🔒 Security

Security is often the number one concern for DeFi users. We at Alpaca understand these concerns and have focused on having top-level security since the creation of our protocol, while continuously striving to improve upon it. As a result, our efforts have been recognized by various security groups and we've been trusted by large institutions with their funds, such as TrueUSD which has deployed 8 figures in funding into our protocol.

We also passed the rigorous security standards set by Nexus Mutual, a leading risk protocol for crypto, in order to offer our users cover through their platform. Alpaca Finance continues to strive to set the security standards in DeFi and become a trusted brand for institutions and everyday users. You can read more about our security protocols below.

🔒 Is It Safe to Use Alpaca?

In short, yes. Within the BSC community, Alpaca Finance is widely regarded as one of the most secure platforms because of our spotless track record of never having had a security issue, and our multi-layered security processes, which you can read about below:

  • We’ve had 11 security audits, one of the highest numbers for any project on BSC, from top firms such as PeckShield, CertiK, Inspex, and SlowMist.

  • In June 2021, Alpaca received the highest security rating on BSC from DeFi Safety, which was advertised by BSC itself, and the 3rd highest Security Score from CertiK.

  • Regarding the ALPACA token, we've made it as dump-proof as possible. Our ALPACA token is fair launch, with 87% of total supply going to platform participants. The team is only getting less than 9% of tokens, and that’s vested over 2 years. We also had no presale, no pre-mine, and no investors, so there’s no one to dump on token holders.

  • Our code is open-source, with every line having been combed through by hundreds of independent developers. We even have a professional Bug Bounty Program with Immunefi to offer high rewards if anyone spots as little as a minor issue. We invite you to have a look through our code yourself here.

  • Then, besides extensive code reviews having been conducted both internally and externally, there are also built-in safeguards in place. For example, all the contracts we deploy are owned by a Timelock contract. Thus, any changes made by our developers will have a 24-hour lag before becoming effective. That means users will have ample time to withdraw their funds and exit safely in the case of any questionable update to the code. With tens of thousands of users, you can believe that every small change is under constant scrutiny from many participants. At times, it's a tough job dealing with all their questions, but it's honest work. 👨‍🌾

  • Regarding flash loans, Alpaca does not allow them, so you will be safe from all such attacks.

  • Then for price manipulation and flash liquidation, Alpaca integrates Chainlink price feeds and also has an in-house Alpaca Guard which prevents those.

  • Finally, we make efforts not only to secure our own protocol, but also the entire ecosystem. That's why we only work with projects that meet our high standards for safety. Every project we work with has to pass our Security Scorecard, a type of qualitative audit that complements code audits.

  • For users who desire insurance, we've also integrated Nexus Mutual Coverage to provide users the option of buying Cover, which can reimburse their funds in the event of a loss.

  • As a final word, even with everything we do, users should still educate themselves. It's important to be aware of the potential risks of participating in any DeFi project, which you can read more about here.

Is Alpaca at risk of a flash loan attack?

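No. Alpaca is EOA-only: only externally owned accounts (EOAs), not smart contracts, can interact with the protocol. A flash loan has to be borrowed and repaid by a contract within a single transaction, so flash loans cannot interact with the protocol. This makes flash loan attacks impossible.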

💰 Nexus Mutual Coverage

Alpaca is one of a handful of top BSC protocols covered by Nexus Mutual, a premium DeFi coverage provider. Users have the option to purchase cover for their funds deployed in any Alpaca product, including lending, farming, the Grazing Range, and staking.

How you can benefit from this partnership

You can take advantage of this partnership in two ways:

  • Buy Cover: Users who have capital deployed on Alpaca Finance can buy coverage for a potential loss of funds.

  • Provide Cover: If you believe that Alpaca’s code is safe, you can earn income by providing cover for buyers through staking NXM tokens and receiving the coverage premium as yield. You can stake in up to 20 pools at once (using the same NXM tokens) including Alpaca so it is very capital efficient.

The features are live so you can head over to Nexus Mutual now to buy or provide cover! (Do note that to buy or provide cover, you have to do so on the Ethereum Mainnet. However, the coverage applies to your funds within Alpaca Finance on BSC, and in fact — all blockchains Alpaca will be on in the future)

Shield mining

Starting now, users will be able to stake $NXM to provide cover for Alpaca Finance (as well as 19 other protocols to get their rewards as well) and receive USD $35k rewards in ETH over a period of one month.

Stake here

What situations are covered?

In general, Nexus cover protects against loss of funds (i.e. loss of tokens), but not loss of value (a token’s price dropping). The coverage includes funds deployed in all sections of Alpaca Finance, so whether you’re lending, farming, grazing, or staking — you’ll be covered!

Risks Covered:

  • Smart contract risk

  • Code being used in an unintended way

  • Economic design failure

  • Severe oracle failure

  • Governance Attacks

  • Protection for assets on Layer 2 solutions

  • Protection for non-Ethereum smart contracts

  • Protection for a protocol across multiple chains

Risks NOT Covered:

  • Bad debt

  • Liquidations

  • Any other form of defaults

  • Centralization risk such as “rug pulls”

  • Loss events localized to integrated protocols (e.g. Pancake if you are in an Alpaca PCS farming pool)

For full coverage details, please refer to this document.

How do I buy cover?

First, you must become a Nexus member by paying a small membership fee of 0.0020 ETH (~$5.54): https://app.nexusmutual.io/home

Then, once you’re a member, you can purchase cover within the application interface using a Metamask account (on the Ethereum Mainnet).

Purchasing cover involves only three easy steps:

  1. Press “Get quote” for Alpaca Finance on the Buy cover page

  2. Specify the Cover Amount, Currency (ETH or DAI) and Cover Period

  3. Generate a quote and execute the transaction using Metamask

You are now covered!

You can pay for cover using ETH, DAI or NXM. If paying in ETH or DAI, the system will convert the funds to NXM in the background, then immediately use that NXM to purchase cover.

To reiterate, Nexus Mutual currently only operates on the Ethereum Mainnet. You must switch your wallet to Ethereum Mainnet first before interacting with the protocol. However, the coverage you purchase will be applicable for BSC as well as all other chains that Alpaca Finance will operate on in the future.

How do I file a claim?

If you lost funds, owned cover at the time, and believe the circumstances of the loss fall under Nexus Mutual’s coverage policy, you can submit a claim, which will then go through Nexus Mutual’s Claims Assessment process.

Members who stake NXM and choose to act as Claims Assessors can participate in reviewing, discussing, and voting on claims. Members acting as Claims Assessors are incentivized to act honestly, and are deterred from voting fraudulently. If it is determined that a member voted fraudulently in the claims process, the Advisory Board has the power to burn the malicious Claims Assessor’s staked NXM as punishment.

To file a claim, you can go to app.nexusmutual.io/home. The instructions on how to file a claim can also be found here.

Even though we at Alpaca Finance take pride in having one of the cleanest track records and most thorough multi-layered security processes on BSC, we never stop working to improve. Now, with this partnership, we’ve added yet another layer of security to our protocol, hoping it’ll bring even greater peace of mind to our Herd, giving any alpaca the ability to further manage their risks, and farm peacefully.

(Note: This article is a snapshot of information at publishing date and details on coverage may be subject to change. Alpaca does not administer or manage this coverage, and is not responsible for it. For the final say on the terms and conditions of coverage, please make sure to check with Nexus Mutual directly)

🏹 The Alpaca Guard

Financial markets can be dangerous, my fellow Alpacas, which is why we’ve introduced something to protect you in the worst of times, from potential price manipulation, flash liquidation, and market failure. You may get nervous with other farms, but at Alpaca, you’ll never have anything to be nervous about, because this is much more than a new feature; this is your new protector: the Alpaca Guard.

Some of you who used our platform may have noticed that certain functions were temporarily grayed-out such as opening positions on certain pairs. This was the Alpaca Guard in Protection Mode, keeping you safe from the dangers of the market.

To be specific, when the on-chain price of an asset in your farming pair, taken from the exchange that pair is on (PancakeSwap), differs by more than 10% from the median of a batch of off-chain oracles we verify against, the Alpaca Guard enters Protection Mode. This consists of disabling liquidations and the opening and closing of positions, all in order to protect you from trading at bad prices and taking an unjust loss.

Do note that you can still add collateral to positions while Alpaca Guard is activated, in case you find your Safety Buffer running low, though you will not be able to borrow more capital. You should also be aware that if you do not add collateral in a 50:50 ratio, the swap may happen at a sub-optimal price since Alpaca Guard activation implies prices may be misaligned.
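The Protection Mode rule described above, as an added off-chain model in Python. It is not Alpaca's contract code: the action names, the integer price scaling, the sample prices and the fail-closed behaviour when no oracle quote is usable are assumptions of this example.

```python
from fractions import Fraction
from statistics import median

# Threshold from the page: Protection Mode when the deviation is more than 10%.
MAX_DEVIATION = Fraction(10, 100)
# Actions the page says are unavailable in Protection Mode (names are hypothetical).
BLOCKED = frozenset({"open_position", "close_position", "liquidate", "borrow_more"})


def deviation(dex_price: int, oracle_prices: list[int]) -> Fraction:
    """Relative gap between the on-chain (DEX) price and the oracle median."""
    quotes = [Fraction(p) for p in oracle_prices if p > 0]
    if dex_price <= 0 or not quotes:
        raise ValueError("no usable price")
    ref = median(quotes)  # the median is not moved by a single outlier feed
    return abs(Fraction(dex_price) - ref) / ref


def protection_mode(dex_price: int, oracle_prices: list[int]) -> bool:
    """True when the guard should be in Protection Mode."""
    try:
        return deviation(dex_price, oracle_prices) > MAX_DEVIATION
    except ValueError:
        # Assumption of this example, not stated on the page: fail closed.
        return True


def is_allowed(action: str, dex_price: int, oracle_prices: list[int]) -> bool:
    """Gate a user action on the guard state; adding collateral always passes."""
    if action == "add_collateral":
        return True
    return not (action in BLOCKED and protection_mode(dex_price, oracle_prices))


# Constructed sample data: prices as integers scaled by 1e8, three oracle feeds.
ORACLES = [30_000_000_000, 30_150_000_000, 29_900_000_000]  # median 300.00
NORMAL_DEX = 30_600_000_000   # 2% above the median
EDGE_DEX = 33_000_000_000     # exactly 10% above: not "more than" 10%
CRASHED_DEX = 26_000_000_000  # about 13.3% below the median

if __name__ == "__main__":
    for label, px in [("normal", NORMAL_DEX), ("edge", EDGE_DEX), ("crashed", CRASHED_DEX)]:
        print(label, float(deviation(px, ORACLES)), protection_mode(px, ORACLES))
```

Exact fractions are used so that the boundary case (a deviation of exactly 10%) is classified the same way every time, which floating-point comparison would not guarantee.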

So as you can see, the Alpaca Guard exists to protect you, and in fact, the Alpaca Guard saved a lot of users’ funds during the May 20th, 2021 market crash.

When the entire market flash crashed, the Alpaca Guard went into action, protecting many users’ positions from flash liquidations, allowing them to stay safe and keep farming once prices realigned and the Guard lifted Protection Mode. During this chaotic time, many users were prevented from losing their positions and trading at bad prices.

Feeling safer already? You should. 😄 The Alpaca Guard’s Protection Mode acts as an oracle delay, verifying price feeds consistently after activation (verification frequency varies depending on overall market volatility), which prevents large market orders from engaging in price manipulation (such as flash loans or margin orders). When the on-chain price moves far off from where it should be, this delay gives enough time for arb bots to push that price back into alignment, either with other exchanges or with a peg in the case of stablecoins and other pegged tokens.

In summary, the Alpaca Guard is watching your back. Yet, when he does activate Protection Mode, you don’t have to be worried either, because it’s also unlikely to stay on for long. Inevitably, arb bots will soon close the price divergence, letting the Alpaca Guard remove his protections and you to return to customizing your position, if you’d like.

The Venus Incident vs. Alpaca Guard

On 5/18/21, Venus had a major incident that created $200M+ USD in liquidations and $100M in bad debt. We won’t go into the details and there are differing accounts of what happened but you can read about it here and here. In any case, what we do know is that the ultimate culprit that caused the market dump on XVS was a series of cascading liquidations. Integrating Chainlink wasn’t enough to protect them. So it’s interesting to note that, in fact, if Venus had the Alpaca Guard, he would’ve blocked this incident from ever happening!

The Alpaca Guard would’ve frozen the system when price took the first drop, blocking this chain of liquidations from the start! What’s more, he may have even stopped the original price pump that allowed several users (attackers depending on who you ask) to over-borrow against an inflated XVS price.

How about PancakeBunny’s exploit on 5/19/21 for 200M? A flash loan attack. As it stands, that wouldn’t have gotten past the Alpaca Guard either! Not only does Alpaca Finance not work with flash loans, but the Alpaca Guard would’ve frozen the attack as soon as price made a drastic movement!

Well, it’s very unfortunate he wasn’t at either of those platforms, but that’s because he’s dedicated to his current job and thus can only guarantee that one place is safe: Alpaca Finance.

So luckily for us, we don’t have to worry about any of these dangers, because the Alpaca Guard is also an Alpaca that lives on the farm, and he’ll never let the Llamas hurt you! 😄

Yet, even though the Alpaca Guard has demonstrated his strength, he never stops going to the gym and becoming stronger, so that he can protect us even better. In reality, you could say our devs are his personal trainers.

By that I mean, our team is working on adding even more mechanisms to his program, making his supreme defense all-powerful. One of these boosts is a debt cap on farming pools, one that varies per pool depending on liquidity, which would further block someone trying to manipulate price by opening a huge position. In the future, we’re even considering adding trailing debt caps. Ok, so what would that mean for Alpaca Guard? Imagine Arnold Schwarzenegger + Bruce Lee + Optimus Prime…

Yea, you can feel safe.


In summary, we hope you’ve enjoyed meeting your new Alpaca bodyguard, protecting your assets from external threats. Hence, if you ever find the Alpaca Guard in Protection Mode, you can rest assured that your assets are secured from any external factors until the markets realign, because that’s the Alpaca Guard’s job: standing guard over the herd, watching, and protecting all you young Alpacas.