Failure Scenarios
Multyr contracts are deployed on Arbitrum One. The system is currently in the validation phase. Deposits are not open to the public. This page describes the protocol's designed behavior; some mechanisms are active in shadow testing, others become active at public launch. See the Status page for details.
This page documents specific failure scenarios and the system's response. Each scenario is scoped to a concrete trigger, not a general category of risk.
Scenario 1: An underlying lending protocol is exploited
Trigger. An exploit on Aave v3 Arbitrum (or a similar whitelisted protocol) causes partial loss of deposited capital.
System response.
- Oracle/health monitors detect abnormal NAV drop
- Strategy is marked DEGRADED (by Guardian or automation)
- No new allocation flows to the affected strategy
- Existing capital in the strategy is unwound on next feasible withdrawal cycle
- The per-strategy loss cap bounds the loss attributable to this strategy
Allocator impact. Capital allocated to the affected strategy at time of exploit is subject to the exploit's loss, bounded by the per-strategy loss cap and the strategy's share of vault capital.
Scenario 2: Oracle feed becomes stale
Trigger. The Chainlink price feed goes without an update for longer than the freshness threshold.
System response.
- Deposits blocked
- Rebalances blocked
- Withdrawals continue using fallback pricing
- System remains in this state until oracle resumes
Allocator impact. Deposits unavailable until oracle recovery. Withdrawals remain possible but may use fallback pricing, following the documented approach.
Scenario 3: Governance multisig is compromised
Trigger. SAFE_GOV (3-of-5) is compromised and submits a malicious parameter change.
System response.
- Parameter change enters ROOT_TIMELOCK (48h delay)
- Change is publicly visible during delay
- SAFE_VETO multisig can cancel the pending change
- If SAFE_VETO also fails, SAFE_GUARDIAN can pause system while community coordinates response
- Force withdrawals remain available throughout
Allocator impact. 48+ hour window to exit or monitor before any governance change takes effect. Exit path preserved through force withdrawal.
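An allocator-side monitor for the delay window in Scenario 3, as an added example that is not Multyr's own code: it replays timelock events and reports how long each pending change has before it can take effect. The event kinds (`scheduled`, `cancelled`, `executed`), the operation ids and the sample timestamps are assumptions constructed for illustration; only the 48h delay comes from this page.

```python
from dataclasses import dataclass

ROOT_TIMELOCK_DELAY = 48 * 3600  # 48h delay stated on this page, in seconds

@dataclass
class PendingChange:
    op_id: str
    scheduled_at: int
    status: str = "PENDING"  # PENDING | CANCELLED | EXECUTED

    @property
    def executable_at(self) -> int:
        return self.scheduled_at + ROOT_TIMELOCK_DELAY

def replay(events):
    """Fold timelock events (oldest first) into per-operation state plus alerts."""
    ops, alerts = {}, []
    for ev in events:
        kind, op_id, ts = ev["kind"], ev["id"], ev["ts"]
        if kind == "scheduled":
            ops[op_id] = PendingChange(op_id, ts)
            continue
        op = ops.get(op_id)
        if op is None or op.status != "PENDING":
            alerts.append(f"{kind} for {op_id}, which is not pending")
        elif kind == "cancelled":
            op.status = "CANCELLED"
        elif kind == "executed":
            # Invariant check: nothing should take effect inside the delay.
            if ts < op.executable_at:
                alerts.append(f"{op_id} executed before the delay elapsed")
            op.status = "EXECUTED"
    return ops, alerts

def exit_windows(ops, now):
    """Seconds left before each still-pending change can take effect."""
    return {o.op_id: max(0, o.executable_at - now)
            for o in ops.values() if o.status == "PENDING"}

# Constructed sample events (not real chain data); timestamps are Unix seconds.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    {"kind": "scheduled", "id": "op-a", "ts": T0},
    {"kind": "scheduled", "id": "op-b", "ts": T0 + 3600},
    {"kind": "cancelled", "id": "op-a", "ts": T0 + 7200},    # cancelled during the delay
    {"kind": "scheduled", "id": "op-c", "ts": T0 + 10_000},
    {"kind": "executed",  "id": "op-c", "ts": T0 + 20_000},  # too early: must alert
]

if __name__ == "__main__":
    ops, alerts = replay(SAMPLE_EVENTS)
    print(exit_windows(ops, now=T0 + 24 * 3600), alerts)
```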
Scenario 4: A strategy experiences rapid unbounded loss
Trigger. Leveraged or structured strategy incurs losses faster than the system's normal response cycle.
System response.
- Aggregate loss cap halts new allocation
- Guardian pauses the strategy at BROKEN state
- Capital in the strategy is unwound, accepting whatever execution is available
- Remaining capital in other strategies continues to operate normally
Allocator impact. Loss is bounded by the per-strategy loss cap and the strategy's allocation share. Capital in unrelated strategies is unaffected.
Scenario 5: Arbitrum sequencer failure
Trigger. Arbitrum One sequencer experiences extended downtime.
System response.
- No transactions process during sequencer downtime
- On sequencer resumption, deposits and withdrawals resume in normal order
- Underlying positions continue to accrue or lose value based on their on-chain state during downtime
Allocator impact. Transactions unavailable during downtime. Positions continue to be exposed to underlying protocol dynamics during the same period. Force exit to L1 is available via Arbitrum's native escape hatch (independent of Multyr).
Scenario 6: A critical bug is discovered in Multyr contracts
Trigger. Security researcher or internal review identifies a critical vulnerability.
System response.
- Guardian pauses deposits immediately
- Withdrawals proceed if safe, or are paused if they could worsen the issue
- Root cause analysis and disclosure timeline published
- Remediation executed via governance with appropriate delay
- Post-mortem published
Allocator impact. Funds accessible via withdrawal (instant, queued, or force depending on state). New deposits blocked until remediation complete.
What these scenarios share
- No discretionary loss absorption. The system does not socialize losses beyond what is encoded.
- Exit paths preserved. Force withdrawal remains available in all scenarios short of total contract destruction.
- Bounded exposure. Per-strategy and aggregate loss caps bound the magnitude of any single failure.
- Public visibility. All state changes are on-chain.