🔐Security
The methods we use to make sure that even Krystal’s devs cannot exploit the system and take users’ funds
Access Control
#limit_fee #pause #multi_sig
The smart contract V3 Automation is operated and guarded by 3 different roles: Admin, Withdrawer, and Operator.
What can the Admin role do?
Assign a wallet to be Operator or Withdrawer
Pause the smart contract to stop executing orders
Set the ceiling fee taken in one execution
→ This role is maintained by a multi-sig wallet which requires 5/6 signatures 🔰
What can the Withdrawer role do?
Withdraw the collected fee in the smart contract
→ Withdrawers cannot touch any of the LP positions
→ This role is maintained by a multi-sig wallet and a different set of approvals to reduce the risk.
→ It can be changed to other wallets by the Admin role
What can the Operator role do?
The only role that manages users’ positions on their behalf, such as depositing, withdrawing, and collecting fees from the pool.
→ Limited set of actions that they can perform, for rebalancing only. Things are wrapped in specific transactions (a.k.a. rebalance) to ensure this role cannot interact with the fund freely.
→ This role is run by multiple EoA wallets to serve multiple orders at once
→ It can be added/removed by the Admin role
Sign & Verify
#verification
The smart contracts only run the settings provided by the owner; even Krystal devs cannot change those settings.
Since the Operator manages user positions on their behalf, it can deposit, withdraw and collect liquidity assets, and swap. To make sure each execution follows the user’s intention, Krystal asks users to sign their order off-chain, and then verifies this signature once again on the smart contract.
Users will be asked to sign their order config following EIP-712: Typed structured data hashing and signing. This signature will be kept by Krystal.
Example
When the Operator calls the V3 Automation smart contract to perform the function execute, it will send the signature along with the order config. The smart contract will verify if the signer is the position-owner.
Canceling orders
#cancel
The smart contract settings make sure users have full access to and control over their positions and automation, even when the Krystal server is inaccessible.
Even though Krystal allows users to cancel orders off-chain, this system can malfunction, e.g. by failing to handle cancel requests. In that case, users can call the smart contract directly with the method cancelOrder, using the order config and signature, to cancel the order. When this happens, the Operator cannot execute the order anymore.
✅ In any case, the fund is safe on-chain even when our server is down or malfunctioning.
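The checks described under Sign & Verify and Canceling orders, as an added Solidity example that is not Krystal's contract code. The Order fields, the EIP-712 domain name, the storage layout and the rule that cancelOrder must be called by the order's signer are assumptions; only the method names execute and cancelOrder come from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not Krystal's contract. Order fields, domain name and
// storage layout are assumptions; only execute/cancelOrder are named on the page.
interface IPositionManager { function ownerOf(uint256 tokenId) external view returns (address); }

contract OrderVerifierExample {
    struct Order { uint256 tokenId; int24 tickLower; int24 tickUpper; uint256 nonce; }
    bytes32 constant ORDER_TYPEHASH =
        keccak256("Order(uint256 tokenId,int24 tickLower,int24 tickUpper,uint256 nonce)");
    bytes32 immutable DOMAIN_SEPARATOR;          // binds signatures to this chain and contract
    IPositionManager immutable npm;
    mapping(address => bool) public isOperator;  // Admin-managed in a real deployment
    mapping(bytes32 => bool) public cancelled;   // keyed by digest, not by signature bytes

    constructor(IPositionManager _npm, address operator) {
        npm = _npm;
        isOperator[operator] = true;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("OrderVerifierExample"), keccak256("1"), block.chainid, address(this)));
    }

    // EIP-712 digest: keccak256(0x1901 || domainSeparator || hashStruct(order))
    function digest(Order calldata o) public view returns (bytes32) {
        bytes32 h = keccak256(abi.encode(ORDER_TYPEHASH, o.tokenId, o.tickLower, o.tickUpper, o.nonce));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, h));
    }

    function _signer(bytes32 d, bytes calldata sig) internal pure returns (address a) {
        require(sig.length == 65, "bad signature length");
        a = ecrecover(d, uint8(sig[64]), bytes32(sig[0:32]), bytes32(sig[32:64]));
        require(a != address(0), "invalid signature");  // ecrecover returns 0 on failure
    }

    // Callable by the user directly, with no off-chain server involved.
    function cancelOrder(Order calldata o, bytes calldata sig) external {
        bytes32 d = digest(o);
        require(_signer(d, sig) == msg.sender, "caller did not sign this order");
        cancelled[d] = true;
    }

    function execute(Order calldata o, bytes calldata sig) external {
        require(isOperator[msg.sender], "not operator");
        bytes32 d = digest(o);
        require(!cancelled[d], "order cancelled");
        require(_signer(d, sig) == npm.ownerOf(o.tokenId), "signer is not position owner");
        // All checks passed: the rebalance for this order would run from here.
    }
}
```

Because the cancellation flag is stored against the order digest, changing any field of the order config after signing produces a different digest whose recovered signer no longer matches the position owner, so execute reverts.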
Revoke
#revoke
Users can call the NonfungiblePositionManager smart contract directly using the method setApprovalForAll(V3 Automation Address, false) to revoke the permission granted for V3 Automation, and then Krystal cannot execute their orders anymore.