FAQ

Technology risk

Smart contracts can fail. Blockchains can have outages. Code can have bugs that survive audits. This page is honest about all of it.

The risk in concrete terms:

Three sub-categories.

Smart contract risk. A bug in the ERC-7540 vault contracts, access control logic, fee accrual, or supporting contracts could cause loss of funds.

Infrastructure risk. The Base network could go down. The NAV oracle could report incorrect values. The Ceffu integration could fail unexpectedly.

Platform code risk. The MakeBanc web platform could have bugs in transaction construction, balance display, or user-facing flows.

Each has different probability, severity, and mitigation.

Smart contract risk:

The ERC-7540 vault contracts are the most consequential layer. A bug here could mean loss of funds for everyone in the vault.

What is in place:

The contracts have been audited by independent security firms. Reports are published on the audits page. Critical findings have been addressed and re-audited.

A 96-hour TimelockController governs all governance actions. Any upgrade or parameter change is announced on-chain 96 hours before it takes effect. You have time to react.

Pause logic is asymmetric. The Guardian can pause contracts immediately in response to an exploit. Unpausing requires the full timelock, so a malicious pause cannot become an attack vector.

The contracts cover vault accounting and access control only. Actual trading happens in segregated SMA accounts at the custodian, not on-chain. The vault holds no funds; deposits flow into the custodian in the same transaction, so there is nothing sitting in the contract to extract.

If an on-chain error or exploit is discovered, the vault can be upgraded and redemptions paused, but this requires the full 96-hour timelock. That window exists so you can verify any change before it takes effect.

On-chain valuations are verified by Chainlink's CRE DON, a 16-node consensus mechanism that approves or rejects each NAV update. No single party can push a manipulated valuation. The DON sends only an approve/reject signal; no edits are allowed.

Residual risk:

No audit makes a contract provably correct. Audits reduce the probability of bugs reaching production. They do not eliminate it.

The 96-hour timelock protects against malicious upgrades but not bugs in already-deployed code. The fact that the vault holds no funds significantly limits the blast radius of any contract-level exploit.

What insurance is intended to cover (in progress):

Technology risk on the underlying smart contract infrastructure is covered by insurance from Breach (technology-risk coverage, currently in progress) at the protocol level. You do not need to activate it or pay extra.

Coverage applies to smart contract failure causing loss of vault assets. It does not cover trading losses, key compromise on your end, or strategy underperformance.

Infrastructure risk:

Base is operated by Coinbase and inherits security from Ethereum L1. It has had occasional outages, all resolved within hours. During an outage, transactions cannot process but funds remain safe.

The NAV oracle is critical. It reads positions and prices from the custody and trading layer, computes vault NAV, and posts it on-chain. A bug or compromise could mis-report NAV, affecting allocations and redemptions until corrected.

What is in place:

The oracle uses redundant data sources and cross-checks. Posted NAVs are reviewable on-chain. Anomalous values trigger automated alerts.

If the oracle malfunctions, the Guardian can pause vault operations until resolved. No allocations or redemptions process at a potentially incorrect NAV.

Residual risk:

If an incorrect NAV is posted and a transaction settles against it before detection, that transaction settles at the wrong value. The platform's policy is to identify and correct NAV errors as promptly as possible, and to work toward making affected users whole where feasible. The platform's ability to do so depends on the nature and scale of the error. Detection latency is typically well under 24 hours.

Platform code risk:

The web platform constructs transactions, displays balances, and handles user flows. Bugs here would not directly cause fund loss (the smart contracts are the source of truth) but could cause confusion or failed transactions.

What is in place:

Standard secure development practices. Transactions presented for signing show actual contract calls and parameters. Critical actions require explicit confirmation.

Residual risk:

A bug could display an incorrect balance. The correct balance is always retrievable from on-chain contract state. A failed transaction does not put your funds at risk.

For larger allocations, a Safe multisig adds a second human review of every transaction before execution.

What you can do:

Three practical actions.

Verify contract addresses. Before allocating, check that you are interacting with the official vault contract. Addresses are published in Smart contract addresses. Compare what your wallet shows against that list.

Review what you sign. Every transaction shows the contract address and function being called. Look. If you cannot read it, do not sign.

Use a hardware wallet or multisig for meaningful amounts. If you would feel the loss, the operational overhead is worth it. A Safe multisig is appropriate when a single signature feels like too much trust in one device.

What this is not:

This page is not a guarantee. It is a description of the technology risk landscape, mitigations in place, and what remains.

If a technology incident happens, the response will be detailed publicly. That track record is part of what you should evaluate.

Security and risk2 of 6
← Previous
Risk framework