Risk model

The risks Chamber reduces at the contract level, and the risks that remain with the depositor

A vault's total risk has several layers. Some are addressed by Chamber's architecture — audits, the Guard System, oracle design, fee caps. Others sit with the depositor regardless of how well Chamber is built. This page splits them.

For the plain-English depositor-facing version, see Deposit: risks.

Risk categories

1. Smart contract risk

What it is: A bug in the Chamber core vault contracts or their integration adapters causes loss of funds, incorrect accounting, or unintended asset movement.

What Chamber does:

  • Multiple external audits from firms including Sherlock, Santipu, iosiro, CertiK, and Trust Security. See Audits.

  • A live bug bounty through Immunefi with payouts up to $50,000.

  • The Guard System isolates each integration into an adapter — a bug in one integration doesn't give it arbitrary access to vault assets.

  • No custom code is shipped to mainnet without review.

Residual risk: Non-zero. No contract is provably bug-free. The audit trail and incident history (none since October 2020) are the best forward-looking signal, not a guarantee.

2. Integration / counterparty risk

What it is: A protocol Chamber vaults integrate with (Aave, GMX, Pendle, Uniswap, etc.) fails — exploit, governance attack, bad oracle, socialised loss.

What Chamber does:

  • Protocol allowlists are governance-controlled, not manager-controlled. A manager cannot add a new protocol to the allowlist on their own.

  • Each integration ships with an adapter that constrains which functions on the external protocol can be called.

  • Integrations are audited alongside core contracts.

Residual risk: Inherited directly. If Aave V3 has a governance exploit, a Chamber vault holding aTokens on Aave is affected.
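
The two controls above (a governance-only allowlist and per-function constraints on the external protocol) can be sketched as follows. This is an added example, not Chamber's contract code: `GuardedVault`, `setAllowed`, `execute` and the single `governance` and `manager` addresses are hypothetical names and assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical vault with a function-level allowlist (added example, not Chamber's code).
contract GuardedVault {
    address public immutable governance; // assumption: one governance address
    address public immutable manager;    // assumption: one manager address

    // external protocol contract => function selector => allowed
    mapping(address => mapping(bytes4 => bool)) public allowed;

    error NotGovernance();
    error NotManager();
    error CallNotAllowed(address target, bytes4 selector);
    error CallFailed(bytes returndata);

    event AllowlistUpdated(address indexed target, bytes4 indexed selector, bool status);

    constructor(address governance_, address manager_) {
        governance = governance_;
        manager = manager_;
    }

    /// Only governance edits the allowlist; the manager has no write path to it.
    function setAllowed(address target, bytes4 selector, bool status) external {
        if (msg.sender != governance) revert NotGovernance();
        allowed[target][selector] = status;
        emit AllowlistUpdated(target, selector, status);
    }

    /// Manager entry point: the call is forwarded only if (target, selector) is allowlisted.
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        if (msg.sender != manager) revert NotManager();
        // Calldata shorter than 4 bytes carries no selector and would reach a fallback function.
        if (data.length < 4) revert CallNotAllowed(target, bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (!allowed[target][selector]) revert CallNotAllowed(target, selector);

        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) revert CallFailed(ret);
        return ret;
    }
}
```

A selector check alone does not validate call arguments such as a recipient address; an adapter that constrains an integration would normally decode and check those as well.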

3. Oracle risk

What it is: The price feed a vault uses for NAV or collateral pricing reports a stale, manipulated, or incorrect value.

What Chamber does:

  • Uses established providers: Chainlink, Pyth, and for some assets TWAPs. See Oracles.

  • Staleness timeouts on every feed (25 hours default for Chainlink, per-aggregator values for Pyth and hybrids) — stale prices revert the transaction rather than pricing off bad data.

  • Per-asset feed selection is governance-controlled, not manager-controlled.

Residual risk: Short-window mispricing during oracle anomalies, depegs, or provider outages. Chamber can reject a stale feed but cannot manufacture a correct one.
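
A staleness check of the kind described above, written against Chainlink's standard `latestRoundData()` interface. This is an added example, not Chamber's oracle code: `StalenessCheckedOracle`, `setFeed`, `getPrice` and the single `governance` address are hypothetical; the 25-hour default is the figure quoted on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink's standard aggregator interface, declared inline so the file is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

/// Hypothetical price reader (added example, not Chamber's code).
contract StalenessCheckedOracle {
    uint256 public constant DEFAULT_TIMEOUT = 25 hours; // Chainlink default quoted on this page

    address public immutable governance; // assumption: one governance address
    mapping(address => AggregatorV3Interface) public feedOf; // asset => feed
    mapping(address => uint256) public timeoutOf;            // asset => max age in seconds

    error NotGovernance();
    error FeedNotSet(address asset);
    error InvalidPrice(address asset, int256 answer);
    error StalePrice(address asset, uint256 updatedAt, uint256 maxAge);

    constructor(address governance_) {
        governance = governance_;
    }

    /// Feed selection is restricted to governance; passing timeout 0 selects the default.
    function setFeed(address asset, AggregatorV3Interface feed, uint256 timeout) external {
        if (msg.sender != governance) revert NotGovernance();
        feedOf[asset] = feed;
        timeoutOf[asset] = timeout == 0 ? DEFAULT_TIMEOUT : timeout;
    }

    /// Returns the price and its decimals, or reverts. It never falls back to an older value.
    function getPrice(address asset) external view returns (uint256 price, uint8 priceDecimals) {
        AggregatorV3Interface feed = feedOf[asset];
        if (address(feed) == address(0)) revert FeedNotSet(asset);

        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(asset, answer);

        uint256 maxAge = timeoutOf[asset];
        // updatedAt == 0 means the round never completed; a future timestamp is rejected too.
        if (updatedAt == 0 || updatedAt > block.timestamp) revert StalePrice(asset, updatedAt, maxAge);
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(asset, updatedAt, maxAge);

        return (uint256(answer), feed.decimals());
    }
}
```

The check bounds the age of the answer, not its correctness: a fresh but wrong answer still passes.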

4. Manager risk

What it is: The manager makes bad trades inside the vault's rules — bad entries, over-concentration, poor timing — and depositors lose money.

What Chamber does:

  • The Guard System limits what a manager can trade (assets, protocols, actions).

  • Public performance, risk factor, and vault score make manager behaviour legible before depositing. See Leaderboard & ranking.

  • Fee caps and 14-day announcement delays prevent a manager from extracting via fee changes.

What Chamber doesn't do:

Chamber does not guarantee a manager trades well. Guards constrain the action space, not the quality of decisions inside it. A depositor picks the manager; Chamber makes that pick safer but not safe.

5. Market risk

What it is: The assets the vault trades move against the strategy. A long-ETH vault loses money when ETH drops. A leveraged vault loses multiples.

What Chamber does: Nothing — and it shouldn't. Market risk is the product the depositor is buying. Chamber's job is to make sure what you see is what you get, not to hedge the market for you.

Residual risk: Total. This is always the depositor's.

6. Liquidity risk

What it is: When you withdraw, the vault has to produce assets. If it holds illiquid positions, single-asset withdrawal incurs slippage; underlying-basket withdrawal hands you the illiquid positions directly.

What Chamber does:

  • Both withdrawal methods are available — pick the one that fits.

  • The basket method removes the vault's need to trade in stressed markets at all.

  • No withdrawal gating. The cost of stressed markets is passed through, not absorbed.

Residual risk: In extreme stress, withdrawals are painful but not blocked.

7. Governance risk

What it is: A DAO decision materially changes the protocol — fee split, Guard System parameters, supported assets — in a way that harms existing vaults or depositors.

What Chamber does:

  • Material parameter changes go through meta-proposals with vDHT-weighted voting and a public Snapshot record.

  • Certain depositor-hostile actions (retroactive fee changes, forced withdrawals) are not possible at the contract level.

Residual risk: The DAO exists and can make decisions. Track governance if you're a serious depositor or manager.

8. Regulatory risk

What it is: Your jurisdiction's rules change, affecting your ability to deposit, withdraw, or realise gains.

What Chamber does: Nothing. The protocol is decentralised. Regulatory exposure sits with the user.


Summary — who carries what

| Risk | Chamber reduces | Depositor carries |
|---|---|---|
| Smart contract | ●●●○ | |
| Integration / counterparty | ●● | ●● |
| Oracle | ●●● | |
| Manager (inside rules) | ●● | ●● |
| Market | | ●●●● |
| Liquidity | ●● | ●● |
| Governance | ●● | ●● |
| Regulatory | | ●●●● |

The framing is deliberate: Chamber is a safer wrapper around a risky activity, not a risk-free wrapper. Treat it that way when sizing a deposit.
