
Rumpel is committed to transparency. It is crucial to highlight the risks associated with Rumpel Protocol, the actions taken to ameliorate risk, as well as plans to further manage these risks.

Point Oracle Risk

  • A point distribution allows users to claim points they have not earned, caused by either:

    1. Teams temporarily publishing inaccurate point balances and adjusting later on OR

    2. A bug in Rumpel's distribution scripts

  • Mitigations:

    1. Manual coordinated reviews of each Merkle root submission

    2. Internal & external reviews of the Rumpel Oracle

    3. Proof generation clients written in different programming languages and by different engineers
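
An added example, not Rumpel's own code, of an automated check a reviewer could run before approving a Merkle root submission: it recomputes the root independently and flags any claimable balance above what the point issuer reported. The leaf encoding, the use of SHA-256, the account names and the amounts are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data (not real accounts or balances).
ISSUER_BALANCES = {"0xaaa1": 500, "0xbbb2": 120, "0xccc3": 75}
DISTRIBUTION = {"0xaaa1": 500, "0xbbb2": 120, "0xccc3": 75}

def leaf_hash(account: str, amount: int) -> bytes:
    # Assumed leaf encoding for this example; the 0x00 prefix separates
    # leaves from interior nodes so one cannot be passed off as the other.
    return hashlib.sha256(b"\x00" + f"{account.lower()}:{amount}".encode()).digest()

def merkle_root(distribution: dict) -> bytes:
    level = sorted(leaf_hash(a, v) for a, v in distribution.items())
    if not level:
        raise ValueError("empty distribution")
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            lo, hi = sorted(level[i:i + 2])  # sorted pairs: order-free proofs
            nxt.append(hashlib.sha256(b"\x01" + lo + hi).digest())
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0]

def review_submission(submitted_root: bytes, distribution: dict, issuer_balances: dict) -> list:
    """Return findings for a root submission; an empty list means it passes."""
    findings = []
    # Check 1: the root recomputed here must equal the submitted one.
    if merkle_root(distribution) != submitted_root:
        findings.append("root mismatch")
    # Check 2: a matching root only proves consistency, so compare every
    # claimable amount with the balance the point issuer reported.
    for account, amount in sorted(distribution.items()):
        reported = issuer_balances.get(account, 0)
        if amount < 0 or amount > reported:
            findings.append(f"{account}: claimable {amount}, issuer reported {reported}")
    return findings

if __name__ == "__main__":
    print(review_submission(merkle_root(DISTRIBUTION), DISTRIBUTION, ISSUER_BALANCES))
```

The second check matters because a bug in a distribution script produces a root that is internally consistent with the wrong balances, so a root match alone does not catch it.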

Malicious Admin risk

  • A malicious actor gets control of Rumpel’s admin multisig and mints an infinite amount of Point Tokens OR attempts to steal assets in the Rumpel wallet

  • Mitigations

    1. Rumpel has an immutable blacklist on admin transfers of whitelisted assets, meaning that pre-approved assets transferred into the Rumpel wallet for point farming cannot be touched by anyone but the user.

    2. Our multisig is managed by trained signers using industry-grade signing wallet technology in different locations

    3. (Future) Enforce a cap on the amount of total point tokens that can be minted in an epoch.

Smart contract risk

  • Hacks/bugs, leading to a drain of funds

  • Mitigation:

    1. Multiple internal reviews & external audits from the industry’s top smart contract auditors.

Point Deletion risk

  • Points can be deleted by the point issuer (note: all point holders are exposed to this risk)

  • Mitigations

    1. We go to great lengths to uncover and demonstrate the value of secondary marketplaces to Point Issuers

    2. While this security feature will be deprecated in the future, we can freeze Point Token transfers and protect unsuspecting Liquidity Providers if a Point Issuer attacks Rumpel by deleting points held by all Rumpel Wallets.

Airdrop claiming risk

  • Rumpel is unable to claim the airdrop through Rumpel wallets

  • Mitigations

    1. Proactive collaboration with multiple airdrop infrastructure providers to ensure compliant integration with their distribution systems

    2. We will delay point token/airdrop redemptions until we’re able to support airdrop claiming

Frontrun risk

  • If the following conditions are all met, then there’s a risk that some users who’ve already sold their Point Tokens will unfairly claim some of the airdrop before Rumpel can prevent transfers:

    • Rumpel Labs is unaware of a reward token release event

    • The reward token is a whitelisted principal asset within Rumpel wallets

    • Users can claim with a non-ERC-1271 signature

  • Mitigations:

    1. Proactive advertisement of this risk and collaboration with Point Issuers

Airdrop Diversion risk

  • The point issuer allows the user to delegate to a secondary account via a non-ERC-1271 signature and receive their reward tokens there, instead of in the Rumpel Wallet

  • Mitigations:

    1. Proactive advertisement of this risk and collaboration with Point Issuers
