Skip to main content

Risks

Every honest yield product carries risk, and Trade Dollar is no exception. This page sets out the main risks and how each one is managed. None of this removes risk.

Counterparty risk. The risk that a counterparty does not perform: the pre-contracted end buyer does not pay for the goods, or a supplier fails to meet its obligations. The vault manages this with the non-credit model: a financing vehicle holds legal title to the physical goods on the vault's behalf, so the goods can be sold to recover capital rather than relying on an unsecured claim. Cargo insurance in excess of cargo value (currently 110%) placed with an A-rated insurer, diversification across goods and regions, and pre-agreed buyers reduce it further. It does not disappear, because recovery still depends on the value of the goods, how fast they can be sold, and the insurance claim. Insurance itself can fail: claims can be disputed, insurers can fail, and cover has defined limits. See Insurance architecture for the failure modes and how they are managed. The receivables variant works the same way but is secured by an assigned receivable, with trade-credit insurance covering buyer non-payment. See The non-credit model: default and recovery.

Fraud and documentation risk. The risk that trade documents are forged, goods are pledged to more than one lender, or inventory does not match its paperwork. This is the historic failure mode of commodity trade finance, and it deserves to be named. It is managed structurally: verified identities on the Salus layer, independent inspection and grading, approved storage under custody agreements, and DWRs that make each document's record tamper-evident. A hash proves a document has not changed; inspection and custody are what tie it to real goods. This risk is reduced, not removed.

Commodity price risk. The risk that the market value of the goods falls while capital is deployed. Two controls hold against it. First, the haircut: the vault advances less than the goods are worth, and the structure is currently sized so the financed amount holds against a price fall of about 45% over a deal's tenor. Second, monitoring is active, not passive: a margin-call mechanism can require more collateral or partial repayment if the effective loan-to-value breaches its thresholds, and an uncured margin call becomes an event of default handled through the recovery path. These are design parameters, not guarantees: a severe enough fall can still reduce what is recovered in a default. Live parameters are shown per vault; see Contract addresses and parameters.

Smart contract risk. The risk of a bug or exploit in the vault code. The contracts follow the ERC-4626 and ERC-7540 standards, are set for an independent third-party smart-contract audit before mainnet, and use a time delay on critical changes. No smart contract is ever fully safe.

Stablecoin risk. The deposit asset and the liquid buffer are major stablecoins, USDT or USDC. A stablecoin can trade away from its peg, its issuer can fail, or issuer controls can freeze balances. The exposure sits mainly on idle balances: the buffer and capital waiting in the queue. Deployed capital is in goods or receivables rather than in a stablecoin. The vault accepts only major stablecoins and does not use a bespoke issuer.

Liquidity and redemption risk. The risk that you cannot withdraw exactly when you want. This is built into real-world asset timelines. The vault holds a liquid buffer, runs a first-in, first-out queue, and manages deal maturities so capital recycles regularly, but a full withdrawal can still take 30 to 90 days, or longer under stress.

Valuation (NAV) risk. The risk that the vault is valued incorrectly. Each NAV update is checked by hand against the settlement records rather than produced automatically, and gains are only recognized once they are realized. A stepwise NAV also creates timing considerations: what an entry or exit is priced at, just before or after an update, matters. Withdrawals price at the NAV on fulfillment; the deposit-side pricing rules are part of the vault parameters, published before launch.

Concentration at launch. The first vault launches concentrated, and deliberately so: deals are sourced through a single originator, Salus, the initial book is Rwandan metals (tin, tantalum, and niobium), and the vault starts with a single Curator. Salus also runs physical custody and monitoring, issues the Digital Warehouse Receipts, and acts as the primary recovery agent, so several operational roles sit with one partner; the counterweights are set out on Curator, Risk Committee, and who can change what. Concentration is therefore higher at launch than in the diversified end-state described on the Roadmap: more originators, more products, more corridors. Deal-level concentration limits are set by the Risk Committee and tighten as the book grows. [The limits are published with the vault parameters.]

Key-person risk. Trade Dollar is run by a small, early-stage team, which creates dependency on specific people. The structure reduces the single-point weight: vault actions run through multisigs rather than one keyholder, the risk framework and operating processes are written rather than held in heads, roles are separated across the Curator, the platform administrator, and Salus, and fallback recovery agents stand behind the primary. The dependency is reduced, not eliminated.

Regulatory risk. The risk that the rules change, or that existing rules are applied differently. The specific forms matter more than the general one: a regulator could deem the vault share token a security, or the platform a money-services or money-transmitter business, in one or more jurisdictions. The consequences could include restricted access in affected jurisdictions, limits on transfers, changes to compliance requirements, or, at the far end, an orderly exit from a market. The vault's posture is restrictive by default: a verified whitelist, access not open everywhere, and no offer where it is not permitted. See Legal: what you hold.

Infrastructure risk. The risk tied to the underlying blockchain. The vault runs on Ethereum, the most tested and widely used smart contract network, and uses established standards.

Tail risks. Low-likelihood, high-impact events sit behind the categories above: a geopolitical shock such as war, an embargo, or sanctions touching a commodity or a trade route; a sourcing country defaulting or imposing currency controls so proceeds cannot be repatriated; a port seizure, customs hold, or route closure; or the failure of an FX or price hedge. These are managed through the same structure as everything else, short tenors, pre-contracted buyers, insurance, and the concentration limits, but they cannot be engineered away. Stablecoin issuer failure, the remaining tail, is covered under stablecoin risk above.

For what happens in a default, see The non-credit model: default and recovery. For audits and code security, see Security and audits.