Whitepaper
9. Security & Risk Management
9. Security & Risk Management
This chapter explains, in clear language, how UST Protocol / USTD protects user funds, the peg, and day-to-day operations.
Our approach combines 1:1 collateral, automation instead of discretion, multiple independent data sources, audited code, clear limits, and simple playbooks for unusual events. Where helpful, we quote short lines from earlier chapters so you can see the foundation in the core design.
9.0. TL;DR
USTD is engineered to be conservative, observable, and easy to reason about. Collateral is always visible; redemptions are always available; and safety systems favor “pause and verify” over “guess and hope.” The protocol is built to do a few important things reliably, and to do them in a way ordinary users can verify on-chain.
Key anchors from the whitepaper:
1:1 collateral and transparent reserves:
• “Every USTD token is fully backed by a corresponding unit of USDC/USDT. Reserves are tracked and governed on Terra Classic L1 (transparent on-chain accounting), while the underlying USDC/USDT is deployed into whitelisted stablecoin-to-stablecoin liquidity pools on decentralized exchanges to earn fees.” (Ch. 4.4)
Always-open redemptions:
• “USTD tokens can be redeemed at any time by converting them back into their underlying collateral (USDC/USDT) through a fully transparent on-chain process.” (Ch. 5.1)
No discretionary levers:
• Yield and operations are hard-coded and automatic; there are no “manual switches” for favored parties. (Ch. 4.3)
Defense-in-depth:
• “Oracle Adapter Module… with sanity checks and quorum rules, automatically pausing sensitive actions if data disagrees or goes stale.” (Ch. 4.2)
• “Safety & Controls Module: Uses circuit breakers to halt minting/redemptions on extreme moves or bad data, applies rate limiters to cap per-block/epoch changes, and supports governance-controlled pause/unpause for incident response.” (Ch. 4.2)
Independent assurance:
• “Smart contracts are rigorously audited… Bug Bounty Programs… Formal Verification….” (Ch. 4.5)
Integrated L1 governance:
• “USTD is fully integrated into Terra Classic’s on-chain governance… All decisions, upgrades, and risk management measures… are managed by Terra Classic Governance.” (Ch. 8)
Bridges are treated as a top risk:
• “The biggest risk factor comes from utilizing cross-chain bridges… We can minimize this risk by utilizing native cross-chain swap providers such as Mayan or Thorchain.” (Ch. 9.2)
9.1. What We Protect & Why It Matters
User funds and 1:1 backing:
• The most important promise is that circulating USTD equals collateral on chain. The system is designed so anyone can check this relationship, not merely take it on faith. As stated in the design, “Every USTD token is fully backed by a corresponding unit of USDC/USDT held in a transparent reserve on Terra Classic L1.” (Ch. 4.4)
The $1 peg:
• UST Protocol aims to track one U.S. dollar through simple mechanics: 1:1 reserves and open redemptions. The peg does not rely on complex incentives or market timing. It relies on the ability to redeem at any time: “USTD tokens can be redeemed at any time… through a fully transparent on-chain process.” (Ch. 5.1)
Uptime of core functions:
• Mint, redeem, and transfer should operate normally most of the time. When something looks unusual, the system prefers safety: pause, verify, and then resume.
Transparency:
• Important numbers—supply, reserves, redemption activity, oracle health, and key limits—are intended to be observable on chain or through public dashboards.
9.2. Risk Appetite & Principles
Our posture is simple:
• Zero tolerance for unauthorized mint/burn, reserve shortfalls, hidden backdoors, or one-source oracles deciding system behavior.
• Low tolerance for bridge exposure, DEX or venue concentration, governance capture, or long-lasting peg deviations.
• Moderate tolerance for short, clearly communicated safety pauses, variations in yield, and routine maintenance.
• Automation over discretion. The architecture favors predictable code paths. As described in the design, yield mechanics are “hard-coded” and not steered by manual overrides (Ch. 4.3).
These principles are conservative by design. They make the protocol slower to react to edge cases, but more predictable and safer for ordinary users.
9.3. Who Does What
• Smart contracts run the core logic on Terra Classic: minting, burning, redemption, yield routing, buyback/burn, oracle checks, and safety switches.
• Terra Classic governance sets and approves parameter changes, upgrades, and emergency actions. “UST Protocol / USTD is fully integrated into Terra Classic’s on-chain governance….” (Ch. 8)
• Contributors and auditors build, test, review, and monitor before and after launch. Their role is to harden the system, not to hold discretionary power over user funds.
9.4. Smart Contract Security
Rigorous Audits:
• UST Protocol’s smart contracts undergo multiple rounds of audits by industry-leading security firms. Audit reports and remedial actions are made publicly available to ensure full transparency.
Bug Bounty Program:
• An incentivized bug bounty program encourages independent security researchers to identify vulnerabilities in the protocol, with rewards provided for verified findings.
Formal Verification:
• Critical modules—particularly those managing yield harvesting and the buyback/burn operations—are subject to formal verification, ensuring their mathematical correctness and robustness.
Fallback Mechanisms:
• Emergency protocols such as circuit breakers are embedded to protect user funds during periods of extreme market volatility or technical anomalies. In such events, Terra Classic Governance may trigger additional measures if needed.
Upgrade safety:
• The “Governance & Upgradability Module” “sends parameter changes… through on-chain governance” and “performs upgrades via audited migration paths with community approval.” (Ch. 4.2) Upgrades are planned, announced, and rolled out carefully; if something behaves unexpectedly, we roll back.
Testing culture:
• High coverage unit tests, fuzzing, property/invariant checks (for example, supply must equal reserves), and scenario tests where oracles flap, gas spikes, or exchanges have issues.
What this means for you:
• Multiple lines of defense reduce the chance of a critical fault and give the protocol space to stop and verify if anything looks suspicious.
9.5. Oracles & Data Integrity
Oracle mistakes can be dangerous, so the protocol assumes data can disagree or go stale. The architecture makes that a safe event.
Quorum and sanity checks:
• “Oracle Adapter Module: Aggregates decentralized price and risk feeds—relayed by L2 containers on Akash—with sanity checks and quorum rules, automatically pausing sensitive actions if data disagrees or goes stale.” (Ch. 4.2)
Fail-safe over fail-open:
• If feeds disagree, the system pauses sensitive parts on its own. It resumes only after the data is fresh and in agreement again.
Independent watchers:
• Additional monitors verify freshness and quorum, providing early alerts and clear public signals.
9.6. Reserves, Collateral & Treasury Protections
1:1 backing:
• “Every USTD token is fully backed by a corresponding unit of USDC/USDT. Reserves are tracked and governed on Terra Classic L1 (transparent on-chain accounting), while the underlying USDC/USDT is deployed into whitelisted stablecoin-to-stablecoin liquidity pools on decentralized exchanges to earn fees.” (Ch. 4.4)
Diversification and caps:
• Exposure per issuer, per venue, and per bridge is capped. This limits blast radius if any single component misbehaves.
Proof and visibility:
• Reserves, supply, and flows are designed to be observable on chain or via public dashboards, so the community can self-verify.
Future safety (optional):
• The design leaves room to grow a small, decentralized risk-buffer over time using a portion of system yields, without changing the 1:1 promise. (Ch. 4.4, “Overcollateralization & Diversification (Future Consideration)”)
9.7. Redemptions & Peg Defense
Redemptions are the core peg mechanism. They remain open, with clear queues and buffers to make behavior predictable in quiet and busy periods alike.
Always-open redemptions:
• “USTD tokens can be redeemed at any time… through a fully transparent on-chain process.” (Ch. 5.1)
Operating buffers:
• The system keeps a portion of collateral immediately available to fulfill everyday redemptions without touching LP positions.
Fair queues:
• Under heavy demand, redemptions follow a first-come, transparent queue so users know where they stand.
Safe unwinds:
• When LP positions must be reduced to meet redemptions, exits are staged (for example, using time-weighted averages) to reduce price impact.
Buyback execution hygiene:
• Buybacks are executed with MEV-aware tactics (randomized timing, split orders, or batch/auction style) to avoid front-running and unnecessary costs.
9.8. Risk Management Strategies
Liquidity & Market Risk:
• The protocol allocates collateral only to low-risk, high-liquidity stablecoin-to-stablecoin pools. Continuous monitoring and automated yield adjustments help mitigate risks associated with market fluctuations.
Decentralization Risk:
• With USTD & UST Protocol fully integrated into Terra Classic L1 and governed by its decentralized community, risks associated with centralization are minimized. Multiple fallback mechanisms—such as overcollateralization and emergency governance protocols—further enhance resilience.
Emergency Protocols:
• Should unforeseen circumstances arise, pre-defined emergency mechanisms (e.g., temporary suspension of yield harvesting or a controlled redemption window) are activated via Terra Classic Governance, ensuring user funds remain secure.
Bridges:
• The biggest risk factor comes from utilizing cross-chain bridges, as these are a potential vector for hacks and exploits. We can minimize this risk by utilizing native cross-chain swap providers such as Mayan or Thorchain.
Gas/Tx Fees:
• During times of high traffic/network congestion, gas/transaction fees can get expensive and potentially eat into the yields. We can mitigate this by monitoring gas fees and hold moving funds until they have subsided to reasonable levels again.
Oracles:
• Oracles are used to monitor price feeds across markets. While generally safe, they can become an attack vector for hackers, where they exploit an Oracle so that it gives out inaccurate price data. We can minimise this risk by using multiple Oracles from different providers.
9.9. Cross-Chain & Bridge Exposure
The protocol treats bridges with extra caution because they have been a major source of losses across the industry.
Acknowledged risk:
• “The biggest risk factor comes from utilizing cross-chain bridges… We can minimize this risk by utilizing native cross-chain swap providers such as Mayan or Thorchain.” (Ch. 9.2)
Prefer native where possible:
• Use native or IBC pathways (for example, CCTP for USDC where available) before considering wrapped assets.
Hard caps per bridge:
• Exposure to any bridge is capped and published. If a bridge misbehaves or diverges from its underlying, affected paths are disabled quickly.
Migration plan:
• When signals turn negative, liquidity is moved away in stages, and the community gets a clear timetable and explanation.
9.10. Venue / DEX Counterparty Risk
Where liquidity sits matters. The protocol only allocates to DEXes and venues that pass basic safety and governance checks.
Allowlist and scoring:
• Venues are scored on code quality, audits and bounty history, governance process, TVL profile, and incident track record.
Per-venue limits:
• No single DEX carries a dominant share of exposure. If a DEX is compromised, limits keep the problem small.
Fast exit playbooks:
• If a venue looks risky (for example, unannounced upgrades or paused withdrawals), the protocol de-allocates quickly and explains why.
9.11. Operational Security & Infrastructure
The off-chain parts are decentralized and replaceable by design, so users are not forced to trust a single web server or company.
Decentralized operations layer:
• “Operational components (UI hosting, RPC, indexing, price relays, and optional liquidity bots) run on decentralized third-party infrastructure—primarily Akash Network, Jackal Protocol, and GetBlock.” (Ch. 4.1)
Signed builds and content hashes:
• Front-end artifacts are signed and content-addressed so anyone can verify they are using the intended interface.
RPC diversity:
• Multiple RPC providers and regions reduce correlated outages and censorship risks.
Clear status and safe read-only mode:
• If a front-end cannot operate normally, it should fall back to read-only views and direct contract links, with a visible status notice.
9.12. Keys & Access (Ops-only)
There are no keys with “god-mode” powers over collateral, minting, burning, or yield. The protocol prefers automation and governance over human overrides.
Operational multisigs only:
• Any multisigs are limited to routine off-chain operations such as paying for decentralized hosting or domains, and do not control protocol funds.
Least privilege and rotation:
• Keys are hardware-protected, permissions are narrowly scoped, and spending limits are low. Rotation procedures are documented and practiced.
9.13. Monitoring, Alerts & Public Dashboards
Users should be able to see the same signals the protocol watches:
• Reserves and supply. Collateral and circulating USTD, with simple visualizations of where funds sit.
• Peg health. A view of the $1 peg across major venues.
• Redemptions and buffers. Queue length, typical processing time, and current “cash on hand.”
• Oracle health. Quorum status and data freshness.
• Exposure limits. Live use vs. caps for issuers, venues, and bridges.
Key Risk Indicators (simple thresholds):
• Peg deviation. If price drifts by ~0.30% for 30 minutes, we review execution and posture; if it drifts by ~1.00% for 30 minutes, non-essential operations pause and redemptions take priority.
• Oracle age or disagreement. If oracle data is stale or not in quorum, sensitive functions pause automatically (Ch. 4.2).
• Bridge divergence. If a wrapped asset diverges materially from its underlying, the affected path is disabled and liquidity is unwound.
• Buffer level. If the redemption buffer is low, new mints may slow and LP positions unwind in stages to restore headroom.
These thresholds are published and adjusted through governance as the system matures.
9.14. Incident Response — Clear Playbooks
Each playbook fits on a single page and follows the same rhythm: trigger → immediate actions → user impact → communication → restart.
A) Oracle or data issue
• Trigger: Feeds disagree or become stale.
• Actions: Sensitive functions pause automatically; unhealthy sources are replaced; activity resumes once data is fresh and in quorum. (Ch. 4.2)
B) Bridge or wrapped-asset issue
• Trigger: A wrapped asset diverges from its underlying or a bridge reports an incident.
• Actions: Cap or disable the affected path; unwind safely; route redemptions via unaffected legs; publish a migration plan and timeline.
C) Venue/DEX exploit
• Trigger: A venue is hacked or shows unsafe behavior.
• Actions: De-allocate promptly; notify users; re-allocate to safer venues; publish a short post-mortem with changes to caps or allowlists.
D) Redemption bank-run
• Trigger: Queue grows rapidly or buffers drop.
• Actions: Pause buybacks to prioritize redemptions; draw on buffers; unwind LPs via TWAP; post live queue metrics and estimated clearance times.
E) Smart-contract bug reported
• Trigger: A credible report through the bounty or an audit finding.
• Actions: Pause the affected module; fix is tested and deployed via the governed upgrade path described in the “Governance & Upgradability Module”; publish the diff, the timeline, and the lessons learned. (Ch. 4.2, Ch. 4.5)
9.15. Testing & Assurance (Before & After Launch)
Pre-launch gates:
• High-coverage unit and integration tests, fuzzing, invariant checks (for example, “supply equals reserves”), multiple independent audits, live bug bounty, and a staged mainnet rollout with strict caps. (Ch. 4.5)
Ongoing checks:
• Continuous fuzzing, scenario tests (oracle delays, gas spikes, DEX downtime), and scheduled parameter reviews with public notes.
9.16. Compliance Touchpoints (pointer to Chapter 10)
Security and risk controls work alongside responsible market behavior. The front-end presents jurisdiction notices and self-attestation for users (“first-connection gate… user self-attests they’re allowed to use USTD”), EU retail marketing waits until a suitable reporting arrangement exists, and the U.S. posture is framed as a non-payment stablecoin. Details and legal analysis live in Chapter 10.
9.17. Residual Risks & Published Limits
Even careful systems carry residual risk.
Bridge tail risk:
• Bridges remain a notable source of industry losses; USTD limits exposure and prefers native pathways but cannot reduce this to zero. (Ch. 9.2)
Venue or DEX failures:
• Allowlists, audits, and limits reduce impact but cannot fully remove venue risk.
Issuer or custodian policy changes:
• Diversification and migration plans help, but abrupt actions by third parties may still create temporary friction.
Extreme market stress:
• In severe conditions, queues and protective pauses are used to preserve solvency and fairness.
Publishing limits, buffers, and caps helps users understand this residual risk and make decisions with open eyes.
9.18. Closing Note
The combination of 1:1 reserves and always-open redemptions, no discretionary levers, multi-source oracles with automatic pause, audits + bounty + formal verification, governed change control, and published limits aims to make USTD understandable, verifiable, and dependable for everyday users.