Security

Content Out of Date

This content is not maintained and refers to an out-of-date version of Perpetual Protocol.

For the latest documentation, see https://docs.perp.com

Risks

Smart Contract Risk

All smart contracts are subject to risks.

The Perpetual Protocol Curie contracts have undergone testing, code reviews, internal audits and several external audits, with no critical issues found. However, a risk always exists that a vulnerability is found any smart contract, which may result in a loss of funds. Never trade or invest with more funds than you can afford to lose.

Infrastructure Risks Optimism

Perpetual Protocol is built on the Optimism network and uses on-chain oracles (Chainlink) to determine the index price for each asset. A severe degradation in any part of this critical infrastructure will adversely affect trading activity on Perp v2.

If Optimism experiences downtime, users will be unable to deposit, withdraw, or open or close their positions. If the centralized Sequencer (or ‘validator’) experiences downtime or undesired operation, funds in the clearinghouse contract will be inaccessible while block production is halted.

The Optimism team plans to decentralize the Sequencer by introducing a mechanic to permissionlessly rotate between different sequencer operators. Later down the line, Optimism will adopt a standard Byzantine Fault Tolerant consensus protocol to enable multiple, concurrent sequencers.

Fraud proofs for Optimism are in development (Cannon), meaning users currently need to trust the block proposer to submit correct L1 state roots. Funds can be stolen from the rollup if an invalid state root is submitted to the system or if there’s a malicious code upgrade (there is currently no delay for code upgrades).

Chainlink

Chainlink’s data feeds provide access to secure and reliable sources of data to facilitate trading on Perp v2. The data provided by Chainlink oracles is very difficult to manipulate and Perp v2 liquidations are based on the oracle index price. But if these price feeds experience an outage or are delayed, index prices on Perp v2 could become inaccurate and lead to erroneous liquidations or failure to liquidate.

Admin Keys

The core Perpetual Protocol smart contracts are upgradeable, which enables the core team to upgrade the protocol or to react in an emergency by allowing the developers to make updates to the smart contracts. Any such changes are made using an admin key controlling a proxy contract. The admin key uses a 3-of-5 multi-sig (0x76Ff908b6d43C182DAEC59b35CebC1d7A17D8086), meaning at least three core team members are required to sign off on any contract upgrades.

The primary uses of the admin key are:

  • listing new markets

  • implementing contract upgrades and new features

  • implementing bug fixes bugs

  • Setting protocol parameters

The admin key also has the ability to change the contracts holding user funds, set fee ratios, and add addresses to whitelists, which could mean the adjustment of user balances or the minting of virtual tokens.

There is currently no delay for any smart contract changes (which are implemented immediately), but a time-lock is planned for the future.

Perpetual Protocol is pursuing a strategy of gradual decentralization. The admin key for Perp v2 will be handed over to the Perpetual DAO once the governance system is mature enough.

The admin key signers are comprised of key team members as well as a member of the engineering team as part of a weekly on-call rotation.

Complete list of multi-sig signers:

  1. 0xB6bbd1B8BdDb3AbEE8B68306EDFe688b11fe401B

  2. 0x03d765E673bf63cC63Aed1e61F6e5f38e66f2E3a

  3. 0xEfc0D892656EEB59A0B54a6B4F2a0d2faD4B66C8

  4. 0x0d1906319D6b44d5aC198d4E4Ed82E45A9fbACb6

  5. 0x4170Bb402E6f02004fc5Fe9c9ebFA40dcCDdC5f6

  6. 0x39325BfB002ABa4a2830Cb7532e6f375B80840c2

  7. 0xd0723515cC76d960738D82dC5bd53472fA2eccd5

  8. 0x4084843F6095f63747F762974e17c486a5350738

  9. 0xc186D9B4542c0b3239550B84E1b2Fd3587ffE780

  10. 0xdd6822da73f59e677d35ae345deb9d56dff103ae

  11. 0xb99E4A2a0a72cf2f15c29cA4B5a42d9C41CB0f33

  12. 0x0f69BB1828Ee5689cBDC0309F368227bccd7F17c

  13. 0x90D6f90cc4395612D252D8Eb89324CdFa14E1e0a

USDC Blacklisting Risk

Circle, the issuer of the USDC stablecoin, maintains a blacklist of Ethereum accounts to comply with regulatory requirements. From Circle’s own documentation, “Circle and the Centre Consortium only block addresses when we are legally required”. Blacklisting prevents the target address from transferring USDC.

As of August 2022, USDC blacklisting is not possible on Optimism. This means Circle is unable to prevent an address from transferring USDC on Optimism. A blacklisted address will not be able to transfer USDC once it is bridged back to Ethereum Mainnet or to other chains on which Circle controls the blacklist admin key.

FAQs

When can we lock/take the funds?

Technically, the contract admin can lock the fund by calling pause, and take the fund by upgrading the contract with a new function then withdraw it.

Contract admin will follow any passed proposal, though it’s only based on a social contract.

What will we do under circumstances of de-pegging, bad debt, or insurance fund dries out?

As the core developer team has the access to the contracts admin keys, we'll do whatever we can to deal with emergencies if we find it to be suitable.

Suggestions from the community, external consultants and investors will also be taken into consideration to avoid the core team harming the entire protocol. This is still based on a social contract though.

Will we pay users back in the event of a hack?

For the unlocked PERP (21M fund) we can only use it for what we apply for. The foundation team has no say in how locked PERP is used, so if the only capital available is locked PERP, then it’s the community’s decision.

What are the emergency shutdown & winding down processes?

The foundation team cannot predict black swan events, but based on what the team did previously, at least we know if the oracle is going to shut down, then we have to shut down the market (like we did with LUNA during May 2022).

Do we have to pass a vote to make any updates to the contract?

The current roadmap is to make our development more transparent first.

Once we have more community members involved with development, then we can try to expand the multi-sig to people who are not from the foundation team, and then potentially transition to an on-chain governance stage.

However, the most important thing in the current stage is growth and speed, so we plan to accelerate the decentralization once we have more traction.

v2 Audits

Perpetual Protocol v2 has undergone several audits to ensure our users the highest level of security:

Auditor

Audit Reports

Date

HashCloak

HashCloak_Perpv2

HashCloak2_Perpv2

HashCloak3_Perpv2

November 2nd, 2021

May 30th, 2022

July 25th, 2022

Dedaub

Dedaub_Perpv2

Dedaub2_Perpv2

Dedaub3_Perpv2

December 21st, 2021

March 4th, 2022

April 27th, 2022

Trail of Bits

ToB_Retest_Perpv2

ToB_Final_Perpv2

March 22nd, 2022

March 22nd, 2022

All reports and the accompanying source code are on GitHub: https://github.com/perpetual-protocol/perp-curie-contract/tree/main/audits

v2 Bug Bounty

We have an active bug bounty on Immunefi that has been live since January 2021. Immunefi is a leading bug bounty platform for Web3 with the world's largest bug bounties.

The bug bounty covers Perpetual Protocol's smart contract code. You can find all the relevant details here: https://immunefi.com/bounty/perpetual/

Impacts in Scope

The assets in scope for each severity level are:

  • Critical:

    • Any governance voting result manipulation,

    • Direct theft of any user funds, whether in-rest or at-motion, other than unclaimed yield,

    • Permanent freezing of funds,

    • Miner-extractable Value (MEV),

    • Protocol insolvency.

  • High:

    • Theft of unclaimed yield,

    • Permanent freezing of unclaimed yield.

The severity guidelines are based on Immunefi's vulnerability severity classification system.

Payouts

Rewards are distributed based on the severity of the vulnerability, as shown below:

Severity

Estimated Payout

Critical

$10,000 to $250,000

High

$5,000 to $9,999

Medium

$1,000 to $4,999

Low

Up to $999

You must create an account with Immunefi and submit any in-scope bugs you discover here: https://bugs.immunefi.com/. Each bug submission will be evaluated on a case-by-case basis.

More information about the submission process is available via Immunefi's blog: https://medium.com/immunefi/a-hackers-guide-to-submitting-bugs-on-immunefi-1e6b7ada71a9

Base payouts will be handled by the Perpetual Protocol team and will be denominated in USD, but paid in PERP tokens. All amounts are calculated using a 7-day TWAP price which ends on the day of submission.

Invalid Bug Bounties

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage,

  • Attacks requiring access to leaked keys/credentials,

  • Attacks requiring access to privileged addresses (governance, strategist),

  • Incorrect data supplied by third party oracles Not to exclude oracle manipulation/flash loan attacks,

  • Basic economic governance attacks (e.g. 51% attack),

  • Lack of liquidity,

  • Best practice critiques,

  • Sybil attacks,

  • Centralization risks.

What Happens if USDC Loses its Peg?

Funding payments, Profit & Loss and trading fees are all settled in USDC on Perp and the DEX will continue to operate as normal if the token loses its peg. This guide will outline some key points about trading on Perp if USDC loses parity with the US Dollar (USD).

USDC is a centralized stablecoin operated by Circle that is fully backed by bank deposits and treasury holdings, allowing the token to be minted or redeemed at a 1:1 ratio with USD. As the most popular stablecoin with the largest market share and the deepest liquidity on Optimism, USDC is used as the settlement token on Perp.

Although Circle is regularly audited and USDC is fully backed by dollar deposits, since it's a centralized entity and due to irrationality of the markets, there is a very low risk of losing the peg under certain extreme scenarios.

Net USD Value

In the case of a USDC de-pegging incident, the Net USD Value will only show the value of your account in USDC terms, not USD. The settlement token (USDC.e) is hard coded to $1 USD, not the actual value of the USDC token itself.

Notional Value of Positions

The notional value of all positions are also measured in USDC. In the event that the peg breaks and the value of USDC falls below $1, then notional positions, funding payments, PnL and trading fees will become worth less in USD terms.

Since USDC is the only collateral type with a 100% weight, this means that a 1 USDC deposit enables traders to mint up to 10 virtual USD (vUSD) to take a long position or, 10 vUSD worth of vETH to take a short position.

With a position size of 1 ETH and an entry price of 1700, the notional position is expressed in USDC as the amount of the base asset bought or sold multiplied by the price in vUSD. In this case, it's 1700 USDC. However, if the value of USDC falls to say $0.90, then the notional position remains as 1700 USDC, but in terms of USD equals 1530 USD (= 1700 x 0.9).

If the position was opened at 1700 where USDC = USD, and the price of the perpetual futures contract increased to 2000, then the notional position value becomes 2000 USDC. However, if USDC lost its peg and traded at $0.90, the notional position value remains as 2000 USDC but in USD terms, it is lower at 1800 USD.

Given that USDC is the only collateral type that has a weight of 100% and is the settlement currency on Perp, all positions (both maker and taker) are denominated in this stablecoin rather than USD. The USD value shown on the app (for example, the buying power, position size, price, and so on) refers strictly to the USDC value.

As a result, the USDC-USD exchange rate plays no role in Perp's architecture and the DEX operates independently of this exchange rate. Leverage and liquidation prices are not reliant on a USDC-USD feed and are also independent of this exchange rate.

Leverage

If the 1 ETH position in the example above was opened with 5x leverage, then at least 300 USDC would have been required as collateral. But when USDC is trading at a price of $0.90, the value of the collateral falls to from 300 USD to 270 USD and the notional position value falls from 1700 USD to 1530 USD.

Since the value of both the collateral and notional position have fallen by the same amount (10%), the amount of leverage for this position remains the same.

Oracle Prices

The oracle prices used to calculate the index price are for an asset's USD price (not USDC). As a result, the index price will be unaffected during a de-pegging incident for USDC.

Funding Rate

The funding rate mechanism ensures that the price of a perpetual futures contract remains in line with the price of the underlying asset. While funding payments are debited or credited in USDC, the calculations are independent of the USDC-USD exchange rate. In the event where USDC loses its peg, the funding rate will adjust to the prices on Perp's markets and the index price.

By encouraging traders to go long or short when the price of the perpetual diverges from the index price (which is calculated from the oracle price in USD), funding rate payments incentivise more traders to open long or short positions. As more traders go long or short, this acts to bring the perpetual contract price back in line with the price of the underlying asset.

The greater the deviation between the price of the perpetual contract and the index price, the larger the funding payments between traders will be. Also, the funding payments traders can earn (or pay) are determined by the size of their notional position. A larger long position will earn more in funding payments when the rate is negative, as compared to a smaller position that's also long.

For instance, markets may exhibit a negative funding rate, which encourages traders to buy perpetuals to earn funding payments and help to push the price higher, back in line with the USD value of an asset.

Liquidation Price

Liquidation prices are a function of the index price, your account value, position value and position size of token.

  • If the USDC no longer trades at parity with USD, your account value and position value are unaffected since they are denominated in terms of USDC.

  • The position size of token is totally independent of the USDC-USD exchange rate.

  • Finally, the index price is in USD terms, so it is also unchanged by USDC losing its peg. 

#long
liqPrice = indexPrice - ((accountValue - totalPositionValue * mmRatio) /  ((1 - mmRatio) * positionSizeOfTokenX))

#short
liqPrice = indexPrice - ((accountValue - totalPositionValue * mmRatio) /  ((1 + mmRatio) * positionSizeOfTokenX))

As a result, your liquidation price will remain the same, as nothing in the equation shown above changes if USDC trades below (or above) USD.

Non-USDC Collateral Types

The buying power for non-USDC collateral types is calculated as the USD price (not the USDC price). For example, if ETH is worth 1000 USD but the USDC stablecoin is trading below peg at $0.50, then the notional value of this non-USD collateral remains the same.

When USDC = USD

If you deposit 1 ETH and it's worth 1000 USD (= 1000 USDC), then collateral value is collateral weight multiplied by the amount and USD price = 0.825 for ETH * 1 * 1000 = 825 USD. With a position of 5 ETH, the margin ratio is calculated as 825 / 5000 = 16.5%.

When USDC USD

Consider the same scenario above, but where ETH's USD price is 1000 and the USDC price is 2000. In this case, the collateral value remains the same at 825 USD. The position value of 5 ETH remains as 1,000 USDC, since on Perp the mark price determines the position value. As a result, the margin ratio is still 825 / 5000 = 8.25%.

If you are using non-USDC collateral types and USDC loses its peg, you should closely monitor your margin ratio.

Source Code

Curie Smart Contracts

The source code Curie smart contracts now appear on GitHub as well as Etherscan and are now more structured and easier to read. For the core smart contracts that underlie Perp v2, the full audit reports can be found here.

The Curie, Curie Periphery and Oracle contracts are all now publicly available on GitHub. If you are a smart contract developer, check out the repository links below to get started with building on top of Perp v2:

Note: the Curie contracts are subject to the bug bounty program with Immunefi.

For more details about implementation, check out the docs here. All of the contracts above are licensed under GPL-3.0, meaning that any changes must be documented and ensure that the entire ecosystem benefits from any re-use of the code.

Perp Frontend SDK

By open sourcing the software development kit for Perp v2’s frontend, it’s now easier for BUIDLers to create alternative front ends!

The Perp Frontend SDK is publicly available on GitHub: https://github.com/perpetual-protocol/perp-sdk

Perp Subgraph

Open sourcing the Perp subgraph provides more transparency and enables anyone to query historical data, especially those that are difficult to fetch from the contract.

The Perp Curie Subgraph is publicly available on GitHub: https://github.com/perpetual-protocol/perp-curie-subgraph

From now on, you’ll be able to closely follow every change made by our team in these repositories. We invite anyone to review our code, provide feedback through the issues tracker, submit pull requests to start building on top of our highly composable on-chain derivatives protocol or to build alternative frontends.

If you want to start BUIDLing using any of the materials linked above, you may be interested in our grants program, where any project or idea that builds on Perpetual Protocol and benefits our ecosystem can apply for funding.

v2 Market Delisting Process

The process for delisting a market is explained below:

1. The Token Listing DAO proposes a vote for delisting a token. The delisting requirements are markets with less than $200,000 in volume on Perp and $10 million on CoinGecko (using a 30-day rolling average for both), as outlined here.

2. The Foundation team performs a risk assessment to ensure the market can be delisted safely and defines the delisting date.

3. Whenever a market is to be delisted, an announcement will be made on Discord and Twitter for the community 2 days prior to give users enough time to close their positions and/or remove liquidity. The market will be paused 48 hours after this announcement is made.

4. During this 48-hour period, no new positions can be opened and the market cannot be traded. You can only close your positions or remove liquidity.

5. A channel dedicated to users that have open positions in the market that's going to be delisted will be available in our Discord server if you need any assistance or have any questions.

6. Once the market has been paused, users will not be able to close their positions or remove liquidity. The message below will be shown on the market's page:

7. The Foundation team performs another risk assessment again right before delisting the market.

8. BaseToken.close(indexTwapPrice) is called to close the market and another announcement will be made to inform users. Once the market is closed, it's recommended to close any remaining positions and/or remove liquidity as soon as possible. Users will see something similar to what's displayed below on the market's page. The index TWAP price will be displayed and users will be able to close their positions or remove liquidity according to the index TWAP price using the 'Close Position' button.

Last updated