Security

The Manual Loop Markets system is designed with layered security controls that protect both protocol integrity and user funds. It follows best practices for flash loan execution, credit delegation, and leveraged position management.

1. Architecture-Level Protections

  • Modular Isolation – The Looping Layer (flash loans + swaps) and Strategy Layer (user-owned leverage management contracts) are fully separated, reducing the blast radius of any contract-level issue.

  • User-Specific Contracts – Each user operates through their own strategy contract, ensuring position isolation and preventing cross-user fund exposure.

  • Factory Uniqueness – The system enforces one strategy per asset-pair/eMode per user, avoiding conflicts and unintentional position overlaps.

2. Looping Layer Safeguards

  • Reentrancy Protection – All public functions are nonReentrant via OpenZeppelin’s ReentrancyGuard.

  • Strict Flash Loan Validation – The flash loan callback verifies that calls originate only from the Aave Pool.

  • Safe Token Handling – All transfers use SafeERC20; approvals are tightly scoped to prevent lingering allowances.

  • Input Validation – All loop/unloop parameters, swap settings, and amounts are checked before execution to prevent malformed or harmful calls.

3. Strategy Layer Safeguards

  • Owner-Only Control – Only the strategy owner can open, close, or modify their position.

  • Credit Delegation Safety – Aave credit delegation is only set for the intended Looping Helper, with defined borrowing limits.

  • E-Mode Consistency Checks – The system ensures that yield and debt assets share the same eMode category before allowing leverage boosts.

4. Operational Risk Controls

  • Leftover Handling – Any residual tokens after operations are automatically supplied back to Aave or repaid toward debt, preventing idle funds from being stranded.

  • Swap Safety – All swaps pass through the universal DEX module with price execution checks and slippage protection.

  • Position Monitoring – Users are encouraged to monitor health factors and collateral ratios to avoid liquidation during market volatility.

5. Emergency & Recovery

  • Skim Function – Strategy contracts include an emergency skim method for recovering stuck tokens.

  • Isolated Exit Paths – Positions can be unlooped atomically in a single transaction, enabling rapid deleveraging in stressed markets.

  • Immutable Records – Strategy mappings and IDs prevent unauthorized redeployment or replacement of a user’s strategy.

6. External Security Measures

  • Audited Codebase – All core contracts and strategies undergo third-party security reviews before deployment.

  • Ongoing Monitoring – Continuous on-chain monitoring for abnormal operations, failed flash loan calls, and unexpected balance changes.

All core contracts and strategy logic have been fully audited by Sherlock to ensure robust security before deployment.

811KB
ManualLoopMarket_FinalReport_Sherlock.pdf
pdf
PreviousHow it worksNextDevelopers

Last updated