How Does Lulo Work?
Lulo is a yield aggregator on Solana that automatically moves your stablecoin deposits to whichever lending protocol is paying the highest interest rate. Think of it as a smart savings account that shops around for the best rate across Kamino, Drift, Save, and MarginFi — currently offering up to 7.65% APY on USDC.
TVL
$90M
Sector
Yield
Risk Grade
B
Value Grade
D-
Core Mechanisms
Yield/Aggregator
Automated yield optimization routing deposits to highest-rate Solana lending protocols
Lulo automatically migrates deposits to the lending pool offering the best yield across Kamino, Drift, Save, and MarginFi. Standard yield aggregator pattern, not novel.
Risk/User-Configurable
NovelPersonalized risk settings allowing users to restrict which underlying protocols receive deposits
Users can customize their risk profile by choosing which underlying protocols their deposits can be routed to. This is a useful differentiator among yield aggregators.
Custody/Non-Custodial
Smart contract-based routing with no custody — funds are deposited directly into underlying protocols
Lulo never holds custody of user funds. Smart contracts route deposits directly to underlying lending protocols. This reduces Lulo-specific smart contract risk but doesn't eliminate underlying protocol risk.
Yield/Compounding
Real-time fee-free auto-compounding of lending yields
Yields are auto-compounded without fees. Current top rates around 7.65% APY on stablecoin deposits. Supports USDC, USDT, SOL, and other major Solana assets.
How the Pieces Interact
Lulo deposits are routed to third-party protocols. A smart contract exploit in any underlying protocol (Kamino, Drift, Save, MarginFi) directly impacts Lulo depositors. This is the primary risk vector.
If an underlying protocol's yield is temporarily manipulated (e.g., via flash loan), Lulo's optimizer could route large deposits into a manipulated pool before rates normalize.
Certora audit found critical issues with oracle update failures. If price oracles feeding lending protocols return stale data, Lulo's routing decisions could be based on incorrect yield calculations.
Users who don't customize risk settings may have deposits routed to the riskiest underlying protocol. Default settings should be conservative, but user education is critical.
What Could Go Wrong
- Aggregator risk: Lulo routes deposits to third-party protocols (Kamino, Drift, Save, MarginFi) — an exploit in any of them causes losses for Lulo depositors
- Certora audit (Jan 2025) found critical vulnerabilities including oracle update failures and withdrawal manipulation
- No native token limits governance and community alignment — protocol direction is fully centralized to the team
Underlying Protocol Exploit via Lulo Routing
TailTrigger: A smart contract exploit in Kamino, Drift, or MarginFi drains funds that were routed there by Lulo's optimizer
- 1.Smart contract exploit hits one of Lulo's underlying protocols — Funds routed to that protocol by Lulo are drained or frozen
- 2.Lulo depositors discover their funds were in the exploited protocol — Mass withdrawal attempts from all Lulo pools
- 3.Remaining underlying protocols face liquidity stress from Lulo outflows — Yields collapse across the Solana lending ecosystem
- 4.Trust in yield aggregator model is damaged — Lulo TVL drops 70%+ as users prefer direct deposits to trusted protocols
Risk Profile at a Glance
Overall: B (25/100)
Lower score = safer