Risks & Security
Understanding Slashing, Smart Contract, and Oracle Risks
Risk Summary
| Risk | Affected Vault | Description |
|---|---|---|
| Slashing | mMITOc | Validator issues → collateral decrease → rate drop |
| Smart Contract | All | Bug/exploit |
| Oracle Delay | mMITOc | Delayed collateral state reflection |
| Liquidity | All | 7-day withdrawal wait |
Slashing Risk (mMITOc)
Conditions
Validators get slashed for:
- Extended downtime
- Double signing
- Other protocol violations
Impact
Before slashing:
├─ totalAssets: 1000 WMITO
├─ totalSupply: 1000 mMITOc
└─ Rate: 1.0
After 10% slashing:
├─ totalAssets: 900 WMITO (Oracle reported)
├─ totalSupply: 1000 mMITOc
└─ Rate: 0.9 // [!code hl]mMITOs is Safe
Oracle System
Trust Model Comparison
Traditional Oracle ❌
Operator claims "Collateral is 1000 MITO"
→ Must trust them
→ Can be manipulatedVerification Process
ABCI Query
Request validator/collateral data + proof from Consensus Layer
Oracle Feeder (SP1)
Generate ZK inclusion proof
Collateral Oracle
Verify proof and store collateral info
EIP-4788
Verify freshness via Beacon Root (= AppHash)
Proof Structure
Two-stage ICS23 proof:
- ics23: AppHash → Module roots
- ics23: Module root → State (validator, collateral data)
Freshness Guarantee
uint256 public constant EIP4788_TIMEOUT = 1 days / 2; // 12 hours
// Verify proof is within 12 hours
require(block.timestamp - proofTimestamp < EIP4788_TIMEOUT); Proofs older than 12 hours are rejected.
Smart Contract Security
Applied Patterns
| Pattern | Purpose |
|---|---|
| UUPS Proxy | Upgradeable (with time-lock) |
| ERC-7201 | Namespaced storage (collision prevention) |
| ReentrancyGuard | Reentrancy attack prevention |
| AccessControl | Role-based permissions |
External Dependencies
- OpenZeppelin Contracts (Upgradeable)
- Solady (gas optimization)
- SP1 Verifier
Liquidity Risk
7-day Withdrawal Wait
Alternatives for Instant Liquidity
- Sell WithdrawalNFT on marketplace (at discount)
- Trade mMITOc/mMITOs directly on DEX (if liquidity exists)
Emergency Situations
Oracle Outage
| Scenario | Behavior |
|---|---|
| Oracle down | Last valid data used |
| New slashing | Not detected until recovery |
| Withdrawals | Continue to work |
Contract Pause
Admin can pause in emergency:
- Deposits/withdrawals halted
- Existing withdrawal requests can still be processed