Risk Management

How the ksUSD vault contains volatility, slippage, and oracle stress.


Built-in protections

Layer
Mechanism
Default

Liquidity buffer

Idle USDC kept on-vault for instant withdrawals

10% of NAV

Drawdown guard

emergency_close callable by anyone once (peak − current) / peak ≥ emergency_close_dd_bps AND consecutive_dd_settles_observed ≥ consecutive_dd_settles_required

5% NAV drop, sustained 2 settles

Mode-switch dwell

Minimum time between mode changes to prevent ping-pong on noisy funding

12 h

Funding EMA + staleness

Smoothed funding on-chain; opens revert if stale

6 h staleness

Drawdown latency

Two consecutive sub-threshold settles required before drawdown trips

consecutive_dd_settles_required = 2

Slippage cap

Jupiter swaps revert if executed price worse than max_swap_slippage_bps

0.5%

Oracle staleness

Pyth feed must have an update within the staleness window

5 min

Oracle confidence

Pyth confidence / price must be tight

< 2%

LST depeg check

settle auto-pauses if jitoSOL / SOL < 1 − lst_depeg_bps

5%

NAV change cap

attest_nav delta bounded per hour

±50%/hr

HWM monotonicity

Performance fees can't be charged twice on the same gains

Always

Deposit cap

Total NAV cap to bound systemic exposure during early operation

$1M at launch

Reserve fund

Loss-absorbing buffer fed by 5% of perf fees, lent on Kamino

Grows over time

Wind-down path

Terminal admin instruction that blocks new state and switches users to pro-rata claim

Manual


On stress events

Funding spikes (e.g. FTX-style)

Drift hourly funding can spike to deeply negative APR in extreme conditions (e.g. −235% in Nov 2022). The funding EMA + dwell timer mean the vault doesn't flip on a single bad sample — it waits for sustained signal. Once it flips to reverse basis, the trade is delta-neutral and earns the negative funding, turning the stress event into the highest-earning regime.

jitoSOL depeg

settle reads both Pyth feeds and reverts (with LstDepeg) AND auto-pauses the vault when jitoSOL/SOL < 1 − lst_depeg_bps. Existing position stays open but no new opens proceed. Admin investigates and either unpauses or invokes emergency_close.

Oracle outage

Pyth staleness / confidence checks revert every strategy instruction that depends on SOL/USD pricing. Deposits and instant withdrawals don't touch the oracle, so user-facing flows stay open during a brief outage.

Drift outage / market halt

Strategy instructions revert at the CPI boundary. Existing positions continue to accrue funding (Drift settles internally), and the next settle crank refreshes NAV. If a position needs to be exited urgently, emergency_close can run as soon as the market is queryable.

Kamino LTV stress (reverse basis only)

KaminoLtvExceeded reverts any attempt to add to the borrow. Real LTV breach (price-driven) is handled by Kamino's own liquidation mechanics; the drawdown guard catches the NAV impact downstream.

If keeper-attested NAV needs to move more than max_nav_change_bps_per_hour in one shot, attest_nav reverts with NavChangeExceedsCap. The keeper stages multiple smaller deltas across consecutive hours — and an outsized delta is a flag to investigate, not to bypass.


What's not protected

  • Smart-contract bugs. The program is unaudited until the planned pre-mainnet audit. Significant capital should not be deployed until results are published.

  • Counterparty insolvency. Drift, Kamino, Marginfi, Jupiter, or Jito having a critical exploit or upgrade-key compromise would cascade into NAV losses.

  • Black-swan slippage. Modeled max drawdown is −0.6% (funding-only) because perp-leg price impact during rebalances isn't simulated; realistic worst month under stressed conditions is −2% to −5%. The reserve fund cushions but does not eliminate this.

  • Regulatory action. A jurisdiction restricting access to Solana DeFi could compress redemption liquidity for affected users.


Last updated