Security Model

Access Control

Role and typical capabilities:

  • Fund / portfolio authority: update_fund_params / update_params, pause_fund / pause_portfolio, transfer_authority, manual position instructions where restricted, toggle_emergency (Core), enable_lending / enable_basis_lending / enable_reverse_basis (one-time setups)

  • Portfolio authority (Core only): collect_fees on Core (not permissionless)

  • Public (permissionless): deposits and withdrawals (when not paused), fund collect_fees, Alpha rebalance, Neutral deploy_capital / settle_funding / parking / reverse-basis cranks (subject to on-chain gates), Core rebalance, and other instructions documented as permissionless in each program

  • Fund / Core PDA: signs token and protocol CPIs on behalf of the fund or portfolio. A PDA has no private key anywhere, on-chain or off; only the owning program can sign for it (via invoke_signed with the PDA's seeds)

Keystone Neutral — Marginfi parking: There is no unpark_capital instruction. If USDC was parked in Marginfi via park_capital, deploy_capital withdraws from Marginfi first (when lending accounts are passed and state matches) before redeploying into the basis trade.

Keystone Core — user operations: migrate_portfolio is executed by the user (owner of ksCORE), not the portfolio authority.

Fund authority can be transferred to a multisig via transfer_authority on each fund (irreversible). Keystone Core does not expose transfer_authority in the current program: the portfolio authority is fixed at initialize_portfolio, so choose the final authority (for example a multisig) before mainnet.


Protections

Shared across programs

  • Emergency pause — Authority can halt fund or portfolio operations (exact behavior per program).

  • Deposit caps — Configurable maximum TVL where implemented.

  • Rate limiting — Cooldowns / minimum intervals between sensitive operations (e.g. rebalance, settle).

  • Oracle validation — Pyth (and protocol-specific checks) with staleness and confidence constraints where enforced on-chain.

  • Integer arithmetic — Fixed-point and checked math (overflow returns an error instead of wrapping); no floating-point in on-chain program code.

  • High-water mark (performance fee) — Performance fees apply only to net-new gains above the mark, which is raised each time a fee is taken; gains that merely recover an earlier drawdown are not charged again.
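The shared guards above, modelled in plain Rust as an added example (this is not Keystone's on-chain code): a pause-plus-cooldown gate for cranks, a deposit cap, a Pyth-style staleness and confidence check done by cross-multiplication rather than division, and a high-water-mark performance fee that is only charged on NAV above the mark. Scales (6-decimal NAV per share), thresholds and names are assumptions for illustration.

```rust
// Added example, not Keystone's code: a plain-Rust model of the shared
// guards (pause + cooldown, deposit cap, oracle staleness/confidence,
// high-water-mark fee). Scales, names and thresholds are assumptions.

/// Basis-point denominator used for fee and confidence thresholds.
pub const BPS: u128 = 10_000;
/// NAV per share is carried with 6 decimals (assumption).
pub const NAV_SCALE: u128 = 1_000_000;

#[derive(Debug, PartialEq)]
pub enum GuardError {
    Paused,
    Cooldown { retry_at: i64 },
    StaleOracle { age: i64 },
    WideConfidence,
    DepositCap,
    Overflow,
}

/// Every sensitive crank refuses to run while paused and enforces a
/// minimum interval since its last successful run.
pub fn check_crank_gate(paused: bool, last_run: i64, now: i64, min_interval: i64) -> Result<(), GuardError> {
    if paused {
        return Err(GuardError::Paused);
    }
    let retry_at = last_run.checked_add(min_interval).ok_or(GuardError::Overflow)?;
    if now < retry_at {
        return Err(GuardError::Cooldown { retry_at });
    }
    Ok(())
}

/// Deposit cap: the new TVL must not exceed the configured maximum.
pub fn check_deposit_cap(tvl: u64, amount: u64, cap: u64) -> Result<u64, GuardError> {
    let new_tvl = tvl.checked_add(amount).ok_or(GuardError::Overflow)?;
    if new_tvl > cap {
        return Err(GuardError::DepositCap);
    }
    Ok(new_tvl)
}

/// Pyth-style price: value, confidence interval, and publish time.
pub struct OraclePrice {
    pub price: u64,
    pub conf: u64,
    pub publish_time: i64,
}

/// Reject prices that are too old (or from the future) or whose confidence
/// interval is wider than `max_conf_bps` of the price. The ratio is checked
/// by cross-multiplying in u128, so no division or float is needed.
pub fn validate_oracle(p: &OraclePrice, now: i64, max_age: i64, max_conf_bps: u64) -> Result<u64, GuardError> {
    let age = now.checked_sub(p.publish_time).ok_or(GuardError::Overflow)?;
    if age < 0 || age > max_age {
        return Err(GuardError::StaleOracle { age });
    }
    let conf_scaled = p.conf as u128 * BPS;
    let limit = p.price as u128 * max_conf_bps as u128;
    if p.price == 0 || conf_scaled > limit {
        return Err(GuardError::WideConfidence);
    }
    Ok(p.price)
}

/// High-water-mark performance fee. Only NAV above the stored mark is
/// charged; the mark is raised to the new NAV afterwards, so a drawdown
/// and recovery back to the mark pays nothing a second time.
/// Returns (fee in base units, new high-water mark).
pub fn performance_fee(nav_per_share: u64, high_water_mark: u64, total_shares: u64, fee_bps: u64) -> Result<(u64, u64), GuardError> {
    if nav_per_share <= high_water_mark {
        return Ok((0, high_water_mark));
    }
    let gain_per_share = (nav_per_share - high_water_mark) as u128;
    let gain = gain_per_share
        .checked_mul(total_shares as u128)
        .ok_or(GuardError::Overflow)?
        / NAV_SCALE;
    let fee = gain.checked_mul(fee_bps as u128).ok_or(GuardError::Overflow)? / BPS;
    let fee = u64::try_from(fee).map_err(|_| GuardError::Overflow)?;
    Ok((fee, nav_per_share))
}

fn main() {
    // Constructed sample: NAV/share 1.00 -> 1.20 (fee), -> 1.10 (no fee),
    // -> 1.20 again (no fee, the mark is already 1.20). 20% fee, 1M shares.
    let shares = 1_000_000;
    let (fee1, hwm) = performance_fee(1_200_000, 1_000_000, shares, 2_000).unwrap();
    let (fee2, hwm) = performance_fee(1_100_000, hwm, shares, 2_000).unwrap();
    let (fee3, _) = performance_fee(1_200_000, hwm, shares, 2_000).unwrap();
    println!("fees: {fee1} {fee2} {fee3}");
}
```

The fee path is the one to get right in review: the mark must be persisted only after the fee transfer succeeds, and it must never be lowered, otherwise a drawdown followed by recovery is charged twice.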

Keystone Alpha Fund

  • Slippage protection on Jupiter swaps

  • Volatility-aware position sizing

  • Market regime detection (four regimes)

  • Circuit breakers that reduce or suspend rebalancing during extreme stress

Keystone Neutral Fund

  • Health factor monitoring on Jupiter Perps

  • Automated deleverage when health falls below threshold

  • Funding rate history and gates for deploy / reverse basis

  • Automated position close on sustained negative funding (when enabled)

  • Funding-rate floor for deploy_capital when configured

  • NAV drawdown guard when configured

  • Volatility-aware sizing at deployment

  • Slippage limits on swaps
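The Neutral fund's gates and the health-factor deleverage path, as an added example in plain Rust (not Keystone's program code). It models a bounded funding-rate history with a deploy floor and a sustained-negative close trigger, the NAV drawdown guard, volatility-aware sizing (which also covers the Alpha fund's sizing bullet above), and the amount of notional to close when health falls below threshold. Units are assumptions: rates and ratios in basis points, amounts in base units; health is defined here simply as equity over notional.

```rust
// Added example, not Keystone's code: a plain-Rust model of the Neutral
// fund's deploy/close gates and health-factor deleveraging. Units and
// thresholds are assumptions (bps for rates/ratios, base units for amounts).

pub const BPS: u128 = 10_000;

/// Bounded window of recent funding-rate samples (bps per period, signed).
pub struct FundingHistory {
    rates: Vec<i64>,
    max_len: usize,
}

impl FundingHistory {
    pub fn new(max_len: usize) -> Self {
        FundingHistory { rates: Vec::new(), max_len }
    }

    /// Record a sample, dropping the oldest once the window is full.
    pub fn push(&mut self, rate_bps: i64) {
        if self.rates.len() == self.max_len {
            self.rates.remove(0);
        }
        self.rates.push(rate_bps);
    }

    pub fn average(&self) -> Option<i64> {
        if self.rates.is_empty() {
            return None;
        }
        Some(self.rates.iter().sum::<i64>() / self.rates.len() as i64)
    }

    /// Number of consecutive negative samples at the end of the window.
    pub fn trailing_negative(&self) -> usize {
        self.rates.iter().rev().take_while(|r| **r < 0).count()
    }
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Deploy,
    Hold,
    Close,
}

/// deploy_capital is allowed only with enough history, an average funding
/// rate at or above the configured floor and a non-negative latest sample;
/// `close_after` consecutive negative samples trigger a position close.
pub fn funding_gate(h: &FundingHistory, floor_bps: i64, min_samples: usize, close_after: usize) -> Decision {
    if h.trailing_negative() >= close_after {
        return Decision::Close;
    }
    match (h.average(), h.rates.last()) {
        (Some(avg), Some(&last)) if h.rates.len() >= min_samples && avg >= floor_bps && last >= 0 => Decision::Deploy,
        _ => Decision::Hold,
    }
}

/// NAV drawdown from peak in bps; deployment is refused past the configured max.
pub fn drawdown_bps(peak_nav: u64, nav: u64) -> u64 {
    if nav >= peak_nav || peak_nav == 0 {
        return 0;
    }
    ((peak_nav - nav) as u128 * BPS / peak_nav as u128) as u64
}

/// Scale a base deployment by target/realized volatility, never above base.
pub fn vol_scaled_size(base: u64, target_vol_bps: u64, realized_vol_bps: u64) -> u64 {
    if realized_vol_bps <= target_vol_bps || realized_vol_bps == 0 {
        return base;
    }
    (base as u128 * target_vol_bps as u128 / realized_vol_bps as u128) as u64
}

/// Health factor as equity / notional in bps; a flat position is always healthy.
pub fn health_bps(equity: u64, notional: u64) -> u64 {
    if notional == 0 {
        return u64::MAX;
    }
    (equity as u128 * BPS / notional as u128).min(u64::MAX as u128) as u64
}

/// Notional to close so that health returns to `target_bps`; zero while
/// health is still at or above `min_bps`.
pub fn deleverage_amount(equity: u64, notional: u64, min_bps: u64, target_bps: u64) -> u64 {
    if health_bps(equity, notional) >= min_bps || target_bps == 0 {
        return 0;
    }
    let max_notional = (equity as u128 * BPS / target_bps as u128) as u64;
    notional.saturating_sub(max_notional)
}

fn main() {
    // Constructed sample: four positive hourly samples, floor 3 bps.
    let mut h = FundingHistory::new(24);
    for r in [5, 6, 4, 7] {
        h.push(r);
    }
    println!("{:?}", funding_gate(&h, 3, 3, 3));
    println!("{}", deleverage_amount(1_000, 10_000, 1_200, 2_000));
}
```

Note that the close trigger counts consecutive negative samples rather than looking at the average, so a single bad hour inside an otherwise positive window holds rather than closes, while a run of negative hours closes even if the window average is still above the floor.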

Keystone Defense Fund

  • Multiple operational modes (staking baseline, Jupiter Perps long for negative funding, liquidation and distressed-asset flows as implemented)

  • Oracle-backed checks for stressed-market actions where enforced on-chain


Audit Status

  • Current status: Unaudited

  • Planned: Pre-mainnet security audit (Ottersec / Sec3 / Neodyme)

Do not deploy significant capital until the audit is complete.

Last updated