## Related * [Security model](/reference/security.md) * [NAV & share pricing](/reference/nav-calculation.md) · [Whitepaper — Risk](/reference/whitepaper.md#risk) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keystonefi.xyz/how-it-works/volatility-risk-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.