Skip to main content

Documentation Index

Fetch the complete documentation index at: https://whitepaper.flowstate.exchange/llms.txt

Use this file to discover all available pages before exploring further.

FlowState is built on three years of in-house development across C1 Pool architecture and predecessor liquidity infrastructure, audited by Hashlock and tested in adversarial simulations. Security is the primary design constraint because oracle-priced models require a higher bar than AMM models, and FlowState’s mitigation set reflects that.

Audits

Audit firmScopeStatus
HashlockC1 Pool smart contractsCompleted
HashlockFrontend, API and Envio indexer (follow-up)In progress
The completed Hashlock audit covers the C1 Pool contracts, the fee distribution contract, the liquidity registry and the oracle integration layer. The follow-up audit covers the FlowState frontend, the API layer and the Envio indexer infrastructure that surrounds the audited contracts. The smart contract audit report is available on request to integration partners via contact. The follow-up audit report will be made available on completion.

Smart contract security model

  • Time-locked upgrades. Changes to core settlement logic require multi-sig approval and a delay period before execution pre-TGE. Governance transitions to FLOW token holders post-TGE. No instant upgrade pattern.
  • Role-separated access control. Administrative functions are split across roles. No single key controls fee rates and oracle feed selection simultaneously.
  • Adversarial simulation testing. The contracts have been tested under adversarial conditions including oracle manipulation scenarios, reentrancy, flash loan attacks and integer boundary conditions.
  • Production track record. Live in production on KyberSwap. Real trades route through C1 Pools today.
  • Audit scope. Smart contracts have been audited by Hashlock. The surrounding frontend, API and Envio indexer infrastructure are currently undergoing follow-up audit by Hashlock.

Oracle integrity is the critical risk

Oracle-priced models are only as reliable as their oracle inputs. Thin liquidity tokens are inherently more susceptible to spot-price manipulation than liquid pairs because a smaller capital outlay can move the spot price meaningfully. C1 Pools implement multiple layers of protection.
Multi-source aggregation, TWAP smoothing, circuit breakers, rate limits, oracle confidence thresholds

Multi-source aggregation

Where multiple oracle feeds exist for a token, C1 Pools aggregate across sources and reject execution if feeds diverge beyond a configurable threshold. Single-source oracle risk is mitigated by requiring consensus.

TWAP smoothing

Time-weighted average price calculations smooth transient price spikes caused by short-duration manipulation. The TWAP window is configurable per pool based on the token’s liquidity profile and oracle availability.

Circuit breakers

Execution is paused automatically if the oracle price moves beyond a configurable percentage within a single block or short timeframe. This prevents exploitation during active manipulation events.

Rate limits on deposits and withdrawals

Large sudden inflows or outflows can be a precursor to oracle attacks. Rate limits prevent flash-loan-assisted manipulation patterns.

Minimum oracle confidence thresholds

Pyth provides a confidence interval alongside each price. C1 Pools require oracle confidence to be within an acceptable band before executing, preventing trades during periods of oracle uncertainty.

Lessons from oracle-priced incidents

The following incidents inform FlowState’s mitigation set. None of them happened on C1 Pools. They are instructive because they show how oracle-priced models can fail and how mitigations evolved in response.
IncidentLossLesson
Mango Markets (Oct 2022)$117MSingle-source oracle, no TWAP, no circuit breakers
GMX (Sep 2022)$565KConcentrated price impact attack, fixed via OI caps
Hyperliquid JELLY (Mar 2025)$12MPrice feed manipulation, fixed via multi-source and circuit breakers
C1 Pools include multi-source aggregation, TWAP smoothing, circuit breakers, rate limits and confidence thresholds from launch. The mitigation playbook is well-developed in the perpetual DEX space (GMX, Hyperliquid, Drift), refined in response to incidents like those above, and FlowState applies the same toolkit. The mitigations are part of the protocol’s core design, not retrofit responses to FlowState-specific incidents.

What this does and does not protect against

Manipulating the on-chain spot price for a few blocks does not move the C1 Pool price because TWAP smoothing and multi-source aggregation reject single-block anomalies.
Rate limits on deposits and withdrawals prevent the typical flash-loan-then-manipulate pattern. Circuit breakers add a second layer.
Where multiple feeds exist, divergence beyond threshold halts execution. Single-source attacks require both oracles to be compromised simultaneously.
If a token’s underlying market is manipulated for a sustained period (long enough to move the TWAP), the oracle price reflects the manipulated market. This is not specific to C1 Pools. It is a property of any oracle-priced system. Token-specific guardrails (configurable per pool) and conservative parameters on thin-liquidity tokens manage this risk.
If Pyth or Chainlink were compromised, C1 Pools using those feeds would be affected. This is the same systemic dependency every oracle-priced protocol carries. Multi-source aggregation reduces this exposure where multiple feeds exist.

Reporting security issues

Security issues should be reported to support@flowstate.exchange with [SECURITY] in the subject line. For lending protocols and high-stakes integrations, dedicated risk model collaboration is available. Contact the team to discuss specific oracle alignment, depth requirements and circuit breaker configurations.