aare.finance

Risk disclosure

Understand the risks before you deposit.

DeFi lending involves real financial risk. This page describes the risks specific to aare. It is not exhaustive. Read the contract. Do not deposit funds you cannot afford to lose.

Smart contract risk

Contract bugs

High risk
All smart contracts may contain bugs. Even audited contracts have been exploited. A bug in the lending contract could result in the partial or total loss of deposited funds. Third-party audit: not yet commissioned. Two audits are planned before mainnet launch (spec §10.5); reports will be linked from /security when complete.

Upgrade and governance risk

Medium risk

The Market contract that holds your principal is immutable: no proxy, no delegatecall-on-upgrade, no selfdestruct. To "upgrade" a market, a new market is deployed and users opt in by migrating; the deployed bytecode does not change.

A small set of peripheral contracts — interest-rate model, price-oracle adapter, pause guardian — can be swapped (not mutated) by governance. Swaps go through a multisig + 48-hour timelock. Adding a new collateral asset requires a 7-day timelock. There is no EOA owner; the deployer transfers ownership to the timelock at deploy time.

A captured governance cannot extract user principal: the ERC-20 recovery path is firewalled by a code-level deny-list against any allowlisted borrowable or collateral asset (spec §5.3, §8.7). Residual upgrade risk: a swapped peripheral that contains a post-launch bug — mitigated by the 48 h timelock and public proposal hashes that give external observers a window to challenge.

Liquidation risk

Position liquidation

High risk
If your health factor falls below 1, your collateral may be partially or fully liquidated by any third party. Liquidation can happen rapidly during periods of high volatility. Monitor your position. A single liquidation call repays at most 50% of your debt; if your health factor falls further (below ~0.95), a single call may repay 100%.

Health factor formula (spec §3.4, §5.1)

healthFactor =

Σᵢ(collateralValueᵢ × liquidationThresholdᵢ)

totalDebtValue

Below 1.0 → liquidatable

Note: liquidationThreshold ≠ LTV. LTV bounds max borrow; LT triggers liquidation. Each collateral asset contributes its USD value times its own liquidation threshold.

Oracle risk

Price oracle failure

High risk

The protocol uses Chainlink price feeds (AggregatorV3Interface) as the sole price source for v0 (spec §4.1). Every read validates aggregator bounds (minAnswer/maxAnswer), per-asset staleness against a published threshold, and round completion (answeredInRound >= roundId).

Failure modes and mitigations:

  • Stale or zero price — read reverts. borrow, withdraw of borrow-power-supporting collateral, and liquidate are disabled for that asset. deposit and repay remain permitted, because both make the protocol healthier.
  • Feed deprecation — governance can swap the per-asset oracle adapter behind a 48 h timelock without touching the market.
  • Manipulated underlying market that publishes within bounds — residual risk; bounded by Chainlink's minAnswer/maxAnswer and the pause-guardian's per-(market, action) pause path.

There is no silent fallback to a stale price and no spot-AMM fallback. Per-asset oracle addresses will be published after deploy.

Market and liquidity risk

Asset price volatility

High risk
The value of your collateral may decline faster than you can add more or repay debt. There is no stop-loss mechanism. Positions can be liquidated at any time without notice.

Liquidity risk

Medium risk
In periods of market stress, available liquidity in a given asset may be reduced. Withdrawals may be limited if a pool is fully utilized.

This list is not exhaustive

Additional risks may exist that are not listed here. The regulatory status of DeFi protocols is uncertain in many jurisdictions. aare is not a licensed financial product. Nothing on this site is financial advice.

Questions? security@aare.finance