Risk & Limits
This page outlines the known risks, what we do to mitigate them, and the hard limits/safeties built into Paragon.
1) Global protocol risks
Market volatility. Crypto prices can move quickly; slippage and gaps can occur even with guards.
Smart-contract bugs. Audits reduce risk but cannot guarantee safety. Contracts are open-source and time-locked; emergency pause exists (see §6).
Admin / governance risk. A multisig can update parameters, add/remove oracles, or pause modules. All changes are time-locked and announced; emergency sentinel has limited, scope-bound powers.
Third-party dependencies. Bridges, external DEXes, and oracles can fail or be attacked. We design for graceful degradation (fallbacks, circuit breakers) but cannot fully remove dependency risk.
Key management. Users are self-custodial. Loss or compromise of private keys results in loss of control over assets.
2) Execution layer (Intents, Batching & Shield)
What it is: Users sign EIP-712 swap intents. A batcher aggregates them; solvers propose settlements; FlowSettlement executes the best route with Proof-of-Best-Execution (PoBE). Paragon Shield reduces front-running via batching + private submissions.
Risks & mitigations
Solver liveness. If no solver returns in time, batch falls back to the legacy Router path. Mitigation: 1-block (testnet) / 2-block (mainnet) timeouts; multiple redundant solvers; default house solver enabled.
Best-execution limits. “Best” is relative to the search space (our pools + allow-listed venues). Mitigation: we disclose venues searched; we measure surplus against user minOut and publish PoBE metrics; conservative price guards.
MEV not zero. Batching reduces sandwiches but cannot remove all MEV (esp. cross-domain). Mitigation: private mempool submission where available; randomized ordering inside batches; surplus-sharing (users receive a rebate when we beat minOut).
Off-chain batcher outage. Mitigation: automatic fallback to standard swap; intents expire and can be re-submitted.
Limits (defaults)
Batch window: 1 block (testnet) / 2 blocks (mainnet).
Per-batch notional cap: $1.0m (testnet lower).
Per-tx slippage guard: default 0.5% (user-tunable up to 1.0%; intents with >1.0% require explicit opt-in).
External venues: allow-listed; if a venue fails mid-tx, route prunes it and reverts if minOut fails.
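The intent guards listed in this section (deadline expiry, the 0.5% default / 1.0% opt-in slippage guard, minOut enforcement, solver-timeout fallback to the router, and surplus measured against minOut) as an added illustrative model; this is not Paragon's contract code, and the Intent fields, settle() signature and network names are assumptions:

```python
from dataclasses import dataclass

# Defaults quoted on this page; names below are assumptions for illustration.
DEFAULT_SLIPPAGE_BPS = 50         # 0.5%
MAX_SLIPPAGE_NO_OPTIN_BPS = 100   # 1.0%; above this the intent needs explicit opt-in
SOLVER_TIMEOUT_BLOCKS = {"testnet": 1, "mainnet": 2}

@dataclass
class Intent:
    amount_in: int
    quoted_out: int               # quote at signing time; minOut is derived from it
    slippage_bps: int = DEFAULT_SLIPPAGE_BPS
    deadline: int = 0             # unix seconds; expired intents are rejected
    explicit_opt_in: bool = False

    @property
    def min_out(self) -> int:
        return self.quoted_out * (10_000 - self.slippage_bps) // 10_000

def validate_intent(intent: Intent, now: int) -> str:
    """Checks that run before any solver or router path is attempted."""
    if now > intent.deadline:
        return "expired"
    if intent.slippage_bps > MAX_SLIPPAGE_NO_OPTIN_BPS and not intent.explicit_opt_in:
        return "slippage_requires_opt_in"
    return "ok"

def settle(intent, solver_out, solver_blocks, router_out, network, now):
    """Return (path, amount_out, surplus, status).
    solver_out is None when no solver replied; solver_blocks is how long it took."""
    status = validate_intent(intent, now)
    if status != "ok":
        return "rejected", 0, 0, status
    # Solver liveness: late or absent solver -> legacy Router fallback path
    if solver_out is None or solver_blocks > SOLVER_TIMEOUT_BLOCKS[network]:
        path, out = "router", router_out
    else:
        path, out = "flow", solver_out
    if out < intent.min_out:          # price guard: revert rather than fill below minOut
        return "reverted", 0, 0, "minOut"
    surplus = out - intent.min_out    # PoBE metric: surplus is measured against minOut
    return path, out, surplus, "ok"
```

The rebate share paid out of the surplus is policy the page does not quantify, so the model reports surplus only.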
3) AMM liquidity risks
Impermanent Loss (IL). LPs face IL when prices diverge. Farming rewards help offset but do not eliminate IL.
Thin liquidity & price impact. Large orders on small pools move price. Mitigation: router splits across routes; UI shows expected impact; Flow can batch match some flow internally.
Spot manipulation. Attackers can try to skew spot for a single block. Mitigation: we never use single-block spot for any settlement that transfers value (indices, vaults); we use TWAP/oracles (see §4).
Limits
Max price impact (UI hard guard): 5% unless user explicitly overrides.
Pool fee model: v2 0.30% default (0.25% LPs, 0.05% Treasury/Shield); some pools may have custom fees and are labeled.
4) Pricing & Oracle risks (applies to stXPGN & indices)
We use a three-layer price stack: Chainlink (primary) → Pyth/Redstone (secondary) → On-chain TWAP (fallback & cross-check).
Risks & mitigations
Stale feeds. Mitigation: freshness checks per asset; if stale, we degrade features or halt mint (not swaps).
Outliers / manipulation. Mitigation: deviation bounds vs last accepted + TWAP cross-checks; medianization across sources.
Stablecoin depeg. Mitigation: special 1.00 peg checks; widen slippage or disable mint/redemptions that depend on the depegged stable; always allow redeem into available assets.
Oracle limits (defaults)
Freshness (Tmax): majors 60m; stables 10m; long-tail 6h.
Deviation (Dmax vs last accepted): majors 5%; long-tail 15%.
TWAP cross-check: reject if oracle vs TWAP deviates >8% (majors) / >20% (long-tail).
Global sentinel: if >5 assets fail checks at once, index mint pauses; swaps unaffected.
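The oracle guard logic described in this section (freshness per asset class, deviation vs last accepted, medianization across sources, TWAP fallback and cross-check, and the >5-asset global sentinel) as an added worked model; this is not Paragon's contract code. How the three layers compose is an assumption, as is reusing the "major" deviation bounds for stables, which the page does not specify:

```python
from dataclasses import dataclass
from statistics import median

# Defaults quoted on this page, keyed by asset class (class names are assumptions).
# Stables have no Dmax / TWAP bound on the page; reusing the major values is assumed.
TMAX_S  = {"major": 3600, "stable": 600,  "longtail": 21600}
DMAX    = {"major": 0.05, "stable": 0.05, "longtail": 0.15}
TWAPMAX = {"major": 0.08, "stable": 0.08, "longtail": 0.20}

@dataclass
class Feed:
    source: str        # "chainlink" | "pyth" | "redstone" | "twap"
    price: float
    updated_at: int    # unix seconds of the last update

def fresh(feed: Feed, now: int, cls: str) -> bool:
    return now - feed.updated_at <= TMAX_S[cls]

def rel_dev(a: float, b: float) -> float:
    return abs(a / b - 1.0)

def resolve_price(feeds, last_accepted, now, cls):
    """Return (price, status). status is "ok", "degraded" (TWAP fallback) or a
    failure reason with price None. Layer composition is an assumption."""
    twap = next((f for f in feeds if f.source == "twap"), None)
    if twap is None or not fresh(twap, now, cls):
        return None, "twap_stale"          # no cross-check possible: fail closed
    live = [f.price for f in feeds if f.source != "twap" and fresh(f, now, cls)]
    if not live:
        # every oracle layer is stale: TWAP is the fallback, still bounded by Dmax
        if rel_dev(twap.price, last_accepted) > DMAX[cls]:
            return None, "stale"
        return twap.price, "degraded"
    candidate = median(live)               # medianize across the fresh sources
    if rel_dev(candidate, last_accepted) > DMAX[cls]:
        return None, "deviation"           # outlier / manipulation bound
    if rel_dev(candidate, twap.price) > TWAPMAX[cls]:
        return None, "twap_mismatch"       # oracle disagrees with on-chain TWAP
    return candidate, "ok"

def index_mint_paused(results, max_failed=5):
    """Global sentinel: index mint pauses when more than max_failed assets fail."""
    return sum(1 for price, _ in results.values() if price is None) > max_failed
```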
5) Index tokens (P10/P50/P100/L1-10) risks
Two modes: (A) Basket-backed mint/redeem; (B) Synthetic with backing-range (fast path). Testnet launches with (B).
Risks
Tracking error (synthetic). NAV can drift until keepers rebalance. Mitigation: backing-range ε (e.g., ±3%) with incentives to rebalance; transparent NAV events.
Constituent risk. Delistings, exploit on a component token, or extreme illiquidity. Mitigation: reconstitution windows; caps; ability to temporarily zero-weight a token via governance/time-lock + emergency sentinel for hard fails.
Mint/redeem halt. If constituent feeds are stale or out of bounds, mint pauses; redeem remains open (pro-user unwind).
Zap slippage. Mint/redeem with one token requires on-chain swaps. Mitigation: router splits; user-visible slippage; per-tx slippage cap.
Index limits (defaults)
Per-tx mint cap: lower of $50k or 0.5% of P10 supply.
Daily mint cap (rolling 24h): 2% of supply.
Backing-range ε: ±3% vs target weights (synthetic).
Mint fee / redeem fee: 10 bps / 10 bps (part funds Treasury + stXPGN share).
Reconstitution cadence: weekly (testnet) / monthly (mainnet); snapshot & signed list posted on-chain.
When paused: mint disabled if any constituent is stale or out of bounds; redeem always enabled with available assets.
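The index limits above (per-tx cap as the lower of $50k or 0.5% of supply, rolling-24h 2% cap, 10 bps fees, backing-range ε, mint paused on bad feeds while redeem stays open) as an added worked model; this is not Paragon's contract code, and the class and method names are assumptions:

```python
from collections import deque

# Defaults quoted on this page; IndexMintGuard and its methods are assumed names.
PER_TX_USD_CAP     = 50_000.0
PER_TX_SUPPLY_FRAC = 0.005      # 0.5% of supply
DAILY_SUPPLY_FRAC  = 0.02       # 2% of supply, rolling 24h
EPSILON            = 0.03       # backing-range ε: ±3% vs target weights
FEE_BPS            = 10         # mint and redeem fee, 10 bps each
WINDOW_S           = 24 * 3600

class IndexMintGuard:
    def __init__(self, supply_tokens: float, nav_usd: float):
        self.supply = supply_tokens
        self.nav = nav_usd              # oracle-guarded NAV per index token (USD)
        self.mints = deque()            # (timestamp, tokens) inside the rolling window

    def rolling_minted(self, now: int) -> float:
        while self.mints and now - self.mints[0][0] >= WINDOW_S:
            self.mints.popleft()        # drop mints older than 24h
        return sum(t for _, t in self.mints)

    def check_mint(self, usd_in: float, now: int, constituents_ok: bool):
        """Return (tokens_out, status); tokens_out is None when the mint is refused."""
        if not constituents_ok:         # any stale / out-of-bounds constituent feed
            return None, "paused"
        per_tx_cap = min(PER_TX_USD_CAP / self.nav, PER_TX_SUPPLY_FRAC * self.supply)
        tokens = usd_in * (1 - FEE_BPS / 10_000) / self.nav
        if tokens > per_tx_cap:
            return None, "per_tx_cap"
        if self.rolling_minted(now) + tokens > DAILY_SUPPLY_FRAC * self.supply:
            return None, "daily_cap"
        self.mints.append((now, tokens))
        self.supply += tokens
        return tokens, "ok"

    def check_redeem(self, tokens: float):
        """Redeem stays open regardless of feed state (pro-user unwind)."""
        if tokens > self.supply:
            return None, "insufficient_supply"
        self.supply -= tokens
        return tokens * (1 - FEE_BPS / 10_000) * self.nav, "ok"

def needs_rebalance(target_w: dict, actual_w: dict) -> list:
    """Constituents whose actual weight drifted beyond ±ε from target (keeper signal)."""
    return [k for k in target_w if abs(actual_w[k] - target_w[k]) > EPSILON]
```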
6) Treasury & Shield (insurance) risks
Not a guarantee. Shield/Treasury is best-effort protection, not an insurer of last resort. Payout logic and coverage criteria will be codified and are limited by available reserves.
Treasury shortfall. In extreme events, reserves may be insufficient. Governance can decide how to allocate shortfall.
Moral hazard. Coverage could encourage risky behavior; coverage scope is narrow (e.g., specific execution failures, not market losses or IL).
Limits
Treasury allocation: 0.05% of swap volume (v2 fee model) to Treasury/Shield.
Payout caps: per-incident and per-user caps defined in Shield policy (published before mainnet).
Change control: any change to payout policy is time-locked and signaled in advance.
7) Operational limits & circuit breakers
Intent expiry: intents include deadline. Expired intents are rejected on-chain.
Gas price guard: if base fee exceeds threshold, batch size shrinks; non-critical flows may queue.
Pause granularity: independent pause switches for:
FlowSettlement (keeps legacy router on)
Index mint (redeem stays on)
stXPGN deposit (withdraw stays on)
New farm rewards (existing claims remain)
Cool-downs: after changing sensitive params (oracle set, fee bps), a 24h cool-down applies before becoming active (testnet shorter).
Rate limiting: per-address mint caps and per-block settlement caps to prevent abuse.
8) What happens during incidents
Degrade, don’t die. Default mode is to degrade gracefully (pause mints, keep redeems; fallback to router; widen slippage) rather than full stop.
On-chain signals: contracts emit OracleDegraded, NavPaused, FlowFallback, ShieldTrigger events.
Post-mortem & restore: after root cause and safe parameter updates (via timelock), paused modules resume.
9) Testnet-specific caveats (next 3–4 weeks)
Oracles are mocks behind the same guard logic; deviations may be injected for testing.
Single house solver initially; permissionless solver set and bonding comes later.
Lower caps: per-tx mint cap and batch notional are much smaller on testnet; parameters may change frequently.
No real Shield payouts on testnet; only accounting/UI previews.
10) User responsibilities
Verify you are on the correct network and contracts.
Set a reasonable slippage and deadline; prefer intents for additional protection.
Review oracle status badges and expected savings before confirming.
Diversify; understand IL if you LP.
Never share seed phrases/private keys; beware of phishing.
TL;DR
We’re non-custodial with layered oracles + TWAP and graceful circuit breakers.
Intents + batching reduce MEV and unlock surplus rebates, but don’t make risk zero.
Indices mint at oracle-guarded NAV with safety caps; mint pauses if feeds degrade; redeem stays open.
Treasury/Shield strengthens resilience but is not guaranteed insurance.
All sensitive changes are time-locked; incidents favor degradation over halt.