What are the risks of using Stacking DAO?
Last updated
Last updated
Stacking DAO allows liquidity providers to generate STX yield. Yield is generated through taking risk. The aim of this section is to give an overview of risks associated with depositing STX in Stacking DAO.
When a user deposits STX, the STX is held in the StackingDAO reserve contract and locked in Stacks consensus from there. STX that's locked in Stacks consensus is no longer available for withdrawal.
Hence, STX that's locked in Stacks consensus cannot be accessed during a hypothetical exploit. This makes StackingDAO more secure than other smart contract based DeFi applications that have funds available for withdrawal at all times (i.e. AMMs or lending protocols).
STX is only held in the Stacking DAO reserve contract when:
STX is waiting to be stacked in the next cycle
STX is pending withdrawal for this cycle
STX rewards have been added to the contracts (after swapping rewarded BTC->STX)
All other STX is locked in Stacks Consensus and can't be withdrawn in the event of an exploit.
Security is of utmost importance for any protocol in DeFi and for Stacking DAO this is no different.
Stacking DAO has been audited multiple times (4 audits in total as of today). Two audits were completed by reputable auditing firms, and two audits by bounty-winning top-15 Immunefi white hat hackers. The audit reports can be found and . White hat audit reports are currently being written up. We're happy to share that no critical vulnerabilities were found.
Stacking DAO runs a bug bounty program with Immunefi to discover any potential bug with the help of white hat hackers, see .
No single person or entity ever takes custody of STX deposits at any point in time. STX deposits are deposited in a decentralised reserve contract () and those STX tokens can be delegated to stacking pools throughout the ecosystem (see ), after which they are stacked in .
Certain contracts such as the stacking pools are upgradeable, since they need to be able to support upgrades in Stacks consensus (Proof of Transfer upgrades). In order to do a stacking pool upgrade, the STX tokens end up back into the reserve-v1 contract from the Stacks consensus pox contract. Upgrade functions are controlled by a multisig. Once governance is introduced, this multisig will be controlled by decentralised Stacking DAO governance.
We're working together with to build threat detection and continuous monitoring of smart contracts on Stacks.
Stacking DAO locks STX in Proof-of-Transfer to generate stacking yield. Funds would be at risk from potential issues in Proof-of-Transfer, the consensus mechanism of the Stacks blockchain. Since the Stacks launch in January 2021, no such issues have occurred.
This risk only applies to the Stacking rewards (i.e. the APY of the protocol), not the locked STX.
BTC rewards from stacking STX are directed to a BTC address managed by Stacking DAO. Each cycle, the BTC is swapped to STX and deposited into the Stacking DAO reserve contract. To swap BTC rewards into STX, Stacking DAO relies on external swap services that could have issues outside of Stacking DAOs control. Stacking DAO will automate the BTC --> STX swap once sBTC launches on Stacks as part of the Stacks Nakamoto upgrade.
For completeness, funds are at risk if the Stacks blockchain were to get exploited.