Smart Contract Risk
All smart contracts are subject to risks.
The Perpetual Protocol Curie contracts have undergone testing, code reviews, internal audits and several external audits, with no critical issues found. However, a risk always exists that a vulnerability is found any smart contract, which may result in a loss of funds. Never trade or invest with more funds than you can afford to lose.
Perpetual Protocol is built on the Optimism network and uses on-chain oracles (Chainlink) to determine the index price for each asset. A severe degradation in any part of this critical infrastructure will adversely affect trading activity on Perp v2.
If Optimism experiences downtime, users will be unable to deposit, withdraw, or open or close their positions. If the centralized Sequencer (or ‘validator’) experiences downtime or undesired operation, funds in the clearinghouse contract will be inaccessible while block production is halted.
The Optimism team plans to decentralize the Sequencer by introducing a mechanic to permissionlessly rotate between different sequencer operators. Later down the line, Optimism will adopt a standard Byzantine Fault Tolerant consensus protocol to enable multiple, concurrent sequencers.
Fraud proofs for Optimism are in development (Cannon), meaning users currently need to trust the block proposer to submit correct L1 state roots. Funds can be stolen from the rollup if an invalid state root is submitted to the system or if there’s a malicious code upgrade (there is currently no delay for code upgrades).
Chainlink’s data feeds provide access to secure and reliable sources of data to facilitate trading on Perp v2. The data provided by Chainlink oracles is very difficult to manipulate and Perp v2 liquidations are based on the oracle index price. But if these price feeds experience an outage or are delayed, index prices on Perp v2 could become inaccurate and lead to erroneous liquidations or failure to liquidate.
The core Perpetual Protocol smart contracts are upgradeable, which enables the core team to upgrade the protocol or to react in an emergency by allowing the developers to make updates to the smart contracts. Any such changes are made using an admin key controlling a proxy contract. The admin key uses a 3-of-5 multi-sig (0x76Ff908b6d43C182DAEC59b35CebC1d7A17D8086), meaning at least three core team members are required to sign off on any contract upgrades.
The primary uses of the admin key are:
- listing new markets
- implementing contract upgrades and new features
- implementing bug fixes bugs
- Setting protocol parameters
The admin key also has the ability to change the contracts holding user funds, set fee ratios, and add addresses to whitelists, which could mean the adjustment of user balances or the minting of virtual tokens.
There is currently no delay for any smart contract changes (which are implemented immediately), but a time-lock is planned for the future.
Perpetual Protocol is pursuing a strategy of gradual decentralization. The admin key for Perp v2 will be handed over to the Perpetual DAO once the governance system is mature enough.
The admin key signers are comprised of key team members as well as a member of the engineering team as part of a weekly on-call rotation.
Complete list of multi-sig signers:
USDC Blacklisting Risk
Circle, the issuer of the USDC stablecoin, maintains a blacklist of Ethereum accounts to comply with regulatory requirements. From Circle’s own documentation, “Circle and the Centre Consortium only block addresses when we are legally required”. Blacklisting prevents the target address from transferring USDC.
As of August 2022, USDC blacklisting is not possible on Optimism. This means Circle is unable to prevent an address from transferring USDC on Optimism. A blacklisted address will not be able to transfer USDC once it is bridged back to Ethereum Mainnet or to other chains on which Circle controls the blacklist admin key.
When can we lock/take the funds?
Technically, the contract admin can lock the fund by calling
pause, and take the fund by upgrading the contract with a new function then withdraw it.
Contract admin will follow any passed proposal, though it’s only based on a social contract.
What will we do under circumstances of de-pegging, bad debt, or insurance fund dries out?
As the core developer team has the access to the contracts admin keys, we'll do whatever we can to deal with emergencies if we find it to be suitable.
Suggestions from the community, external consultants and investors will also be taken into consideration to avoid the core team harming the entire protocol. This is still based on a social contract though.
Will we pay users back in the event of a hack?
For the unlocked PERP (21M fund) we can only use it for what we apply for. The foundation team has no say in how locked PERP is used, so if the only capital available is locked PERP, then it’s the community’s decision.
What are the emergency shutdown & winding down processes?
The foundation team cannot predict black swan events, but based on what the team did previously, at least we know if the oracle is going to shut down, then we have to shut down the market (like we did with LUNA during May 2022).
Do we have to pass a vote to make any updates to the contract?
The current roadmap is to make our development more transparent first.
Once we have more community members involved with development, then we can try to expand the multi-sig to people who are not from the foundation team, and then potentially transition to an on-chain governance stage.
However, the most important thing in the current stage is growth and speed, so we plan to accelerate the decentralization once we have more traction.