Ostium

Privileged Roles & Admin Actions

• All privileged role actions (gov, dev, manager, owner etc) are assumed to be performed correctly and in good faith. Issues arising from admin misconfiguration, incorrect parameter setting, or misuse of privileged functions are out of scope.
• Contract upgradeability via proxy admin is a known trust assumption. Findings related to the ability of the proxy admin to upgrade contracts are out of scope.
• Gov-controlled fee and parameter changes are by design. The gov role can adjust trading fees, funding rates, rollover fees, leverage limits, vault settlement parameters, and spread parameters. Reports about the gov role having this power are not valid findings.
• Dev fee claims will not drain protocol funds. It is assumed that the dev role will only claim correct amount of fees, not create scenarios where fee withdrawal impacts the rest of the protocol.
• Pause and kill-switch mechanisms are intentional. The manager can pause trading and the gov can trigger the done() kill-switch. Reports about these capabilities existing are not valid findings.
• Timelock delays are a known trade-off. Issues related to governance actions being delayed by the timelock are by design.

Keepers & Oracles

• All registered keepers (PriceUpKeep, PrivatePriceUpKeep, TradesUpKeep) and their forwarders are assumed to be trusted and operating correctly. Issues requiring a compromised or malicious keeper are out of scope.
• Price feeds (Chainlink and custom OstiumVerifier signers) are assumed to deliver accurate data. Oracle manipulation at the source (e.g., compromising Chainlink nodes or authorized signers) is out of scope. However, improper validation or handling of price data within the protocol contracts is in scope.
• Price staleness within the configured maxTsValidity window is expected behavior. Reports about price data being slightly delayed within the allowed validity window are not valid findings.

Economic & Griefing Thresholds

• Griefing attacks that require significant capital (>$10,000) with no monetary gain to the attacker are out of scope or will be downgraded at protocol discretion. The protocol reserves the right to evaluate the practical feasibility and real-world impact of any griefing submission.
• Attacks that require sustained, economically irrational behavior over multiple blocks or transactions to achieve minimal impact are out of scope.
• Theoretical insolvency scenarios that require extreme and unrealistic market conditions (e.g., all pairs simultaneously hitting max leverage liquidation thresholds) are out of scope or may be downgraded at protocol discretion.

External Dependencies & Integrations

• Issues in third-party contracts (OpenZeppelin, Chainlink, Gelato) are out of scope unless the finding demonstrates that the protocol incorrectly integrates or uses these dependencies.
• Arbitrum L2 sequencer behavior, downtime, or reorgs are out of scope. The protocol operates on Arbitrum and inherits its security properties. Findings that rely on L2 sequencer manipulation or downtime as an attack vector are not valid.
• ERC-20 token behavior of USDC is assumed to be standard. Issues related to USDC blacklisting, upgradeability, or depegging are out of scope.

General Exclusions

• Front-running of governance/admin transactions is out of scope. Privileged operations are protected by timelocks and trusted execution.
• Known gas inefficiencies in gov-only or manager-only batch functions (e.g., registerContracts, updateContracts) are out of scope. These are called infrequently by trusted roles who can manage gas limits.
• Findings based on deprecated or dead code paths scheduled for removal in the next upgrade are out of scope unless they can be exploited in the current deployed state.
• Loss-of-precision issues that result in insignificant rounding differences are out of scope.
• Best practice recommendations, gas optimizations, and informational findings without a demonstrated impact are out of scope.