Security
Unaudited Software
This software has not been audited. Use at your own risk. Do not supply funds you cannot afford to lose.
Trust assumptions
What you trust
- The admin address: Can add/remove supported stablecoins, pause the contract, and transfer the admin role
- The smart contract code: Has not been formally verified or audited
- Underlying stablecoins: The protocol assumes USDC/USDT maintain their peg
What you don't need to trust
- Price feeds: No oracles—1:1 is hardcoded
- Liquidity providers: No LPs, no impermanent loss
- Governance: No governance token, no voting, no time-delayed changes (except admin transfer)
Security measures
In the contract
- ReentrancyGuard: All state-changing functions protected
- SafeERC20: Safe token transfer handling
- Pausable: Admin can pause in emergencies
- Two-step admin transfer: Prevents accidental admin loss
- Checks-effects-interactions: State changes before external calls
Queue protections
- Max 150 positions: Bounded gas costs
- Minimum order scaling: Prevents dust spam
- FIFO ordering: No manipulation of queue order
Known limitations
Supply can be depleted
If everyone wants the same stablecoin, supply depletes and users queue. This is by design—the protocol's tradeoff is time, not price.
No partial fill protection for swapExactInput
The aggregator function either fills the full amount or reverts. No slippage protection is needed because the rate is always 1:1, but supply can deplete between quote and execution; if it no longer covers the full amount, the call reverts.
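The quote-to-execution gap described above, as an added toy model in Python (not the protocol's contract code). `ToyPool`, `quote`, `InsufficientSupply` and the reserve figures are constructed for illustration; only the 1:1 rate and the fill-or-revert behaviour of `swapExactInput` come from this page, and token decimals are ignored.

```python
from decimal import Decimal


class InsufficientSupply(Exception):
    """Stands in for the on-chain revert (hypothetical name)."""


class ToyPool:
    def __init__(self, reserves):
        self.reserves = {t: Decimal(v) for t, v in reserves.items()}

    def quote(self, token_out, amount_in):
        # Assumed quote semantics: full amount at 1:1 if fillable right now, else 0.
        amount_in = Decimal(amount_in)
        return amount_in if self.reserves[token_out] >= amount_in else Decimal(0)

    def swap_exact_input(self, token_in, token_out, amount_in):
        amount_in = Decimal(amount_in)
        # Check: all-or-nothing, no partial fill.
        if self.reserves[token_out] < amount_in:
            raise InsufficientSupply(f"{token_out} supply below {amount_in}")
        # Effects: only reached when the whole amount can be paid out.
        self.reserves[token_in] += amount_in
        self.reserves[token_out] -= amount_in
        return amount_in


def run_race():
    """A quotes, B's swap lands first, A's execution then reverts."""
    pool = ToyPool({"USDC": 1000, "USDT": 500})   # constructed reserves
    quoted = pool.quote("USDT", 400)              # A: fillable at quote time
    pool.swap_exact_input("USDC", "USDT", 300)    # B executes before A
    before = dict(pool.reserves)
    try:
        pool.swap_exact_input("USDC", "USDT", 400)
        outcome = "filled"
    except InsufficientSupply:
        outcome = "reverted"
    unchanged = pool.reserves == before           # a revert leaves state untouched
    requote = pool.quote("USDT", 400)             # a fresh quote shows the depletion
    return quoted, outcome, unchanged, requote


if __name__ == "__main__":
    print(run_race())
```

An integrator should treat the quote as non-binding and handle the revert, since the failure mode here is availability rather than a worse price.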
Queue position value can change
If a user is in queue and the stablecoin depegs, the position is still denominated in that stablecoin. The protocol doesn't handle depeg scenarios.
Bug bounty
No formal bug bounty program exists yet. If you find a vulnerability, please report responsibly to the team.
Recommended practices
- Start small: Test with small amounts first
- Verify addresses: Always verify contract addresses from official sources
- Monitor positions: Watch queue positions for fills
- Understand the risks: This is experimental software