Security Statement
Alkemi Network is committed to ensuring the maximum levels of safety for our customers and their assets, integrating the platform security assessment framework initiated by ConsenSys/Codefi. The following document explains the potential risks and Alkemi's targeted approach to mitigating them on an ongoing basis.
Categories
Smart Contract Risks
Financial / Credit Risks
Centralization Risks
Institutional Risks
1. Smart Contract Risks
Alkemi Earn users can lend and borrow digital assets using smart contracts run on the Ethereum Blockchain. Smart contracts are self-executing programs that facilitate credible transactions without third parties. It is important to note that no smart contract can be guaranteed to be absolutely safe and free of bugs. Errors in smart contracts can result in financial damages and irreversible loss of funds. Therefore, the continuous internal and external assessment of smart contract code is imperative for the safety and security of all protocols.
Smart contract exploit example: The DAO Attack: Understanding What Happened
How we mitigate Smart Contract Risks:
Diligent internal functional testing and user acceptance testing with legacy finance partners prior to every release
Real-time monitoring, alerting and troubleshooting for smart contracts (Tenderly)
Utilization of security-trialled, community-reviewed code libraries where available, continuously improved and tested by developers worldwide
Smart contract audit commitment at every major release by independent, reputable expert firms with public documentation of results (first audit completed Q3 2021 by Quantstamp)
Bug bounty programs incentivizing the developer community to propose code improvements in exchange for rewards are also planned for Q3/Q4 2021
2. Financial / Credit Risks
Liquidity
Alkemi Earn utilizes a dynamic interest rate model to incentivize liquidity. The model is encoded into the money market smart contracts in the protocol. When liquidity is low in a given market, the interest rate increases to incentivize depositors. When liquidity is high, the interest rate decreases to incentivize borrowers. This model also enables participants to borrow and lend directly, removing the necessity for counterparty negotiation of loan terms including maturity, interest rate, and collateral. However, incentivized liquidity does not imply guaranteed liquidity.
Collateral
Decentralized finance is fundamentally inclusive because there is no centralized identity or reputation monitoring required (e.g. credit history) to participate in transactions. On the other hand, in the absence of such mechanisms, determining and managing the credit capacity of borrowers is a challenging task and requires conservative approaches to collateral. This challenge, combined with the high volatility of digital assets, carries the potential to result in system insolvencies if proper safeguards are not put in place.
A liquidity risk analysis: Illiquidity and Bank Run Risk in DeFi
How Alkemi Network mitigates Financial/Credit Risks:
Risk assessments for current and prospective market assets to ensure stability, liquidity and credibility
Over-collateralization to reduce credit risk (loan-to-value ratio currently set at 80% for all markets)
Continuous monitoring and alerting for healthy market utilization ratios
Financial edge case scenario testing and operational partnerships with legacy and crypto finance partners to anticipate and prevent potential insolvencies (Shift Markets, Radar)
Protocol insurance pool deployed as a buffer for potential low liquidity events in markets, continuously funded at a block level with 1% of interest earnings from outstanding borrows
3. Centralization Risks
Protocol Administration
Centralization of mission-critical processes is an administrative and operational risk factor for any network. If privileges are centralized at the administrative level (e.g. key management, executing protocol changes, authorizing transactions) a potential hack, human error, or a disgruntled administrator's actions could lead to unwanted changes and financial loss.
Price Oracles
Financial protocols are dependent upon the functionality of price oracles for any transaction in the network. Centralization of this dependency may become a critical vulnerability. If price feeds come from a single origin, an exploit or mistake in the originating feed could mislead network participants and trigger irreversible transactions and losses.
Oracle exploit example: Compound liquidator makes $4M as oracles post inflated Dai price
How Alkemi Network mitigates Centralization Risks:
Protocol administrators are subject to a multi-signature process requiring 2 out of 3 members of the core team to validate protocol-level changes
Utilization of Chainlink, an industry-leading decentralized price oracle system with high-quality data sources and node redundancy, in order to avoid price manipulation
Time-lock before critical protocol modifications take place in order to allow network participants to exit the protocol if they do not agree with the changes (planned for v2 release)
During the early stages, Alkemi Earn is protected by a single Administrator account. It has various functions and can pause the protocol in case of a problem. It cannot withdraw anyone's funds from their accounts. During Alkemi's move to a fully decentralized protocol, the privileges of the Administrator account will be gradually replaced by network governance from those who hold ALK tokens and use them to make these changes democratically, like through the use of votes.
4. Institutional Risks
Alkemi Earn is an institution-grade liquidity network designed around risk mitigation and control features. As regulated entities, our customers and partners require us to perform the highest standards of due diligence to ensure operation in compliance with regulatory requirements. Decentralized applications (Dapps) provide numerous capital deployment opportunities for financial institutions, but also carry risks in terms of security, identity management (trusted counterparty verification), transaction monitoring and risk control mechanisms.
Securing customer and partners' control requirements is a top priority at Alkemi Network.
How Alkemi Network mitigates institutional risks:
Permissioned liquidity pool with KYC / AML verified onboarding in partnership with KYC-Chain
Participants may only use the protocol after completing the verification process and undergoing approval procedures for their wallet address. These processes maintain a safety buffer against the majority of DeFi-specific risks (security and compliance)
Institutionally-focused financial transaction monitoring and reporting to satisfy internal and external audit baseline requirements. This includes level 1/2/3 support thresholds, a customer support-dedicated representative and a notification service with a 24/7 monitoring system
Planned for Alkemi Earn v2 release:
Real-time transaction monitoring allowing for continued mitigation of compliance-related risks
Formal protocol audit by a leading blockchain security and smart contract auditor (completed by Quantstamp Q3 2021).
Disclaimer
The purpose of this document is to outline the currently known risks associated with DeFi protocols and communicate Alkemi's commitment and continuous efforts to mitigate them. The contents of this document do not warrant absolute protection from the aforementioned risk categories.
Last updated