The Guardrails

We just watched the Keeper keep the system's pulse steady - fresh prices, fresh risk marks. Now let's walk the perimeter and look at the fences: the guardrails that keep everyone's money protected even when something goes wrong.

The honest way to understand a system like Own isn't to admire what happens when everything behaves. It's to ask, for each thing that could break, "what stops that from becoming a disaster?" So that's how we'll tour the guardrails - each one framed as a worry, then the answer Own builds in. None of these are new machinery; you've met all the pieces. This chapter just lines them up so you can see the whole fence at once.

"What if more tokens get minted than the collateral can back?"

This is the foundational one. Every eToken in existence is a claim on real collateral sitting in the vaults. If the protocol let people mint without limit, those claims could outrun the backing.

Two guardrails sit on every mint, and both are checked before a single token is created.

The first is the utilization cap. Add up the dollar value of all outstanding eToken exposure, divide by the total dollar value of collateral in the vaults, and you get utilization. Own caps it at 80%. So the pooled collateral is always worth meaningfully more than everything it backs - there's a built-in cushion. A mint that would push utilization past the cap simply reverts.

The second is the asset cap - a per-asset ceiling. eTSLA can only grow to a configured dollar amount of exposure, eGOLD to its own, and so on. This stops the whole system's risk from piling into one stock. Notably, an asset with no cap set is blocked entirely - the safe default is "can't mint," not "mint freely."

Crucially, these checks only ever apply to risk-increasing actions. Redeeming, closing exposure, releasing collateral - the risk-reducing paths - are never blocked by a cap. You can always shrink the system; you just can't recklessly grow it.

"What if I'm an LP and I can't get my money out?"

That same 80% utilization cap protects the people supplying the collateral. Because the vaults always hold more value than they back, there's headroom for Liquidity Providers to exit.

When an LP requests a withdrawal, the vault checks whether paying them out would push utilization past the cap. If it wouldn't, the exit proceeds (after the short delay every LP withdrawal goes through). If it would, the exit waits until trades close or other collateral arrives. LPs aren't trapped - the cushion exists precisely so they can leave - but the system won't let an exit tip it into being under-backed for the traders who are still in.
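A constructed model of the two mint caps and the LP-withdrawal gate described above, written in Python as an added example (it is not Own's contract code). The 80% utilization cap is the figure from the text; the vault balance, the asset caps, the asset names and the `Reverted` exception standing in for a contract revert are all assumptions made for illustration. It shows the safe default for an uncapped asset, the boundary at exactly 80%, and that a redeem is never gated while an LP exit is.

```python
"""Constructed model of Own's two mint caps and the LP-withdrawal gate.
Added example, not Own protocol code. The 80% utilization cap comes from
the text; the vault balances, asset caps and asset names are assumptions."""
from dataclasses import dataclass, field

UTILIZATION_CAP = 0.80  # from the text: exposure / collateral may not exceed 80%


class Reverted(Exception):
    """Stands in for a contract revert: the action simply does not happen."""


@dataclass
class Vaults:
    collateral_usd: float                                # pooled collateral value ($)
    exposure_usd: dict = field(default_factory=dict)     # asset -> outstanding eToken exposure ($)
    asset_caps_usd: dict = field(default_factory=dict)   # asset -> configured ceiling ($); absent = no cap set

    def total_exposure(self) -> float:
        return sum(self.exposure_usd.values())

    def mint(self, asset: str, usd: float) -> float:
        """Risk-increasing path: both guardrails run before any token is created.
        Returns the utilization after the mint."""
        # Asset cap, safe default first: no configured cap means no minting at all.
        cap = self.asset_caps_usd.get(asset)
        if cap is None:
            raise Reverted(f"{asset}: no asset cap configured")
        new_asset_exposure = self.exposure_usd.get(asset, 0.0) + usd
        if new_asset_exposure > cap:
            raise Reverted(f"{asset}: asset cap of ${cap:,.0f} exceeded")
        # Utilization cap: the mint may not push pooled utilization past 80%.
        new_util = (self.total_exposure() + usd) / self.collateral_usd
        if new_util > UTILIZATION_CAP:
            raise Reverted(f"utilization {new_util:.4%} would exceed the cap")
        self.exposure_usd[asset] = new_asset_exposure
        return new_util

    def redeem(self, asset: str, usd: float) -> float:
        """Risk-reducing path: never gated by either cap."""
        self.exposure_usd[asset] = max(0.0, self.exposure_usd.get(asset, 0.0) - usd)
        return self.total_exposure() / self.collateral_usd

    def lp_withdraw(self, usd: float) -> bool:
        """LP exit proceeds only if the remaining collateral still keeps utilization <= 80%;
        otherwise it waits (returns False) until trades close or more collateral arrives."""
        remaining = self.collateral_usd - usd
        if remaining < 0 or self.total_exposure() > UTILIZATION_CAP * remaining:
            return False
        self.collateral_usd = remaining
        return True


def _attempt(action) -> str:
    try:
        action()
        return "minted"
    except Reverted:
        return "reverted"


def demo() -> dict:
    """Walk the cap checks on constructed numbers: $1M of collateral, two capped assets."""
    v = Vaults(collateral_usd=1_000_000,
               asset_caps_usd={"eTSLA": 500_000, "eGOLD": 300_000})
    v.mint("eTSLA", 400_000)   # utilization 40%
    v.mint("eGOLD", 300_000)   # utilization 70%; eGOLD now sits exactly at its cap
    out = {
        "past_util_cap":  _attempt(lambda: v.mint("eTSLA", 100_001)),  # would be 80.0001%
        "past_asset_cap": _attempt(lambda: v.mint("eGOLD", 1)),        # eGOLD cap is full
        "no_cap_set":     _attempt(lambda: v.mint("eAAPL", 1)),        # no cap configured
        "exactly_at_cap": v.mint("eTSLA", 100_000),                    # 80.0000% is allowed
    }
    out["withdraw_at_cap"] = v.lp_withdraw(1)              # any exit would tip past 80%: waits
    v.redeem("eTSLA", 200_000)                             # risk-reducing: always allowed
    out["withdraw_after_redeem"] = v.lp_withdraw(250_000)  # 600k / 750k = 80%: allowed
    return out
```

The ordering in `mint` matters for the safe default: the asset-cap lookup runs before any arithmetic, so an asset nobody configured is rejected even when utilization has plenty of headroom.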

"What if a trade settles on a stale or missing price?"

A price that's hours old is worse than no price - it lets someone trade against a number the market has already left behind. This is exactly the disaster the Keeper exists to prevent, and the contracts enforce it as a hard rule.

Every mint requires a usable mark - the protocol's working price for that asset. If there's no mark at all, the mint reverts on the spot. We call this the staleness guard. And the Keeper's job, as we saw, is to keep that mark refreshed within its freshness window (15 minutes), so the mark a mint reads is never an hour-old number. If the price ever can't be kept current, the trade simply doesn't happen until it is. And on the rare force-execute recourse path, the rule is even stricter: the collateral price proven in that transaction must be current to the minute.

"What if a signing key leaks and someone signs a fake price?"

Here's a subtle, serious one. Quotes and prices are both signed. What if one of those signing keys is stolen? Could an attacker sign a wildly wrong price and drain a vault?

Prices carrying the Oracle's signature are guarded by a deviation guard. When a freshly signed price arrives, it's compared to the last accepted one - and if it has jumped more than a set distance, it's refused. On top of that, an older price can never overwrite a newer one (timestamps only move forward). So a leaked Oracle key can't suddenly mark Tesla at one dollar or ten thousand: each step is fenced to a small move from the last good price.
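One constructed mark store, in Python, serving both the staleness guard described under "What if a trade settles on a stale or missing price?" and the deviation guard just described. It is an added example, not Own's oracle or contract code. The 15-minute freshness window and the current-to-the-minute force-path rule are from the text; the 2% maximum step, the sample prices and timestamps, and the assumption that the caller has already verified the signature are all mine.

```python
"""Constructed model of Own's oracle mark guardrails: staleness guard on reads,
deviation guard plus forward-only timestamps on writes. Added example, not
protocol code. Window lengths are from the text; MAX_STEP and all prices
and timestamps are assumptions."""

FRESHNESS_WINDOW_S = 15 * 60   # from the text: a mark older than this is unusable for a mint
FORCE_PATH_WINDOW_S = 60       # from the text: force-execute collateral price must be current to the minute
MAX_STEP = 0.02                # assumed deviation guard: at most a 2% move from the last accepted price


class Reverted(Exception):
    """Stands in for a contract revert."""


class MarkStore:
    def __init__(self):
        self._marks = {}   # asset -> (price, timestamp); the first accepted price seeds the series

    def accept_price(self, asset: str, price: float, ts: int) -> float:
        """Signed-price intake. Signature verification is assumed to have happened already;
        this is the part that limits what a leaked key can do."""
        last = self._marks.get(asset)
        if last is not None:
            last_price, last_ts = last
            if ts <= last_ts:
                raise Reverted("timestamps only move forward")
            step = abs(price - last_price) / last_price
            if step > MAX_STEP:
                raise Reverted(f"deviation {step:.1%} exceeds {MAX_STEP:.0%}")
        self._marks[asset] = (price, ts)
        return price

    def usable_mark(self, asset: str, now: int, max_age: int = FRESHNESS_WINDOW_S) -> float:
        """Staleness guard: a missing mark, or one older than max_age, reverts the caller."""
        mark = self._marks.get(asset)
        if mark is None:
            raise Reverted("no mark")
        price, ts = mark
        if now - ts > max_age:
            raise Reverted(f"mark is {now - ts}s old, limit {max_age}s")
        return price


def _attempt(action) -> str:
    try:
        action()
        return "accepted"
    except Reverted:
        return "refused"


def demo() -> dict:
    store = MarkStore()
    store.accept_price("TSLA", 250.0, ts=1000)
    out = {"small_step": store.accept_price("TSLA", 254.0, ts=1060)}   # +1.6%: within MAX_STEP
    # What a leaked Oracle key can try, and what the guards do with it:
    out["crash_to_1"]  = _attempt(lambda: store.accept_price("TSLA", 1.0, ts=1120))
    out["pump_to_10k"] = _attempt(lambda: store.accept_price("TSLA", 10_000.0, ts=1120))
    out["backdated"]   = _attempt(lambda: store.accept_price("TSLA", 253.0, ts=1030))
    # Staleness guard on the read side, measured from the last accepted mark at ts=1060:
    out["mint_at_15min"]   = store.usable_mark("TSLA", now=1060 + 900)              # exactly in window
    out["mint_past_15min"] = _attempt(lambda: store.usable_mark("TSLA", now=1060 + 901))
    out["no_mark"]         = _attempt(lambda: store.usable_mark("GOLD", now=1060))
    out["force_path_61s"]  = _attempt(lambda: store.usable_mark("TSLA", now=1060 + 61,
                                                                max_age=FORCE_PATH_WINDOW_S))
    return out
```

Both guards are cheap, stateful comparisons; the point is that the stored `(price, timestamp)` pair is the only state an attacker with the key can try to move, and every move is fenced against it.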

The Market Maker's quote-signing key is a different worry - that key signs the firm price you trade against. Its damage is bounded not by a single price check but by the caps we already met: the per-asset cap limits how much of any one asset can ever be minted, and the 80% utilization cushion limits the system as a whole. Even a stolen quote key can't mint past those ceilings, and the single-use, short-lived nature of each quote means a leaked signature can't be replayed.

It's defense in depth - no single key holds the whole system's safety in its hands.

"What if the dealer takes on risk it can't hedge?"

The Market Maker quotes prices and then hedges each fill on an outside venue to stay neutral. But what if the hedge venue goes down, or the underlying market closes, or its own funds run low? Quoting into that situation means taking on exposure it can't offset.

So the Market Maker has a circuit breaker. When conditions turn unsafe - venue unreachable, market closed, prices failing a sanity cross-check, its own balance too thin, or an operator simply pulling the cord - the breaker stops it from issuing new quotes.

The important detail is what the breaker does not touch:

   CIRCUIT BREAKER

   FRONT DOOR  ──halts──►  new quotes (taking on more risk)
                              [BLOCKED when unsafe]

   BACK DOOR   ──never──►  hedging, settling open orders,
                            flattening existing exposure
                              [ALWAYS OPEN]

It halts the front door (new intake), never the back door (winding down). In-flight hedges still complete; positions already on the books still settle. The breaker only stops the dealer from digging the hole deeper.
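A constructed Python model of the breaker's front-door/back-door split, added here as an example rather than taken from Own's Market Maker. The trip conditions are the five the text lists; the cross-check tolerance (1%), the minimum balance ($10k), the order shapes and the prices are assumptions.

```python
"""Constructed model of the Market Maker's circuit breaker. Added example, not
Own's dealer code. Trip conditions are the ones the text lists; thresholds,
order shapes and prices are assumptions."""
from dataclasses import dataclass, field

MAX_CROSS_CHECK_DEVIATION = 0.01   # assumed: internal vs reference price may differ by at most 1%
MIN_BALANCE_USD = 10_000.0         # assumed: below this the dealer's own funds are "too thin"


@dataclass
class Conditions:
    venue_reachable: bool = True
    market_open: bool = True
    internal_price: float = 250.0     # the dealer's own price for the asset
    reference_price: float = 250.0    # independent price used for the sanity cross-check
    balance_usd: float = 100_000.0
    operator_halt: bool = False


def breaker_reasons(c: Conditions) -> list:
    """Every reason the breaker is currently tripped; an empty list means safe to quote."""
    reasons = []
    if not c.venue_reachable:
        reasons.append("hedge venue unreachable")
    if not c.market_open:
        reasons.append("underlying market closed")
    if abs(c.internal_price - c.reference_price) / c.reference_price > MAX_CROSS_CHECK_DEVIATION:
        reasons.append("price fails sanity cross-check")
    if c.balance_usd < MIN_BALANCE_USD:
        reasons.append("balance too thin")
    if c.operator_halt:
        reasons.append("operator halt")
    return reasons


@dataclass
class MarketMaker:
    conditions: Conditions
    open_orders: list = field(default_factory=list)   # fills still awaiting hedge / settlement
    hedged: list = field(default_factory=list)
    quotes_issued: int = 0

    def quote(self, asset: str, size: float):
        """Front door: refused whenever any trip condition holds."""
        reasons = breaker_reasons(self.conditions)
        if reasons:
            return None, reasons
        self.quotes_issued += 1
        return {"asset": asset, "size": size, "price": self.conditions.internal_price}, []

    def settle_and_hedge(self) -> int:
        """Back door: deliberately does not consult the breaker. Returns total hedged so far."""
        while self.open_orders:
            self.hedged.append(self.open_orders.pop(0))
        return len(self.hedged)


def demo() -> dict:
    mm = MarketMaker(Conditions(), open_orders=[{"asset": "TSLA", "size": 10}])   # one fill in flight
    quote, _ = mm.quote("TSLA", 5)
    out = {"quote_when_safe": quote is not None}
    mm.conditions.venue_reachable = False        # venue goes down...
    mm.conditions.reference_price = 240.0        # ...and the internal price is 4% off reference
    quote, reasons = mm.quote("TSLA", 5)
    out["quote_when_unsafe"] = quote is None
    out["reasons"] = reasons
    out["hedged_while_tripped"] = mm.settle_and_hedge()   # back door still runs
    out["open_orders_left"] = len(mm.open_orders)
    return out
```

The design point is structural rather than numeric: `settle_and_hedge` never calls `breaker_reasons`, so there is no configuration under which winding down can be blocked.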

"What if I place a redeem order and the maker just ghosts me?"

We met this one back when we closed the loop on selling, and it belongs on the fence too. A maker that goes dark shouldn't be able to lock up your tokens.

That's force-execute. If a resting redeem order has waited past the protocol-wide claim threshold (six hours by default) and still hasn't filled, the seller settles it themselves - no maker needed - against a fresh, verified onchain price and a named collateral vault. As long as their target price was genuinely reached and the asset isn't frozen, they walk away with their money. No honest seller is ever stranded.
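The force-execute eligibility checks, as a constructed Python example added here (not Own's contract code). The six-hour claim threshold and the current-to-the-minute price rule are from the text; the order and proof fields, the frozen-asset set, the vault-coverage check and the sample values are assumptions.

```python
"""Constructed model of the force-execute recourse path. Added example, not Own
contract code. CLAIM_THRESHOLD_S and PRICE_MAX_AGE_S are from the text; the
data shapes, the vault-coverage check and all sample values are assumptions."""
from dataclasses import dataclass

CLAIM_THRESHOLD_S = 6 * 3600   # from the text: default protocol-wide claim threshold
PRICE_MAX_AGE_S = 60           # from the text: proven collateral price must be current to the minute


class Reverted(Exception):
    """Stands in for a contract revert."""


@dataclass
class RedeemOrder:
    seller: str
    asset: str
    amount: float          # eTokens the seller wants out of
    target_price: float    # the seller's limit: settle only at or above this
    placed_at: int         # block timestamp when the order started resting
    filled: bool = False


@dataclass
class VerifiedPrice:
    price: float
    timestamp: int         # when the price the seller proves onchain was observed


def force_execute(order: RedeemOrder, proof: VerifiedPrice, vault_usd: float,
                  frozen_assets: set, now: int) -> float:
    """Seller self-settles against a named vault; returns the USD paid out."""
    if order.filled:
        raise Reverted("order already filled")
    if now - order.placed_at < CLAIM_THRESHOLD_S:
        raise Reverted("claim threshold not reached; the maker still has time")
    if order.asset in frozen_assets:
        raise Reverted("asset is frozen")
    if now - proof.timestamp > PRICE_MAX_AGE_S:
        raise Reverted("proven price is not current to the minute")
    if proof.price < order.target_price:
        raise Reverted("target price not genuinely reached")
    payout = order.amount * proof.price
    if payout > vault_usd:                       # assumption: the named vault must cover the payout
        raise Reverted("named vault cannot cover payout")
    order.filled = True
    return payout


def _attempt(action):
    try:
        return action()
    except Reverted:
        return "reverted"


def demo() -> dict:
    placed = 1_000_000   # constructed block timestamp
    order = RedeemOrder("alice", "eTSLA", amount=10.0, target_price=250.0, placed_at=placed)

    def run(now, price, proof_age=30, frozen=()):
        proof = VerifiedPrice(price=price, timestamp=now - proof_age)
        return _attempt(lambda: force_execute(order, proof, 1_000_000.0, set(frozen), now))

    due = placed + CLAIM_THRESHOLD_S
    return {
        "too_early":      run(placed + 5 * 3600, 255.0),               # one hour short
        "stale_proof":    run(due, 255.0, proof_age=120),              # two minutes old
        "below_target":   run(due, 245.0),                             # market never got there
        "asset_frozen":   run(due, 255.0, frozen={"eTSLA"}),
        "settles":        run(due, 255.0),                             # 10 * 255 = 2550.0
        "already_filled": run(due + 60, 255.0),                        # cannot be claimed twice
    }
```

Every branch that refuses is a branch where settling would either be premature (the maker still has time), unsafe (stale or insufficient price), or a double-spend; the one branch that pays requires all of them to be clear at once.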

The whole fence, at a glance

The worry                    The guardrail                                     Why it holds
---------------------------  ------------------------------------------------  ---------------------------------------------------------------------------------------
Tokens outrun their backing  Utilization cap (80%) + per-asset cap             Collateral always worth more than it backs; risk can only grow within limits
LPs can't exit               Same utilization cushion gates withdrawals        Headroom exists so exits don't break backing
Trading on a stale price     Staleness guard (fresh mark required)             No fresh mark, no mint; force-path collateral must be current
A leaked signing key         Oracle deviation guard (+ monotonic timestamps);  A signed price can only step a little from the last good one; mints can't pass the caps
                             caps bound a leaked quote key
Dealer over-extends          Market Maker circuit breaker                      Halts new quotes; never blocks hedging or settlement
Maker ghosts a seller        Force-execute recourse                            Seller self-settles after the claim threshold at a verified price

Notice the pattern across all of them: risk-reducing actions are never blocked. You can always redeem, always exit, always wind down. The guardrails only ever stand in the way of making things riskier - never of making yourself safer.

What just happened

  • Two caps guard every mint: an 80% utilization cap (collateral always over-backs the tokens) and a per-asset cap (no over-concentration); both are checked before minting.
  • The utilization cushion is also what lets LPs exit - withdrawals are gated so they never break the backing.
  • A staleness guard means no trade settles on an old or missing mark; the force-execute path demands an even fresher collateral price.
  • The Oracle's deviation guard (plus forward-only timestamps) caps how far a leaked price-signing key can move a price; the per-asset and utilization caps bound a leaked quote-signing key.
  • The Market Maker's circuit breaker halts new quotes when conditions are unsafe but never blocks hedging or settling what's already open.
  • Force-execute guarantees a seller is never trapped by an unresponsive maker.
  • The through-line: guardrails only ever block actions that increase risk, never actions that reduce it.
