
Risk architecture and insolvency handling

A structured disclosure of PercoSec's security assumptions, failure modes, and deterministic payout rules.

Risk Disclosure: PercoSec is experimental software operating in adversarial financial markets. No risk model is complete. The mechanisms described here represent the current design intent - not a guarantee of loss prevention or protocol solvency. Capital providers should independently assess all risks before depositing.

Claims Trigger Mechanism

Claims trigger when the post-liquidation deficit exceeds the market-defined threshold.

This is an on-chain, deterministic evaluation. The Insolvency Handler program reads the market's deficit account after a liquidation event completes. If the deficit exceeds the market-specific threshold parameter, the claim process executes automatically - without any human intervention, governance vote, or oracle report.

Liquidation Engine Dependency

Risk rating: High

Architecture

PercoSec relies on keeper bots (off-chain executors) to trigger on-chain liquidations when positions breach maintenance margin. These keepers are incentivized with a portion of the liquidation fee.

Failure Mode

If keeper network latency or downtime allows positions to move significantly past the liquidation trigger price before execution, the realized fill price may be materially worse than the expected trigger price. This gap becomes a liquidation deficit absorbed by the insurance pool.

Mitigations

The protocol operates a primary keeper fleet and exposes liquidation instructions as permissionless CPI calls - any party can execute a valid liquidation and collect the fee. Additionally, on-chain fallback logic activates when positions exceed an extreme margin breach threshold, enabling the Insurance Pool Program to initiate forced resolution.

Oracle Dependency Risk

Risk rating: High

Architecture

Price discovery relies on the market's configured oracle source - Pyth Network by default, with optional Switchboard integration for markets requiring custom feeds. Oracle prices gate all liquidations, settlement, and funding rate calculations.

Failure Modes

Oracle staleness (price not updated in >30 seconds), price manipulation via oracle provider collusion, or a flash-crash price spike can all cause either premature liquidations (cascade risk) or liquidation prevention (bad debt accumulation).

Mitigations

The protocol implements a maximum acceptable price staleness check at the program level. Liquidations are halted if the oracle timestamp exceeds the stale threshold. For high-frequency markets, a secondary oracle source can be configured as a validation reference. Price impact limits gate order execution size.
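The staleness gate and optional secondary-source check described above, as an added example in plain Rust (not PercoSec's program code). The 30-second limit is the figure the page gives; the 200 bps divergence bound, the `PriceReport` shape and the error names are assumptions.

```rust
#[derive(Debug, PartialEq)]
pub enum OracleError {
    Stale { age_secs: i64 },
    FutureTimestamp,
    ZeroPrice,
    Divergent { bps: u64 },
}

pub struct PriceReport {
    pub price: u64,        // price in the feed's smallest unit (assumption)
    pub publish_time: i64, // unix seconds, as the oracle published it
}

/// The page states liquidations halt once the oracle is older than 30 seconds.
pub const MAX_STALENESS_SECS: i64 = 30;
/// Assumed bound on primary/secondary divergence, in basis points.
pub const MAX_DIVERGENCE_BPS: u64 = 200;

/// Rejects a report that is zero, dated in the future, or older than the threshold.
pub fn check_fresh(report: &PriceReport, now: i64) -> Result<u64, OracleError> {
    if report.price == 0 {
        return Err(OracleError::ZeroPrice);
    }
    // A publish time ahead of the chain clock is a bad clock or feed, not fresh data.
    if report.publish_time > now {
        return Err(OracleError::FutureTimestamp);
    }
    let age = now - report.publish_time;
    if age > MAX_STALENESS_SECS {
        return Err(OracleError::Stale { age_secs: age });
    }
    Ok(report.price)
}

/// Price a liquidation may use: the primary must be fresh; if a secondary
/// validation source is configured it must be fresh and agree within bound.
pub fn liquidation_price(primary: &PriceReport, secondary: Option<&PriceReport>, now: i64) -> Result<u64, OracleError> {
    let p = check_fresh(primary, now)?;
    if let Some(s) = secondary {
        let q = check_fresh(s, now)?;
        // |p - q| / p in basis points; u128 avoids overflow on large prices.
        let bps = (p.abs_diff(q) as u128 * 10_000 / p as u128) as u64;
        if bps > MAX_DIVERGENCE_BPS {
            return Err(OracleError::Divergent { bps });
        }
    }
    Ok(p)
}
```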

Smart Contract Risk

Risk rating: Moderate

Architecture

All PercoSec logic is implemented as native Solana programs written in Rust using the Anchor framework. Programs are separated by function: Risk Engine, Premium Manager, Insurance Pool, and Insolvency Handler.

Failure Modes

Smart contract vulnerabilities - including arithmetic overflow, reentrancy patterns in CPI calls, authority misuse, and account confusion - can lead to unauthorized fund access or incorrect accounting. Solana's account model eliminates some EVM-specific attack vectors but introduces others unique to the UTXO-adjacent model.

Mitigations

All programs have undergone internal security review. Third-party audits are planned prior to mainnet launch. Programs are upgradeable via a multisig authority with time-lock. All critical state transitions emit on-chain events for external monitoring. A bug bounty program will be established at launch.

Insolvency Waterfall

Status: Defined

Purpose

The insolvency waterfall defines the order in which losses are absorbed when a market event generates a deficit that exceeds the primary liquidation proceeds. Each layer is exhausted before the next is touched.

Layer Structure

Waterfall layers apply in the following order: (1) Liquidation penalties from the insolvent position; (2) Market fee reserve (protocol-retained operational buffer); (3) Insurance Pool capital (pro-rata across providers); (4) Protocol treasury (last resort, limited allocation).

Socialization

If losses exceed the insurance pool capacity, remaining deficit is socialized across all open position holders in the affected market via a pro-rata haircut to unrealized PnL. This mechanism is an absolute last resort and its parameters are visible on-chain before position opening.
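The four waterfall layers and the final pro-rata haircut on unrealized PnL, as an added example in plain Rust (not PercoSec's program code). Layer balances and positions are constructed inputs; the largest-remainder handling of rounding dust is an assumed choice the page does not specify.

```rust
#[derive(Debug)]
pub struct Layers {
    pub liquidation_penalties: u64, // layer 1: penalties from the insolvent position
    pub market_fee_reserve: u64,    // layer 2: protocol-retained operational buffer
    pub insurance_pool: u64,        // layer 3: pool capital, pro-rata across providers
    pub treasury_allocation: u64,   // layer 4: last resort, limited allocation
}

#[derive(Debug, PartialEq)]
pub struct Absorption {
    pub drawn: [u64; 4], // amount taken from each layer, in waterfall order
    pub socialized: u64, // deficit left over for the PnL haircut
}

/// Drains the layers in order; each is exhausted before the next is touched.
pub fn absorb(deficit: u64, l: &Layers) -> Absorption {
    let caps = [l.liquidation_penalties, l.market_fee_reserve, l.insurance_pool, l.treasury_allocation];
    let mut remaining = deficit;
    let mut drawn = [0u64; 4];
    for (i, cap) in caps.iter().enumerate() {
        drawn[i] = remaining.min(*cap);
        remaining -= drawn[i]; // cannot underflow: drawn[i] <= remaining
    }
    Absorption { drawn, socialized: remaining }
}

/// Pro-rata haircut on positive unrealized PnL. Each position is cut in
/// proportion to its gain; rounding dust goes to the largest fractional
/// remainders so the cuts sum to exactly `amount` and never exceed a gain.
/// Returns None if positive PnL in the market cannot cover `amount`.
pub fn socialize(amount: u64, unrealized_pnl: &[i64]) -> Option<Vec<u64>> {
    let gains: Vec<u128> = unrealized_pnl.iter().map(|&p| p.max(0) as u128).collect();
    let total: u128 = gains.iter().sum();
    if total < amount as u128 { return None; }
    if amount == 0 { return Some(vec![0; gains.len()]); }
    let a = amount as u128;
    let mut cuts: Vec<u64> = gains.iter().map(|g| (g * a / total) as u64).collect();
    let dust = amount - cuts.iter().sum::<u64>();
    let mut order: Vec<usize> = (0..gains.len()).collect();
    order.sort_by_key(|&i| std::cmp::Reverse(gains[i] * a % total));
    for &i in order.iter().take(dust as usize) {
        cuts[i] += 1;
    }
    Some(cuts)
}
```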

Deterministic Payout Rules

All payout rules are encoded in the Insolvency Handler program and cannot be overridden without an upgrade through the multisig authority. The following rules apply to all markets regardless of configuration.

Deterministic payout rules for insurance claims

Trigger Condition: Post-liquidation account deficit exceeds the market-configured insolvency threshold, verified on-chain by the Insolvency Handler program.

Trigger Initiator: Any network participant can call the claim instruction. No governance vote or multisig approval required. The claim is accepted or rejected deterministically based on on-chain state.

Payout Calculation: Payout equals the lesser of (a) the verified deficit amount and (b) the market's pool balance at time of claim, subject to maximum payout per epoch limits.

Settlement Speed: Claims are settled within the same transaction block once the trigger condition is verified. No oracle report delay or governance queue.

Provider Impact: Payouts reduce pool TVL proportionally across all active depositors in the market pool. No single depositor is preferentially protected or penalized.

Dispute Resolution: There is no off-chain dispute mechanism. All decisions are made by on-chain program logic. Users who disagree with parameter configurations should not participate.
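The trigger condition, lesser-of payout calculation, per-epoch cap and proportional provider impact from the rules above, as an added example in plain Rust (not PercoSec's program code). Share-based pool accounting is used so a payout lowers every depositor's share value by the same ratio with no per-depositor loop; the `MarketPool` fields and the epoch bookkeeping are assumptions.

```rust
#[derive(Debug, PartialEq)]
pub enum ClaimError {
    BelowThreshold,
    EpochCapExhausted,
    PoolEmpty,
}

#[derive(Debug, PartialEq)]
pub struct MarketPool {
    pub balance: u64,              // pool TVL in base units
    pub total_shares: u64,         // depositor shares outstanding
    pub insolvency_threshold: u64, // market-configured trigger threshold
    pub epoch_payout_cap: u64,     // maximum payout per epoch
    pub epoch_paid: u64,           // paid out so far in `epoch`
    pub epoch: u64,
}

/// Value of one depositor's shares. After a payout it falls for every
/// depositor in the same proportion, so nobody is preferentially treated.
pub fn share_value(pool: &MarketPool, shares: u64) -> u64 {
    if pool.total_shares == 0 {
        return 0;
    }
    (shares as u128 * pool.balance as u128 / pool.total_shares as u128) as u64
}

/// Evaluates a claim for `deficit` during `now_epoch` purely from pool state:
/// applies the payout and returns it, or rejects the claim deterministically.
pub fn evaluate_claim(pool: &mut MarketPool, deficit: u64, now_epoch: u64) -> Result<u64, ClaimError> {
    if deficit <= pool.insolvency_threshold {
        return Err(ClaimError::BelowThreshold);
    }
    if now_epoch != pool.epoch {
        pool.epoch = now_epoch; // new epoch: the per-epoch cap starts over
        pool.epoch_paid = 0;
    }
    let cap_left = pool.epoch_payout_cap.saturating_sub(pool.epoch_paid);
    if cap_left == 0 {
        return Err(ClaimError::EpochCapExhausted);
    }
    if pool.balance == 0 {
        return Err(ClaimError::PoolEmpty);
    }
    // Lesser of the verified deficit and the pool balance, then bounded by the epoch cap.
    let payout = deficit.min(pool.balance).min(cap_left);
    pool.balance -= payout;
    pool.epoch_paid += payout;
    Ok(payout)
}
```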

What PercoSec Does Not Cover

  • Normal trading losses from market price movement
  • Losses due to user error (wrong position size, incorrect leverage settings)
  • Losses from interacting with unregistered or unofficial markets
  • Network-level failures (Solana validator outages, RPC unavailability)
  • Losses from user-held wallets (private key compromise, phishing)
  • Losses in cross-chain bridging or wrapped asset de-pegging
  • Any loss exceeding the insurance pool's available balance at time of claim