Security

​Is It Safe to Use Alpaca?​
​Nexus Mutual Coverage​
​InsurAce Coverage​
​The Alpaca Guard​
Security is often the number one concern for DeFi users. We at Alpaca understand these concerns and have focused on having top-level security since the creation of our protocol, while continuously striving to improve upon it. As a result, our efforts have been recognized by various security groups and we've been trusted by large institutions with their funds, such as TrueUSD which has deployed 8 figures in funding into our protocol.
We also passed the rigorous security standards set by Nexus Mutual, a leading risk protocol for crypto, in order to offer our users cover through their platform. Alpaca Finance continues to strive to set the security standards in DeFi and become a trusted brand for institutions and everyday users. You can read more about our security protocols below.
🔒Is It Safe to Use Alpaca?
In short, yes. Within the BSC community, Alpaca Finance is widely regarded as one of the most secure platforms because of our spotless track record of never having had a security issue, and our multi-layered security processes, which you can read below:
We’ve had 11 security audits which is one of the highest amounts for any project on BSC, from top firms such as PeckShield, Certik, Inspex, and SlowMist.
In June 2021, Alpaca received the highest security rating on BSC from Defi Safety which was advertised by BSC itself, and the 3rd highest Security Score from Certik.
Regarding the ALPACA token, we've made it as dump-proof as possible. Our ALPACA token is fair launch, with 87% of total supply going to platform participants. The team is only getting less than 9% of tokens, and that’s vested over 2 years. We also had no presale, no pre-mine, and no investors, so there’s no one to dump on token holders.
Our code is open-source, with every line having been combed through by hundreds of independent developers. We even have a professional Bug Bounty Program with Immunefi to offer high rewards if anyone spots as little as a minor issue. We invite you to have a look through our code yourself here.
Then, besides extensive code reviews having been conducted both internally and externally, there are also built-in safeguards in place. For example, all the contracts we deploy are owned by a Timelock contract. Thus, any changes made by our developers will have a 24-hour lag before becoming effective. That means users will have ample time to withdraw their funds and exit safely in the case of any questionable update to the code. With tens of thousands of users, you can believe that every small change is under constant scrutiny from many participants. At times, it's a tough job dealing with all their questions, but it's honest work. 👨‍🌾
Regarding flash loans, Alpaca does not allow them so you will be safe from all such attacks.
Then for price manipulation and flash liquidation, Alpaca integrates Chainlink price feeds and also has an in-house Alpaca Guard which prevents those.
Finally, we make efforts not only to secure our own protocol, but also the entire ecosystem. That's why we only work with projects that meet our high standards for safety. Every project we work with has to pass our Security Scorecard, a type of qualitative audit that complements code audits.
For users who desire insurance, we've also integrated Nexus Mutual Coverage to provide users the option of buying Cover, which can reimburse their funds in the event of a loss.
As a final word, even with everything we do, users should still educate themselves. It's important to be aware of the potential risks of participating in any DeFi project, which you can read more about here.
Is Alpaca at risk of a flash loan attack?
No, Alpaca is only EOA which means it does not allow flash loans to interact with the protocol. This makes flash loan attacks impossible.
💰Nexus Mutual Coverage
Alpaca is one of a handful of top BSC protocols covered by Nexus Mutual, a premium DeFi coverage provider. Users have the option to purchase cover for their funds deployed in any Alpaca product, including lending, farming, the Grazing Range, and staking.
How you can benefit from this partnership
You can take advantage of this partnership in two ways:
Buy Cover: Users who have capital deployed on Alpaca Finance can buy coverage for a potential loss of funds.
Provide Cover: If you believe that Alpaca’s code is safe, you can earn income by providing cover for buyers through staking NXM tokens and receiving the coverage premium as yield. You can stake in up to 20 pools at once (using the same NXM tokens) including Alpaca so it is very capital efficient.
The features are live so you can head over to Nexus Mutual now to buy or provide cover! (Do note that to buy or provide cover, you have to do so on the Ethereum Mainnet. However, the coverage applies to your funds within Alpaca Finance on BSC, and in fact — all blockchains Alpaca will be on in the future)
Shield mining
Starting now, users will be able to stake $NXM to provide cover for Alpaca Finance (as well as 19 other protocols to get their rewards as well) and receive USD $35k rewards in ETH over a period of one month.
​Stake here​
What situations are covered?
In general, Nexus cover protects against loss of funds (i.e. loss of tokens), but not loss of value (a token’s price dropping). The coverage includes funds deployed in all sections of Alpaca Finance, so whether you’re lending, farming, grazing, or staking — you’ll be covered!
Risks Covered:
Smart contract risk
Code being used in an unintended way
Economic design failure
Severe oracle failure
Governance Attacks
Protection for assets on Layer 2 solutions
Protection for non-Ethereum smart contracts
Protection for a protocol across multiple chains
Risks NOT Covered:
Bad debt
Liquidations
Any other form of defaults
Centralization risk such as “rug pulls”
Loss events localized to integrated protocols (ie. Pancake if you are in an Alpaca PCS farming pool)
For full coverage details, please refer to this document.
How do I buy cover?
First, you must become a Nexus member by paying a small membership fee of 0.0020 ETH (~$5.54): https://app.nexusmutual.io/home​
Then, once you’re a member, you can purchase cover within the application interface using a Metamask account (on the Ethereum Mainnet).
Purchasing cover involved only three easy steps:
1.Press “Get quote” for Alpaca Finance on the Buy cover page​
2.Specify the Cover Amount, Currency(ETH or DAI) and Cover Period
3.Generate a quote and execute the transaction using Metamask
You are now covered!
You can pay for cover using ETH, DAI or NXM. If paying in ETH or DAI, the system will convert the funds to NXM in the background, then immediately use that NXM to purchase cover.
To reiterate, Nexus Mutual currently only operates on the Ethereum Mainnet. You must switch your wallet to Ethereum Mainnet first before interacting with the protocol. However, the coverage you purchase will be applicable for BSC as well as all other chains that Alpaca Finance will operate on in the future.
How do I file a claim?
If you lost funds, owned cover at the time, and believe the circumstances of the loss fall under Nexus Mutual’s coverage policy, you can submit a claim, which will then go through the Nexus Mutual’s Claims Assessment process.
Members who stake NXM and choose to act as Claims Assessors can participate in reviewing, discussing, and voting on claims. Members acting as Claims Assessors are incentivized to act honestly, and are deterred from voting fraudulently. If it is determined that a member voted fraudulently in the claims process, the Advisory Board has the power to burn the malicious Claims Assessor’s staked NXM as punishment.
To file a claim, you can go to app.nexusmutual.io/home. The instructions on how to file a claim can also be found here.
Even though we at Alpaca Finance take pride in having one of the cleanest track records and most thorough multi-layered security processes on BSC, we never stop working to improve. Now, with this partnership, we’ve added yet another layer of security to our protocol, hoping it’ll bring even greater peace of mind to our Herd, giving any alpaca the ability to further manage their risks, and farm peacefully.
(Note: This article is a snapshot of information at publishing date and details on coverage may be subject to change. Alpaca does not administer or manage this coverage, and is not responsible for it. For the final say on the terms and conditions of coverage, please make sure to check with Nexus Mutual directly)
💰InsurAce Coverage
InsurAce.io will give our users the option to purchase coverage for their funds deployed anywhere in Alpaca Finance, including lending, farming, the Grazing Range, and staking.
InsurAce.io is unique in that it integrates various investment products and strategies to offset coverage costs, which gives them the ability to offer low premiums. InsurAce.io also allows users to purchase one single low-cost plan to cover multiple protocols and multiple chains, making the process of covering an entire portfolio very convenient. Most importantly though, InsurAce’s coverage can be purchased directly on BSC.
With this partnership, Alpaca will become one of only five BSC protocols covered by both Nexus Mutual and InsurAce.io, taking another step forward in giving our users peace of mind and establishing ourselves as one of the most secure DeFi protocols.
☔What situations are covered?
Coverage purchased on InsurAce generally insures against loss of funds (i.e., loss of tokens), but not loss of value (a token’s price dropping). As mentioned before, the coverage includes funds deployed in all sections of Alpaca Finance.
InsurAce’s Smart Contract Cover
InsurAce.io covers smart contract risks, where the designated smart contract means a single smart contract or group of smart contracts, as specified in the Cover, running on the public blockchain network, and excluding any outside inputs to that system such as oracles, miners, and individuals or groups of individuals interacting with the system.
Smart Contract Cover will not pay a claim if
Assets lost are NFTs
Losses due to phishing, private key security breaches, malware, etc.
Losses due to devaluation of assets, regardless if such devaluation is related to the Attack
Hacks occurring during the Cover Period, but the hack/bug occurred or was known before the Cover Period
Any events where any other external interoperable or interactive smart contracts are hacked or manipulated in an unintended way, while the Designated smart contract continues to operate as intended
Any event where external inputs (oracles, governance systems, incentive structures, miner behavior and network congestion, etc.) are manipulated, while the Designated smart contract continues to operate as intended
The insured provided false information or tried to hide, lie, or mislead claim assessment
Please note that InsurAce’s Cover will not include issues on underlying DEXs like PancakeSwap or WaultSwap. So if you want coverage on those too, consider including them as one of the protocols when you buy Cover.
InsurAce’s full description of what is and is not covered is provided here.
❓How do I buy cover?
Buying coverage is simple and fast. Users can buy cover for Alpaca Finance with MetaMask configured to BSC, or in fact, Ethereum and Matic (Polygon) Mainnet. When configured to these networks, coverage is paid in BNB, ETH or MATIC, respectively.
Step 1: Go to InsurAce.io and select the protocols you want insurance on
Launch the InsurAce.io App (https://app.insurace.io/)
Go to the “Insurance” tab, click “Buy Covers”
Select Alpaca Finance, in addition to other protocols you want insurance on
Step 2: Specify the Cover Amount and Cover Period and confirm the transaction
Click the green Folder icon on the bottom right
Input the desired Cover Amount* and Cover Period
Enter a Referral Code (optional). Entering a referral code will get you $INSUR rewards (claimed here) amounting to 5% of the insurance premium paid. If you don’t have one, you can use our code: 117812559893613627489677677639357097345960442556.
If you’re satisfied with the pricing, check the Terms and Conditions box and click “Confirm”
You are now covered!
​This link will redirect you to InsurAce.io’s website with most of the steps above completed. A step-by-step guide to purchasing cover is provided here.
*The Cover Amount is the amount you want to be insured. Thus, it is the maximum amount that will be paid to you in the unfortunate case of lost funds.

🏹The Alpaca Guard
Financial markets can be dangerous, my fellow Alpacas, which is why we’ve introduced something to protect you in the worst of times, from potential price manipulation, flash liquidation, and market failure. You may get nervous with other farms, but at Alpaca, you’ll never have anything to be nervous about, because this is much more than a new feature; this, is your new protector — the Alpaca Guard.
Some of you who used our platform may have noticed that certain functions were temporarily grayed-out such as opening positions on certain pairs. This was the Alpaca Guard in Protection Mode, keeping you safe from the dangers of the market.
To be specific, when the price of an asset in your farming pair has its on-chain price from the exchange that pair is on(PancakeSwap) differ more than 10% from the median of a batch of off-chain oracles we verify with, the Alpaca Guard enters Protection Mode; This consists of disabling liquidations, and opening/closing positions; all in order to protect you from trading at bad prices and taking an unjust loss.
Do note that you can still add collateral to positions while Alpaca Guard is activated, in case you find your Safety Buffer running low, though you will not be able to borrow more capital. You should also be aware that if you do not add collateral in a 50:50 ratio, the swap may happen at a sub-optimal price since Alpaca Guard activation implies prices may be misaligned.
So as you can see, the Alpaca Guard exists to protect you, and in fact, the Alpaca Guard saved a lot of users’ funds during the May 20th, 2021 market crash.
When the entire market flash crashed, the Alpaca Guard went into action, protecting many users’ positions from flash liquidations, allowing them to stay safe and keep farming once prices realigned and the Guard lifted Protection Mode. During this chaotic time, many users were prevented from losing their positions and trading at bad prices.
Feeling safer already? You should. 😄 The Alpaca Guard’s Protection Mode acts as an oracle delay, verifying price feeds consistently after activation(verification frequency varies depending on overall market volatility), which prevents large market orders from engaging in price manipulation(such as flash loans or margin orders). When the on-chain price moves far off from where it should be, this delay gives enough time for arb bots to push back that price to realignment either with other exchanges or a peg in the case of stablecoins and other pegged tokens.
In summary, the Alpaca Guard is watching your back. Yet, when he does activate Protection Mode, you don’t have to be worried either, because it’s also unlikely to stay on for long. Inevitably, arb bots will soon close the price divergence, letting the Alpaca Guard remove his protections and you to return to customizing your position, if you’d like.
The Venus Incident vs. Alpaca Guard
On 5/18/21, Venus had a major incident that created $200M+ USD in liquidations and $100M in bad debt. We won’t go into the details and there are differing accounts of what happened but you can read about it here and here. In any case, what we do know is that the ultimate culprit that caused the market dump on XVS was a series of cascading liquidations. Integrating Chainlink wasn’t enough to protect them. So it’s interesting to note that, in fact, if Venus had the Alpaca Guard, he would’ve blocked this incident from ever happening!
The Alpaca Guard would’ve frozen the system when price took the first drop, blocking this chain of liquidations from the start! What’s more is he may have even stopped the original price pump that allowed several users(attackers depending on who you ask) to over-borrow against an inflated XVS price.
How about PancakeBunny’s exploit on 5/19/21 for 200M? A flash loan attack. As it stands, that wouldn’t have gotten past the Alpaca Guard either! Not only does Alpaca Finance not work with flash loans, but the Alpaca Guard would’ve frozen the attack as soon as price made a drastic movement!
Well, it’s very unfortunate he wasn’t at either of those platforms, but that’s because he’s dedicated to his current job and thus, can only guarantee that one place is safe— Alpaca Finance.
So luckily for us, we don’t have to worry about any of these dangers, because the Alpaca Guard is also an Alpaca that lives on the farm, and he’ll never let the Llamas hurt you! 😄
Yet, even though the Alpaca Guard has demonstrated his strength, he never stops going to the gym and becoming stronger, so that he can protect us even better. In reality, you could say our devs are his personal trainers.
By that I mean, our team is working on adding even more mechanisms to his program, making his supreme defense all-powerful. One of these boosts is a debt cap on farming pools, one that varies per pool depending on liquidity, which would further block someone trying to manipulate price by opening a huge position. In the future, we’re even considering adding trailing debt caps. Ok, so what would that mean for Alpaca Guard? Imagine Arnold Schwarzenegger + Bruce Lee + Optimus Prime…
Yea, you can feel safe.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In summary, we hope you’ve enjoyed meeting your new Alpaca bodyguard, protecting your assets from external threats.‌ Hence, if you ever find the Alpaca Guard in Protection Mode, you can rest assured that your assets are secured from any external factors until the markets realign, because that’s the Alpaca Guard’s job: standing guard over the herd, watching, and protecting all you young Alpacas.