search

Failure Modes and Mitigation

Surf is designed with the assumption that every component in a decentralised, automated financial system can fail. The architecture is built to detect failure early, contain blast radius, and default to safety over execution.

This section outlines the primary failure modes Surf models for, and how each is mitigated through the Guardian Layer, deterministic controls, and execution architecture.

hashtag
1. Strategy Model Failure

Failure Mode The AI or statistical model proposes an action based on incomplete data, regime shift, or incorrect inference.

Mitigation

  • AI is restricted to proposal only. It never has execution authority.

  • All actions are validated against deterministic rules and invariants.

  • Simulation is run before execution using the current market state and liquidity.

  • If projected outcomes violate safety thresholds, the action is rejected.

  • Rejected actions are logged and used to refine guardrails before autonomy expands.

Result: A wrong model output results in a blocked action, not a loss.

hashtag
2. Oracle Failure or Price Distortion

Failure Mode Price feeds lag, spike, or are manipulated, leading to incorrect valuation or execution triggers.

Mitigation

  • Multi-source oracle validation with deviation checks.

  • Confidence scoring and regime detection on price inputs.

  • Hard bounds on acceptable price movement per block and per time window.

  • Automatic freeze when the oracle disagreement or anomaly exceeds thresholds.

Result: Execution halts until price integrity is restored.

hashtag
3. Liquidity Collapse and Slippage Shock

Failure Mode Liquidity evaporates or becomes fragmented, causing extreme slippage or failed exits.

Mitigation

  • Pre-trade impact simulation using real-time pool depth and volatility.

  • Slippage ceilings enforced by Guardian Layer.

  • Position sizing bounded by exit-liquidity, not just entry liquidity.

  • Multi-step unwind paths with fallback venues.

  • Circuit breaker triggers when slippage or depth deteriorates beyond safe unwind limits.

Result: Capital is prevented from entering states that cannot be exited safely.

hashtag
4. Protocol-Level Exploits or Insolvency

Failure Mode A lending market, DEX, or infrastructure protocol is exploited, frozen, or becomes insolvent.

Mitigation

  • Strict protocol allowlists with continuous health monitoring.

  • Exposure caps per protocol, per asset, and per strategy.

  • Rapid disable switches to halt new interactions.

  • Emergency migration and unwind logic to isolate and exit affected venues.

Result: Contagion is contained, and vault-level exposure is bounded.

hashtag
5. Execution Path Manipulation (MEV, Sandwiching, Reordering)

Failure Mode Transactions are reordered or sandwiched to extract value from vault execution.

Mitigation

  • Atomic transaction batching.

  • Private and protected routing when available.

  • Slippage bounds enforced at execution, not UI.

  • Path validation to ensure no intermediate state exposes exploitable transitions.

Result: Execution either completes safely or reverts entirely.

hashtag
6. Smart Contract Bugs

Failure Mode A logic error or unexpected state transition in vault or strategy contracts.

Mitigation

  • Formal invariant checks.

  • Simulation under adversarial scenarios.

  • Independent audits and continuous runtime monitoring.

  • Vault isolation so no single failure can cascade across user funds.

  • Emergency pause and asset freeze controls.

Result: Damage is isolated, execution is halted, and recovery paths are preserved.

hashtag
7. Key Compromise or Signing Layer Attack

Failure Mode Compromise of signing keys or transaction authorisation.

Mitigation

  • MPC-based signing with threshold security.

  • No single signer has unilateral execution authority.

  • Policy-level checks before signature approval.

  • Rate limits and anomaly detection on signing behaviour.

Result: An attacker cannot move funds even with a partial key compromise.

hashtag
8. Systemic Market Stress

Failure Mode Extreme volatility, cascading liquidations, or liquidity runs.

Mitigation

  • Regime detection and dynamic risk tightening.

  • Automatic reduction of exposure and leverage.

  • Cooldown periods between rebalances.

  • Circuit breakers that switch the system to capital-preservation mode.

Result: The system prioritises survival and capital integrity over yield.

hashtag
Design Philosophy

Surf is not built on the assumption that failures are rare. It is built on the assumption that failures are inevitable.

The goal is not to eliminate risk, but to:

  • Detect it early

  • Contain it deterministically

  • Prevent single-point failures

  • Ensure every automated action is reversible, bounded, and rule-constrained

This is what allows AI-driven execution to operate safely with real capital at scale.

PreviousRisk AssumptionsNextGuardian Layer Overview

Last updated