Risks & Safety

Note: This list is not exhaustive; users should conduct their own due diligence before depositing. See the Comprehensive Risk Disclosure in our Terms of Service.

Introduction

RockSolid Vaults are built on smart contracts that have been audited by Nethermind. These contracts currently secure >$140m of TVL. However, all participation in DeFi carries risk. This page outlines the main categories of risk that depositors should understand, along with the measures RockSolid takes to mitigate them.

Smart Contract Risk

All RockSolid vaults use the ERC-7540 Asynchronous Tokenized Vault Standard (inheriting from OpenZeppelin’s ERC-4626). This vault standard is battle-tested and, as of Sep 15, 2025, is securing >$140m of TVL without exploit.

Risks

  • Like any software, these contracts may contain bugs or vulnerabilities that could be exploited.

  • The developer of the vault smart contract could push an upgrade that compromises user funds.

  • Smart contracts that the vault deploys assets into (e.g. DeFi protocols or L2s) could be compromised.

Mitigations

  • Independent audits conducted by leading security firms such as Nethermind.

  • Battle-tested: contracts are already ‘in the wild’, securing >$140m of TVL without exploit.

  • Contract upgrades are ‘opt-in’, meaning that RockSolid and co-signers are given time to review and approve any upgrades (providing protection against malicious upgrades). All accepted upgrades are time-delayed by 3 days, giving depositors time to review even after RockSolid has approved.

  • Open-source contracts available for community review.

  • Continuous on-chain monitoring of contract behavior.

Slashing Risk

Risk

  • ETH validators may face penalties if they behave incorrectly or go offline.

  • These risks are inherent in the underlying LST deployed (e.g. rETH) and aren’t controlled by RockSolid.

Mitigations

  • RockSolid vaults primarily allocate to diversified liquid staking tokens (e.g., rETH).

  • These tokens spread validator exposure across a wide operator set, lowering the impact of any single validator event.

Liquidity Risk

Risk

  • Withdrawals are not instant.

Mitigations

  • Vaults maintain a partial liquidity buffer.

  • Clear disclosure of withdrawal mechanics and timing (~24H withdrawals).

  • In the future, we expect the vault receipt token to have liquidity in secondary markets to allow instant liquidity if needed.

Market & Strategy Risk

Risk

  • Strategies may involve lending, looping, or interacting with other DeFi protocols.

  • Risks include liquidation, changes in rewards, external protocol failures, depegs, or total loss of deposited assets.

Mitigations

  • Exposure caps for each strategy.

  • Preference for established, battle-tested protocols with high TVL.

  • Continuous monitoring of positions and market conditions.

Counterparty Risk

Risks

  • Vaults have exposure to several parties, including: the Distributor; the Strategy Manager; the Infrastructure Provider; and external protocols (e.g. DeFi protocols, L1s, L2s, etc).

  • If a counterparty fails, acts maliciously, or is exploited, vault assets could be lost.

Mitigations

  • Whitelisting of strategies such that funds can only be deployed into pre-approved protocols.

  • Institutional-grade MPC signing and controls such that no single party has the power to unilaterally move user funds outside of pre-approved strategies.

  • Conservative strategy design with limited exposure to any single DeFi counterparty.

Oracle Risk

Risk

  • Most vaults rely on on-chain oracles for pricing and accounting, which can be manipulated or return inaccurate data.

  • Underlying DeFi positions and assets (e.g. the exchange rate of LSTs) can be manipulated or can fail, resulting in depegs and liquidation of leveraged positions.

Mitigations

  • Manual NAV Updates: RockSolid does not use oracles for NAV. Vault NAV is updated manually through a two-step process (proposal by the Strategy Manager, and co-signing by the Distributor), and positions can be independently verified on-chain (e.g., via DeBank).

  • Oracles for Display Only: Oracles (Pyth) are used solely for display purposes, such as showing values in rETH. They do not affect vault accounting or strategy execution.

Transparency and Disclosures

All APRs, fees, and allocations are reported clearly. Vault dashboards display:

  • Strategy-level allocations (staking vs lending vs looping vs incentive farming)

  • Realized vs accruing APR side by side

  • Regular updates on audits, monitoring, and risk assessments.
