Security & trust

Non-custodial

The protocol never holds your funds beyond the vault's accounting, and the AI agent never holds them at all.

The agent can only REDUCE your debt

Auto-repay (agentRepayFor) is agent-only and pulls only from the USDC allowance you pre-approve to the vault — it can never withdraw or move your collateral. Your allowance is both the spending cap and the kill switch: revoke it and protection is off instantly. There is also an on-chain per-(user, day) cap on agent repay.

The AI never moves money on a hunch

All money decisions (whether and how much to act) are deterministic. The LLM only writes the plain-English explanations; it cannot trigger a transaction.

Not custody, not money transmission

The agent never holds, pools, or transmits your funds. It can do exactly one thing: call agentRepayFor to reduce your own loan, using an allowance you granted and can revoke. It cannot send your money anywhere — not to us, not to a third party. There is no flow in which value leaves your control to anyone but your own debt.

Permissionless backstop — built and tested; disabled on testnet, enabled at mainnet

If the agent goes silent, a heartbeat-gated backstop is designed to let anyone liquidate an unhealthy position — running the identical close-factor + post-HF-improvement guards, so it's provably as safe as an agent liquidation. It is implemented in the vault and covered by tests, and was demonstrated on an earlier Robinhood Chain deployment (a non-agent address backstop-liquidated a stale-heartbeat position, health factor 0.94 → 1.20 — demonstration tx ↗). On the current testnet vault it is DISABLED — liquidation is agent-only — and it is enabled at mainnet only once the agent stamps an on-chain idle heartbeat (so a merely-idle agent can never expose healthy positions). Until then, treat liquidation as agent-only and best-effort.

What the owner CAN do (all owner-gated, all emit events)

Set per-asset risk parameters (LTV, liquidation threshold, supply/borrow caps, reserve factor) and the rate-curve params; replace the oracle and the agent address; set the price-staleness window; pause the vault or freeze an individual asset; and transfer ownership. Each is a single only_owner entrypoint.

What the owner CANNOT do

There is no entrypointthat lets the owner withdraw, move, or mint user funds, or increase anyone's debt. The owner cannot take balances. The agent address it sets is still bound by the agent's own on-chain limits (reduce-debt-only, capped by the allowance you grant) — a malicious agent key still cannot move your collateral.

Not upgradeable — the code is immutable at its address

The Stylus vault is deployed directly, not behind an upgradeable proxy, so there is no delegatecalland no function to swap the logic out from under you. An "upgrade" means deploying a fresh vault and migrating — a visible, opt-in, on-chain event at a new address, never a silent change to the contract you're using.

Owner key → multisig before mainnet

On testnet the owner is a single key. Moving it to a 2-of-N multisig is a stated mainnet gate (below), alongside the audit and bug bounty.

Conservative LTVs, sized for overnight gaps

40–60% max LTV and 55–75% liquidation thresholds per asset — deliberately low so a weekend or earnings gap has room to be absorbed. See per-asset numbers on Risk.

Oracle staleness reverts

Every price read enforces a max-age bound; a stale feed reverts rather than acting on a bad price. On testnet the oracle is a mock kept fresh by a keeper.

Pause + per-asset freeze

The owner can pause the whole vault and freeze an individual collateral asset (blocking new deposits while existing positions keep their value).

What if the agent goes down?

Your on-chain protections (allowance cap, HF checks, the contract's own rules) don't depend on it. While it's down, new alerts/auto-repays pause. On testnet today liquidation is agent-only, so if the agent is down no new liquidations happen until it recovers — this is exactly why the permissionless backstop above is a hard pre-mainnet gate. The live agent heartbeat is on Status.

What if the oracle is stale?

Reads revert past the staleness window — the protocol refuses to act on a bad price rather than mis-liquidate.

Single-keeper risk

Today the agent is a single signer. That is a known MVP limitation; the permissionless backstop + an always-on host + monitoring address it before mainnet.

How do I verify the deployed code is the source?

The whole stack is open source, and the deployed addresses are listed on Transparency. The repo's VERIFICATION.md is a copy-paste runbook to rebuild the Stylus vault from source and reproduce every test, the CI-locked backtest, and the on-chain state — none of it needs our cooperation.

What if my wallet can't cover the repay?

Auto-repay pulls from yourUSDC. If your balance or remaining allowance can't cover what's needed, the agent does notfail silently — it falls back to a loud alert so you can act yourself. Protection degrades to a warning; it never pretends to have saved a position it couldn't.

No token, ever

No airdrop, points, or governance coin — nothing to farm or defend. Revenue is the classic money-market interest spread, nothing more.

15% reserve factor

Of the interest borrowers pay, 85% flows to lenders (your supply APY) and 15% is set aside as a protocol reserve — the entire business model. (The on-chain skim and reserve accounting are implemented in the vault and CI-tested, alongside the insolvency waterfall below.)

The reserve is first-loss capital, not a treasury

By design the reserve is drawn down to absorb bad debt before any loss reaches lenders — the insolvency waterfall: reserve first, then a single visible pro-rata socialization, never a silent share-price hit. It also funds operations (oracle keeper, hosting, audit) — not insiders; there are none.

Protection is funded by you, liquidation by the liquidator

Auto-repay spends your pre-approved USDC to save your position — never protocol funds. Liquidation is funded by the liquidator, who earns the 5% bonus in full — the protocol takes none of it. Revenue is the reserve factor, nothing else.