Risks
This section explains the risks that you subject your funds to when you use Robin.
First, as with any other protocol, you are exposed to so-called “smart contract risk”. This means that any protocol you use, no matter how well audited it is, always carries the risk that funds are exposed to exploits of vulnerabilities in its code. In Robin’s MVP (the current version), this applies to Robin’s own contracts as well as to Aave’s v3 smart contracts, into which user funds are deployed to generate yield. Aave has its own risks section in its docs here.
The second risk is that funds can be temporarily locked up due to illiquidity. Aave pools can prevent lenders like Robin from immediately withdrawing their funds if not enough liquidity is available. This is only temporary and lasts until borrow utilization decreases. This means that even though Robin is designed to always allow withdrawals, you could temporarily be prevented from withdrawing your outcome tokens from Robin or from redeeming your winning tokens for USDC. The Robin team has already developed mitigation strategies for this illiquidity risk, which will become available in the next version of Robin.
We completed a security audit of the Robin Vault System with Phage Security in September 2025.
Findings
[H-01] DoS in _unlockYield via token donation → Fixed in commit 3015cc3
[H-02] createVault misuse could brick markets → Fixed in commit 7b8e57a
[L-01] Missing storage gap for upgradability → Fixed in commit 289a8f3
[L-02] Raw approve replaced with safeIncreaseAllowance → Fixed in commit 4406e47
All issues were resolved and verified by the audit team.
See full audit report below.