Security Risks

Refer to the High Level Architecture for an overview of the components of the Locust Product.

Locust exposes users to the following risks

• Smart contract compromise

• Smart contract admin account compromise

• Bugs in the off-chain executor

• The off-chain executor is offline

• Infrastructure is offline

• The off-chain executor account is compromised

Smart contract compromise

The Locust Vault Framework includes the Fund Contract and the Strategy Contract. Although the surface of these contracts is small, users are still exposed to smart contract risk and potential loss of funds.

The Locust Vault Framework has received a full audit from Oak Security and the audit will be published on completion of the audit. Furthermore the Locust Vault Framework will be open sourced under and Apache 2.0 License on completion of the audit.

Smart Contract Admin Account Compromise

The admin of a smart contract may change configuration parameters and migrate contracts. In a benign case this could lead to a misconfiguration of contract parameters leading to a bug and potential loss of funds. In a malign case a bad actor who is able to compromise the Admin account private key can migrate the smart contract, change Authz permissions and steal all funds.

The mitigation is that the admin account is limited to team members and will transition to a multi-signature wallet.

To verify Authz permissions get the strategy contract address from the contracts page. Then query the config.

neutrond query wasm \ 
    contract-state smart \
    neutron1me4fuchq3pgle46dvdxsgvpz02z605gkr0sgs6uwew25cpgg3ydsfg8zms \
    '{"config": {}}'  | jq .

View the controllerkey which is the account that may manage funds. Also the grantskey which specifies the grants issued.

{
  "data": {
    "admin": "neutron1ha2hjlce7sqp59g8xhxz2jds97x8fdw9k9wngp",
    "controller": "neutron1nz852flh6np9xlg9ju3ka6w5txezsxt0j4lypn",
    "vault": "neutron17fyzkafg4scrd6xu0sp9llrl6hazegza7yer4erlea0kvk30yxsqk2xqfd",
    "token0": "ibc/78F7404035221CD1010518C7BC3DD99B90E59C2BA37ABFC3CE56B0CFB7E8901B",
    "token1": "ibc/B559A80D62249C8AA07A380E2A2BEA6E5CA9A6F079C912C3A9E9B494105E4F81",
    "grants": [
      "/neutron.dex.MsgCancelLimitOrder",
      "/neutron.dex.MsgDeposit",
      "/neutron.dex.MsgPlaceLimitOrder",
      "/neutron.dex.MsgWithdrawFilledLimitOrder",
      "/neutron.dex.MsgWithdrawal"
    ],
    "pool_info": {
      "slinky": {
        "base": "BTC",
        "quote": "USD",
        "timeout": 900
      }
    },
    "name": "crates.io:strategy",
    "version": "0.0.4"
  }
}

For a canonical understanding of the permissions the executor has query the Authz module.

neutrond query authz grants \
    neutron1me4fuchq3pgle46dvdxsgvpz02z605gkr0sgs6uwew25cpgg3ydsfg8zms \ 
    neutron1nz852flh6np9xlg9ju3ka6w5txezsxt0j4lypn | jq .

Verify that the json response matches the permissions specified in the contact

{
  "grants": [
    {
      "authorization": {
        "type": "cosmos-sdk/GenericAuthorization",
        "value": {
          "msg": "/neutron.dex.MsgCancelLimitOrder"
        }
      }
    },
    {
      "authorization": {
        "type": "cosmos-sdk/GenericAuthorization",
        "value": {
          "msg": "/neutron.dex.MsgDeposit"
        }
      }
    },
    {
      "authorization": {
        "type": "cosmos-sdk/GenericAuthorization",
        "value": {
          "msg": "/neutron.dex.MsgPlaceLimitOrder"
        }
      }
    },
    {
      "authorization": {
        "type": "cosmos-sdk/GenericAuthorization",
        "value": {
          "msg": "/neutron.dex.MsgWithdrawFilledLimitOrder"
        }
      }
    },
    {
      "authorization": {
        "type": "cosmos-sdk/GenericAuthorization",
        "value": {
          "msg": "/neutron.dex.MsgWithdrawal"
        }
      }
    }
  ],
  "pagination": {
    "total": "5"
  }
}

Bugs in the off-chain executor

The off-chain executor manages funds on behalf of the strategy contract. The messages that it can sign on behalf of the the strategy contract are limited in scope via Authz permissions, which are verifiable on-chain.

Users are exposed to bugs in the off-chain executor which may in an extreme case cause partial or full loss of funds. The worst case is that messages are created incorrectly, causing positions to be created incorrectly and the strategy failing.

This is mitigated in part by formal code reviews and alerts on errors in running strategies.

The off-chain executor is offline

Users are exposed to the risk of the off-chain executor being offline. This can occur due to server failure or the process crashing and not restarting. In this case market conditions may move unfavorably against existing positions causing a strategy to become unprofitable. In extreme cases it can result in partial or full loss of funds.

This is mitigated in part by fault tolerant infrastructure and high levels of monitoring and alerting.

Infrastructure is offline

Strategies rely on interrogating APIs and services for current market conditions in order to build and sign messages. These include RPC servers, third-party APIs and data feeds. In the case that a service is unavailable market conditions may move unfavorably against existing positions causing a strategy to become unprofitable. In extreme cases it can result in partial or full loss of funds.

This is mitigated in part by having fail over instances in the case of RPCs and limiting the reliance on single point of failure APIs.

The off-chain executor account is compromised

In the case that the off-chain executor account is compromised an attacker could create and sign transactions for message types that the account has Authz permissions for. This would allow an attacker to potentially steal some or all funds.

This is mitigated in part by the use of Authz which limits the scope of an attack.