Instadapp Risk Assessment
Overview
Instadapp is a DeFi middleware protocol that aggregates multiple protocols into an upgradeable smart account layer. Users interact through DeFi Smart Accounts (DSAs), which enable complex multi-protocol transactions in a single call, automated strategies, and simplified DeFi management.
The protocol acts as an abstraction layer that makes DeFi more accessible while providing powerful composability for advanced users.
Smart Contract Risk
Contract Architecture:
- DeFi Smart Layer (DSL) middleware aggregates protocols
- DeFi Smart Accounts (DSAs) are user-owned contract wallets
- Connector modules interface with external protocols
- Upgradeable account extensions via governance
Code Quality:
- Audited by PeckShield and samczsun
- Open source contracts on GitHub
- Battle-tested since 2018
- Bug bounty program active
Attack Surface:
- DSAs are non-custodial (users own their accounts)
- Inherits risks from connected protocols
- Not vulnerable to protocol-specific attacks (flash loans, etc.)
- Complex interactions increase surface area
Admin/Governance Risk
Governance Structure:
- INST token for protocol governance
- Compound-style governance module
- Phased rollout prioritizing security
- DSL extensions managed by governance
Upgradeability:
- Account extensions upgradeable via governance
- Core DSA logic stable and audited
- New connectors added through governance
- Users can withdraw from their DSA to its owner address at any time
Trust Assumptions:
- DSAs are fully trustless (user-owned)
- Governance controls extension additions
- Connected protocol risks pass through
- No admin access to user funds
Oracle Risk
Inherited Oracles:
- No native oracle dependency
- Inherits oracle requirements from connected protocols
- Aave, Compound, Maker oracles used indirectly
- Risk varies by strategy used
Economic Risk
Liquidity Risk:
- $2.5B+ managed through DSAs
- Multi-chain deployment
- Liquidity depends on connected protocols
- Aggregation improves capital efficiency
Abstraction Features (2025):
- Network abstraction (unified dashboard)
- Gas abstraction (pay fees in USDC)
- Account abstraction (modular design)
- 2FA security features planned
Operational History:
- Launched 2018
- DSA introduced 2020
- DSL launched 2021
- No major exploits
- Pioneered DeFi account abstraction
Stage Assessment
Stage 1 Criteria Met:
- Governance-controlled upgrades with delay
- DSAs are fully non-custodial
- No admin fund access
- Multiple security audits
- 5+ years operational track record
Why Not Stage 2:
- Governance can add new extensions
- Complex multi-protocol dependencies
- Inherits connected protocol risks
- Some centralization in extension approval
Justification: Instadapp achieves Stage 1 (Limited Trust) status due to its non-custodial DSA design, governance-controlled upgrades, and long operational history. Users maintain full control of their assets through their smart accounts. While governance can add functionality, it cannot access user funds. The primary trust assumptions relate to connected protocols rather than Instadapp itself. The 5+ year track record demonstrates reliability.