Security
Content Out of Date
This content is not maintained and refers to an out-of-date version of Perpetual Protocol.
For the latest documentation, see https://docs.perp.com
Risks
Smart Contract Risk
All smart contracts are subject to risks.
The Perpetual Protocol Curie contracts have undergone testing, code reviews, internal audits and several external audits, with no critical issues found. However, a risk always exists that a vulnerability is found any smart contract, which may result in a loss of funds. Never trade or invest with more funds than you can afford to lose.
Infrastructure Risks
Optimism
Perpetual Protocol is built on the Optimism network and uses on-chain oracles (Chainlink) to determine the index price for each asset. A severe degradation in any part of this critical infrastructure will adversely affect trading activity on Perp v2.
If Optimism experiences downtime, users will be unable to deposit, withdraw, or open or close their positions. If the centralized Sequencer (or ‘validator’) experiences downtime or undesired operation, funds in the clearinghouse contract will be inaccessible while block production is halted.
The Optimism team plans to decentralize the Sequencer by introducing a mechanic to permissionlessly rotate between different sequencer operators. Later down the line, Optimism will adopt a standard Byzantine Fault Tolerant consensus protocol to enable multiple, concurrent sequencers.
Fraud proofs for Optimism are in development (Cannon), meaning users currently need to trust the block proposer to submit correct L1 state roots. Funds can be stolen from the rollup if an invalid state root is submitted to the system or if there’s a malicious code upgrade (there is currently no delay for code upgrades).
Chainlink
Chainlink’s data feeds provide access to secure and reliable sources of data to facilitate trading on Perp v2. The data provided by Chainlink oracles is very difficult to manipulate and Perp v2 liquidations are based on the oracle index price. But if these price feeds experience an outage or are delayed, index prices on Perp v2 could become inaccurate and lead to erroneous liquidations or failure to liquidate.
Admin Keys
The core Perpetual Protocol smart contracts are upgradeable, which enables the core team to upgrade the protocol or to react in an emergency by allowing the developers to make updates to the smart contracts. Any such changes are made using an admin key controlling a proxy contract. The admin key uses a 3-of-5 multi-sig (0x76Ff908b6d43C182DAEC59b35CebC1d7A17D8086), meaning at least three core team members are required to sign off on any contract upgrades.
The primary uses of the admin key are:
listing new markets
implementing contract upgrades and new features
implementing bug fixes bugs
Setting protocol parameters
The admin key also has the ability to change the contracts holding user funds, set fee ratios, and add addresses to whitelists, which could mean the adjustment of user balances or the minting of virtual tokens.
There is currently no delay for any smart contract changes (which are implemented immediately), but a time-lock is planned for the future.
Perpetual Protocol is pursuing a strategy of gradual decentralization. The admin key for Perp v2 will be handed over to the Perpetual DAO once the governance system is mature enough.
The admin key signers are comprised of key team members as well as a member of the engineering team as part of a weekly on-call rotation.
Complete list of multi-sig signers:
0xB6bbd1B8BdDb3AbEE8B68306EDFe688b11fe401B
0x03d765E673bf63cC63Aed1e61F6e5f38e66f2E3a
0xEfc0D892656EEB59A0B54a6B4F2a0d2faD4B66C8
0x0d1906319D6b44d5aC198d4E4Ed82E45A9fbACb6
0x4170Bb402E6f02004fc5Fe9c9ebFA40dcCDdC5f6
0x39325BfB002ABa4a2830Cb7532e6f375B80840c2
0xd0723515cC76d960738D82dC5bd53472fA2eccd5
0x4084843F6095f63747F762974e17c486a5350738
0xc186D9B4542c0b3239550B84E1b2Fd3587ffE780
0xdd6822da73f59e677d35ae345deb9d56dff103ae
0xb99E4A2a0a72cf2f15c29cA4B5a42d9C41CB0f33
0x0f69BB1828Ee5689cBDC0309F368227bccd7F17c
0x90D6f90cc4395612D252D8Eb89324CdFa14E1e0a
USDC Blacklisting Risk
Circle, the issuer of the USDC stablecoin, maintains a blacklist of Ethereum accounts to comply with regulatory requirements. From Circle’s own documentation, “Circle and the Centre Consortium only block addresses when we are legally required”. Blacklisting prevents the target address from transferring USDC.
As of August 2022, USDC blacklisting is not possible on Optimism. This means Circle is unable to prevent an address from transferring USDC on Optimism. A blacklisted address will not be able to transfer USDC once it is bridged back to Ethereum Mainnet or to other chains on which Circle controls the blacklist admin key.
FAQs
When can we lock/take the funds?
Technically, the contract admin can lock the fund by calling pause
, and take the fund by upgrading the contract with a new function then withdraw it.
Contract admin will follow any passed proposal, though it’s only based on a social contract.
What will we do under circumstances of de-pegging, bad debt, or insurance fund dries out?
As the core developer team has the access to the contracts admin keys, we'll do whatever we can to deal with emergencies if we find it to be suitable.
Suggestions from the community, external consultants and investors will also be taken into consideration to avoid the core team harming the entire protocol. This is still based on a social contract though.
Will we pay users back in the event of a hack?
For the unlocked PERP (21M fund) we can only use it for what we apply for. The foundation team has no say in how locked PERP is used, so if the only capital available is locked PERP, then it’s the community’s decision.
What are the emergency shutdown & winding down processes?
The foundation team cannot predict black swan events, but based on what the team did previously, at least we know if the oracle is going to shut down, then we have to shut down the market (like we did with LUNA during May 2022).
Do we have to pass a vote to make any updates to the contract?
The current roadmap is to make our development more transparent first.
Once we have more community members involved with development, then we can try to expand the multi-sig to people who are not from the foundation team, and then potentially transition to an on-chain governance stage.
However, the most important thing in the current stage is growth and speed, so we plan to accelerate the decentralization once we have more traction.
v2 Audits
Perpetual Protocol v2 has undergone several audits to ensure our users the highest level of security:
Auditor
Audit Reports
Date
HashCloak
November 2nd, 2021
May 30th, 2022
July 25th, 2022
Dedaub
December 21st, 2021
March 4th, 2022
April 27th, 2022
Trail of Bits
March 22nd, 2022
March 22nd, 2022
All reports and the accompanying source code are on GitHub: https://github.com/perpetual-protocol/perp-curie-contract/tree/main/audits
v2 Bug Bounty
We have an active bug bounty on Immunefi that has been live since January 2021. Immunefi is a leading bug bounty platform for Web3 with the world's largest bug bounties.
The bug bounty covers Perpetual Protocol's smart contract code. You can find all the relevant details here: https://immunefi.com/bounty/perpetual/
Impacts in Scope
The assets in scope for each severity level are:
Critical:
Any governance voting result manipulation,
Direct theft of any user funds, whether in-rest or at-motion, other than unclaimed yield,
Permanent freezing of funds,
Miner-extractable Value (MEV),
Protocol insolvency.
High:
Theft of unclaimed yield,
Permanent freezing of unclaimed yield.
The severity guidelines are based on Immunefi's vulnerability severity classification system.
Payouts
Rewards are distributed based on the severity of the vulnerability, as shown below:
Severity
Estimated Payout
Critical
$10,000 to $250,000
High
$5,000 to $9,999
Medium
$1,000 to $4,999
Low
Up to $999
You must create an account with Immunefi and submit any in-scope bugs you discover here: https://bugs.immunefi.com/. Each bug submission will be evaluated on a case-by-case basis.
More information about the submission process is available via Immunefi's blog: https://medium.com/immunefi/a-hackers-guide-to-submitting-bugs-on-immunefi-1e6b7ada71a9
Base payouts will be handled by the Perpetual Protocol team and will be denominated in USD, but paid in PERP tokens. All amounts are calculated using a 7-day TWAP price which ends on the day of submission.
Invalid Bug Bounties
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Attacks that the reporter has already exploited themselves, leading to damage,
Attacks requiring access to leaked keys/credentials,
Attacks requiring access to privileged addresses (governance, strategist),
Incorrect data supplied by third party oracles Not to exclude oracle manipulation/flash loan attacks,
Basic economic governance attacks (e.g. 51% attack),
Lack of liquidity,
Best practice critiques,
Sybil attacks,
Centralization risks.
What Happens if USDC Loses its Peg?
Funding payments, Profit & Loss and trading fees are all settled in USDC on Perp and the DEX will continue to operate as normal if the token loses its peg. This guide will outline some key points about trading on Perp if USDC loses parity with the US Dollar (USD).
USDC is a centralized stablecoin operated by Circle that is fully backed by bank deposits and treasury holdings, allowing the token to be minted or redeemed at a 1:1 ratio with USD. As the most popular stablecoin with the largest market share and the deepest liquidity on Optimism, USDC is used as the settlement token on Perp.
Although Circle is regularly audited and USDC is fully backed by dollar deposits, since it's a centralized entity and due to irrationality of the markets, there is a very low risk of losing the peg under certain extreme scenarios.
Net USD Value
In the case of a USDC de-pegging incident, the Net USD Value will only show the value of your account in USDC terms, not USD. The settlement token (USDC.e) is hard coded to $1 USD, not the actual value of the USDC token itself.
Notional Value of Positions
The notional value of all positions are also measured in USDC. In the event that the peg breaks and the value of USDC falls below $1, then notional positions, funding payments, PnL and trading fees will become worth less in USD terms.
Since USDC is the only collateral type with a 100% weight, this means that a 1 USDC deposit enables traders to mint up to 10 virtual USD (vUSD) to take a long position or, 10 vUSD worth of vETH to take a short position.
With a position size of 1 ETH and an entry price of 1700, the notional position is expressed in USDC as the amount of the base asset bought or sold multiplied by the price in vUSD. In this case, it's 1700 USDC. However, if the value of USDC falls to say $0.90, then the notional position remains as 1700 USDC, but in terms of USD equals 1530 USD (= 1700 x 0.9).
If the position was opened at 1700 where USDC = USD, and the price of the perpetual futures contract increased to 2000, then the notional position value becomes 2000 USDC. However, if USDC lost its peg and traded at $0.90, the notional position value remains as 2000 USDC but in USD terms, it is lower at 1800 USD.
Given that USDC is the only collateral type that has a weight of 100% and is the settlement currency on Perp, all positions (both maker and taker) are denominated in this stablecoin rather than USD. The USD value shown on the app (for example, the buying power, position size, price, and so on) refers strictly to the USDC value.
As a result, the USDC-USD exchange rate plays no role in Perp's architecture and the DEX operates independently of this exchange rate. Leverage and liquidation prices are not reliant on a USDC-USD feed and are also independent of this exchange rate.
Leverage
If the 1 ETH position in the example above was opened with 5x leverage, then at least 300 USDC would have been required as collateral. But when USDC is trading at a price of $0.90, the value of the collateral falls to from 300 USD to 270 USD and the notional position value falls from 1700 USD to 1530 USD.
Since the value of both the collateral and notional position have fallen by the same amount (10%), the amount of leverage for this position remains the same.
Oracle Prices
The oracle prices used to calculate the index price are for an asset's USD price (not USDC). As a result, the index price will be unaffected during a de-pegging incident for USDC.
Funding Rate
The funding rate mechanism ensures that the price of a perpetual futures contract remains in line with the price of the underlying asset. While funding payments are debited or credited in USDC, the calculations are independent of the USDC-USD exchange rate. In the event where USDC loses its peg, the funding rate will adjust to the prices on Perp's markets and the index price.
By encouraging traders to go long or short when the price of the perpetual diverges from the index price (which is calculated from the oracle price in USD), funding rate payments incentivise more traders to open long or short positions. As more traders go long or short, this acts to bring the perpetual contract price back in line with the price of the underlying asset.
The greater the deviation between the price of the perpetual contract and the index price, the larger the funding payments between traders will be. Also, the funding payments traders can earn (or pay) are determined by the size of their notional position. A larger long position will earn more in funding payments when the rate is negative, as compared to a smaller position that's also long.
For instance, markets may exhibit a negative funding rate, which encourages traders to buy perpetuals to earn funding payments and help to push the price higher, back in line with the USD value of an asset.
Liquidation Price
Liquidation prices are a function of the index price, your account value, position value and position size of token.
If the USDC no longer trades at parity with USD, your account value and position value are unaffected since they are denominated in terms of USDC.
The position size of token is totally independent of the USDC-USD exchange rate.
Finally, the index price is in USD terms, so it is also unchanged by USDC losing its peg.
As a result, your liquidation price will remain the same, as nothing in the equation shown above changes if USDC trades below (or above) USD.
Non-USDC Collateral Types
The buying power for non-USDC collateral types is calculated as the USD price (not the USDC price). For example, if ETH is worth 1000 USD but the USDC stablecoin is trading below peg at $0.50, then the notional value of this non-USD collateral remains the same.
When USDC = USD
If you deposit 1 ETH and it's worth 1000 USD (= 1000 USDC), then collateral value is collateral weight multiplied by the amount and USD price = 0.825 for ETH * 1 * 1000 = 825 USD. With a position of 5 ETH, the margin ratio is calculated as 825 / 5000 = 16.5%.
When USDC ≠ USD
Consider the same scenario above, but where ETH's USD price is 1000 and the USDC price is 2000. In this case, the collateral value remains the same at 825 USD. The position value of 5 ETH remains as 1,000 USDC, since on Perp the mark price determines the position value. As a result, the margin ratio is still 825 / 5000 = 8.25%.
If you are using non-USDC collateral types and USDC loses its peg, you should closely monitor your margin ratio.
Source Code
Curie Smart Contracts
The source code Curie smart contracts now appear on GitHub as well as Etherscan and are now more structured and easier to read. For the core smart contracts that underlie Perp v2, the full audit reports can be found here.
The Curie, Curie Periphery and Oracle contracts are all now publicly available on GitHub. If you are a smart contract developer, check out the repository links below to get started with building on top of Perp v2:
Note: the Curie contracts are subject to the bug bounty program with Immunefi.
For more details about implementation, check out the docs here. All of the contracts above are licensed under GPL-3.0, meaning that any changes must be documented and ensure that the entire ecosystem benefits from any re-use of the code.
Perp Frontend SDK
By open sourcing the software development kit for Perp v2’s frontend, it’s now easier for BUIDLers to create alternative front ends!
The Perp Frontend SDK is publicly available on GitHub: https://github.com/perpetual-protocol/perp-sdk
Perp Subgraph
Open sourcing the Perp subgraph provides more transparency and enables anyone to query historical data, especially those that are difficult to fetch from the contract.
The Perp Curie Subgraph is publicly available on GitHub: https://github.com/perpetual-protocol/perp-curie-subgraph
From now on, you’ll be able to closely follow every change made by our team in these repositories. We invite anyone to review our code, provide feedback through the issues tracker, submit pull requests to start building on top of our highly composable on-chain derivatives protocol or to build alternative frontends.
If you want to start BUIDLing using any of the materials linked above, you may be interested in our grants program, where any project or idea that builds on Perpetual Protocol and benefits our ecosystem can apply for funding.
v2 Market Delisting Process
The process for delisting a market is explained below:
1. The Token Listing DAO proposes a vote for delisting a token. The delisting requirements are markets with less than $200,000 in volume on Perp and $10 million on CoinGecko (using a 30-day rolling average for both), as outlined here.
2. The Foundation team performs a risk assessment to ensure the market can be delisted safely and defines the delisting date.
3. Whenever a market is to be delisted, an announcement will be made on Discord and Twitter for the community 2 days prior to give users enough time to close their positions and/or remove liquidity. The market will be paused 48 hours after this announcement is made.
4. During this 48-hour period, no new positions can be opened and the market cannot be traded. You can only close your positions or remove liquidity.
5. A channel dedicated to users that have open positions in the market that's going to be delisted will be available in our Discord server if you need any assistance or have any questions.
6. Once the market has been paused, users will not be able to close their positions or remove liquidity. The message below will be shown on the market's page:
7. The Foundation team performs another risk assessment again right before delisting the market.
8. BaseToken.close(indexTwapPrice) is called to close the market and another announcement will be made to inform users. Once the market is closed, it's recommended to close any remaining positions and/or remove liquidity as soon as possible. Users will see something similar to what's displayed below on the market's page. The index TWAP price will be displayed and users will be able to close their positions or remove liquidity according to the index TWAP price using the 'Close Position' button.
Last updated