Security First Approach
Layers of Security
Through the implementation of a layered security approach, Rodeo ensures that funds deposited by all users (yield farmers, degens, whales and institutions alike) are safe when entered into the Rodeo platform, on both the lending and the leverage side of the equation. These layers include:
Code
Internal testing / alpha testing
Design of money market (i.e. isolated pools and a "closed" system)
3rd party audits & Bug bounties
Price oracles
Caps for lending pool and farm
OpSec
Other
1. Code
As a native L2 protocol built on Arbitrum, we have purpose-built our code to optimize the undercollateralized lending features on Rodeo for maximized yields, while implementing several measures in code to prevent known attack vectors:
Funds borrowed on Rodeo are controlled by Rodeo contracts and may only be deposited, as leverage, into approved strategies
Rodeo prevents flash loans and prohibits users from opening and closing positions in the same block
Admin actions are protected behind a delay/timelock and multisig, no hot/cold wallet with admin access
Rodeo implements support for ERC-4626 vaults to ensure industry standards of security and structure are met
All public methods disallow re-entrancy to prevent this common security vulnerability
Strategies and core logic can be updated in order to respond to changing external factors or security issues
In the future, critical functions such as approving new pools and farms can be delegated to token holders / DAO
These measures, along with lessons learned from other protocol exploits, help Rodeo to prevent malicious actors from compromising funds stored on the platform.
2. Internal Testing/Alpha Testing
The Rodeo team has an extensive internal testing process that involves both manual and automated testing, including rigorous unit testing, as well as alpha testing with a select group of users.
Before any vaults are released for public use, they undergo thorough testing in a controlled environment and are stress-tested for exploits.
3. Design of Lending/Borrowing system
Rodeo Finance utilizes a variation on the "isolated lending market" structure. All assets are kept and controlled within the Rodeo ecosystem and are only allowed to interact with whitelisted contracts, so while not "isolated" in the traditional sense of the term, in effect the pools are "isolated".
The price oracles for all lending pools are provided by Chainlink, which has proven to be effectively impossible/impractical to manipulate. But in the event the price of a lending pool were manipulated, the attacker would not be able to drain funds from the other pools Rodeo supports. A position can only borrow from one pool, in the same asset as the collateral it provides, so there is no cross-contamination possible.
4. Third Party Audits & Bug Bounties
Rodeo Finance employs third-party auditors to review its code and protocols on a regular basis. While audits are not perfect, this helps to ensure that potential vulnerabilities are identified and addressed before they can be exploited.
To further enhance security measures, Rodeo Finance offers a bug bounty program. This encourages researchers and developers to report any potential vulnerabilities they discover, and rewards them with a financial incentive.
An official bug bounty will be released with all the information related to the program in our public GitHub; more information on this will be released soon.
5. Price Oracles
Lending Pools
Rodeo Finance utilizes proven Chainlink oracles for our lending pool major assets (USDC, ETH, wBTC).
Farms
Rodeo uses a variety of proven oracles, including Chainlink for most asset prices. For assets not available on Chainlink, Rodeo utilizes TWAPs as the preferred method when available.
For valuing LP positions we do our best to utilize proven methods that make manipulation impossible, such as calculating UniswapV2 reserves in a way that can't be manipulated by flash loans, or pricing Curve LP tokens using the integrated price oracle.
The oracles provide reliable price feeds for each asset and ensure the safety and stability of the Rodeo platform, resistant to external manipulation.
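The "UniswapV2 reserves that can't be manipulated by flash loans" point above is worth seeing in numbers. The following is an added example, not Rodeo's own code: it models a constant-product pair and compares the naive LP valuation (spot reserves times oracle prices) with the "fair reserves" method, which derives the reserves the pool would hold if its spot price matched the external (e.g. Chainlink) prices and so depends only on the invariant k = r0 * r1 and the oracle prices. A single-transaction swap moves the reserves but leaves k unchanged (swap fees ignored here), so the fair value is unaffected while the naive value is not. The pool sizes and prices are constructed sample values.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class ConstantProductPair:
    """Minimal UniswapV2-style pair: reserves plus LP token supply.
    Fees are ignored, which is the worst case for manipulation resistance
    (with fees, k can only grow during a swap)."""
    reserve0: float
    reserve1: float
    total_supply: float

    def swap0_for_1(self, amount_in: float) -> float:
        """Sell token0 into the pool. Reserves move along r0 * r1 = k."""
        k = self.reserve0 * self.reserve1
        new_r0 = self.reserve0 + amount_in
        new_r1 = k / new_r0
        amount_out = self.reserve1 - new_r1
        self.reserve0, self.reserve1 = new_r0, new_r1
        return amount_out


def naive_lp_price(pair: ConstantProductPair, p0: float, p1: float) -> float:
    """Value one LP token from the *current* reserves.
    Anyone who can move the reserves in the same transaction moves this number."""
    return (pair.reserve0 * p0 + pair.reserve1 * p1) / pair.total_supply


def fair_lp_price(pair: ConstantProductPair, p0: float, p1: float) -> float:
    """Value one LP token from the invariant and external oracle prices only.
    At equilibrium r0*p0 == r1*p1 and r0*r1 == k, which gives
    r0_fair = sqrt(k*p1/p0), r1_fair = sqrt(k*p0/p1), hence
    value = r0_fair*p0 + r1_fair*p1 = 2*sqrt(k*p0*p1)."""
    k = pair.reserve0 * pair.reserve1
    return 2 * sqrt(k * p0 * p1) / pair.total_supply


def compare_under_manipulation() -> dict:
    """Price an LP token before and after a large single-transaction swap.
    Constructed sample pool: 1000 ETH / 2,000,000 USDC, 1000 LP tokens.
    Constructed oracle prices: ETH = 2000 USD, USDC = 1 USD."""
    pair = ConstantProductPair(reserve0=1_000.0, reserve1=2_000_000.0, total_supply=1_000.0)
    p_eth, p_usdc = 2_000.0, 1.0

    before = {
        "naive": naive_lp_price(pair, p_eth, p_usdc),
        "fair": fair_lp_price(pair, p_eth, p_usdc),
    }

    # Borrowed capital dumped into the pool within one transaction: the pool
    # now holds 2000 ETH and 1,000,000 USDC, k is unchanged.
    pair.swap0_for_1(1_000.0)

    after = {
        "naive": naive_lp_price(pair, p_eth, p_usdc),
        "fair": fair_lp_price(pair, p_eth, p_usdc),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = compare_under_manipulation()
    for phase in ("before", "after"):
        print(f"{phase:6s} naive={result[phase]['naive']:.2f} fair={result[phase]['fair']:.2f}")
```

The naive price jumps from 4000 to 5000 after the swap, because the pool is now over-weighted in the asset the oracle still values at 2000 USD; the fair price stays at 4000 because neither k nor the oracle prices moved. The fair method still depends on the external oracle being sound, which is why the page pairs it with Chainlink feeds rather than on-chain spot prices.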
6. Caps for Lending Pool and Farm
As part of our risk mitigation strategy, Rodeo Finance has implemented a cap-and-raise approach for both its lending pools and farms.
Rodeo will limit the amount of funds users are able to deposit into the respective pools and farms and will slowly raise the limits based on performance, time, and additional security checks (such as audits).
7. OpSec
Often overlooked in DeFi, Rodeo implements strict OpSec measures and procedures, including:
Established and enforced access control parameters for critical systems
Secure authentication and communications protocols
Risk management and regular testing for intrusions and exploits
An incident reporting and response structure
Admin role managed by multisig with timelock; no hot/cold wallet with admin access
In the future, some critical functions, like approving new pools and farms, will be delegated to token holders
Important Note: Rodeo Finance has been audited four times; however, the protocol uses third-party oracles that may report erroneous values resulting in the loss of funds and liquidations. We cannot prevent oracle malfunctions and do not compensate for lost funds. Use at your own risk.