Risks and mitigation

Risks and Mitigation

This page lists only the real risks that could lead to loss of funds or to funds being temporarily stuck — and how Thesauros is designed to minimize them.

What cannot happen by design

• Non-custodial ERC-4626 vaults: no one (including the team) can withdraw user funds arbitrarily.

• All operational actions go through a distributed flow (Proposer → Approver → Executor) and a multi‑sig; no single key can move assets.

• Admin functions are strictly limited and protected by multi‑sig and time‑locks; they cannot transfer user funds.

• If backend services go offline, rebalancing pauses, but deposits/withdrawals remain available on-chain.

Real risks and how we mitigate them

1) Critical bug in Thesauros contracts (loss risk)

Likelihood: Low • Impact: High

Mitigation:

• Independent audits, extensive testing, battle‑tested libraries (OpenZeppelin)

• Minimal privileged surface; no upgrade paths that can seize funds; time‑locked changes

• Pause + safe-withdraw mechanisms

2) Underlying protocol exploit (partial loss or stuck)

Likelihood: Low • Impact: Medium (only the portion allocated there)

Mitigation:

• Only blue‑chip protocols with very large liquidity, long history, active governance and time‑locks (e.g., Aave/Compound‑class)

• Diversification + hard caps per protocol (MAMM) and liquidity‑aware sizing (MALS)

• 24/7 monitoring and emergency withdrawal procedures

3) Market‑wide liquidity crunch (withdrawal delays)

Likelihood: Medium • Impact: Low–Medium

Mitigation:

• Allocation caps vs available liquidity (MALS) and diversified venues

• Slippage limits and simulation before moves

• Users can always redeem; in extreme conditions withdrawals may complete in several txs/after reallocation

4) Multi‑sig or backend compromise (mis-execution risk)

Likelihood: Very Low • Impact: Low (cannot directly steal funds)

Mitigation:

• Threshold multi‑sig; independent Approver validates each proposal via the Engine

• Rate limiting, timelocks for admin params, real‑time alerts

• No function exists to drain user funds

5) L1/L2 network incidents (stuck tx, chain halts)

Likelihood: Low • Impact: Low–Medium (temporary)

Mitigation:

• Operate on mature networks; retries and conservative gas settings

• Funds remain in non‑custodial contracts; operations resume once the network stabilizes

Why user funds are safe

• Non‑custodial architecture; creators have no technical ability to withdraw user assets

• Multi‑approval execution with independent verification and timelocks

• Blue‑chip integrations only; large liquidity, long history, public governance

• Explicit position limits and liquidity safeguards (MAMM/MALS)

— For implementation details see How It Works and contract info in Smart Contracts & Audits. For common questions see FAQ.