Risks and Trust Assumptions
There are two major roles we define the trust assumptions of
owner
inSTEXAMM
,stHYPEWithdrawalModule
, andSTEXRatioSwapFeeModule
Lending Protocol
pool
inAAVELendingModule
stHYPE Protocol, particularly the upgradable
Overseer.sol
and its dependencies
Owner
Owner role in STEXRatioSwapFeeModule
STEXRatioSwapFeeModule
Role:
Can change fee parameters without Timelock
Swap fees are bounded between
0-5_000
BIPs by the Sovereign Pool
Can set the STEX Sovereign Pool only once
Risks:
Owner can change parameters for
token0
->token1
swaps freely, with the constraint that fees applied are between0-5_000
BIPs
Owner role in stHYPEWithdrawalModule
stHYPEWithdrawalModule
Role:
Can update the lending module under 3-7 day timelock
Can send any amount of
token1
to the lending moduledeposit()
functionCan withdraw any amount of
token1
from the lending modulewithdraw()
function and send it to the pool.Can send the pool's entire
token0
balance to the stHYPE OverseerburnAndRedeemIfPossible
function, queuing for withdrawal with the Withdrawal Module being the recipient.
Risks:
Owner can steal
token1
reserves with a minimum 3-day timelock by upgrading the lending module to a malicious contract.The current implementation complies with the fact that no slashing is implemented for HyperEVM nor stHYPE Protocol's Overseer. Once slashing is enabled, the current implementation of stHYPEWithdrawalModule would need to be replaced with one that allows LPs to claim partial amounts of native token withdrawals due to slashing.
Owner role in STEXAMM
STEXAMM
Role:
Can propose a new Swap Fee Module under 3-7 day timelock
Swap fees are always bounded between
0-5_000
BIPs by the Sovereign Pool regardless of Swap Fee Module implementation
Can set Pool Manager Fees without timelock
Can propose a new Withdrawal Module under a 7-day timelock
Can pause swaps and deposits.
Risks:
Owner can add non-zero fees for
token1
->token0
swaps under a minimum 3-day timelock bounded between0-5_000
BIPsThis can harm the native integrations of external LST protocols that expect a no-fee rate for
token1
->token0
swaps
Can change Pool Manager Fee recipient without timelock
Manager Fee Share is only applied to Swap Fees accrued after the change is made
Manager Fee share can go as high as 100% of accrued Swap Fees
Manager Fee recipients cannot be changed
Can steal
token0
andtoken1
reserves with a minimum of a 7 days timelock by upgrading the Withdrawal Module to a malicious contract.
Lending Module in stHYPEWithdrawalModule
(AaveLendingModule)
stHYPEWithdrawalModule
(AaveLendingModule)The integrated lending protocol in Lending Module custodies a portion of token1
reserves determined by `owner`.
Risks:
If the integrated lending protocol becomes insolvent or contains faulty withdrawal logic, funds will be lost.
If the integrated lending protocol is working correctly but does not have enough liquidity to honor instant withdrawals, then LP withdrawals via STEX AMM `withdraw` would become temporarily blocked. In this scenario, the user is expected to withdraw at a later stage.
It is assumed that the lending protocol's
deposit
function does not allow for partially deposited amounts. If that is the case, the Lending Module would need to handle refunds of unused token amounts back into the pool.
stHYPE Protocol (Overseer
and stHYPE
contracts)
Overseer
and stHYPE
contracts)stHYPE AMM integrates with the stHYPE Overseer
contract for token0
withdrawals, and allows the external custody of up to 100% of the AMMs token0
reserves as Pending Withdrawals. Overseer is upgradable, and stHYPE AMM trusts the management of the stHYPE protocol to manage its stHYPE assets for delayed redemption at its true rate.
This codebase is currently intended to deployed on Hyperliquid's HyperEVM, where slashing is not active. This is why the stHYPEWithdrawalModule
contract always assumes that Overseer
will honor stHYPE withdrawal requests amount at 1:1 rate against Native Token.
Last updated
Was this helpful?