Risks and Mitigation

This page lists the risks that could lead to a loss of funds or to funds being temporarily stuck, and how Thesauros is designed to minimize each of them.

What cannot happen by design

  • Non-custodial ERC-4626 vaults: shares can be redeemed only by their holder (or an address the holder has explicitly approved); no one, including the team, can withdraw user funds arbitrarily.

  • All operational actions go through a distributed flow (Proposer → Approver → Executor) and a multi‑sig; no single key can move assets.

  • Admin functions are strictly limited and protected by multi‑sig and time‑locks; they cannot transfer user funds.

  • If backend services go offline, rebalancing pauses, but deposits and withdrawals remain available on-chain because they do not depend on any off-chain component.

Real risks and how we mitigate them

1) Critical bug in Thesauros contracts (loss risk)

Likelihood: Low • Impact: High

Mitigation:

  • Independent audits, extensive testing, battle‑tested libraries (OpenZeppelin)

  • Minimal privileged surface; no upgrade paths that can seize funds; time‑locked changes

  • Pause and safe-withdraw mechanisms, so that new activity can be halted without trapping user funds

2) Underlying protocol exploit (partial loss or stuck)

Likelihood: Low • Impact: Medium (only the portion allocated there)

Mitigation:

  • Only blue‑chip protocols with very large liquidity, long history, active governance and time‑locks (e.g., Aave/Compound‑class)

  • Diversification + hard caps per protocol (MAMM) and liquidity‑aware sizing (MALS)

  • 24/7 monitoring and emergency withdrawal procedures

3) Market‑wide liquidity crunch (withdrawal delays)

Likelihood: Medium • Impact: Low–Medium

Mitigation:

  • Allocation caps vs available liquidity (MALS) and diversified venues

  • Slippage limits and simulation before moves

  • Users can always redeem; in extreme conditions a withdrawal may have to be completed over several transactions, or after a reallocation has freed liquidity from a venue
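The cap-and-liquidity sizing in risks 2 and 3, and the partial-withdrawal case above, are easier to reason about with numbers. The following is an added illustration written for this page; it is not Thesauros code, and the page does not publish the exact MAMM/MALS rules, so the rules it uses are assumptions: a MAMM-style hard cap as a share of vault TVL, a MALS-style cap as a share of the liquidity currently withdrawable from a venue, a constructed price-impact model standing in for a real pre-trade simulation, and a slippage limit in basis points. All venue figures are constructed sample data.

```python
"""Allocation caps, pre-move slippage check and partial withdrawals for a
multi-venue vault. Added illustration, not Thesauros code; the MAMM/MALS
rules, the price-impact model and all figures below are assumptions."""
from dataclasses import dataclass, replace

BPS = 10_000  # basis points per unit


@dataclass(frozen=True)
class Venue:
    name: str
    available_liquidity: int  # assets withdrawable right now (sample data)
    cap_bps: int              # assumed MAMM-style share of TVL allowed here
    liq_bps: int              # assumed MALS-style share of venue liquidity allowed


def max_allocation(venue: Venue, tvl: int) -> int:
    """Binding limit for a venue: the smaller of the TVL cap and the liquidity cap."""
    tvl_cap = tvl * venue.cap_bps // BPS
    liq_cap = venue.available_liquidity * venue.liq_bps // BPS
    return min(tvl_cap, liq_cap)


def size_allocation(targets_bps: dict, venues: list, tvl: int):
    """Clip target weights to each venue's cap.

    Returns (allocation per venue, idle amount). Whatever no venue can absorb
    within its caps stays idle in the vault instead of breaching a cap."""
    alloc = {}
    for v in venues:
        want = tvl * targets_bps.get(v.name, 0) // BPS
        alloc[v.name] = min(want, max_allocation(v, tvl))
    return alloc, tvl - sum(alloc.values())


def quote(venue: Venue, amount: int) -> int:
    """Constructed price-impact model standing in for a real simulation call:
    the cost of a move grows with the square of its size relative to venue liquidity."""
    return max(0, amount - amount * amount // (20 * venue.available_liquidity))


def check_move(venue: Venue, amount: int, max_slippage_bps: int) -> bool:
    """Pre-move check: a move is allowed only if simulated slippage is within the limit."""
    if amount <= 0:
        return True
    received = quote(venue, amount)
    slippage_bps = (amount - received) * BPS // amount
    return slippage_bps <= max_slippage_bps


def plan_withdrawal(request: int, alloc: dict, venues: list, idle: int):
    """Serve a redemption from idle assets first, then from venues in order of
    withdrawable liquidity. Returns (payable now, remainder); a non-zero
    remainder is the case where the user needs a further transaction after a
    reallocation has freed liquidity."""
    payable = min(request, idle)
    for v in sorted(venues, key=lambda v: v.available_liquidity, reverse=True):
        if payable >= request:
            break
        pull = min(alloc.get(v.name, 0), v.available_liquidity, request - payable)
        payable += pull
    return payable, request - payable


# Constructed sample data: a 10M vault spread over three hypothetical venues.
TVL = 10_000_000
VENUES = [
    Venue("VenueA", available_liquidity=50_000_000, cap_bps=5_000, liq_bps=1_000),
    Venue("VenueB", available_liquidity=8_000_000, cap_bps=4_000, liq_bps=2_500),
    Venue("VenueC", available_liquidity=3_000_000, cap_bps=3_000, liq_bps=2_500),
]
TARGETS_BPS = {"VenueA": 5_000, "VenueB": 3_000, "VenueC": 2_000}
# Same venues during a constructed liquidity crunch at VenueB.
CRUNCH_VENUES = [replace(v, available_liquidity=500_000) if v.name == "VenueB" else v
                 for v in VENUES]


if __name__ == "__main__":
    alloc, idle = size_allocation(TARGETS_BPS, VENUES, TVL)
    print("allocation:", alloc, "idle:", idle)
    # A single 2M move into VenueB breaches a 100 bps limit; two 1M moves do not.
    print("2M into VenueB ok:", check_move(VENUES[1], 2_000_000, 100))
    print("1M into VenueB ok:", check_move(VENUES[1], 1_000_000, 100))
    print("9M redemption in a crunch:", plan_withdrawal(9_000_000, alloc, CRUNCH_VENUES, idle))
```

With these figures VenueB's target of 3M is clipped to 2M by its liquidity cap and VenueC's 2M target to 750k, leaving 2.25M idle rather than over-concentrated; a 2M move into VenueB fails the slippage check and has to be split; and a 9M redemption during the constructed crunch pays 8.5M immediately and leaves 500k to be served once liquidity is reallocated, which is the "several transactions" case described above.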

4) Multi‑sig or backend compromise (mis-execution risk)

Likelihood: Very Low • Impact: Low (no contract function allows funds to be stolen directly; the worst case is a badly timed or badly sized reallocation)

Mitigation:

  • Threshold multi‑sig; an independent Approver validates each proposal via the Engine before the Executor can act on it

  • Rate limiting, timelocks for admin params, real‑time alerts

  • No function exists to drain user funds

5) L1/L2 network incidents (stuck tx, chain halts)

Likelihood: Low • Impact: Low–Medium (temporary)

Mitigation:

  • Operate on mature networks; transaction retries and conservative gas settings

  • Funds remain in non‑custodial contracts; operations resume once the network stabilizes

Why user funds are safe

  • Non‑custodial architecture; creators have no technical ability to withdraw user assets

  • Multi‑approval execution with independent verification and timelocks

  • Blue‑chip integrations only; large liquidity, long history, public governance

  • Explicit position limits and liquidity safeguards (MAMM/MALS)

— For implementation details see How It Works and contract info in Smart Contracts & Audits. For common questions see FAQ.