Security

Tessera is a protocol that holds your funds and can move money (via the agent's allowance). Security is foundational. This page explains how we design for safety and what still needs to happen before mainnet.

Conservative LTVs

The maximum loan-to-value for each collateral is deliberately low:

Why so conservative? Gap risk. A typical single-stock can move 3–5% in a single day; on a weekend with earnings or geopolitical news, 10–20% gaps are real. An index like SPY is more stable but still vulnerable. These LTVs assume a 10–20% overnight gap might happen and you'll still have room before liquidation. When the market closes, new borrows are haircut further (e.g., 50% → 42.5% during off-hours). You can still borrow, but less, to price in the extreme gap risk of a multi-day closed market.

The deterministic risk core

The vault's health factor and liquidation calculations are pure math — no guessing, no discretion. The math is implemented in Rust (Arbitrum Stylus), unit-tested exhaustively, and proven against reference specs.

Example: your health factor is always collateral_value × liquidation_threshold ÷ debt. Every step saturates (never panics on overflow) and is bounded by unit tests that cover edge cases (zero debt, zero collateral, near-liquidation scenarios).

The AI agent (the Watcher) is advisory only. It can read health, send you alerts, and (with your opt-in) execute agentRepayFor() to repay debt from your allowance. But the decision of whether to repay is deterministic: if your health is below threshold X, repay. The LLM only writes the alert copy.

Non-custodial design

The vault never holds your funds. It holds accounting (who owns what), but the actual USDC and collateral tokens stay in your wallet (or a contract you control).

The agent's agentRepayFor() function can only: (1) Reduce your own debt (pull USDC from your allowance and repay the vault). (2) Never withdraw your collateral or USDC. (3) Never move your funds to another address.

The allowance is both the spending cap and your kill switch: revoke it at any time, and the agent can no longer act.

The reserve: first-loss capital

The protocol keeps a reserve funded by 15% of all borrow interest. This is the first-loss layer for bad debt: (1) When bad debt happens (collateral runs out, debt remains), the reserve covers it first. (2) USDC lenders only absorb losses after the reserve is exhausted. (3) The reserve is transparent and on-chain; you can read it anytime.

On testnet, the reserve factor is 15%. At mainnet, we may increase it and/or add insurance to make bad-debt absorption more robust.

Dual-feed oracle routing

The PriceGuard oracle router can validate against a secondary feed. If the secondary feed deviates sharply from the primary, the vault halts new risk (borrow / withdraw) but allows debt reduction (repay / liquidate). This prevents the protocol from being whipsawed by a bad oracle.

At testnet, we use a single mock feed. At mainnet, we'll deploy Chainlink as primary + a secondary oracle for validation.

Open-source code

Everything is public on GitHub: contracts, agent, web UI. You can read the vault's health-factor math, the liquidation logic, and the interest rate curve. Bugs have nowhere to hide. We encourage security researchers to review the code. (Formal bug-bounty program to come at mainnet.)

What's NOT yet in place

The following are hard requirements before any mainnet deployment. Do not confuse shipped code with shipped safety. (1) Independent audit: Testnet software has not been reviewed by external security professionals. A full third-party audit (Arbitrum Foundation grant-funded preferred) is non-negotiable before mainnet. (2) Insurance / safety net: On testnet, bad-debt losses go straight to lenders. Mainnet requires insurance (e.g., Sherlock) or an expanded safety reserve. (3) Permissionless backstop enabled: The backstop is built and tested but stays disabled on testnet (delay 0, agent-only); it will be enabled at mainnet after the audit passes. (4) Real Chainlink oracle: The testnet mock will be replaced with real Chainlink feeds (and secondary feeds for validation). (5) US + sanctions geo-block: The frontend will enforce legal compliance; UI is not available to US persons or sanctioned jurisdictions. (6) Bug bounty: A formal Immunefi or equivalent bounty will be live before mainnet. (7) Mainnet TVL caps: Caps per asset (e.g., $1M tAAPL supply max initially) to manage risk during the ramp.

The agent hot key

The agent signs transactions with a single private key (AGENT_PRIVATE_KEY). If this key leaks: (1) An attacker becomes the agent and can call liquidate() and agentRepayFor() at any time. (2) They cannot extract value — agentRepayFor() only reduces debt from a user's pre-approved allowance, and liquidation is limited by the close factor and collateral balance. (3) They can grief: force-repay opted-in users' USDC at bad times, or liquidate positions strategically. Per-user daily caps ($25K/day, $10K/tx) are enforced on-chain to bound the damage.

Immediate response: Call vault.setAgent(0x0) to revoke the compromised agent. The vault then rejects all agent actions. Provision a fresh key and call setAgent(<new_address>).

Operational security

• .env files with secrets are gitignored and never committed. CI enforces this.
• AGENT_ADMIN_SECRET (which gates operational endpoints like /metrics, /alerts) has no safe default in production — the agent refuses to boot if it's still the dev default and NODE_ENV=production.
• The agent's public HTTP surface is rate-limited and CORS-scoped; sensitive endpoints are bearer-token-gated.
• Action logs truncate addresses and round amounts to prevent data leaks.

Responsible disclosure

Found a security bug? Do not open a public GitHub issue. Contact the maintainers privately first via email or X DM (see the repo profile) with a description and ideally a reproduction. We aim to acknowledge within 72 hours and will publish a postmortem after a fix ships. This is part of our radical-transparency commitment: if something breaks, we'll tell you what happened.