Smart Contract Security
Trust minimization, isolation, and how the contracts protect themselves.
Yield Forge is designed to minimize trust. Even the protocol owner can't just take your money.
Trust Minimization
No admin custody: Your funds are deposited into the underlying protocol (Uniswap V4/V3) through the adapter. The Diamond contract holds references to positions, but admins cannot withdraw user funds arbitrarily.
Immutable core logic: The AMM pricing invariant and yield distribution math are fixed in the contract logic. Admin parameters (fees, guardian addresses) are bounded — they can't be set to arbitrary values.
Cycle Isolation
Each pool cycle is independent:
- Unique PT and YT token addresses per cycle
- Separate yield accounting per cycle
- If something goes wrong in one cycle, others are unaffected
Slippage Protection
All swap functions accept a minAmountOut parameter. The contract reverts if the output is less than the specified minimum, protecting users from front-running and sandwich attacks.
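The check described above, modelled in Python as an added example (not Yield Forge's contract code): a client derives minAmountOut from a quote and a tolerance, and the swap reverts when the pool price has moved before execution. The constant-product pool, the names ToyPool, min_out_for and demo, and the 0.5% tolerance are assumptions made for illustration; the 10 bps fee is the swap base fee listed in the fee table on this page.

```python
BPS = 10_000
SWAP_FEE_BPS = 10  # swap base fee from the page's fee table


class SlippageExceeded(Exception):
    """Stands in for the on-chain revert."""


class ToyPool:
    """Assumed constant-product pool; not Yield Forge's actual invariant."""

    def __init__(self, reserve_in: int, reserve_out: int):
        self.reserve_in = reserve_in
        self.reserve_out = reserve_out

    def quote(self, amount_in: int) -> int:
        """Output for amount_in at current reserves (integer math, rounds down)."""
        net_in = amount_in * (BPS - SWAP_FEE_BPS) // BPS
        return self.reserve_out * net_in // (self.reserve_in + net_in)

    def swap(self, amount_in: int, min_amount_out: int) -> int:
        out = self.quote(amount_in)
        if out < min_amount_out:  # the minAmountOut check
            raise SlippageExceeded(f"out={out} < minAmountOut={min_amount_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def min_out_for(quoted_out: int, tolerance_bps: int) -> int:
    """Client side: lowest acceptable output for a quote and a tolerance in bps."""
    if not 0 <= tolerance_bps <= BPS:
        raise ValueError("tolerance_bps must be within 0..10000")
    # Round up so the floor is never looser than the stated tolerance.
    return -(-quoted_out * (BPS - tolerance_bps) // BPS)


def demo():
    """Quote, set a 0.5% floor, then execute after the price has moved."""
    pool = ToyPool(1_000_000, 1_000_000)  # constructed reserves
    quoted = pool.quote(10_000)
    floor = min_out_for(quoted, 50)
    pool.swap(50_000, 0)  # constructed: another trade lands before ours
    try:
        pool.swap(10_000, floor)
        return quoted, floor, False
    except SlippageExceeded:
        return quoted, floor, True
```

A floor of 0 disables the check entirely, so the tolerance should be the smallest value that still lets ordinary price movement through.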
External Protocol Risk
Yield Forge depends on external protocols. Here's how we mitigate that risk:
| Risk | Mitigation |
|---|---|
| Underlying protocol bug | Only integrate with established, audited protocols |
| Adapter failure | Adapters are thin wrappers — they fail safely if the underlying reverts |
| Oracle manipulation | No external price oracles — pricing is derived from on-chain AMM state |
Immutable Fee Bounds
Key protocol parameters are bounded at the contract level:
| Parameter | Value | Can Admin Change? |
|---|---|---|
| Yield fee | 5% (500 bps) | No — immutable constant |
| Swap base fee | 10 bps | No — hardcoded |
| Swap max fee | 50 bps | No — hardcoded |
| Fee split (LP/protocol) | 80/20 | No — hardcoded |
| YT taker fee | 30 bps | No — hardcoded |