Trust & What Could Go Wrong

We just walked the guardrails one by one - the caps, the marks, the pauses, the halts. This chapter steps back and asks the blunt question an outsider should always ask: where could this actually go wrong, and what catches it when it does? No system is risk-free. The honest answer is that Own faces a handful of real risks - and was built around mitigating each one. Let's walk them.

Risk 1 - The price is wrong

Everything in Own hangs off one number: the price of the asset. If that number is wrong - stale, manipulated, or fat-fingered - eTokens could mint too cheap or redeem too dear, and the collateral pool could quietly drain.

So the price has to pass several checks before it's trusted:

  • Many sources, one agreed number. The Oracle doesn't trust a single feed. It gathers prices from several places and takes the median, throwing out anything stale or absurd. One bad feed can't move the result.
  • It's signed. The agreed price is wrapped in a cryptographic signature (an EIP-712 attestation) tied to this chain and this contract. Nobody can forge a price or replay yesterday's signature on a different deployment.
  • Staleness limits. A signed price has a short shelf life. If it's older than the allowed window, the contracts reject it. A frozen Oracle can't keep feeding an old price into live trades.
  • Deviation limits. Each new price is compared to the last accepted one. If it jumps more than the allowed percentage in a single step, it's rejected. This bounds the damage a single leaked or buggy signer key could do - it can't print an outlandish price.
  • Settle bands. Even a valid price only settles a trade if it sits within a small band of the protocol's working mark. A quote priced outside that band reverts. So even if a price slips past the earlier checks, the trade it produces still has to look sane next to the risk system's own view.

That's five independent gates between "a price appeared" and "money moved." A failure has to beat all of them at once.
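The numeric gates above, sketched as an added example (this is not Own's contract code). Every threshold, function name and sample value is an assumption made for illustration, and the EIP-712 signature gate is left out because it needs secp256k1 and keccak rather than arithmetic.

```python
from statistics import median_low

# Assumed limits for illustration; the page does not state the real values.
MAX_AGE_S = 60            # staleness window for a feed or a signed price
MAX_DEVIATION_BPS = 500   # largest step from the last accepted price (5%)
SETTLE_BAND_BPS = 100     # largest distance from the working mark (1%)
SANITY_BPS = 2000         # a feed this far from the rough median is "absurd"

def bps_diff(a, b):
    """Absolute distance of a from b, in basis points of b (integer math)."""
    return abs(a - b) * 10_000 // b

def aggregate(feeds, now):
    """Gate 1: median of fresh, sane feeds. feeds = [(price_cents, timestamp)]."""
    fresh = [p for p, ts in feeds if p > 0 and now - ts <= MAX_AGE_S]
    if len(fresh) < 3:
        raise ValueError("not enough fresh feeds to agree on a price")
    # median_low always returns one of the inputs, so `sane` is never empty.
    rough = median_low(fresh)
    sane = [p for p in fresh if bps_diff(p, rough) <= SANITY_BPS]
    return median_low(sane)

def check_price(price, signed_at, now, last_accepted, mark):
    """Gates 3-5 in order. Returns 'ok' or the name of the rejecting gate."""
    if now - signed_at > MAX_AGE_S:
        return "stale"
    if bps_diff(price, last_accepted) > MAX_DEVIATION_BPS:
        return "deviation"
    if bps_diff(price, mark) > SETTLE_BAND_BPS:
        return "outside_settle_band"
    return "ok"

# Constructed sample data: prices in cents, timestamps in seconds.
NOW = 1_000_000
FEEDS = [
    (10_000, NOW - 5),
    (10_020, NOW - 10),
    (9_990, NOW - 3),
    (25_000, NOW - 2),    # absurd outlier, dropped by the sanity filter
    (9_000, NOW - 600),   # stale feed, dropped before the median
]

def demo():
    price = aggregate(FEEDS, NOW)
    return price, check_price(price, NOW - 5, NOW, last_accepted=9_950, mark=10_010)
```
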

Risk 2 - The collateral itself crashes or depegs

eTokens are backed by real collateral in the vaults - USDC, staked ETH, BTC. If that collateral loses value (a stablecoin depeg, a sharp crypto drawdown), the backing behind every token shrinks at once.

Own's main defense here is conservatism, set per collateral type. Each vault has a backing cap - the most tokens it will let you mint against a given pile of collateral - and the riskier the collateral, the tighter that cap:

  Collateral      Backing cap     Why
  -----------     -----------     -----------------------------
  USDC (cash)     ~1.5x           can't really crash -> roomy
  cbBTC           ~1.8x           volatile, but less than ETH
  wstETH          ~2.0x           most volatile -> tightest cap

(The cap is expressed as how much collateral stands behind each dollar of tokens - bigger number, more cushion.) And there's a golden rule from the economics: never loosen a backing cap to make room for more demand. When a vault fills up, the fix is to attract more collateral, not to weaken the safety limit. The cap is a brake, not a dial to chase growth with.

The system also runs well below its own ceilings on purpose - operating around 77% of the mint cap - so a price rally has headroom before it bumps any limit.

Risk 3 - The Market Maker or Vault Manager misbehaves or goes broke

The Vault Manager runs the market-making and risk backend, and the Market Maker quotes the firm prices you trade against. What if it quotes recklessly, can't pay, or its signing key leaks?

Several things contain this:

  • It hedges. The Market Maker offsets the exposure it takes on an outside venue, so it isn't betting on the stock - it stays roughly direction-neutral and doesn't accumulate a position that could sink it.
  • Reconciliation. A watcher continuously compares three numbers: what the protocol thinks is outstanding, what the hedge venue shows, and what's actually backed. If they drift apart past a tolerance, that's a red flag.
  • A circuit breaker. When something looks wrong - the hedge venue is down, the underlying market is closed, prices fail a cross-check, the maker's balance dips below a floor, or reconciliation shows drift - the circuit breaker shuts the front door: it stops handing out new quotes. Crucially it never blocks the back door - existing positions can still close and hedges can still flatten. New risk stops; unwinding never does.
  • Banded prices again. Even a leaked signer key can't quote a wild price, because the settle band rejects anything far from the mark.
  • A signer registry. Only registered signers can produce valid quotes, and the admin can revoke a compromised one.

So a misbehaving maker is throttled from taking on new risk while it's still free to wind down - the safe direction.
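A sketch of the reconciliation check feeding the circuit breaker, as an added example rather than Own's backend code. The tolerance, the balance floor, the field names and the action names are all assumptions; the point it shows is that tripping only denies new quotes, and that unknown actions fail closed.

```python
from dataclasses import dataclass

TOLERANCE_BPS = 50        # assumed drift tolerance; the page gives no figure
BALANCE_FLOOR = 100_000   # assumed maker balance floor, in USDC cents

@dataclass
class Snapshot:
    """Constructed view of what a watcher would collect on each pass."""
    protocol_outstanding: int   # units the protocol thinks are outstanding
    hedge_position: int         # units the hedge venue shows
    backed: int                 # units actually backed
    maker_balance: int
    hedge_venue_up: bool = True
    market_open: bool = True
    price_cross_check_ok: bool = True

def trip_reasons(s):
    """Return every trip condition from the list above that currently holds."""
    reasons = []
    if not s.hedge_venue_up:
        reasons.append("hedge_venue_down")
    if not s.market_open:
        reasons.append("market_closed")
    if not s.price_cross_check_ok:
        reasons.append("price_cross_check_failed")
    if s.maker_balance < BALANCE_FLOOR:
        reasons.append("balance_below_floor")
    # Reconciliation: the three numbers must agree within the tolerance.
    drift = max(abs(s.protocol_outstanding - s.hedge_position),
                abs(s.protocol_outstanding - s.backed))
    if drift * 10_000 // max(s.protocol_outstanding, 1) > TOLERANCE_BPS:
        reasons.append("reconciliation_drift")
    return reasons

class CircuitBreaker:
    RISK_REDUCING = {"close_position", "flatten_hedge"}

    def __init__(self):
        self.reasons = []

    def update(self, snapshot):
        self.reasons = trip_reasons(snapshot)

    def allow(self, action):
        """Back door always open; front door only while nothing is tripped."""
        if action in self.RISK_REDUCING:
            return True
        if action == "new_quote":
            return not self.reasons
        return False  # unknown actions fail closed
```
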

Risk 4 - Borrowers over-leverage

Traders can borrow USDC against their eTokens to run the leverage loop. If a borrower's collateral falls in value, their loan could end up under-backed - bad debt that lands on LPs.

The guard here is the health factor: a live ratio of what a position is worth against what it owes. Loans open at a conservative limit (you can't borrow the full value of your collateral), and a separate, higher liquidation threshold sits above it. If a position crosses that threshold, anyone can step in and liquidate it - repaying part of the debt and seizing collateral at a small bonus - before it goes underwater. If a rare gap still leaves a shortfall, there's a defined bad-debt path that the protocol treasury absorbs first.

Risk 5 - The smart contracts have a bug

This is the risk you can never fully eliminate: code can have flaws. Own's honest position is that the contracts have been audited and are today running on Base Sepolia, a testnet - not yet holding real money at scale. That's a deliberate stage, not a finished guarantee. As with any onchain protocol, smart-contract risk remains, and you should size your exposure accordingly. The design leans on conservative rounding (always in the protocol's favor) and pause/halt controls so an operator can freeze trading if something looks wrong.

What just happened

  • Own faces five real risks - a bad price, a collateral crash, maker misbehaviour, borrower over-leverage, and a contract bug - and is built around mitigating each, not pretending they don't exist.
  • A price must clear five gates (multi-source median, signing, staleness, deviation, settle bands) before it can move money.
  • Collateral risk is held back by per-asset backing caps that get tighter the more volatile the asset - and are never loosened to chase growth.
  • A misbehaving Market Maker is contained by hedging, reconciliation, a circuit breaker that stops new quotes but never blocks unwinding, banded prices, and a revocable signer registry.
  • Borrowers are kept solvent by a health factor with conservative borrow limits and liquidation; the contracts are audited and run on testnet today, so smart-contract risk still remains.

Disclaimer. This book describes Own's target mechanics and uses illustrative figures that reflect market conditions around June 2026; actual results vary. Nothing here is an offer, investment advice, or a guarantee of returns. Synthetic stock exposure carries market, smart-contract, and counterparty risk. Own is not available to US persons or other restricted jurisdictions.
