Reference
Security and risks
What has been verified, what hasn't, what the admin can and cannot do, and the honest list of risks you accept by using an early, unaudited protocol.
What has been done
- Three internal audit rounds before mainnet, each with fixes verified on-chain against real Blend interest: token-approval lifetimes, unit conversion in the YT trade route, withdrawal price floors, the maturity-freeze mechanism, and interest settlement on YT transfers, among others.
- Randomized property testing: a 10,000-step test that hammers the contracts with random splits, transfers, claims, recombines and redemptions under changing rates, checking after every step that the escrow still covers everything it owes. The AMM also has a 10,000-case reserve/custody property suite, but its current fixture runs at SY rate 1.0; non-par plain PT↔SY normalization is the documented M6 release gate for the factory-built AMM.
- Live simulation: waves of real testnet wallets ran the full lifecycle against fresh deployments, and every claimed finding was re-verified against source before being recorded. The mainnet deployment itself has run the complete lifecycle with real funds.
- Reproducible builds: anyone can rebuild the contracts from the recorded source commit and confirm the result matches what is on chain, byte for byte (see Deployed contracts).
- A floating-point tripwire in CI: Stellar contracts must use whole-number math, and the build pipeline fails if any floating-point instruction appears, so the pool’s arithmetic cannot silently regress.
Known issues, all minor and none affecting funds, are tracked publicly in findings.md.
What the admin can and cannot do
The admin is a single key. Its complete list of powers:
- Can: re-point the SY wrapper at the same USDC asset under a new Blend reserve slot, if Blend ever reshuffles its internal indexing. The contract checks that the new slot really holds the same asset, so this lever cannot be aimed anywhere else.
- Cannot: upgrade contracts, move or freeze anyone’s funds, set or change the exchange rate, mint tokens, pause the market, or change fees. None of those entrypoints exist in the deployed code.
The production rate path has no human in it: the SY rate is read from the Blend position on every interaction, and the deployment tooling refuses to record a deployment configured any other way.
Risk register
| Risk | Posture |
|---|---|
| Contract defect (unaudited code) | The dominant risk. Immutable contracts make any defect permanent. Testing and internal audits reduce it; nothing eliminates it. Size positions accordingly. |
| Underlying failure (Blend) | SY is a Blend position, so a Blend loss is an SY loss. The damage is contained to this one wrapper, and it is priced rather than blocked: PT redemptions cap at each holder’s fair share, and PT is paid before YT. |
| Price-feed manipulation | There is no external price feed to manipulate. The rate comes from Blend directly, and outside integrators get a 30-minute average with an explicit warming-up flag. |
| Thin liquidity | Trades in the current shallow pool move prices sharply. Every swap carries a minimum-received floor, so a stale quote cancels instead of filling badly. |
| Falling interest rates | If the Blend rate falls, YT earns less than its price implied. That is the instrument working as designed, not failing: YT is the leveraged side. |
| Storage rent lapse | Stellar archives lapsed storage entries rather than deleting them, and a standard network operation restores them. The app tops entries up automatically. Funds cannot be lost this way. |
| Interest at the maturity boundary | The freeze pins the last rate recorded at or before maturity. Any small unrecorded tail goes predictably to PT (the senior claim), never to whoever transacts fastest. |
Reporting a vulnerability
Report security findings privately via GitHub’s Report a vulnerability flow, not as a public issue. See SECURITY.md for the policy.