Security Risks
Last updated
Refer to the for an overview of the components of the Locust Product.
Locust exposes users to the following risks:
Smart contract compromise
Smart contract admin account compromise
Bugs in the off-chain executor
The off-chain executor is offline
Infrastructure is offline
The off-chain executor account is compromised
The Locust Vault Framework includes the Fund Contract and the Strategy Contract. Although the surface of these contracts is small, users are still exposed to smart contract risk and potential loss of funds.
The Locust Vault Framework has received a full audit from and the report will be published on completion of the audit. Furthermore, the Locust Vault Framework will be open sourced under and on completion of the audit.
The admin of a smart contract may change configuration parameters and migrate contracts. In a benign case this could lead to a misconfiguration of contract parameters, causing a bug and potential loss of funds. In a malicious case, a bad actor who compromises the admin account's private key can migrate the smart contract, change Authz permissions and steal all funds.
The mitigation is that the admin account is limited to team members and will transition to a multi-signature wallet.
To verify Authz permissions, get the strategy contract address from the page, then query the contract's config. View the controller key, which is the account that may manage funds, and the grants key, which specifies the grants issued.
For a canonical understanding of the permissions the executor has, query the Authz module.
Verify that the JSON response matches the permissions specified in the contract.
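The cross-check described above, as an added example that is not part of the Locust documentation or code base: it takes the contract's config response and the Authz module's grants response and reports any permission that is declared but not granted, or granted but not declared. The latter case is the one that matters for the executor-compromise risk discussed further down, since every extra grant widens what a leaked executor key could sign. The config schema (a `controller` address plus a `grants` list of message type URLs) is assumed, as the page does not give it; the Authz response shape is the standard Cosmos SDK `/cosmos/authz/v1beta1/grants` query result; all addresses and type URLs are constructed sample values.

```python
"""Added example (not Locust's code): compare a strategy contract's declared
Authz permissions against what the chain's Authz module actually reports.

Assumptions, labelled as such:
- The contract config query returns JSON with a `controller` address and a
  `grants` list of msg type URLs (hypothetical schema; the real one is not on
  the page).
- The Authz query is the standard Cosmos SDK gRPC-gateway response for
  /cosmos/authz/v1beta1/grants?granter=<strategy>&grantee=<controller>,
  where each GenericAuthorization carries a `msg` type URL.
- All addresses and type URLs below are constructed sample values.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: config returned by the strategy contract (hypothetical schema).
CONTRACT_CONFIG = json.dumps({
    "controller": "cosmos1controller000000000000000000000000000",
    "grants": [
        "/cosmos.bank.v1beta1.MsgSend",
        "/cosmwasm.wasm.v1.MsgExecuteContract",
    ],
})

# Constructed sample: Authz module response. It carries an extra MsgDelegate
# grant that the contract config never declared.
AUTHZ_RESPONSE = json.dumps({
    "grants": [
        {"authorization": {"@type": "/cosmos.authz.v1beta1.GenericAuthorization",
                           "msg": "/cosmos.bank.v1beta1.MsgSend"},
         "expiration": "2030-01-01T00:00:00Z"},
        {"authorization": {"@type": "/cosmos.authz.v1beta1.GenericAuthorization",
                           "msg": "/cosmwasm.wasm.v1.MsgExecuteContract"},
         "expiration": None},
        {"authorization": {"@type": "/cosmos.authz.v1beta1.GenericAuthorization",
                           "msg": "/cosmos.staking.v1beta1.MsgDelegate"},
         "expiration": None},
    ],
    "pagination": {"next_key": None, "total": "3"},
})


@dataclass
class GrantCheck:
    controller: str
    declared: set = field(default_factory=set)       # type URLs the contract config lists
    on_chain: set = field(default_factory=set)       # type URLs the Authz module reports
    unsupported: list = field(default_factory=list)  # non-generic authorizations for manual review

    @property
    def missing(self) -> set:
        """Declared in the contract but absent on-chain: the executor cannot act."""
        return self.declared - self.on_chain

    @property
    def extra(self) -> set:
        """Granted on-chain but not declared: a wider blast radius if the executor key leaks."""
        return self.on_chain - self.declared

    @property
    def ok(self) -> bool:
        return not self.missing and not self.extra and not self.unsupported


def authz_msg_types(authz_json: str) -> tuple[set, list]:
    """Extract message type URLs from an Authz grants response.

    GenericAuthorization names the msg type directly. Other authorization
    kinds (SendAuthorization, StakeAuthorization, ...) scope permissions by
    amount or validator rather than by type URL, so they are returned
    separately for a human to review instead of being silently compared.
    """
    doc = json.loads(authz_json)
    types, unsupported = set(), []
    for grant in doc.get("grants", []):
        auth = grant.get("authorization", {})
        if auth.get("@type") == "/cosmos.authz.v1beta1.GenericAuthorization":
            types.add(auth["msg"])
        else:
            unsupported.append(auth.get("@type", "<unknown>"))
    return types, unsupported


def compare_grants(config_json: str, authz_json: str) -> GrantCheck:
    """Build the declared-vs-on-chain comparison for the contract's controller."""
    cfg = json.loads(config_json)
    on_chain, unsupported = authz_msg_types(authz_json)
    return GrantCheck(controller=cfg["controller"],
                      declared=set(cfg["grants"]),
                      on_chain=on_chain,
                      unsupported=unsupported)


if __name__ == "__main__":
    check = compare_grants(CONTRACT_CONFIG, AUTHZ_RESPONSE)
    print("controller:", check.controller)
    print("declared but not granted:", sorted(check.missing))
    print("granted but not declared:", sorted(check.extra))
    print("needs manual review:", check.unsupported)
    print("OK" if check.ok else "MISMATCH")
```

Run with the sample data and the check reports `MsgDelegate` as granted but not declared; in practice you would replace the two constants with the live responses for the strategy address and its controller, and treat any non-empty `extra` list as a finding to raise with the team.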
Users are exposed to bugs in the off-chain executor which may in an extreme case cause partial or full loss of funds. The worst case is that messages are created incorrectly, causing positions to be created incorrectly and the strategy failing.
This is mitigated in part by formal code reviews and alerts on errors in running strategies.
Users are exposed to the risk of the off-chain executor being offline. This can occur due to server failure or the process crashing and not restarting. In this case market conditions may move unfavorably against existing positions causing a strategy to become unprofitable. In extreme cases it can result in partial or full loss of funds.
This is mitigated in part by fault tolerant infrastructure and high levels of monitoring and alerting.
Strategies rely on querying APIs and services for current market conditions in order to build and sign messages. These include RPC servers, third-party APIs and data feeds. If a service is unavailable, market conditions may move unfavorably against existing positions, causing a strategy to become unprofitable. In extreme cases it can result in partial or full loss of funds.
This is mitigated in part by having failover instances for RPCs and by limiting reliance on APIs that are single points of failure.
If the off-chain executor account is compromised, an attacker could create and sign transactions for the message types that the account has Authz permissions for. This would allow an attacker to potentially steal some or all funds.
This is mitigated in part by the use of Authz which limits the scope of an attack.
The off-chain executor manages funds on behalf of the strategy contract. The messages that it can sign on behalf of the strategy contract are limited in scope via permissions, which are verifiable on-chain.