Skip to main content

Risk Framework

Current Phase: Shadow Mainnet Testing

Multyr contracts are deployed on Arbitrum One. The system is currently in validation phase. Deposits are not open to the public. Behavior described on this page reflects the protocol's designed behavior; some mechanisms are active in shadow testing, others become active at public launch. See the Status page for details.

Multyr is a non-custodial allocation system. Interaction with the protocol exposes the allocator to multiple categories of risk, both at the system level and at the level of underlying protocols.

This page documents, for each category:

  • the definition of the risk
  • the specific mitigations Multyr enforces
  • the residual exposure that mitigations do not eliminate

Mitigations are encoded in smart contracts or enforced through documented procedures. Their effectiveness is bounded by the same risks they address.

1. Smart Contract Risk

Definition. Bugs, vulnerabilities, or misconfigurations in Multyr's smart contracts may cause partial or total loss of vault capital.

Mitigation.

  • Codebase tested with 289 test files, 3,500+ test functions, 50+ stateful invariants, 14 fork validation domains (see Testing Deep Dive)
  • Shadow Mainnet Testing phase validates contract behavior under real on-chain conditions before public capital is accepted
  • External security reviews: top-tier auditor firms are being evaluated. Target: end of Q2 / early Q3 2026
  • Bug bounty program: scheduled concurrent with first audit report, Q3 2026 (Immunefi)
  • Role-based access control (RBAC) across all modules; no single-address privileged entry points
  • Reentrancy protection at module and system level

Residual exposure. Audits and testing reduce but do not eliminate smart contract risk. Novel vulnerabilities may exist. Allocators accept this risk by depositing.

2. Underlying Protocol Risk

Definition. Multyr allocates capital to external DeFi protocols (lending markets, structured products, etc.). A failure in an underlying protocol directly impacts capital allocated there.

Mitigation.

  • Strategy eligibility: only whitelisted underlying protocols can receive allocation
  • Per-protocol exposure limits enforced at allocation transaction (see How It Works)
  • Strategy isolation: capital in one underlying protocol does not cross-collateralize capital in another
  • Automatic exclusion from allocation of underlying protocols marked DEGRADED or BROKEN
  • Per-strategy loss cap exits a strategy that breaches the threshold

Residual exposure. Multyr cannot prevent a failure in an underlying protocol. Capital allocated to that protocol at the time of failure is subject to the same loss as any direct user of that protocol. Exposure limits bound the impact to a defined share of vault capital.

3. Strategy Risk

Definition. Each strategy has its own risk profile. Leveraged positions face liquidation risk. Delta-neutral strategies depend on hedging assumptions. Structured yield may degrade as conditions change.

Mitigation.

  • Each Strategy Vault is documented separately (see Strategy Types) with its specific risk profile
  • Strategy-specific parameters (leverage caps, hedge ratios, liquidation buffers) are on-chain and enforced at execution
  • Automated transition to DEGRADED state when strategy-specific health conditions are breached
  • Guardian intervention available for manual DEGRADED/BROKEN marking

Residual exposure. Strategy performance is not guaranteed. Market conditions may cause any strategy to degrade faster than the system's response.

4. Liquidity Risk

Definition. Withdrawals depend on the liquidity of underlying positions. Under stress, unwinding positions may be delayed or executed with slippage.

Mitigation.

  • Liquid buffer maintained per vault for instant withdrawals, sized per parameters
  • Queued withdrawal mode for amounts exceeding instant buffer, with defined settlement cadence
  • Force withdrawal emergency path available under emergency procedures (see Emergency Procedures)
  • Liquidity-aware allocation: allocation size bounded by available market depth of underlying positions

Residual exposure. Under extreme market conditions, withdrawal execution may incur slippage and delays. Force withdrawals prioritize exit over execution quality.

5. Allocation and Rebalancing Risk

Definition. Allocation logic may produce suboptimal distribution; rebalancing incurs gas and slippage costs; rule-based behavior may underperform discretionary action in some conditions.

Mitigation.

  • Execution threshold gating: rebalances execute only when expected benefit exceeds execution cost
  • Bounded rebalance batch size to prevent large market impact
  • On-chain logging of every rebalance with pre/post state for public audit
  • Parameters tunable via governance (ROOT_TIMELOCK 48h) — no instant parameter changes

Residual exposure. Rule-based allocation will not capture tactical opportunities that fall outside the rule set. Over long horizons, systematic discipline is designed to outperform discretionary action; over short horizons, it may not.

6. Market Risk

Definition. General market conditions — interest rates, asset volatility, DeFi-wide liquidity shifts — affect vault performance.

Mitigation.

  • USDC base asset minimizes non-USD exposure
  • Diversification across strategies reduces dependence on any single market regime
  • Exposure limits per strategy cap impact of any single market-driven failure

Residual exposure. Multyr does not hedge against market conditions. Broad market stress affects DeFi yields across all strategies.

7. Governance and Parameter Risk

Definition. Governance-controlled parameters (exposure limits, fees, loss caps, strategy whitelisting) may be misconfigured or updated in ways that affect allocators.

Mitigation.

  • ROOT_TIMELOCK: all parameter changes subject to 48-hour delay from proposal to execution, contract at 0x295C...2798
  • SAFE_VETO (1-of-1): can cancel any pending governance transaction before execution, contract at 0xF0c1...f1D7
  • All parameter changes are on-chain and publicly observable during the delay window
  • Governance is executed by SAFE_GOV (3-of-5) at 0x70ef...a326

Residual exposure. Governance decisions may still produce adverse outcomes. The 48h delay gives allocators a window to exit before any parameter change takes effect, but does not prevent the change from occurring if not vetoed.

8. Oracle Risk

Definition. NAV pricing, strategy valuation, and some allocation decisions rely on oracle data. Stale or manipulated oracle data may lead to incorrect pricing.

Mitigation.

  • Chainlink primary price feeds with staleness checks (default ~1 hour max staleness)
  • Secondary oracle validation for deviation detection
  • Deviation threshold: deposits blocked if primary and secondary oracles diverge beyond ~2%
  • NAV freshness enforcement on deposits (warm NAV max age ~15 minutes)
  • Withdrawals are never blocked by oracle failure — deliberate design choice to preserve exit paths

Residual exposure. Oracle design mitigates but does not eliminate manipulation risk. Extreme coordinated manipulation of multiple oracle sources could affect deposit pricing.

9. Regulatory Risk

Definition. Changes in laws or regulations may affect access to the protocol, specific strategies, or the underlying protocols integrated.

Mitigation.

  • Non-custodial design: Multyr does not hold user funds off-chain
  • Allocators remain responsible for compliance in their jurisdiction

Residual exposure. Regulatory outcomes vary by jurisdiction and are outside protocol control.

Capital protection mechanisms

In addition to per-category mitigations, the protocol enforces the following structural protections:

  • Strategy isolation: failure in one strategy does not propagate to others
  • Per-strategy loss cap (see Parameters)
  • Aggregate loss cap (see Parameters)
  • Exit paths: instant and queued withdrawal modes available in normal operation; force withdrawal emergency path under adverse conditions
  • Guardian pause: halts deposits and withdrawals in emergency (cannot resume without governance)
  • No permanent withdrawal block: no entity can permanently prevent user exits

Safety Reserve

The Safety Reserve Safe is deployed on Arbitrum at 0x8c85...4f2B (2-of-3 multisig).

  • Funded from a portion of protocol fees
  • Currently minimal balance (shadow testing phase, no user fees generated yet)
  • Build-up accelerates at public launch when the protocol starts generating user-based fees
  • Acts as a limited loss-absorption buffer for specific scenarios

The Safety Reserve is not an insurance mechanism. It does not guarantee capital protection and may be insufficient to cover losses.

Current Status

See System Lifecycle — Current Status for the full status disclosure. In addition to the risks outlined above, users interacting with Multyr during the shadow testing phase should consider:

  • Not all features may be active
  • System behavior is still being validated
  • Parameters and strategies may evolve
  • External audits are engaged but not yet complete

These factors amplify the risk categories described on this page.

Important statements

  • Multyr does not guarantee returns
  • Multyr does not guarantee capital preservation
  • Multyr does not make discretionary investment decisions
  • Multyr does not hold user capital off-chain
  • Multyr does not prevent users from exiting the system