Risk Management

The problem with most yield vaults

In the standard onchain vault design, the entity issuing the token is also the entity curating the strategy, setting the risk parameters, and holding the admin keys. When the issuer, the curator, and the custodian are the same, a single compromise — key leak, insider risk, governance capture, or just bad judgment — is enough to put user funds at risk.

This is the default in DeFi today. It's also the default users have quietly accepted because separating these functions has historically been expensive, operationally complex, and bad for UX.

We think that default is wrong for the kind of capital we're serving.

The Nerona separation model

Nerona's sUSDnr vault splits the three functions — policy, execution, and signing — across three independent layers:

Layer        | Role                        | Who holds it | What they can do
Risk Manager | Sets the policy             | Upshift      | Whitelists protocols, sets strategy guardrails, defines risk parameters, and controls admin selection for the Fordefi MPC setup
Operator     | Executes within the policy  | Nerona       | Deploys and rebalances capital across the whitelisted strategy set, and only within the guardrails Upshift has set
Signing      | Authorizes onchain movement | Fordefi MPC  | Provides the cryptographic signature layer; no individual party can sign unilaterally

The one-line version: Upshift defines what the vault can do. Nerona executes within those rules. Neither party can move user funds unilaterally.

Why this matters

This separation produces three properties that are hard to get with a conventional vault design:

1. No single point of failure. A compromise of Nerona cannot redirect funds to an unapproved protocol — the whitelist is controlled by Upshift. A compromise of Upshift cannot extract funds — they can't sign transactions. A compromise at the signing layer still has to pass through the whitelist.

2. Real policy enforcement. Strategy guardrails aren't just a PDF on a pitch deck. They're enforced at the smart-contract level by Upshift's architecture. If a strategy is not on the whitelist, the Operator cannot deploy to it — full stop. If a protocol is de-whitelisted, capital flows back in.

3. Verifiable onchain. You do not have to take our word for any of this. Whitelisted protocols, active strategies, and vault positions are visible onchain. Anyone can independently verify that Nerona is operating within the mandate.

What Upshift provides at the protocol level

Beyond the role separation, the Upshift vault inherits the platform's structural safeguards:

  • Non-custodial by construction. Funds can only move between the vault contract and whitelisted strategy contracts. Neither Nerona nor Upshift can withdraw funds to an external address.
  • NAV volatility protection. The share-to-asset ratio has a hard per-update ceiling and floor, blocking oracle manipulation and latency arbitrage.
  • Withdrawal liquidity buffer. A configurable portion of the vault stays liquid to service redemptions without forcing strategy unwinds.
  • Timelocks on sensitive parameters. Fee changes, withdrawal-period changes, and similar updates are subject to a 24-hour delay, giving users time to exit.
  • Emergency pause and pull-back. A multi-sig-controlled function can pause deposits and withdrawals and pull all strategy funds back into the vault in a tail-risk scenario.
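As an added illustration (not Upshift's or Nerona's code), the following Python model encodes the policy checks described under "Why this matters" together with the protocol-level safeguards listed above: only the Risk Manager edits the whitelist, the Operator can deploy only to whitelisted strategies and only while the liquidity buffer holds, NAV updates are bounded per update, de-whitelisting pulls capital back into the vault, and no function exists that sends assets to an external address. The role names, strategy names and the 1% / 10% parameters are assumptions.

```python
class PolicyViolation(Exception):
    """Raised when an action falls outside the Risk Manager's policy."""

class Vault:
    """Toy model of the role split; deliberately has no external transfer."""
    def __init__(self, risk_manager, operator, nav_bound=0.01, buffer=0.10):
        self.risk_manager = risk_manager   # Upshift's role: sets the policy
        self.operator = operator           # Nerona's role: executes within it
        self.whitelist = set()             # strategies the Operator may use
        self.liquid = 0.0                  # assets held in the vault itself
        self.positions = {}                # strategy -> deployed assets
        self.nav_bound = nav_bound         # max relative NAV move per update (assumed 1%)
        self.buffer = buffer               # fraction of assets kept liquid (assumed 10%)
        self.ratio = 1.0                   # assets per share

    def total_assets(self):
        return self.liquid + sum(self.positions.values())
    def _require(self, caller, role):
        if caller != role:
            raise PolicyViolation(f"{caller} may not perform this action")
    def deposit(self, amount):
        self.liquid += amount
    def whitelist_add(self, caller, strategy):
        self._require(caller, self.risk_manager)
        self.whitelist.add(strategy)
    def whitelist_remove(self, caller, strategy):
        """De-whitelisting pulls any deployed capital back into the vault."""
        self._require(caller, self.risk_manager)
        self.whitelist.discard(strategy)
        self.liquid += self.positions.pop(strategy, 0.0)
    def deploy(self, caller, strategy, amount):
        """Assets may only move vault -> whitelisted strategy, buffer permitting."""
        self._require(caller, self.operator)
        if strategy not in self.whitelist:
            raise PolicyViolation(f"{strategy} is not whitelisted")
        if self.liquid - amount < self.buffer * self.total_assets():
            raise PolicyViolation("deploy would breach the liquidity buffer")
        self.liquid -= amount
        self.positions[strategy] = self.positions.get(strategy, 0.0) + amount
    def update_nav(self, caller, new_ratio):
        """Per-update ceiling and floor on the share-to-asset ratio."""
        self._require(caller, self.operator)
        if abs(new_ratio / self.ratio - 1.0) > self.nav_bound:
            raise PolicyViolation("NAV move exceeds the per-update bound")
        self.ratio = new_ratio
```

A compromised Operator key in this model can at most rebalance among already-whitelisted strategies, and a compromised Risk Manager key can shrink the whitelist but never route assets anywhere other than back into the vault.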

What users are actually trusting

We think it's important to be direct about residual risk. Even with the architecture above, depositors are exposed to:

  • Smart contract risk at every layer — Upshift, Fordefi, the underlying DeFi protocols, and the bridges used to move capital cross-chain
  • Strategy risk within the whitelist — a whitelisted protocol can still be exploited, and losses flow back to the vault
  • M0 / wM risk at the USDnr layer — the backing of USDnr depends on M0 Protocol's T-Bill custody and attestation infrastructure
  • Counterparty risk on partners that provide fiat onramps, cards, and custody adjacent to the protocol

What we've done is structurally minimize the risks where users have historically taken the worst deal — the "trust us with admin keys" risk. The remaining risks are real, priced in, and documented.

Audits and ongoing review

Upshift vault contracts have been audited by independent firms; current audit reports are available in the Upshift smart contract audits documentation. Nerona-specific contracts are audited separately and posted publicly when deployed.