Smart Contract Security and Trust Assumptions

Security Review Status

Upgradeability

Smart contracts may be upgraded through governance. All upgrades require:

• ForageGovernor proposal (1% minimum to propose)
• Approximately 5-day voting period with 4% quorum
• 8-day mandatory timelock delay

This gives depositors time to review proposed changes and exit if desired.

Pause Powers

Guardians can pause and unpause contracts immediately without the timelock. Guardian powers are strictly limited:

Guardian powers have a published sunset timeline for progressive reduction.

Custody Model

• RISKUSDC backing: RISKUSDC is minted 1:1 against deposited USDC and backed by on-vault USDC plus conservatively valued deployed capital/custodian value
• Trading capital: Deployed to supported liquidity venues (off-chain custody during trading)
• Treasury funds: Held in on-chain treasury contracts, controlled by governance

The protocol does not use a multi-sig for core operations. Governance is the primary control mechanism.

Trust Assumptions

Participants trust that:

1. Smart contracts are correct — No bugs that could result in loss of funds (mitigated by audits)
2. Off-chain services operate honestly — Signal evaluation, PnL computation, and execution are off-chain (mitigated by public trading wallet)
3. Governance acts in good faith — Parameter changes could disadvantage some participants (mitigated by timelock exit window)
4. Guardians use powers appropriately — Emergency pause is a privileged action (mitigated by scope limits and sunset timeline)

Known Limitations

• Contracts have not yet undergone independent third-party audit
• Off-chain operations (signal evaluation, execution) require trust in the protocol operator
• Venue concentration introduces operational and counterparty risk
• PnL deposit timing is operationally determined (not automated on-chain)