Reviewers & operators
L2 sequencer failure mode, quantified exposure, compensating controls and strict-upgrade plan.
Risk acceptance: STK-001 L2 sequencer liveness
Decision
| Field | Value |
|---|---|
| Finding | STK-001 — no canonical L2 sequencer-uptime feed |
| Severity | High |
| Decision date | 2026-07-16 |
| Design decision | Deploy the explicit unprotected PRICE module while no canonical Robinhood Chain uptime feed exists |
| Status | Accepted for the review candidate; funded-market exposure is not yet authorized |
| Expiry | Canonical feed availability, any sequencer incident affecting PRICE freshness, or any proposal to increase exposure |
| Required deployment acknowledgement | ACCEPT_UNPROTECTED_SEQUENCER_RISK=true |
The project owner accepts that STONK cannot presently distinguish a healthy sequencer from an outage or the early recovery period. This is not a claim that the risk is fixed or low. The deployment and verifier identify the exception as ACCEPTED_UNPROTECTED, and the user interface discloses it on Robinhood mainnet.
Named engineering and operations/risk approvers must still sign the launch gates and approve a maximum funded-market exposure. Deployment of contracts with zero bond markets is distinct from authorizing deposits.
Failure being accepted
The primary danger is not that an outage directly changes a Chainlink price. It is transaction ordering during and immediately after an outage:
- an equity price round is published before the outage;
- normal sequencer inclusion stops while delayed-inbox transactions may remain possible;
- the sequencer recovers before a fresh equity round is published; and
- a bond deposit consumes the old round while it is still inside STONK's six-hour heartbeat.
An actor with earlier or alternative inclusion access can receive STONK against an equity asset whose realizable value has fallen. Ordinary users may not have the same ability to transact. PRICE still checks answer validity, round completion, heartbeat, description, decimals, deviation, cap, and Robinhood oraclePaused(), but none of those checks proves L2 liveness.
For an equity feed, a rough upper bound on the post-outage stale-price window is:
max(0, 6 hours - feed age at outage start - outage duration)
Actual ordering and price-publication timing can make the exploitable window shorter, but the protocol must not assume that they will.
Exposure model
Bond capacity is denominated in STONK payout. It is the maximum STONK that a market may mint across all deposits, not the quantity of quote tokens sold by the protocol. Capacity decreases by each payout; closing a market returns unused mint allowance. maxPayout separately caps one deposit.
The mainnet configuration contains nine proposed equity market templates with 500,000 STONK capacity and 50,000 STONK maximum payout each. If governance created all of them unchanged, aggregate unsold capacity would be 4,500,000 STONK. These templates are a potential ceiling, not approved launch exposure: Deploy.s.sol creates no markets.
At the $1.20 market floor and 10% equity haircut, the approximate backing after a price drop d is:
actual assets per STONK = 1.20 × (1 - d)
risk-adjusted assets per STONK = 0.90 × 1.20 × (1 - d)
risk-adjusted shortfall = max(0, 1 - risk-adjusted assets) × payout
| Equity drop before a fresh round | Actual assets per STONK | Risk-adjusted shortfall per 50,000 payout | Per 500,000 market | Across all 4,500,000 proposed capacity |
|---|---|---|---|---|
| 10% | $1.08 | $1,400 | $14,000 | $126,000 |
| 20% | $0.96 | $6,800 | $68,000 | $612,000 |
| 30% | $0.84 | $12,200 | $122,000 | $1,098,000 |
| 50% | $0.60 | $23,000 | $230,000 | $2,070,000 |
The risk-adjusted figures measure violation of the protocol's conservative $1-per-STONK backing floor. At 20%, 30%, and 50% drops, nominal asset shortfall across all proposed capacity would be approximately $180,000, $720,000, and $1,800,000 respectively. This is a scenario model, not a probability estimate; it excludes existing supply, price impact, liquidity discounts, correlated exposures, issuer controls, and adversarial market timing.
Compensating controls
- Production deploys
StonkPriceUnprotected, not a strict module with a fake or guessed feed. - Mainnet deployment fails unless the config says
ACCEPTED_UNPROTECTEDand the operator provides the explicit acknowledgement. - The deployment manifest, live verifier, keeper metrics, and mainnet interface expose that sequencer protection is disabled.
- All ordinary feed-integrity and Robinhood pause checks remain enforced.
Deploy.s.solcreates no bond markets. Governance must separately create and fund each market after approving its risk budget.- Mainnet Distributor rate is zero, so scheduled reward emissions do not consume the backing buffer at launch.
- Market capacity, maximum payout, asset count, market count, deviation, and emission rate have onchain bounds.
- The guardian can stop MINTR and TRSRY flows. Recovery requires governance.
These controls bound or disclose exposure; they do not detect the outage and do not eliminate preferential ordering.
Required conditions before funded markets
- independent review of the exact release commit and this exception;
- named engineering and operations/risk approval;
- an approved aggregate active unsold-capacity limit and per-asset limits derived from a dollar loss budget;
- external-token control monitoring and response procedures for STK-004;
- two independent RPC/keeper deployments and tested alerts;
- a current-fork rehearsal of guardian shutdown and governance recovery; and
- public disclosure that sequencer protection is unavailable.
Until those conditions are met, deploying contracts is allowed by this decision but creating or funding mainnet equity markets is not.
Upgrade and retirement plan
When a canonical Chainlink-compatible Robinhood Chain sequencer feed becomes available:
- independently verify its address, interface, decimals, status semantics, start timestamp, and operating history;
- deploy strict
StonkPricewith the current installed PRICE module asmigrationSourceso the bounded asset registry is copied and validated in the constructor; - verify every copied asset and current strict price on a current fork;
- execute
Kernel.UpgradeModulethrough governance; dependent policies reconfigure to the new module in the same transaction; - independently verify live module wiring, feed status, and recovery grace; and
- retire this acceptance only after the strict verifier passes and public artifacts are updated.
Any sequencer incident, unexplained price/inclusion discrepancy, missing monitoring interval, or proposed exposure increase reopens the acceptance and freezes new bond deposits pending review.