Security & Risk
Risk architecture and insolvency handling
A structured disclosure of PercoSec's security assumptions, failure modes, and deterministic payout rules.
Risk Disclosure: PercoSec is experimental software operating in adversarial financial markets. No risk model is complete. The mechanisms described here represent the current design intent - not a guarantee of loss prevention or protocol solvency. Capital providers should independently assess all risks before depositing.
Claims Trigger Mechanism
Claims trigger when the post-liquidation deficit exceeds the market-defined threshold.
This is an on-chain, deterministic evaluation. The Insolvency Handler program reads the market's deficit account after a liquidation event completes. If the deficit exceeds the market-specific threshold parameter, the claim process executes automatically - without any human intervention, governance vote, or oracle report.
Liquidation Engine Dependency
High · Architecture
PercoSec relies on keeper bots (off-chain executors) to trigger on-chain liquidations when positions breach maintenance margin. These keepers are incentivized with a portion of the liquidation fee.
Failure Mode
If keeper network latency or downtime allows positions to move significantly past the liquidation trigger price before execution, the realized fill price may be materially worse than the expected trigger price. This gap becomes a liquidation deficit absorbed by the insurance pool.
Mitigations
The protocol operates a primary keeper fleet and exposes liquidation instructions as permissionless CPI calls - any party can execute a valid liquidation and collect the fee. Additionally, on-chain fallback logic activates when positions exceed an extreme margin breach threshold, enabling the Insurance Pool Program to initiate forced resolution.
Oracle Dependency Risk
High · Architecture
Price discovery relies on the market's configured oracle source - Pyth Network by default, with optional Switchboard integration for markets requiring custom feeds. Oracle prices gate all liquidations, settlement, and funding rate calculations.
Failure Modes
Oracle staleness (price not updated in >30 seconds), price manipulation via oracle provider collusion, or a flash-crash price spike can all cause either premature liquidations (cascade risk) or liquidation prevention (bad debt accumulation).
Mitigations
The protocol implements a maximum acceptable price staleness check at the program level. Liquidations are halted if the oracle timestamp exceeds the stale threshold. For high-frequency markets, a secondary oracle source can be configured as a validation reference. Price impact limits gate order execution size.
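The staleness gate and secondary-feed validation described above, as an added Rust example (not PercoSec's program code); the type names, the fail-closed treatment of a stale secondary feed and the basis-point deviation limit are assumptions, the 30-second bound is the figure the text gives:

```rust
// Added example (not PercoSec's code): gating a liquidation on oracle
// freshness, with an optional secondary feed as a validation reference.
// Names, the fail-closed rule and the bps deviation limit are assumptions.

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct OraclePrice {
    pub price: u64,        // fixed-point price (scale is irrelevant here)
    pub publish_time: i64, // unix seconds reported by the feed
}

#[derive(Debug, PartialEq)]
pub enum OracleError {
    Stale { age: i64 },
    FutureTimestamp,
    ZeroPrice,
    Deviation { bps: u128 },
    Overflow,
}

pub const MAX_STALENESS_SECS: i64 = 30;

/// Age of a feed update; rejects clock skew into the future and anything past
/// the stale threshold. Checked subtraction so a hostile timestamp cannot wrap.
fn age_secs(now: i64, publish_time: i64) -> Result<i64, OracleError> {
    let age = now.checked_sub(publish_time).ok_or(OracleError::Overflow)?;
    if age < 0 { return Err(OracleError::FutureTimestamp); }
    if age > MAX_STALENESS_SECS { return Err(OracleError::Stale { age }); }
    Ok(age)
}

/// Returns the primary price a liquidation may use, or the reason it must be
/// halted. With a secondary feed configured it fails closed: a stale secondary
/// halts liquidation instead of silently dropping the cross-check.
pub fn validate_price(
    primary: OraclePrice,
    secondary: Option<OraclePrice>,
    now: i64,
    max_deviation_bps: u128,
) -> Result<u64, OracleError> {
    age_secs(now, primary.publish_time)?;
    if primary.price == 0 { return Err(OracleError::ZeroPrice); }
    if let Some(sec) = secondary {
        age_secs(now, sec.publish_time)?;
        let diff = primary.price.abs_diff(sec.price) as u128;
        let bps = diff.checked_mul(10_000).ok_or(OracleError::Overflow)?
            .checked_div(sec.price as u128).ok_or(OracleError::Overflow)?; // 0 price -> Overflow
        if bps > max_deviation_bps { return Err(OracleError::Deviation { bps }); }
    }
    Ok(primary.price)
}
```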
Smart Contract Risk
Moderate · Architecture
All PercoSec logic is implemented as native Solana programs written in Rust using the Anchor framework. Programs are separated by function: Risk Engine, Premium Manager, Insurance Pool, and Insolvency Handler.
Failure Modes
Smart contract vulnerabilities - including arithmetic overflow, reentrancy patterns in CPI calls, authority misuse, and account confusion - can lead to unauthorized fund access or incorrect accounting. Solana's account model eliminates some EVM-specific attack vectors but introduces others unique to the UTXO-adjacent model.
Mitigations
All programs have undergone internal security review. Third-party audits are planned prior to mainnet launch. Programs are upgradeable via a multisig authority with time-lock. All critical state transitions emit on-chain events for external monitoring. A bug bounty program will be established at launch.
Insolvency Waterfall
Defined · Purpose
The insolvency waterfall defines the order in which losses are absorbed when a market event generates a deficit that exceeds the primary liquidation proceeds. Each layer is exhausted before the next is touched.
Layer Structure
Waterfall layers apply in the following order: (1) Liquidation penalties from the insolvent position; (2) Market fee reserve (protocol-retained operational buffer); (3) Insurance Pool capital (pro-rata across providers); (4) Protocol treasury (last resort, limited allocation).
Socialization
If losses exceed the insurance pool capacity, remaining deficit is socialized across all open position holders in the affected market via a pro-rata haircut to unrealized PnL. This mechanism is an absolute last resort and its parameters are visible on-chain before position opening.
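The four-layer waterfall and the pro-rata haircut it falls back to, as an added Rust example (not PercoSec's program code); the layer balances, PnL values and the rule that rounding dust stays with the protocol are assumptions:

```rust
// Added example (not PercoSec's code): the four-layer loss waterfall from
// the section above, followed by pro-rata socialization of any residual
// deficit against open positions' unrealized PnL. Layer balances and
// position values are constructed inputs; every subtraction is bounded by min.

#[derive(Debug, PartialEq)]
pub struct WaterfallResult {
    pub absorbed: [u64; 4], // per layer, in waterfall order
    pub remaining: u64,     // deficit left after all four layers
}

/// Drains `deficit` through the layers in order: liquidation penalties,
/// market fee reserve, insurance pool, protocol treasury. Each layer is
/// exhausted before the next is touched; `layers` is mutated in place.
pub fn apply_waterfall(deficit: u64, layers: &mut [u64; 4]) -> WaterfallResult {
    let mut remaining = deficit;
    let mut absorbed = [0u64; 4];
    for (i, bal) in layers.iter_mut().enumerate() {
        let take = remaining.min(*bal);
        *bal -= take;
        remaining -= take;
        absorbed[i] = take;
    }
    WaterfallResult { absorbed, remaining }
}

/// Socializes `remaining` across positions with positive unrealized PnL by a
/// pro-rata haircut. Returns the haircut per position in input order (0 for
/// positions with no gain). Rounding dust stays with the protocol: the haircut
/// sum never exceeds `remaining`, and no position loses more than its gain.
/// Returns None on overflow or when there is no positive PnL to haircut.
pub fn socialize(remaining: u64, unrealized_pnl: &[i64]) -> Option<Vec<u64>> {
    let total_gain: u128 =
        unrealized_pnl.iter().filter(|&&p| p > 0).map(|&p| p as u128).sum();
    if remaining == 0 { return Some(vec![0; unrealized_pnl.len()]); }
    if total_gain == 0 { return None; }
    // Deficit larger than all gains: every gain is wiped, nothing beyond it.
    let pool = (remaining as u128).min(total_gain);
    unrealized_pnl.iter().map(|&p| {
        if p <= 0 { return Some(0); }
        // Floor division keeps sum(haircut) <= pool.
        let h = (p as u128).checked_mul(pool)? / total_gain;
        Some(h as u64) // h <= pool <= remaining, so it fits in u64
    }).collect()
}
```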
Deterministic Payout Rules
All payout rules are encoded in the Insolvency Handler program and cannot be overridden without an upgrade through the multisig authority. The following rules apply to all markets regardless of configuration.
What PercoSec Does Not Cover
- Normal trading losses from market price movement
- Losses due to user error (wrong position size, incorrect leverage settings)
- Losses from interacting with unregistered or unofficial markets
- Network-level failures (Solana validator outages, RPC unavailability)
- Losses from user-held wallets (private key compromise, phishing)
- Losses in cross-chain bridging or wrapped asset de-pegging
- Any loss exceeding the insurance pool's available balance at time of claim