# Smart Contract Risk

The on-chain infrastructure of Ledgity is intentionally minimalist to reduce attack surface and complexity. Smart contracts are designed to be transparent, upgrade-controlled, and auditable, ensuring that the on-chain system remains stable even as TVL scales.

The architecture focuses on **custody safety, deterministic yield accounting, and predictable liquidity flow** rather than complex on-chain logic.

***

#### Contract Design Principles

* **No leverage** is used anywhere on-chain.
* **No rebase mechanics**: yield is reflected through **Price-Per-Share (PPS)**, preventing integration issues.
* **Vaults are segregated**: a failure in one vault cannot impact another.
* **No algorithmic yield generation**: contracts do not “seek” yield; they reflect yield produced off-chain.

This significantly reduces systemic risk and composability failures.

***

#### Upgrade & Permission Controls

Smart contracts are controlled by an upgrade process that prioritizes safety:

| Control Layer                    | Purpose                                                                       |
| -------------------------------- | ----------------------------------------------------------------------------- |
| **Multisig Ownership (Council)** | Execution of approved parameter or contract updates                           |
| **Timelock (if enabled)**        | Allows the community to review before changes take effect                     |
| **Global Pause Mechanism**       | Enables temporary freeze of deposits/withdrawals in case of abnormal behavior |

These controls exist to prevent unauthorized changes, mitigate cascading failure, and allow structured incident response.

***

#### Audits

All core vault and token contracts will undergo external security audits.\
Any material upgrade or new vault listing triggers a new review cycle.

Audit scope includes:

* Permission and role controls
* State transition integrity
* PPS accounting correctness
* Deposit / withdrawal flows
* Emergency controls

Audit reports will be publicly linked in this section once published.

***

#### Attack Surface Reduction

The protocol avoids common high-risk DeFi patterns:

| Risk Pattern Avoided               | Why                                           |
| ---------------------------------- | --------------------------------------------- |
| Rebase tokens                      | Breaks accounting across integrations         |
| Leveraged yield loops              | Can fail catastrophically in volatile markets |
| Auto-compounding vault recursion   | Hard to monitor, can destabilize liquidity    |
| Flash-loan-sensitive oracle design | Eliminated by off-chain pricing and PPS model |

Yield cannot be manipulated on-chain because it does **not** depend on AMM price, lending rates, or oracle variations.\
It depends only on **cash flows entering the system**, reflected in PPS.

***

#### Emergency Controls

If abnormal conditions are detected (contract attack, unexpected price behavior, off-chain disruption), the protocol can be temporarily paused:

* **Deposits and withdrawals freeze**
* Capital is *not moved automatically*
* Council initiates investigation and coordination
* Normal operations resume once confirmed safe

This mechanism is strictly defensive — **it does not allow reallocating or seizing user funds.**
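The design principles, the PPS accounting described under Attack Surface Reduction, and the emergency controls above can be seen together in one minimal vault sketch. This is an added illustration, not Ledgity's code; it assumes a single `council` address standing in for the multisig, a `reportYield` entry point through which off-chain cash flow is recorded, and it omits the actual ERC-20 asset transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only (not Ledgity's code). Asset token transfers are
// omitted; "council" stands in for the multisig described on this page.
contract PpsVaultSketch {
    address public immutable council;   // assumed: multisig address
    bool public paused;                 // global pause flag
    uint256 public totalAssets;         // cash accounted to this vault
    uint256 public totalShares;         // fixed supply: never rebases
    mapping(address => uint256) public shares;
    uint256 private constant ONE = 1e18;

    modifier onlyCouncil() { require(msg.sender == council, "not council"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address _council) { council = _council; }

    // PPS with 18 decimals; starts at 1.0 while the vault is empty.
    function pricePerShare() public view returns (uint256) {
        return totalShares == 0 ? ONE : (totalAssets * ONE) / totalShares;
    }

    // Shares are computed from the pool ratio directly to avoid double rounding.
    function deposit(uint256 assets) external whenNotPaused returns (uint256 minted) {
        minted = totalShares == 0 ? assets : (assets * totalShares) / totalAssets;
        require(minted > 0, "zero shares");
        totalAssets += assets;
        totalShares += minted;
        shares[msg.sender] += minted;
    }

    function withdraw(uint256 burn) external whenNotPaused returns (uint256 assets) {
        require(burn > 0 && shares[msg.sender] >= burn, "bad amount");
        assets = (burn * totalAssets) / totalShares;
        shares[msg.sender] -= burn;
        totalShares -= burn;
        totalAssets -= assets;
    }

    // Off-chain yield enters as a reported increase in accounted cash.
    // Share balances are untouched, so PPS rises instead of rebasing.
    function reportYield(uint256 delta) external onlyCouncil {
        totalAssets += delta;
    }

    // Defensive pause: freezes flows only. No function in this contract can
    // move or reassign user balances, matching the "no seizure" guarantee.
    function setPaused(bool p) external onlyCouncil { paused = p; }
}
```

After `reportYield(100e18)` on a vault holding 1000e18 assets and 1000e18 shares, `pricePerShare()` reads 1.1e18 while every `shares[...]` balance is unchanged, which is the property that keeps integrations from breaking.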
