This research was spearheaded by @Lavi_54 and @dabar_90.
Useful links:
ApeFinance Docs
ApeCoin DAO forum (AIP-83)
Ape Finance APE Oracle
Ape Finance Timelock (Timelock7days, Timelock4h, and Timelock3h)
Ape Finance Developer Fund Multisig
Amount of APE collateral deposited: apeApe Token (ApeERC20Delegator)
Amount ApeUSD available to borrow: apeApeUSD Token (ApeErc20Delegator)
Curve Metapool: apeUSDFRAXBP (pool transaction/rebalances here)
Ape Finance Github
Ape Finance Snapshot
ApeFi Twitter
ApeFi NFT Twitter
Coingecko APEFI
Coingecko ApeUSD
Abstract
Ape Finance is a stablecoin lending protocol. It enables ApeCoin ($APE) token holders to deposit APE as collateral and borrow $ApeUSD against it. $ApeUSD is soft-pegged to the US-Dollar. Ape Finance aims to bring DeFi to the BAYC community and unlock capital efficiency, new yield farming opportunities, and other use cases for APE holders. The protocol applies Automated Market Operations (AMO) via a Curve metapool to ensure liquidity and peg stability.
A quick TL;DR of our findings:
Ape.fi was created by anonymous developers to enable additional utility for ApeCoin ($APE). ApeCoin is the native ERC-20 token of the ApeCoin DAO. The token was airdropped to BAYC and MAYC NFT holders.
In May 2022, Ape.fi introduced $ApeUSD, a stablecoin soft-pegged to the US-Dollar, that can only be borrowed against ApeCoin. $ApeUSD is also available via a Curve metapool.
Ape Finance limits the total supply of $ApeUSD (currently 15M) and uses the majority share - that is not borrowed - to provide liquidity to their Curve metapool apeUSD/FRAXBP. They apply a concept similar to Curve AMOs (Automated Market Operations) pioneered by Frax. So effectively the majority of ApeUSD’s circulating supply is not backed by APE, but deposited into the metapool by Ape Finance.
The key “trick” behind $ApeUSD’s stability is to maintain the balance inside the metapool, by adding and removing $ApeUSD when an imbalance occurs. The gated access to $ApeUSD via the lending protocol and its limited supply prevent extreme imbalances. For an outsized inflow of $ApeUSD into the pool, it's necessary to borrow $ApeUSD from Ape Finance (which they can control via parameter setting and supply available for borrowing). An outsized inflow of counterparty assets (FRAX or USDC) can also be countered by minting and adding more ApeUSD.
The protocol also issued its own native token $APEFI, which is used to reward liquidity providers. Other than that, $APEFI only functions as a currency to buy Ape.fi NFTs. Those NFTs are intended to serve as governance tokens. However, as of today, there are no governance processes in place. While in the process of shifting to decentralized governance, the anon team still has full control over the protocol. Furthermore, 97% of $APEFI’s total supply sits in a multi-sig controlled by the same group.
Ape Finance applies a “Protocol-Owned-Farming” strategy. They own most of the Curve metapool and stake those LP tokens to earn liquidity incentives. The protocol is rewarded chiefly by accumulating CRV, CVX, and FXS. Some of the rewards are vote-locked in order to further incentivize the metapool.
Ape Finance has not been audited. The smart contracts are mostly forks of Compound, Cream, and Fixed Forex (by Iron Bank). There seems to be no community activity or governance process that would allow anyone outside the team to influence the protocol on any level.
Ape Finance - Introduction
A short retrospect
In April 2021, Yuga Labs released a series of 10-thousand NFTs called the Bored Ape Yacht Club (BAYC). The NFT collection became extremely popular very quickly. Many celebrities started to buy them. Soon bored apes would sell for as high as $3M for one piece. Building upon this success, Yuga Labs released their second NFT collection, the Mutant Ape Yacht Club (MAYC). And in March 2022, the ApeCoin DAO issued its native token ApeCoin ($APE).
15% or 150M of the newly created $APE tokens were airdropped to BAYC and MAYC holders. The token is meant to serve as the governance and utility token of the ApeDAO ecosystem.
Ape Finance Lending Platform
Ape Finance (Ape.fi) is a stablecoin lending protocol created by a group of anonymous developers active in ApeCoin DAO, to which they applied for a $250k grant. The goal of Ape.fi is to unlock capital efficiency for APE holders, by offering them the option to borrow a stablecoin (ApeUSD) against their APE tokens, and earn a yield on the borrowed funds.
On a technical level, Ape.fi is mostly a fork of Compound with some elements of Fixed Forex (code written by Andre Cronje). Ape Finance currently only supports one lending pool ($APE) and one borrowing counterpart ($ApeUSD). Unlike Compound’s cTokens (the IOU token that users receive when lending tokens), Ape.fi issues $apeAPE tokens that don’t accrue any interest but only serve as a receipt for the deposited collateral.
$APEFI and ApeFi NFTs
Ape Finance also issued its own ERC-20 token called $APEFI. The token is supposed to further incentivize contributions to the protocol and function as a reward token for liquidity providers. Furthermore, $APEFI serves as the only currency for buying ApeFi NFTs according to their docs. These NFTs are then used for governance (1 NFT = 1 vote). In other words, users have to decide whether they want to keep the financial reward or participate in governance.
There are, however, some inconsistencies with regard to those plans. At first, the plan was to airdrop 5% of the token to all participants of the AIP-83 Snapshot vote, which would get Ape.fi the grant from ApeCoin DAO. This was also described in a blog post, where the distribution of $APEFI was further detailed (5% initial bootstrap, 5% airdrop, 25% contributors, 65% community/treasury).
(source: Twitter)
However, ApeCoin DAO never created the Snapshot vote for the grant that Ape.Fi asked for. According to the Ape.Fi team, several attempts to submit the grant to a vote were ignored. Hence, the team plans to pivot from the ApeCoin ecosystem and aims to enable additional assets to collateralize ApeUSD.
Essentially, the token distribution as described above never took place. At the time of writing this article, 97.25% of all $APEFI tokens still sit in the initial contract, which is controlled by the team. And ~2% are in a Uniswap V2 pool.
The failed grant petition notwithstanding, the team received initial capital from machibigbrother.eth and from an FTX address in mid-May. Machibigbrother.eth is one of the largest BAYC holders, and also a controversial figure, having been involved with numerous failed crypto projects.
In total, their developer fund received $150k in USDC and 56,250 $APE tokens (worth ~$452k at that time). These funds were used to bootstrap the initial liquidity on Curve and Uniswap:
First by buying and deploying $100k FRAX with the USDC, and minting and deploying $200k ApeUSD with the APE tokens (txn).
Secondly by deploying $50k ApeUSD (swapped using the remaining 50k USDC) and 8.25M APEFI into a Uniswap V2 pool (txn 1 & txn 2).
Ape.Fi governance has not yet realized its stated roadmap. Contrary to statements in the docs, voting is actually done with $APEFI tokens, not with ApeFi NFTs. The team emphasized that the NFT launch and voting will come in December 2022. As yet, Ape.fi’s Snapshot page has only been used for a few meta-governance votes from ApeCoin DAO.
$ApeUSD
$ApeUSD is a stablecoin soft-pegged to the US-Dollar. It can either be borrowed by collateralizing ApeCoin ($APE) or traded on Curve against USDC or FRAX. The team is working on enabling two more assets to be used as collateral.
The first mechanism for maintaining $ApeUSD’s peg is over-collateralized borrowing through the lending protocol. The Loan-to-Value (LTV) is currently set to 60%. The second stability mechanism - also enabling arbitrage - is the ApeUSD/FRAXBP Curve metapool. Ape Finance has complete control over the supply of $ApeUSD. They do this by adjusting the total amount of $ApeUSD available for borrowing through their platform (see image below) and by balancing the amount of $ApeUSD in apeUSDFRAXBP metapool.
(source: Ape.fi)
The max supply of $ApeUSD is currently set to 15M. This can change though. At the beginning of November 2022, the supply was at 20M. The team can decide to increase/decrease the supply with a 1-day timelock.
Only 93 addresses currently hold $ApeUSD, whereby the Curve pool and ApeErc20Delegator (smart contract containing the borrowable tokens) account for 99.87% of the total supply.
Minting $ApeUSD
$ApeUSD is minted through the function _mintBorrow. Very little interaction with the protocol is required. To mint $ApeUSD, users only have to select the amount of $APE they deposit as collateral, and define the borrowed amount. After allowing the deposit, the actual depositing and borrowing can be done in one click.
Ape Finance simplifies the lending and borrowing process by batching all steps into one transaction (deposit APE – mint apeAPE – borrow ApeUSD), shown below. The first image shows the flow of a transaction on Etherscan, and the second is a screenshot of the _mintBorrow function from the ApeTokenHelper smart contract.
(source: Etherscan)
(source: ApeTokenHelper.sol)
(source: ApeUSD.sol)
The image above displays the G (modifier), which allows the gov-account to mint $ApeUSD. This can only be set by Ape Finance multi-sig with a 1-day delay. The contract is a fork of Iron Bank’s fixed forex contract (for more info check the Fixed Forex Risk Assessment).
Protocol-owned Liquidity
Ape Finance applies a strategy to use the non-borrowed $ApeUSD actively. They base this off Frax’s Curve AMOs, whereby unbacked $ApeUSD are deployed into Curve. The team's justification for this strategy is that the counterpart assets inside the pool (USDC and FRAX) function as indirect backing.
This is partially true. The protocol has full control over the $ApeUSD supply and its balance against crvFRAX inside the liquidity pool. To achieve this, they use the StabilizerV3 contract, which is controlled by the team’s multi-sig. The image below shows that the most called function of the stabilizer is for depositing $ApeUSD into the pool.
(Source: Tenderly)
The team regularly rebalances the amount of $ApeUSD in the pool. Since they also control the amount of $ApeUSD that can be borrowed, nobody can suddenly mint a large amount of $ApeUSD by surprise. Essentially, Ape Finance fully owns at least 50% of the factory metapool (i.e. the $ApeUSD part), hence the comparison to Frax’s AMO strategy. However, in the case of Frax, the protocol owns the counterparty assets in its Curve AMO pool. The collateral ratio (CR) of FRAX is usually between 85% and 92%. Ape.fi on the other hand, only owns ~$1M in counterparty assets (FRAX & USDC).
A minority of $ApeUSD is actually borrowed by users and thus over-collateralized with APE. At the time of writing this report, ~275k $APE tokens were deposited into the protocol, worth roughly ~$1.1M USD. Given the current LTV of 60%, a maximum of ~660k $ApeUSD could be borrowed. However, the Curve pool holds over 2.87M $ApeUSD. The majority of the tokens were deposited into Curve by Ape Finance, using the tactic described above.
Ape.fi does not provide any insights into the CR. However, it can be monitored by looking at their TVL on DeFi Llama (~$4M) and comparing the circulating $apeUSD supply with the actual backing ($APE) and the counterparty assets in the pool that is owned by the protocol’s stabilizer contract.
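The collateral-ratio check described above, as an added example that is not Ape Finance's code. The Snapshot fields, the ratio formula (APE collateral plus protocol-owned counterparty assets, divided by circulating ApeUSD) and the use of the Curve pool's ApeUSD balance as a lower bound for circulating supply are assumptions made for illustration; the input figures are the approximate ones quoted in this report.

```python
# Added example (not Ape Finance code): backing check for circulating ApeUSD.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Snapshot:
    ape_deposited: float              # APE held as collateral in the lending market
    ape_price_usd: float              # APE/USD price
    ltv: float                        # max borrow as a fraction of collateral value
    apeusd_circulating: float         # ApeUSD outside the lending contract
    protocol_counterparty_usd: float  # FRAX/USDC in the pool owned by the stabilizer


def backing_report(s: Snapshot) -> dict:
    """Split circulating ApeUSD into user-borrowable and protocol-minted parts."""
    if s.apeusd_circulating <= 0:
        raise ValueError("circulating supply must be positive")
    collateral_usd = s.ape_deposited * s.ape_price_usd
    # Upper bound on the ApeUSD users can have borrowed against their APE.
    max_user_borrow = collateral_usd * s.ltv
    # Supply above that bound cannot come from user loans, so the protocol minted it.
    min_amo_minted = max(0.0, s.apeusd_circulating - max_user_borrow)
    backing_usd = collateral_usd + s.protocol_counterparty_usd
    return {
        "collateral_usd": collateral_usd,
        "max_user_borrow": max_user_borrow,
        "min_amo_minted": min_amo_minted,
        "min_amo_share": min_amo_minted / s.apeusd_circulating,
        "collateral_ratio": backing_usd / s.apeusd_circulating,
    }


def stress(s: Snapshot, price_shocks) -> dict:
    """Collateral ratio after each fractional APE price move (-0.5 means minus 50%)."""
    ratios = {}
    for shock in price_shocks:
        if shock < -1.0:
            raise ValueError("a price cannot fall by more than 100%")
        shocked = replace(s, ape_price_usd=s.ape_price_usd * (1.0 + shock))
        ratios[shock] = backing_report(shocked)["collateral_ratio"]
    return ratios


# Approximate figures from this report: ~275k APE worth ~$1.1M (so ~$4 per APE),
# LTV 60%, 2.87M ApeUSD in the Curve pool, ~$1M protocol-owned counterparty assets.
REPORT_SNAPSHOT = Snapshot(
    ape_deposited=275_000,
    ape_price_usd=4.0,
    ltv=0.60,
    apeusd_circulating=2_870_000,
    protocol_counterparty_usd=1_000_000,
)

if __name__ == "__main__":
    for key, value in backing_report(REPORT_SNAPSHOT).items():
        print(f"{key:>18}: {value:,.4f}")
    for shock, ratio in stress(REPORT_SNAPSHOT, [-0.25, -0.5, -1.0]).items():
        print(f"APE {shock:+.0%}: collateral ratio {ratio:.3f}")
```

With these inputs the ratio stays below 1 even before any price shock, and the counterparty assets alone set its floor if APE goes to zero.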
[Side note: The largest depositor of $APE is this address. It’s not clear whether the address is somehow related to Ape Finance. However, it regularly interacts with the protocol.]
Protocol-owned Farming
To sum it up, most $ApeUSD in the Curve pool was deposited by Ape.Fi. The protocol takes the minted but unused $ApeUSD that sits in its smart contracts and deploys it into the Curve pool. This AMO-like strategy allows them to earn CRV, CVX, and FXS incentives (they call it protocol-owned farming). Almost all liquidity inside the Curve pool is currently staked on Convex. And roughly half of it is also staked on Frax. The farmed tokens are regularly claimed by their developer fund, swapped for CVX, and re-locked to Convex for vlCVX (see history).
With the current yield (image below) and at the current $9.4M as base TVL, they can earn roughly $780k in CRV and CVX per year. If the staked LPs on Frax were also owned by Ape.Fi, it would be an additional ~$330k. However, we don’t know that for sure.
(source: Convex)
Unfortunately for Curve, the token isn’t drawing much trading volume. Most days there is no activity at all. The image below displays the pool's trading volume. There is only sporadic trading, mostly caused by rebalancing activities.
(Source: Dex.guru)
Risk Vectors
Some of the risks are highlighted below.
Smart Contract Risk
Ape Finance has not been audited by any third party. On their Github profile, Ape.fi published an audit that was performed on Cream Finance by Trail of Bits (Cream also uses the same smart contracts). However, CREAM is notorious for having suffered a few exploits in the past.
The team also refers to a formal verification process provided by Certora Proven. Unfortunately, the repositories they linked mostly refer to Compound’s cTokens (which Ape.fi doesn’t use) and some links are many months older than Ape Finance itself. Thus, it’s doubtful that the verification process was actually performed.
All smart contracts used by Ape Finance, including those that contain the user funds, are essentially forks of Compound, Fixed Forex, or Cream. Some of these platforms have experienced at least one exploit. There is no active bug bounty program. Moreover, there is no fallback or emergency mechanism in case something goes wrong.
When providing feedback to this article, the team highlighted that their first audit is currently underway.
Custody Risk
All changes over Ape.fi and its protocol-owned liquidity are controlled by a 2-of-4 multi-sig wallet (signer 1, signer 2, signer 3, signer 4). Ape Finance could implement changes that can pose a danger to user funds. Some examples of what can be changed:
It can alter collateral factors, fees, or the interest rate
It can change the oracle implementation affecting the price
It can alter the smart contracts and add maliciously-crafted elements
It can adjust the available amount of $ApeUSD, impacting the utilization rate
The Ape Finance team and the multi-sig owners are not doxxed. One signer (apeficaesar) is an active ApeDAO community member, while the other three signers are just EOAs with no activity. In the discussion on the ApeCoin governance forum, concerns were raised by other community members regarding the anonymity of the team.
Oracle Risks
Ape Finance uses Chainlink as the price-feed provider for $APE. The token price is updated every time Chainlink posts a new price on-chain. Relying on off-chain price updates prevents $APE price manipulation inside one block (flash loan attacks). Oracle failure would have a small direct effect on the protocol since a minority of $ApeUSD is collateralized, but such a black swan could irrevocably damage confidence in the peg.
Depeg Risk
$ApeUSD’s price history since inception is relatively stable. As alluded to earlier, since $ApeUSD is not collateralized, Ape Finance needs to maintain the balance between tokens inside the pool with its Stabilizer smart contracts. They simply deposit the unused borrowing power from the lending protocol via the stabilizer contract, which is based on two admin rebalance functions:
depositAndStake - when the price of $apeUSD > $1, they can take $ApeUSD from the lending protocol and add it to the pool
unstakeAndWithdraw - when the price of $apeUSD < $1, they can remove $ApeUSD from the pool and repay the debt position
The StabilizerV2 smart contract is adapted to the Convex boosting pool strategy.
(source: Etherscan StabilizerV2 - strategy)
The StabilizerV3 smart contract is optimized for yield strategies over 3 pools - apeUSDConvexStakingWrapperFrax, apeUSDFraxStaking, and apeUSDCurvePool. This enables farming triple rewards - CRV, CVX, and FXS.
(source: Etherscan StabilizerV3)
Essentially, the $ApeUSD stability is fully controlled by Ape Finance multi-sig. Currently, the protocol admin has control over almost all $ApeUSD supply (~99.8%). And with frequent rebalances of $ApeUSD from [ApeUSD/crvFRAX] metapool, the protocol is successfully keeping the peg and the balance with the counterpart assets.
Given that $ApeUSD is not really utilized in the open market, there is little risk of external factors impacting the pool balance. Since ApeFi also controls the utilization rate of $ApeUSD within the lending protocol, there is little danger of an unexpected supply increase. The image below displays the correlation of $ApeUSD and the corresponding counterpart assets crvFRAX within the Curve pool.
(Source: Dune)
Depeg risk is more likely to arise as a result of centralization in $ApeUSD's core functionality. Without active and responsible rebalancing executed by the protocol multisig, $ApeUSD would almost certainly depeg.
Collateral Risk
Although Ape Finance is largely a Compound fork, the lending protocol is designed to maximally reduce collateral risk. The protocol has only one collateral market ($APE) with the following settings:
Loan-to-Value: 60%
Liquidation Premium: 10%
Close Factor: 50%
Borrowing Interest Rate: variable but capped at 10%
Borrow fee: 0.50%
Borrow cap: 5,000,000 $ApeUSD
Oracle price feed: Chainlink with on-chain price updates
All these factors are set to a conservative default setting. In terms of risk parameters, ApeFi is relatively risk-averse.
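How the first three parameters interact for a single borrower, as an added example that is not Ape Finance's code. It assumes Compound-style mechanics (the 60% LTV acts as both the borrow limit and the liquidation threshold, ApeUSD is valued at $1, apeAPE redeems 1:1 for APE) and ignores interest and the borrow fee; the Position type and the sample position are constructed.

```python
# Added example (not Ape Finance code): Compound-style liquidation arithmetic
# with the market parameters listed in this report.
from dataclasses import dataclass

LTV = 0.60                  # "Loan-to-Value: 60%"
LIQUIDATION_PREMIUM = 0.10  # "Liquidation Premium: 10%"
CLOSE_FACTOR = 0.50         # "Close Factor: 50%"


@dataclass(frozen=True)
class Position:
    ape_collateral: float  # APE deposited by the borrower
    apeusd_debt: float     # ApeUSD owed (valued at $1 each, an assumption)


def liquidation_price(p: Position) -> float:
    """APE price below which the debt exceeds LTV * collateral value."""
    if p.ape_collateral <= 0:
        raise ValueError("position has no collateral")
    return p.apeusd_debt / (LTV * p.ape_collateral)


def shortfall(p: Position, ape_price: float) -> float:
    """USD amount by which the debt exceeds the borrow limit (0 if healthy)."""
    return max(0.0, p.apeusd_debt - LTV * p.ape_collateral * ape_price)


def liquidate(p: Position, ape_price: float):
    """One maximal liquidation call: returns (new_position, repaid, ape_seized)."""
    if ape_price <= 0:
        raise ValueError("price must be positive")
    if shortfall(p, ape_price) == 0.0:
        return p, 0.0, 0.0  # healthy positions cannot be liquidated
    repaid = CLOSE_FACTOR * p.apeusd_debt
    seized = repaid * (1.0 + LIQUIDATION_PREMIUM) / ape_price
    if seized > p.ape_collateral:
        # This model caps the seizure at the available collateral and
        # scales the repayment down to match.
        seized = p.ape_collateral
        repaid = seized * ape_price / (1.0 + LIQUIDATION_PREMIUM)
    new = Position(p.ape_collateral - seized, p.apeusd_debt - repaid)
    return new, repaid, seized


# Constructed sample: 1,000 APE deposited, 2,000 ApeUSD borrowed.
SAMPLE = Position(ape_collateral=1_000.0, apeusd_debt=2_000.0)

if __name__ == "__main__":
    print(f"liquidation price: ${liquidation_price(SAMPLE):.4f}")
    after, repaid, seized = liquidate(SAMPLE, ape_price=3.0)
    print(f"repaid {repaid:.2f} ApeUSD, seized {seized:.2f} APE")
    print(f"remaining: {after.ape_collateral:.2f} APE, {after.apeusd_debt:.2f} debt")
    print(f"shortfall after: {shortfall(after, 3.0):.2f}")
```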
ApeCoin ($APE) as the collateral asset has a large market cap ($1,058,753,958) and the token has high liquidity, but mostly on centralized exchanges (Binance, Coinbase, KuCoin, Kraken, and many others), while on decentralized exchanges most liquidity is on Uniswap V3.
(source: UniswapV3 Analytics)
However, as emphasized several times, most of the $ApeUSD in circulation is not backed by $APE. This always has to be kept in mind when interacting with the protocol.
Reflections
Ape.fi leaves the impression of a rather risky protocol that is still mostly under development. This comes from a few observations:
The project's documentation is clear and informative but isn’t very detailed. In general, their communication and promises are sometimes inconsistent with their execution. For instance: no $APEFI token distribution as promised, rather opaque funding, governance NFTs that are still not active, and a general lack of transparency regarding collateralization of $ApeUSD.
There seems to be no community or any attempts to build DAO-like structures. Ape.fi has no Discord (only a Telegram chat). There is no forum, no governance process, and the Snapshot page is only used to vote on ApeCoin DAO meta-governance decisions (with very little participation).
Influence over the protocol is limited to the initial group of developers. The team controls the multisig and has full control over the entire protocol.
The vast majority of $ApeUSD is minted via the stabilizer contract. However, in contrast to other protocols applying the AMO concept, the majority of the circulating stablecoins are created this way and thus have no $APE as backing. Plus there are no emergency or other stability mechanisms in place.
As of today, the protocol has not found a clear product-market fit. There’s little native TVL of $APE tokens. There is no use case for $ApeUSD outside the Curve factory pool. Most of the circulating stablecoins belong to the protocol and are used to farm CRV, CVX, and FXS. The protocol’s treasury is rewarded chiefly through their farming activities, but there is no community to profit from those rewards.
ApeFinance is a fork of forks that has not been audited and they only refer to a CREAM audit. The team stated that they are currently conducting an audit, although this has not been verified.
ApeFi Gauge Criteria
Is it possible for a single entity to rug its users?
Yes, Ape Finance could rug its users. ApeApe.sol and apeApeUSD.sol are both controlled by the admin multi-sig (2-out-of-4) with a 2-day timelock.
None of the team members are doxxed and out of four signers, only one can be “verified” as a real user (i.e. a community member with an ENS). The other signing EOAs are probably created only for signing purposes (based on EOA activity).
If the team vanishes, can the project continue?
Probably not, because Ape Finance’s multi-sig controls most of the protocol’s key mechanisms (e.g. unitroller markets, maintaining the peg with add/remove actions, $ApeUSD available for borrowing, lending parameters, etc.).
Do audits reveal any concerning signs?
No audit was performed on Ape Finance smart contracts directly, although contracts are forks of Compound, Cream, and Iron Bank.
Risk Team Recommendation
Given the reasonable possibility that a single anonymous actor has the power to rug [ApeUSD/FraxBP] pool LPs, we urge the Ape.fi team to reconfigure the protocol multisig. The unverified owners should be replaced by representatives from external, trusted stakeholders, such as team members from Convex, Curve, Frax, and/or the Crypto Risk team.
Barring a good faith effort, we believe $ApeUSD does not meet the criteria for a Curve gauge.
[Edit: 2/13/23] Since this report was published, user deposits in the lending platform have declined substantially, so that almost all outstanding $ApeUSD now comes from the AMO strategy. ApeFi has not found product-market fit, so a vote to kill gauge emissions is in progress. If the project continues and manages to generate growth in the absence of incentives, we are open to unkilling the gauge.