Skip to content
Tessera

Risks

Tessera lets you borrow USDC against tokenized stocks. Like any borrowing protocol, this comes with real risks. We list them plainly below — not to scare you, but so you can make an informed choice about whether Tessera is right for you.

Gap risk: the core problem we exist to solve

Tokenized stocks on Robinhood Chain trade 24/7. The underlying US equity market does not — it closes at 4pm ET Friday through 9:30am ET Monday, plus overnight. When the market reopens, a stock's price can jump sharply if there was news, earnings, or a geopolitical event over the weekend. If you've borrowed against that stock, your position can jump underwater overnight, and you may get liquidated before you wake up.

This is the structural problem Tessera exists to solve. Our AI agent (the Watcher) watches your health factor around the clock and can auto-repay on your behalf (if you opt in) or alert you before liquidation happens. But understand: a severe enough gap can still liquidate you, even with the agent running. The agent is a risk layer, not an insurance policy.

Our risk parameters (max LTV 40–60%, liquidation thresholds 55–75%) are conservative precisely because of this risk. They give you room to absorb a gap without immediate liquidation.

Agent downtime or malfunction

The Watcher is a TypeScript agent running on a host process. It monitors your health via RPC calls and can execute liquidations and repayments on-chain. If the agent goes down or fails to check your position, you lose the real-time protection it provides; your position is no longer watched every 10 seconds. You can still repay manually via the dashboard or by calling repay() directly. If your health factor drops below 1.0 and the agent is down, anyone can liquidate you (once the permissionless backstop is enabled at mainnet; on testnet, only the agent can liquidate).

On testnet, the agent has a heartbeat-gated permissionless backstop built and tested: if the agent goes silent for more than 15 minutes, the vault enters a mode where any address can liquidate stale-heartbeat positions at a bounty. This backstop is proven to work on-chain but is not yet enabled (it will be at mainnet after independent audit). Until then, testnet users rely on the agent staying online.

Smart-contract risk

Tessera's vault contract and the oracle router (PriceGuard) are both written in Rust (Arbitrum Stylus). Both are testnet software and have not been audited by a third party. Real bugs — reentrancy, arithmetic overflow, access-control errors — are possible and could lead to loss of funds.

Tessera is pre-audit testnet software. Do not deposit funds you cannot afford to lose. Independent audit is a hard requirement before any mainnet deployment. The vault uses conservative math: multiplication before division, saturating arithmetic where overflow could matter, and unit tests covering the health-factor and liquidation math. The code is open-source and has been through internal review. But testnet is testnet — real security review by professional auditors will happen before mainnet.

Oracle risk

Tessera reads prices through the PriceGuard oracle router, which pulls from Chainlink (or a mock on testnet). If the oracle is wrong, so are your health factor and liquidation price.

On testnet today, we use a mock oracle — an owner-controlled price feed for testing. This is not a real Chainlink feed; it's a stand-in so we can demo and test without depending on Chainlink's RH Chain infrastructure (which doesn't exist yet). A real Chainlink oracle is a mainnet gate.

Risks in the oracle path: (1) Staleness: If the price feed stops updating (network outage, Chainlink node down), the vault's prices are stale and may not reflect reality. PriceGuard has a staleness check that reverts borrow() and liquidate() if the feed is too old; but stale prices that are within the freshness window will still be used. (2) Deviation: If a secondary oracle deviates sharply from the primary, PriceGuard halts new risk (borrow/withdraw) to be safe, but existing liquidations may proceed. (3) Market-hours haircut: When the underlying market is closed (weekends, holidays), new borrows are haircut (reduced LTV) to account for the higher gap risk. But the price itself is still read from the last trade; if the market gaps hard at open, that position is still at risk.

Liquidation risk and bad debt

If your health factor falls below 1.0, your position can be liquidated. The liquidator repays some of your USDC debt and receives collateral plus a 5% base bonus (which ramps with depth if you're very underwater). With a 50% close factor, a liquidator can repay up to 50% of your debt in one transaction.

Liquidation is not always enough to clear your debt — if your collateral runs out before the debt is repaid, you have bad debt. In that case, the protocol marks the loss (you owe USDC you don't have), and the lenders on the supply side bear the loss. On testnet, the reserve factor (15% of borrow interest) is the first-loss buffer; at mainnet, we'll have insurance / additional safeguards.

Off-hours execution risk

Markets close, but the blockchain does not. When the US equity market is closed (nights, weekends, holidays), Robinhood Chain still accepts transactions. If you or the agent tries to borrow or liquidate during off-hours: (1) New borrows are haircut (e.g., a collateral that normally supports 60% LTV is reduced to 51% LTV). This prices in the gap risk. You can still borrow, just less. (2) Liquidations can still proceed at any time (the agent might liquidate your position at 2am to protect you). (3) Prices are read from the last trade during market hours. If a stock gaps hard at market open, that price won't be known on-chain until the oracle updates — which could leave you underwater at an old price.

Lender risks (USDC supply side)

If you supply USDC to Tessera to earn lending yield: You earn interest from borrowers, but you're exposed to bad debt. If borrowers get liquidated but collateral doesn't cover the debt, lenders absorb the loss. The protocol's 15% reserve factor is your first-loss cushion; beyond that, lender losses are real. On testnet, there is no insurance or safety net. Mainnet will require insurance and additional safeguards.

Testnet-only risks

Tessera is live on Robinhood Chain testnet (chain 46630) only. No real assets can be used; all tokens are test mocks. The entire system may be reset or shut down. Do not treat testnet money as real. The RPC endpoint may be unstable or disappear. Testnet tokens have no real value. The vault contract may be redeployed, which would reset all balances. The mock price oracle is owned by the operator and can be updated instantly for testing.

What we do to mitigate these risks

  1. Conservative LTVs: tAAPL max 50%, tTSLA 40%, tSPY 60%. These give you room to absorb volatility.
  2. The Watcher: Monitors your health ~every 10 seconds and can auto-repay (with your pre-approval) before liquidation happens.
  3. Dual-feed oracle routing (PriceGuard): Primary and secondary oracle feeds with deviation checks. If secondary deviates sharply, we halt new risk.
  4. Staleness protection: borrow() and liquidate() revert if the price is older than the freshness window.
  5. Market-hours haircut: Off-hours borrows are haircut to account for gap risk.
  6. Permissionless backstop: Built and tested. If the agent goes silent, anyone can liquidate stale positions at a bounty, so lenders are not stranded.
  7. Open-source code: You can read everything. Bugs have nowhere to hide.
  8. Transparent parameters: All risk numbers (LTV, thresholds, reserve factor, agent caps) are public and on-chain.