Skip to main content
In Railnet smart contracts, an Allocation Strategy is implemented as a MultiVehicle, an Advanced Strategy as a Specialized Vehicle, and a Yield Source is connected via a Vehicle adapter. See Glossary for all terminology.
Railnet provides several mechanisms to manage risk across yield strategies — from on-chain exposure limits and operational guardrails to portfolio-level analytics and compliance enforcement.

Risk parameters

Strategies support configurable thresholds that limit exposure to individual protocols. The Vehicle Registry stores per-source authorization and allocation caps, allowing operators to set maximum allocation amounts per yield source. These limits are enforced on-chain — the contracts reject operations that would breach them. This is not advisory risk management; it is deterministic, rules-based enforcement at the smart contract level.

Exposure limits and diversification

Allocation queues define target caps per yield source. When a source reaches its target allocation, new deposits are automatically routed to the next source in the queue. This provides deterministic diversification:
  • Deposit queues distribute incoming capital according to configured priorities (e.g., first 20M to Morpho, next 10M to Aave, remainder to a tokenized T-bill yield source)
  • Redeem queues define the order in which capital is withdrawn from yield sources
  • Over-allocation prevention is enforced at the contract level — the Vehicle Registry tracks current vs. target allocation for each yield source

Operational guardrails

Railnet’s role-based access control (EAC) enforces strict separation of duties:
  • Asset managers can only operate within their authorized yield sources and allocation ranges. Permissions are scoped to specific contracts, preventing over-broad access.
  • Keepers can only advance query states, not move assets arbitrarily. Their role is limited to automating state transitions.
  • Factory controls prevent deployment of unauthorized adapter types. Only approved factories can create new Vehicle adapters.
  • Module timelocks require a mandatory waiting period between requesting a module change and activating it. This prevents sudden logic changes and gives stakeholders time to review.
  • Beacon freeze provides an irreversible guarantee that contract logic cannot be changed. Once a beacon is frozen, the implementation is provably immutable — providing a strong assurance to depositors and regulators.

Error isolation

The STEAM standard ensures that a failure in one Query does not affect other operations:
  • Each Query is independent with its own state machine and unique ID
  • The RECOVERING state allows assets to be reclaimed from a failed operation without impacting the broader system
  • The REJECTED state provides explicit denial with assets returned to the sender
  • A bug or failure in one yield source does not propagate to other yield sources in the same Strategy
This per-operation isolation is critical when combining assets with fundamentally different risk profiles and timing characteristics in a single strategy.

Circuit breakers and pause mechanisms

Railnet uses a beacon proxy architecture that supports two independent safety mechanisms:
Operations can be temporarily halted and resumed. This is useful during security incidents, market dislocations, or when investigating unexpected behavior. While paused, no new deposits, redemptions, or allocations can be executed.
Once frozen, contract logic can never be upgraded again. This provides a provable guarantee to depositors, counterparties, and regulators that the rules governing their assets cannot change. Freezing is an irreversible, one-way action — it cannot be undone.
These mechanisms operate independently. A contract can be paused without being frozen, and vice versa. Together they provide both emergency response capability and long-term immutability guarantees.

Portfolio risk analytics

Sector-based accounting provides real-time visibility into every capital state across the portfolio:
  • Idle capital in the deposit sector
  • Allocated capital deployed to each yield source
  • In-flight capital mid-deposit or mid-redemption through ephemeral sectors
  • Pending redemptions queued for processing
This on-chain position data enables portfolio-level risk calculations: exposure per protocol, concentration risk across yield sources, liquidity profiles (how quickly capital can be withdrawn from each source), and in-flight asset tracking for accurate NAV under async conditions. The reporting API provides queryable access to Strategy positions, Query lifecycle events, fee accrual, and sector accounting data — enabling custom dashboards and monitoring systems.

Monitoring and observability

Railnet emits events on every state transition, enabling real-time monitoring and alerting:
  • Keeper automation monitors yield source health and operation status through the Job Listing registry
  • Event-driven architecture — every deposit, redemption, allocation, rebalancing, and fee collection emits on-chain events that external systems can subscribe to
  • Job Listing registry provides on-chain visibility into automation status — which operations are pending, which keepers are active, and where attention is needed

Audit and compliance

Every capital flow is recorded on-chain with block-level timestamps, creating a complete and independently verifiable audit trail:
  • Permission history — role-based access control creates an auditable record of who was authorized to do what, and when permissions were granted or revoked
  • Fee transparency — fee collection and distribution is fully on-chain and verifiable
  • Compliance enforcementAccountList integration supports allowlists, blocklists, and sanctions oracle connections
  • Transfer modes — configurable controls determine how shares can move: permissionless transfers (ALLOW_TRANSFER), restricted to approved accounts (ACCOUNT_LIST), or mint-and-burn only with no secondary transfers (BLOCK_TRANSFER)
  • On-chain books and records — sector-based double-entry accounting provides continuously reconciled books that auditors can verify independently, without relying on the asset manager’s internal records