All DeFi protocols, including Blueberry, come with risks, which are important to understand before depositing significant amounts of crypto. Some of the main risks involved in using Blueberry are outlined here.
Smart Contract and UI Risk
There is a risk that the smart contracts or the UI contain a bug or exploitable flaw that causes unexpected behaviour and results in loss of funds. This risk is inherent to all smart contracts and relies upon the discipline of the development community, core contributors, and auditors.
The Ethereum blockchain remains under development, which creates technological and security risks and uncertainties that Blueberry has no control over. The cost of transacting on the Ethereum blockchain is variable and may increase or decrease at any time, affecting any activities taking place on the Ethereum blockchain, which may result in losses, price fluctuations, or increased costs.
Blueberry relies on Chainlink for its main price feeds to power liquidations. There is a risk that these oracles report incorrect prices which can result in wrongful liquidations and loss of all funds.
Levered/Social Loss Risk
In the event of sharp price movements, traders with levered positions can lose more than their collateral value. In this event, these losses may be socialized across market participants.
Blueberry offers both leveraged yield positions and borrow/lend. For leveraged yield positions, there is a risk of liquidation when a user's accumulated losses approach the total collateral they have posted.
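The following is an added worked example (not Blueberry's code) that models the mechanics described above: a position funded by posted collateral plus borrowed funds, a liquidation boundary expressed as a maintenance ratio of equity to position value, and the point past which a sharp price move leaves the position worth less than its debt, so that the shortfall becomes a loss to be socialised. The 3x leverage, the 10% maintenance ratio and the absence of interest and fees are assumptions for illustration, not Blueberry's actual parameters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PositionState:
    value: float      # current value of the deployed assets, in quote units
    equity: float     # value minus debt: what the user could still get back
    status: str       # "healthy", "liquidatable" or "underwater"
    shortfall: float  # debt not covered by the position (the socialised loss)


def position_state(collateral: float, borrowed: float, entry_price: float,
                   current_price: float, maintenance_ratio: float) -> PositionState:
    """Model a levered position: collateral + borrowed funds are deployed at
    entry_price; the debt stays fixed while the deployed value tracks the price.
    Interest and fees are ignored (assumption)."""
    deployed = collateral + borrowed
    value = deployed * current_price / entry_price
    equity = value - borrowed
    if equity < 0:
        # The position no longer covers its debt: the trader has lost more than
        # the collateral posted, and the remainder is bad debt for the market.
        return PositionState(value, equity, "underwater", -equity)
    if value > 0 and equity / value < maintenance_ratio:
        # Equity is still positive but thin; a liquidator may close it now.
        return PositionState(value, equity, "liquidatable", 0.0)
    return PositionState(value, equity, "healthy", 0.0)


def liquidation_price(collateral: float, borrowed: float, entry_price: float,
                      maintenance_ratio: float) -> float:
    """Price at which equity / value first falls to the maintenance ratio.
    From (V - B) / V = m it follows that V = B / (1 - m)."""
    deployed = collateral + borrowed
    value_at_liquidation = borrowed / (1.0 - maintenance_ratio)
    return value_at_liquidation / deployed * entry_price


def bad_debt_price(collateral: float, borrowed: float, entry_price: float) -> float:
    """Price below which the deployed assets are worth less than the debt."""
    return borrowed / (collateral + borrowed) * entry_price


if __name__ == "__main__":
    # Constructed scenario: 1000 collateral, 2000 borrowed (3x), opened at 100.
    for price in (100.0, 72.0, 60.0):
        print(price, position_state(1000.0, 2000.0, 100.0, price, 0.10))
    print("liquidation price", liquidation_price(1000.0, 2000.0, 100.0, 0.10))
    print("bad debt price", bad_debt_price(1000.0, 2000.0, 100.0))
```

Note how narrow the band between the liquidation price and the bad-debt price is at 3x leverage: if the market gaps through both before a liquidation lands, the shortfall is what ends up socialised.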
100% Utilization Risk
When an asset is fully utilized (100% of the supply is lent out), there will be no tokens left in the pool, which means withdrawals and borrows will fail for that asset. Users will have to wait until the utilization rate goes down, through borrowers repaying their loans or lenders depositing new funds, before they can withdraw or borrow.
A user is more likely to be affected by this if their deposit represents a large share of the pool, or if the asset has extremely high borrow demand.
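As an added example (not Blueberry's own pool code), the following minimal single-asset pool shows why a withdrawal can fail even though the lender's balance is intact: the tokens are in borrowers' hands, and only a repayment or a new deposit restores liquidity. Interest accrual and share accounting are left out (an assumption made to keep the mechanics visible).

```python
class InsufficientLiquidity(Exception):
    """Raised when a withdrawal or borrow exceeds the tokens left in the pool."""


class LendingPool:
    """Single-asset pool with no interest accrual (simplifying assumption)."""

    def __init__(self) -> None:
        self.supplied = 0.0  # total deposited by lenders
        self.borrowed = 0.0  # total currently lent out

    @property
    def available(self) -> float:
        """Tokens physically present in the pool contract."""
        return self.supplied - self.borrowed

    @property
    def utilization(self) -> float:
        return 0.0 if self.supplied == 0 else self.borrowed / self.supplied

    def deposit(self, amount: float) -> None:
        self.supplied += amount

    def borrow(self, amount: float) -> None:
        if amount > self.available:
            raise InsufficientLiquidity(f"borrow {amount} > available {self.available}")
        self.borrowed += amount

    def withdraw(self, amount: float) -> None:
        # The lender's claim is valid, but at 100% utilization nothing is left
        # to pay out: the call fails until someone repays or deposits.
        if amount > self.available:
            raise InsufficientLiquidity(f"withdraw {amount} > available {self.available}")
        self.supplied -= amount

    def repay(self, amount: float) -> None:
        self.borrowed -= min(amount, self.borrowed)


def utilization_scenario() -> dict:
    """Constructed walk-through: a pool is drained to 100% utilization,
    a withdrawal is blocked, then a partial repayment frees liquidity."""
    pool = LendingPool()
    pool.deposit(1000.0)
    pool.borrow(1000.0)  # every supplied token is now lent out
    utilization_full = pool.utilization
    try:
        pool.withdraw(1.0)
        withdraw_blocked = False
    except InsufficientLiquidity:
        withdraw_blocked = True
    pool.repay(200.0)      # a borrower repays part of the loan
    pool.withdraw(150.0)   # now there is enough liquidity for this withdrawal
    return {
        "utilization_when_full": utilization_full,
        "withdraw_blocked": withdraw_blocked,
        "available_after": pool.available,
        "utilization_after": pool.utilization,
    }


if __name__ == "__main__":
    print(utilization_scenario())
```

The share-of-pool point in the text follows directly: a lender who holds most of the supply needs most of the pool's liquidity to exit, so even moderate borrow demand can leave their withdrawal waiting on repayments.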
Risks as Stated By Hacken Audit
● The system highly relies on the Blueberry Money Market and ICHI Farm functionality which is out of the audit scope. The mentioned systems receive access to user funds.
● The system uses prices received from Band Protocol, Chainlink, Uniswap (at previous blocks), and possibly other sources. The data providers may affect user position states. Check if the sources are stable and do not have disclosed vulnerabilities.
● IchiVaultOracle highly relies on IchiVault. In case the IchiVault reserves could be manipulated, the resulting price may be affected and some positions may become at risk of liquidation. It is recommended to check that the used IchiVault instances do not have disclosed vulnerabilities and could not be significantly affected by any third party.
● The AggregatorOracle contract receives data from several sources and checks if the deviation of the price is within bounds. However, in case only one source responds with a price, that value is used. In case some of the sources are unstable or vulnerable, an attacker may manipulate the resulting price. It is recommended to ensure that the contract relies on stable data providers.
● According to the documentation, only the CoreOracle contract should be used for providing prices to the target contracts (BlueberryBank, IchiSpell, etc.). In case another oracle is used, important price validations may be missed.
● The oracles highly depend on the owner. The owner is able to manipulate token prices received by the project.
● The Admin of BlueBerryBank may disable/enable actions for users at any time: lend, withdraw, repay, borrow.
● The Admin of BlueBerryBank may de-whitelist previously whitelisted tokens and spells.
● The system may be vulnerable to uncommon ERC20 tokens such as tokens with floating decimals (and 19+ decimals), fee-on-transfer tokens, or tokens with a non-failing approve function implemented (which in case of error returns false instead of reverting the transaction).
● The IchiSpell contract allows the Admin to add strategies with custom vault addresses. The pool address received from the vault contract is able to drain any allowances to the IchiSpell contract.
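The oracle risks above (the Chainlink dependency for liquidations, and the audit's note that an aggregator which checks price deviation still falls back to whatever single source responds) can be made concrete with an added example. The aggregator below is illustrative code, not Blueberry's AggregatorOracle: it assumes a median reference, a relative deviation bound, and a `min_sources` parameter, which is the mitigation the audit points towards. With `min_sources=1` it reproduces the single-responder behaviour the audit describes; with a higher value it refuses to price rather than trust one feed.

```python
from statistics import median
from typing import Optional, Sequence


class OracleError(Exception):
    """Raised when the aggregator refuses to produce a price."""


def aggregate_price(quotes: Sequence[Optional[float]], max_deviation: float,
                    min_sources: int = 1) -> float:
    """Combine quotes from several sources into one price.

    quotes: one entry per source; None means the source did not respond.
    max_deviation: largest relative distance of any quote from the median.
    min_sources: fewest responding sources accepted (assumed parameter).
    """
    valid = [q for q in quotes if q is not None and q > 0]
    if len(valid) < max(1, min_sources):
        raise OracleError(f"only {len(valid)} source(s) responded, need {min_sources}")
    reference = median(valid)
    for q in valid:
        # With a single responder the median is that quote and the deviation is
        # zero, so this check passes trivially: the fallback the audit flags.
        if abs(q - reference) / reference > max_deviation:
            raise OracleError(f"quote {q} deviates over {max_deviation:.0%} from {reference}")
    return reference


def rejects(quotes: Sequence[Optional[float]], max_deviation: float,
            min_sources: int = 1) -> bool:
    """True if the aggregator refuses to price these quotes."""
    try:
        aggregate_price(quotes, max_deviation, min_sources)
    except OracleError:
        return True
    return False


if __name__ == "__main__":
    # Constructed quotes: three healthy feeds, then two feeds down, then one outlier.
    print(aggregate_price([100.0, 101.0, 99.0], 0.05))
    print(aggregate_price([100.0, None, None], 0.05))        # single-source fallback
    print(rejects([100.0, None, None], 0.05, min_sources=2))  # mitigated: refuses
    print(rejects([100.0, 150.0, 99.0], 0.05))                # outlier caught
```

Refusing to price is itself a failure mode (liquidations and borrows that depend on the oracle stall), so the `min_sources` value is a trade-off between availability and the manipulation risk the audit describes, and the feeds it counts must be ones whose own stability has been checked.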