
A Transparent View of How YO Keeps Your Funds Safe
When you deposit into YO, you're placing trust in the protocol to earn you yield and keep your funds protected while doing it. Transparency is a core principle for YO, as you should never have to wonder what happens to your assets once they leave your wallet.
This post will walk you through exactly how your funds move through YO (from the moment you deposit to the moment you withdraw) and the architecture we've built to make sure they're protected at every step.
The simplest way to understand YO's security model is this: your funds are held in the vault, and they never leave it. Every mechanism described below exists to enforce and verify that guarantee.
Funds Flow
The funds flow shows how your assets move at every stage, from initial deposit to strategy deployment, all the way to withdrawal. Each stage has built-in safeguards, whether it's a verified price feed, a hard cap on what the protocol can do with your assets, or a structured process for paying you out. Let's walk through each one.
Deposit Flow
The deposit flow begins when you submit your assets to YO. Every deposit passes through the YoGateway, the single entry point for all YO vaults. The YoGateway verifies that the vault you're depositing into is a registered YO vault before processing anything. If it isn't on the list, the transaction fails.
Once your deposit reaches the vault, you receive yoTokens in return. These tokens represent your share of the vault; they're how YO tracks what you're owed. Before minting your yoTokens, the vault reads the current share price exclusively from YoOracle. YoOracle uses an anchor price validation system: it maintains a rolling price window, and any update that deviates too far from that anchor is automatically rejected. This prevents anyone from manipulating the price at the moment of your deposit to give you fewer shares than you're owed.
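The anchor check described above can be modelled off-chain in a few lines. This is an added example, not YoOracle's code: the window size, the 100 bps tolerance, the use of the window median as the anchor, and the fixed-point scale are all assumptions, since the post states none of them.

```python
from collections import deque
from statistics import median_low

SHARE_SCALE = 10**6  # assumed fixed-point scale: price = assets per share * 1e6


class AnchoredOracle:
    """Off-chain model of anchor price validation; not YoOracle's code."""

    def __init__(self, initial_price, window=5, max_dev_bps=100):
        # window and max_dev_bps are assumed; the post states neither value.
        if initial_price <= 0:
            raise ValueError("initial price must be positive")
        self.prices = deque([initial_price], maxlen=window)
        self.max_dev_bps = max_dev_bps

    @property
    def anchor(self):
        # Assumption: the anchor is the (lower) median of the rolling window.
        return median_low(self.prices)

    def update(self, price):
        """Accept a price into the window, or reject it and change nothing."""
        if price <= 0:
            return False
        anchor = self.anchor
        # Integer comparison of |price - anchor| / anchor against the tolerance.
        if abs(price - anchor) * 10_000 > self.max_dev_bps * anchor:
            return False  # a rejected update never shifts the anchor
        self.prices.append(price)
        return True

    def shares_for(self, assets):
        # Shares are minted at the last accepted price, rounded down.
        return assets * SHARE_SCALE // self.prices[-1]


def demo():
    # Constructed feed: a 30% upward spike arrives just before a deposit.
    oracle = AnchoredOracle(1_000_000)
    accepted = [oracle.update(p) for p in (1_002_000, 1_004_000, 1_300_000, 1_005_000)]
    return accepted, oracle.anchor, oracle.shares_for(1_000_000_000)
```

In the constructed feed the spike is rejected, so the deposit is priced at the last accepted value rather than the inflated one.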
Redemption Flow
The redemption flow is the stage where you request your assets back. Before processing any withdrawal, the vault calculates available liquid balance against total pending redemptions, ensuring it always has an accurate picture of what it can pay out immediately.
Withdrawals are instant up to the 5% idle buffer the vault holds at all times. Your shares are burned and your assets are sent immediately from idle reserves. For requests beyond the idle buffer, the vault automatically unwinds yield positions to free up liquidity — typically completing within hours. All queued requests are fulfilled within 24 hours. Your redemption rate is fixed at the moment you make the request, and requests are fulfilled in first-in, first-out order.
For a deeper look at the withdrawal process, see our How YO Solves Vault Withdrawals post.

Strategy Deployment
Once your funds are in the vault, YO's Operator deploys them across lending markets, staking protocols, and other yield strategies to earn the best available risk-adjusted return following YO's built-in optimization algorithm. This is the stage where most of the protocol's security design is concentrated, because this is where funds are put to work.
How the vault interacts with external protocols
The vault does not call external protocols directly. Instead, every interaction goes through purpose-built contracts called adapters, one per protocol. There is a YoMorphoAdapter for Morpho, a YoLidoAdapter for Lido, and so on, plus a YoSwapAdapter for token swaps. The designated Operator role can only call these adapters. It cannot make arbitrary calls to any other contract.
This design matters for two reasons.
The first is scope. Each adapter is built to do exactly one protocol's job, nothing more. The YoMorphoAdapter can supply assets to a Morpho lending market and withdraw them. It has no function to borrow against those assets. The YoLidoAdapter can stake ETH and unstake it. That's it. The narrower the scope of what an adapter can do, the more predictable the protocol's behavior — and the smaller the surface area for anything to go wrong.
The second is the destination. Every adapter is immutable (it cannot be upgraded or modified after deployment) and every adapter hardcodes where funds go. When assets move to a protocol, they go from the vault to that protocol. When they come back, they return to the vault. The adapter enforces this structurally onchain. There is no configuration, no parameter, and no action the Operator can take that can redirect funds anywhere else. Your assets cannot leave the protocol ecosystem.
How token approvals work
To interact with external protocols, the vault sometimes needs to grant those protocols permission to pull tokens. This is a standard requirement of how the EVM works. Without a token approval, a protocol cannot access funds even if you intend it to.
YO handles this through a dedicated function called approveToken, which is gated by the YoApprovalRegistry. Before any approval can be set, the registry must already contain an entry for that specific combination of vault, token, and protocol, along with a maximum amount. The Operator cannot grant an approval to any address that isn't pre-registered, and cannot set an allowance above the registered cap. This turns a necessary mechanism for ERC20 tokens into a hard constraint: the vault can only authorize pre-approved protocols, up to pre-defined limits, and nothing else.
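Anyone monitoring the vault can check observed approvals against the same rule. The following is an added example, not the YoApprovalRegistry contract: it models the registry as a mapping from (vault, token, spender) to a cap and replays a constructed list of approvals, with symbolic names standing in for contract addresses.

```python
UNLIMITED = 2**256 - 1  # the "infinite approval" value of an ERC-20 allowance


def _key(vault, token, spender):
    # Addresses compare case-insensitively (checksummed vs lowercase hex).
    return (vault.lower(), token.lower(), spender.lower())


def build_registry(entries):
    """entries: iterable of (vault, token, spender, max_amount)."""
    return {_key(v, t, s): cap for v, t, s, cap in entries}


def check_approval(registry, vault, token, spender, amount):
    """Return None if the approval is allowed, else the reason to reject it."""
    cap = registry.get(_key(vault, token, spender))
    if cap is None:
        return "no registry entry for this vault/token/spender"
    if amount > cap:
        if amount == UNLIMITED:
            return f"unlimited allowance exceeds registered cap {cap}"
        return f"amount {amount} exceeds registered cap {cap}"
    return None  # includes amount == 0, i.e. revoking an allowance


def audit(registry, approvals):
    """Replay observed approvals; return (index, reason) for each violation."""
    findings = []
    for i, (vault, token, spender, amount) in enumerate(approvals):
        reason = check_approval(registry, vault, token, spender, amount)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed data: symbolic names stand in for contract addresses.
REGISTRY = build_registry([("VaultUSD", "USDC", "MorphoMarket", 5_000_000)])
OBSERVED = [
    ("VaultUSD", "USDC", "MorphoMarket", 5_000_000),  # at the cap: allowed
    ("vaultusd", "usdc", "morphomarket", 0),          # revocation: allowed
    ("VaultUSD", "USDC", "MorphoMarket", 5_000_001),  # one unit over the cap
    ("VaultUSD", "USDC", "MorphoMarket", UNLIMITED),  # infinite approval
    ("VaultUSD", "USDC", "UnknownRouter", 1),         # spender never registered
    ("VaultUSD", "WETH", "MorphoMarket", 1),          # token not registered
]
```

Calling `audit(REGISTRY, OBSERVED)` flags the last four entries and passes the first two.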
Cross-chain transactions
When assets need to move across blockchains, the vault contract itself initiates every bridge transaction. Funds travel from vault to bridge to vault on the destination chain. Each cross-chain transaction is capped at $500k, limiting how much can move in any single operation.
The automated co-signer gate
Every transaction the Operator submits passes through an automated co-signer gate before it can execute. The gate runs three checks in sequence:
- Transaction Simulation: The proposed transaction is replayed against the current state of the blockchain. The actual outcome must match the expected outcome exactly. Any deviation triggers an automatic rejection before the transaction reaches the human signer.
- Price Impact and Slippage: For any trade or liquidity operation, expected price impact and slippage are calculated. If either exceeds the configured tolerance, the transaction is automatically rejected.
- Malicious Outcome Detection: The gate screens for anomalous asset flows, unauthorized recipients, or behavior inconsistent with the transaction's stated purpose. Any flag triggers an automatic rejection.
Only transactions that pass all three checks reach the human signer for final approval.
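The sequence of checks can be sketched as a single function. This is an added example, not YO's co-signer: the data shapes, the 50 bps tolerance and the address names are assumptions, and price impact is left out so that only simulation matching, slippage and recipient screening are modelled.

```python
def _nonzero(deltas):
    # Ignore zero entries so {"A": 0} and {} compare equal.
    return {addr: d for addr, d in deltas.items() if d != 0}


def cosigner_gate(expected, simulated, allowed, quoted_out=0, actual_out=0,
                  max_slippage_bps=50):
    """Run the three checks in order; return (approved, reason).

    expected / simulated: address -> token balance change (hypothetical shape).
    allowed: addresses permitted to receive funds (vault, registered protocols).
    """
    # 1. Transaction simulation: replayed outcome must equal the expected one.
    if _nonzero(simulated) != _nonzero(expected):
        return False, "simulation mismatch"
    # 2. Slippage: shortfall against the quote, compared in basis points.
    if quoted_out > 0:
        shortfall = quoted_out - actual_out
        if shortfall * 10_000 > max_slippage_bps * quoted_out:
            return False, "slippage over tolerance"
    # 3. Malicious outcome: every address gaining funds must be allow-listed,
    #    even when the simulation matched what the Operator said to expect.
    outsiders = sorted(a for a, d in simulated.items() if d > 0 and a not in allowed)
    if outsiders:
        return False, "unauthorized recipient: " + ", ".join(outsiders)
    return True, "forward to human signer"


# Constructed inputs: symbolic names, not real addresses.
ALLOWED = {"Vault", "MorphoMarket"}
SUPPLY = {"Vault": -1_000, "MorphoMarket": 1_000}
SKIMMED = {"Vault": -1_000, "MorphoMarket": 990, "FeeSink": 10}
DIVERTED = {"Vault": -1_000, "Outsider": 1_000}
```

The third check matters because a transaction whose stated expectation already names an outside recipient, as in `DIVERTED`, passes the simulation check.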
Authorization Flow
YO's authorization flow is the blueprint for how transactions are reviewed, approved, and executed. Every action taken on behalf of the vault passes through multiple checkpoints before it can go through, and the system is designed so that no single point of failure can compromise user funds.
At the foundation is RolesAuthority, the on-chain access control contract that defines exactly what the Operator is and is not permitted to call. The Operator's permissions are limited to the registered adapters and the approveToken function. No address in the system can transfer funds out of the vault directly. This is enforced on-chain on every chain YO operates on.
Above the Operator sits the Admin Multisig, a 4-of-6 multisig operated by senior YO staff. The Admin Multisig governs upgrades, whitelist changes, and approval registry updates. Key actions like upgrades are subject to a 48-hour timelock, meaning no change can go live until 48 hours after it has been queued. Every upgrade is audited in advance. The Admin Multisig's signers are geographically distributed across jurisdictions, reducing the risk of coordinated compromise.

Additional Security Measures
Beyond the protections built into each stage of the funds flow and authorization flow, YO applies hard allocation caps across every yield source, protocol, and risk tier. No single strategy or protocol can hold more than its capped share of the vault, enforcing diversification and ensuring that a failure in any one place is bounded in its impact. These caps are also central to how YO optimizes for risk-adjusted yield.
YO has undergone multiple independent security audits with firms including Zellic, Spearbit, Offbeat, and Aether Labs. All audit reports are publicly available at docs.yo.xyz/protocol/security-audits.
Secure By Design
Security isn't a feature added at the end — it's designed into every layer of the protocol from the start.
Funds are held in the vault and can only move through pre-approved adapters to pre-approved protocols. Adapters are immutable and narrowly scoped: they do exactly what they're built to do, and nothing else. Token approvals are registry-gated and capped. Every Operator transaction passes automated checks before a human signer approves it. Upgrades require multi-party governance, a 48-hour timelock, and a veto layer backed by cold wallets.
The result is a system where the guarantees aren't promises: they're enforced onchain.
For the full list of deployed contract addresses, visit docs.yo.xyz/protocol/contracts.