Skip to main content

Honest risk, named in full.

Every lending protocol carries residual risk. The useful question is not whether, it is which classes, how they are bounded, and what the lender is actually exposed to after the design has done its work. This page walks through each class of risk on SatsTerminal Lending, what the protocol does to bound it, and what residual exposure remains with the lender. Nothing here is a guarantee, it is a structured disclosure intended to support real diligence.

1. Oracle risk

What it is: Every market prices collateral through an oracle. If that oracle returns a stale, manipulated, or incorrect price, liquidations may fire late or not at all, and bad debt can accumulate in that market. How the protocol bounds it:
  • Per-market oracle selection. Each market specifies its own price source. There is no protocol-wide oracle dependency. A failure on one feed cannot propagate.
  • Conservative initial markets. The first markets at mainnet use battle-tested, redundant feeds. Aggressive oracles are out-of-scope for launch.
  • Isolated containment. An oracle failure damages only the lenders who supplied that market. The protocol absorbs no socialized loss.
Residual exposure: The lender supplying a given market accepts the oracle of that market. Lenders who do not supply that market are structurally insulated. The discipline of isolated markets is the central defense.

2. Liquidation risk

What it is: If liquidations are too slow, too expensive, or too restricted, undercollateralized positions accumulate bad debt that ultimately falls on lenders. How the protocol bounds it:
  • Permissionless liquidation. Anyone can liquidate any unhealthy position. There is no whitelist, no auction delay, no privileged actor.
  • Sub-second execution. Settlement supports the speed liquidations need to be economically rational under volatility.
  • Liquidation incentive. The discount paid to liquidators is sized to ensure bots will compete to close positions in time.
  • Simple liquidation path. The mechanic is mechanically simple, fewer edge cases, fewer ways for a liquidation to fail when it is most needed.
Residual exposure: In extreme market dislocations, liquidations may execute against thin liquidity at unfavorable prices. Conservative LTVs and conservative collateral selection at launch reduce, but do not eliminate, this tail.

3. Parameter risk

What it is: Every market is defined by its parameters: LTV, liquidation threshold, interest curve, oracle. Bad parameters can make a market dangerous to supply, even if the rest of the protocol is sound. How the protocol bounds it:
  • Parameters are immutable per market. A market deployed with a given parameter set keeps that set for its lifetime. Lenders are not exposed to retroactive changes.
  • Markets compete for capital. Lenders supply markets they trust. Markets with bad parameters do not attract capital and do not become systemic.
  • Curated initial markets. At mainnet, the initial market set is conservative and curated. Permissionless market creation activates only when the protocol has matured enough to support it.
Residual exposure: A lender supplying a market accepts that market’s parameters in full. There is no upgrade path that adjusts them. This is intentional, and it places the underwriting decision squarely with the lender.

4. Smart-contract risk

What it is: The protocol is software. Software can have bugs. A critical bug in the lending core could enable loss of funds. How the protocol bounds it:
  • Minimal surface. The lending core is small, small enough to be exhaustively reviewable. Fewer lines, fewer bugs, fewer hiding places.
  • Open source. Every line of the core is public. Source-verified bytecode on-chain. There is no hidden module.
  • No upgradeability on the core. The core does not change after deployment. The contract you reviewed is the contract that runs. Forever.
  • Audit path before mainnet. Independent audit is part of the pre-mainnet roadmap. Public bug bounty follows.
  • Battle-tested ancestry. The architectural pattern (isolated markets, no admin keys, minimal core) has been stress-tested on EVM chains for several cycles. We adopt the validated parts and refuse the rest.
Residual exposure: Smart-contract risk is never zero on a live protocol. The protocol’s response is to minimize what the contract has to do, and to expose what it does do to the most reviewable, most adversarial conditions we can stage before assets are at risk.

5. Risk classes we explicitly refuse

Several risks common to other on-chain lending venues do not exist in this protocol by construction. Naming them matters:

Admin-key risk

No team-controlled keys can move user funds, change parameters, or pause withdrawals. The risk is absent because the surface is absent.

Bridge / custody risk

The protocol does not custody assets in a bridge. There is no wrapped-BTC issuer in the path and no contract holding redemption rights to drain.

Governance risk

No DAO vote can change the rules under which your position was opened. Governance has no jurisdiction over user funds.

Shared-pool contagion

There is no aggregate liability pool. There is no surface for a loss in one market to reach another.

6. The hardening path before mainnet

1

Independent audit

Comprehensive third-party review of the lending core and integration surfaces before mainnet deposits.
2

Public bug bounty

Live before mainnet, with material rewards sized to make adversarial review worthwhile.
3

Conservative launch markets

Mainnet opens with a small, curated set of markets using the most conservative feasible parameters and oracles.
4

Coordinated disclosure

A documented disclosure policy and a clear channel for responsible reporting. Security correspondence is treated as first-class.
Risk is the product we are actually selling. Yield is the price someone pays to take on a defined risk. We have made the definition as clean as we know how.

Read the security model →

How “trust the math, not the team” translates into specific design choices.