There are different types of risks that users should consider.
Firstly, there is smart contract risk, although Automation has been audited with no issues found.
Automation is made with a safety first approach and there are number of limitations in place for security reasons. These include:
- Automation is non-custodial and trustless, you never give up ownership of your CDP and our contracts never hold or pool any user funds
- Automation never has access to your end account (e.g. your MetMask or Ledger account) and cannot use any funds from it
- By enabling Automation you provide automation contracts with the privileges to apply Boost and Repay (and only those two) for your position (a specific MakerDAO CDP, or a Compound/Aave portfolio)
- When enabled Automation is fully limited by your configuration - it cannot trigger a Boost if your ratio is below your configured max ratio (boost if above ratio) and it cannot trigger a Repay if your ratio is below your configured min ratio (repay if below ratio) - such attempts would result in failed transactions
- Boost will only execute successfully if it results in increased amount of collateral in your position and Repay will only execute successfully if it results in reduced debt and decreased ratio of your position
- Automation is also limited in how much it can charge for the transaction fee and that amount can never be greater than 20% of the Boost/Repay amount
- All mentioned limitations are hard coded at the smart contract level
- For anyone Solidity inclined, all contracts are open source at https://github.com/DecenterApps/defisaver-contracts
- Finally, another point worth noting is that Automation has been online since September 2019 (with a number of improvements in the meantime) with no security issues either noticed or exploited
Secondly, there is technical risk, where network conditions or other issues may prevent automated-adjustments from being made in a timely manner.
Lastly, there is economic risk, which would ultimately be caused by the market moving against the user’s position, but should be considered in either case.