Security First Approach
Layers of SecurityThrough the implementation of a layered security approach, Rodeo ensures that funds deposited from all users (yield farmers, degens, whales and institutions alike) are safe when entered into the Rodeo platform both on the lending and leverage side of the equation. These layers include:
- 2.Internal testing / alpha testing
- 3.Design of money market (ie isolated pools and a “closed” system, )
- 4.3rd party audits & Bug bounties
- 5.Price oracles
- 6.Caps for lending pool and farm
As a native L2 protocol built on Arbitrum, we have purpose built our code to optimize the undercollateralized lending features on Rodeo for maximized yields, while implementing several measures in code to prevent known attack vectors such as:
- Funds borrowed on Rodeo are controlled by Rodeo contracts and only allow deposits in approved strategies, as leverage
- Rodeo prevents flash loans and prohibits users from opening and closing positions in the same block
- Admin actions are protected behind a delay/timelock and multisig, no hot/cold wallet with admin access
- Rodeo implements support for ERC-4626 vaults to ensure industry standards of security and structure are met
- All public methods disallow re-entrancy to prevent this common security vulnerability
- Strategies and core logic can be updated in order to respond to changing external factors or security issues
- In the future, critical functions such as approving new pools and farms can be delegated to token holders / DAO
These measures, along with lessons learned from other protocol exploits, help Rodeo to prevent malicious actors from compromising funds stored on the platform.
The Rodeo team has an extensive internal testing process that involves both manual and automated testing, including rigorous unit testing, as well as alpha testing with a select group of users.
Before any vaults are released for public use, they undergo thorough testing in a controlled environment, stress tested for exploits.
Rodeo Finance utilizes a variation on the “isolated lending market” structure. All assets are kept and controlled within the Rodeo ecosystem and only allowed to interact with whitelisted contracts, so while not “isolated” in the traditional sense of the term, in effect the pools are “isolated”.
The price oracle for all lending pools are provided by Chainlink, which has proven to be effectively impossible/impractical to manipulate. But in the event the price of a lending pool was manipulated, the attacker would not be able to drain funds from the other pools Rodeo supports. A position can only borrow from one pool, in the same asset as the collateral they provide, there’s no cross contamination possible.
Rodeo Finance employs third-party auditors to review their code and protocols on a regular basis. While audits are not perfect, this helps to ensure that potential vulnerabilities are identified and addressed before they can be exploited.
To further enhance security measures, Rodeo Finance offers a bug bounty program. This encourages researchers and developers to report any potential vulnerabilities they discover, and rewards them with a financial incentive.
Rodeo Finance utilizes proven chainlink oracles for our lending pool major assets (USDC, ETH, wBTC)
Rodeo uses a variety of proven oracles, including Chainlink for most asset prices. For assets not available on chainlink, Rodeo utilizes TWAPs as a preferred method when available.
For valuing LP positions we do our best to utilize proven methods to make manipulation impossible such as calculating UniswapV2 reserves in a way that can’t be manipulated by flash loans, or Curve LP tokens using the integrated price oracle.
The oracles provide reliable price feeds for each asset and ensure safety and stability of the Rodeo platform, resistant to external manipulation
As part of our risk mitigation strategy, Rodeo Finance has implemented a cap and raise approach for both their lending pools and farms.
Rodeo will limit the amount of funds users are able to deposit into the respective pools and farms and will slowly raise the limits based on performance, time, and additional security check (such as audits)
Often overlooked in DeFi, Rodeo implements strict OpSec measures and procedures including:
- Establish and enforce access control parameters for critical systems
- Utilize secure authentication and communications protocols
- Risk management and regular testing for intrusion and exploits
- Incident reporting and response structure
- Admin role managed by Multi Signature w/ timelock. No hot/cold wallet with admin access.
- In the future some critical functions like approving new pools and farms would be delegated to token holders