Asset Risk Assessment: DeFi Franc (DCHF)
A look into Moneta DAO and its Swiss franc stablecoin DCHF
This research was spearheaded by @paulapivat
Useful Links
Governance
TLDR
This report delves into the DeFi franc (DCHF) stablecoin (pegged to the Swiss franc), and its Moneta DAO governing body. Specifically, we analyze the risks that the DCHF-3CRV pool poses to LPs. Moneta DAO has proposed to add a gauge for this pool, and the governance proposal can be found here.
Custody risk: The AdminContract gives the owner privileges that could potentially impact user funds, primarily by adding collateral types and oracle price feeds. Although contracts are non-upgradeable, a 4-of-6 multi-sig owns all relevant contracts including AdminContract, DFrancParameters, and the DCHF token, leading to concerns about centralization. In response, the team has recently improved their multi-sig by adding a Curve team member and increasing the threshold from 3 to 4 signers.
Governance Risk: The team has recently launched the Moneta DAO. DCHF, while a fork of the governance-free Liquity Protocol, is itself governed by the Moneta DAO. Nevertheless, there is limited bottom-up community engagement, with the core team coordinating recent activities (i.e., formation of community grants committee), raising the question of how much decentralization is actually achieved.
MON Token distribution: There is a need for updated messaging and documentation as the team has conflicting statements about the role of MON token holders. There are also governance risks regarding the distribution of MON tokens. Although the distribution is public and transparent, there may be questions about allocation decisions made before the formation of the DAO.
Overall, Llama Risk believes the protocol risks are on par with other early-stage DeFi protocols. The Moneta team has made a good faith effort by improving security in the Owner multi-sig and moving toward decentralized governance. It's our opinion that the protocol meets the requirements to receive a Curve gauge.
DCHF - Introduction
History & Context
DeFi franc (DCHF) is an overcollateralized stablecoin pegged to the Swiss franc, created on September 25, 2022 by Moneta DAO Deployer. On January 25, 2023, a proposal to add the DCHF+3CRV pool to the Gauge Controller was made by Andrés Soltermann, founder of Grizzly.Fi and current DCHF core team member. Grizzly.Fi is a liquidity mining aggregator with a presence on Binance Smart Chain and on Ethereum.
DCHF initially launched with governance controlled solely by the Moneta team. The native MON token was used only for distributing protocol fees to stakers, and for a liquidity mining scheme. DCHF transitioned into a DAO governance model with the launch of Moneta DAO on February 5, 2023. MON token holders govern the DeFi franc protocol through a dual-governance structure and have proposed initiatives such as a liquidity strategy, expanded signers on the Moneta DAO multi-sig, and a community grants program.
A Curve DAO vote took place from March 20, 2023 to March 27, 2023 to add the DCHF gauge, but it did not pass quorum. The team has stated an intention to attempt another vote to add a gauge to the DCHF-3CRV pool, citing the transition to DAO governance and improved multi-sig parameters as reasonable steps taken to alleviate concerns of custody risk.
Comparison to Liquity
The DeFi franc (DCHF) protocol is a fork of Vesta Finance, which is itself a fork of Liquity. The foundation of the protocol family involves an over-collateralized, crypto-backed stablecoin, and a philosophical preference for decentralized collateral and governance minimization. The protocols have many common features, including stability pools that facilitate liquidations, universal redemption (anyone owning the protocol stablecoin can redeem for system collateral), and a recovery mode that programmatically protects against system insolvency in case the Total Collateral Ratio (TCR) falls below 150%.
While DCHF has the same basic peg mechanics as Liquity, there are some significant differences. For instance:
DCHF is pegged to the value of one Swiss franc (CHF) instead of one US Dollar.
DCHF allows two collateral tokens: ETH and wBTC, with the capability to add new collateral types, instead of just ETH.
DCHF is governed by the Moneta DAO through its native MON token, while Liquity is governance-free.
DCHF currently has system access control granted to a 4-of-6 multi-sig, while Liquity has no such access control.
Protocol Mechanics
When opening a position, users can lock ETH and/or wBTC into the protocol to borrow against, with a minimum collateral ratio of 110%, which creates a price floor and ceiling through arbitrage opportunities. DCHF can be redeemed for ETH or wBTC at face value (1 DCHF for 1 Swiss franc’s worth of ETH / wBTC) whether DCHF is below or above peg. The user can add collateral, repay debt, or close out the position at any time.
There are several parameters, adjustable through the dfrancParameters contract, that a user experiences upon opening a position. The DeFi franc (DCHF) protocol currently requires a minimum debt of 2,000 DCHF and will charge an algorithmically-determined borrowing fee between .5% and 5%. It also sends 200 DCHF to the GasPool contract as a "Liquidation Reserve". This reserve counts toward the overall debt and is used to pay liquidator gas fees in case the position becomes eligible for liquidation, but is otherwise refunded upon position close.
Dynamic baseRate
The protocol maintains its peg to the Swiss franc through redemption and borrow fees, and a stability pool. Borrow and redemption fees adjust algorithmically to regulate borrowing and redemption velocity, in what is calculated as the "baseRate". The baseRate increases when DCHF is redeemed, and decays over time according to a predefined DECAY_FACTOR
, with a lower and upper bound of 0.5% to 5%.
Higher redemption volumes imply DCHF is below peg. Therefore, borrow and redemption fees are increased to discourage borrowing and redemption of DCHF for ETH/wBTC. Both forces combine to push the peg towards 1 DCHF = 1 CHF.
The baseRate is calculated as follows (from the Liquity whitepaper):
Here’s an example where 1 DCHF is trading at 0.95 CHF (below peg). Assuming 1,000 DCHF supply and 1,500 ETH collateral at a 150% collateral ratio and a 1% baseRate:
A user borrowing 100 DCHF pays 1 CHF in borrow fees (1% of 100 DCHF)
50 people redeeming 10 DCHF each results in 50% of DCHF supply redeemed, causing baseRate to increase from 1% to 1.5%
Higher baseRate increases borrowing costs, limiting DCHF supply in the market, and is expected to push its value toward peg
Redemption fees, calculated as (baseRate + 0.5%) * ETH drawn, incentivize holding DCHF instead of redeeming, reducing excessive redemption
Increased demand for DCHF due to these mechanisms may increase its price towards the 1 CHF peg.
Stability Pool
The Stability Pool is crucial for maintaining protocol solvency. There is a unique pool for each collateral asset and each one accepts DCHF deposits. The DCHF supplies liquidity for liquidation events and allows depositors to profit from their contribution. When a debt position is liquidated, the remaining debt is burned from the Stability Pool while the collateral for the debt position is transferred to the pool. Depositors gain a proportionate share of liquidated collateral in exchange for a proportionate share of their DCHF deposits over time. This ensures a healthy collateral ratio is maintained to back the supply of DCHF.
Anyone can initiate a liquidation, and they will receive 200 DCHF as compensation for gas costs + .5% of the position collateral. Positions are liquidated below 110% collateral ratio (CR), and due to the 10% liquidation fee, Stability Providers typically will experience a net gain. It may be possible that Stability Pool depositors lose money, in cases where liquidation occurs below a 100% CR. Even in normal conditions, the pool provider may wish to actively reduce exposure to volatile collateral, if they believe prices will continue to decline.
Recovery Mode
When the Total Collateral Ratio (TCR) of the DeFi franc protocol falls below 150%, Recovery Mode is activated, allowing for the liquidation of all positions with a collateral ratio (CR) below 150%. There are also additional parameters on borrowing: borrowing can only occur if the position CR would be >150% and the borrow fee is set to 0%. This is intended to encourage borrowers to increase the TCR above 150% and for DCHF holders to replenish the Stability Pool. Details on the liquidation mechanics during Recovery Mode are available in the documentation.
The chart below shows the daily TCR from October 2022 to the present, indicating that the system has remained sufficiently collateralized since inception. As such, DCHF has never experienced Recovery Mode in production.
Governance
DeFi franc draws inspiration from Liquity, but sets itself apart by introducing DAO governance and having the ability to update the system with new features. Governable aspects of the system include:
Add new collateral types, including an associated Stability Pool and oracle
Adjust system parameters, including set oracle pricefeed, set minimum collateral ratio before triggering liquidation (101%-1000%), set critical collateral ratio before triggering Recovery Mode (101%-1000%), set min/max borrow fee (0%-10%), set Liquidation Reserve fee (1-200), set minimum borrow amount (0-10,000), and set min redemption fee (.1%-10%)
Introduce a whitelist for DCHF redemptions (note: this is separate from repaying debt, and governance cannot prevent depositors from withdrawing their collateral)
Upgrade to a new AdminContract, TroveManager, and BorrowingOperations contract
Handling of protocol fees between the CommunityIssuance and StabilityPool contracts
Emergency pause of MON staking deposits and pause of DCHF minting
While the protocol allows for adding additional collateral types, the core team currently has no immediate plans to add any. Based on informal discussion, the team believes a logical next collateral may involve staked ETH. In any case, Moneta DAO has discretion over supporting new collateral types for DCHF, and the 4-of-6 owner multi-sig has the power to enact it.
Moneta DAO
The most significant addresses for Moneta governance are the 4-of-6 Owner multi-sig and the 4-of-6 Treasury multi-sig. The Treasury and Owner addresses are composed of the same individuals.
The Moneta DAO has two governance bodies:
Token House is hosted by MON token holders who govern strategic decisions, including who should be in the Delegate House. It governs the allocation of treasury funds and protocol upgrades.
Delegate House is comprised of elected members who oversee day-to-day governance decisions.
To put it plainly, Moneta is structuring itself similar to many early-stage DeFi projects: tokenholders can signal a vote through Snapshot and a multi-sig of trusted individuals has the power to enact (or not) the wishes of tokenholders. The Moneta DAO has recently raised the multi-sig threshold from 3-of-5 to 4-of-6 to address concerns of potential collusion among multi-sig signers.
The six multi-sig signers are:
Andrés Soltermann (Moneta Co-Founder)
Christian Killer (Moneta Advisor)
Roman Fritschi (Moneta Co-Founder)
Nils (elnilz @ FiatDAO)
Hubert (StakeDAO)
Mimaklas (Curve)
Moneta DAO hosts community discussions on the Commonwealth forum where they made their inception announcement on February 26th, 2023. There are 55 members in the governance forum, with 138 voting members on Snapshot. To date, the DAO has held four governance votes, including a test vote, launching Moneta DAO, adopting a liquidity strategy, and expanding multisig signers. You can find additional governance details in this forum post and the Moneta Tokenomics page.
On April 7th, 2023, a proposal was made to create a Community Grants Committee with a 5-of-9 multi-sig. The Community Grants Committee consists of representatives from Moneta DAO and the team, including Dr. LM, Andrea, Markus, Nilic, Daniel, ViTo, Tom, Leon, and Andrés. The Moneta DAO Token House (MON token holders) reserves the right to dissolve the Community Grants Committee, to which it has granted the Treasury Multi-sig full allowance over its MON treasury.
MON Governance Token
The MON token, issued by Moneta DAO, is intended to govern the DCHF protocol and is described as a revenue-sharing token that can only be obtained by staking DCHF in one of the stability pools, or by supplying liquidity to the Curve pool. Users can stake their MON to earn a proportionate share of borrowing and redemption fees in DCHF, ETH, and wBTC.
There are inconsistencies between the Moneta DAO documentation and governance forum announcements regarding the governance role of MON token holders. On one hand, the documentation states: “staked MON tokens are not used for governance as there is no DeFi franc governance”, but the announcement post for launching Moneta DAO suggests MON token holders and stakers “govern over strategic DAO decisions” including allocation of DAO treasury funds, critical risk parameters, and protocol upgrades. This discrepancy is likely due to the recent introduction of the DAO (March 2023) and the docs should be updated for clarity.
According to the Moneta DAO Tokenomics page, MON was launched with a max supply of 100m tokens that have been allocated toward four main purposes:
72.5% - Treasury reserve for future distribution (decided by the DAO)
15% - Airdrop to tokenholders of Grizzly (GHNY), Liquity (LQTY), and token lockers in the Grizzly Freezer
10% - Team and advisors
2.5% - Liquidity bootstrapping (Supply liquidity and incentives to a MON/ETH pool)
The Protocol Owner multi-sig was initially seeded with 100,000,000 tokens on September 23, 2022. The docs list the contracts used in the initial distribution, but many have been deprecated with the Moneta DAO launch. Moneta documentation should be updated to reflect new decisions around treasury management and allocation. The following chart shows funds that have been returned to the owner multi-sig since the original distribution.
We have additionally built a Moneta Dune dashboard that shows onchain transactions to and from the Protocol Owner multi-sig; see "MON Received and In Circulation".
The following chart shows the actual distribution of MON as of April 17, 2023. The majority of funds have been transferred to a new Treasury multi-sig and to a Grizzly.Fi multi-sig. The latter had provided Moneta DAO with $1m of seed funding denominated in USDC, CRV, and LIT. The owner multi-sig continues to be a regular funding source for Curve gauge rewards, Stability Pool incentives (CommunityIssuance), and airdrop claims.
Contract addresses:
Uniswap MON pool (tx) - MON/WETH UniV3 pool
UniV3 rewards vest - Rewards for MON/WETH pool LPs
Team vest - Original team allocation
lockedMON - Vest for new team member @elnilz
Treasury multi-sig - Treasury created with the formation of Moneta DAO
Grizzly.Fi multi-sig - Seed fund raise of $1m at the formation of Moneta DAO
Moneta DAO: Deployer - Giveaway campaign hosted by Moneta team
Curve Gauge Rewards - DCHF pool rewards, distributed weekly
CommunityIssuance - Stability Pool incentives, distributed monthly
MON airdrop - GHNY, LQTY, and Grizzly Freezer airdrop. Claims are through the airdrop contract and distribute funds from the owner multi-sig
The Treasury multi-sig currently holds around 50% of all tokens. Of the circulating supply, the majority is in the MONStaking contract (17m) and the Uniswap pool (3m). Since all allocations were made before the DAO was formed and without community input, there may be questions regarding the airdrops. The Grizzly.Fi community received the most tokens (11.17m), and it is worth noting that members of the core team are also co-founders of Grizzly.Fi. This overlap may be a cause for concern, as the majority of MON circulating supply is from airdrops and the team's overall MON allocation is obscured by this airdrop strategy.
Market and Utility
Over 90% of circulating DCHF is held in the WBTC/ETH Stability Pools and the Curve DCHF/3CRV pool. The UniV3 DCHF/USDC pool also ranks among the top addresses, although only making up ~2% of the supply. The top addresses as of April 2023 are as follows:
Currently, the DCHF token is traded on two major DEXes including Uniswap and Curve, and does not appear to be traded on any CEXes. The vast majority of liquidity resides in the Curve pool.
Curve has historically led in DEX volume, although Uniswap has gained ground in recent months. These two charts show daily sell and buy volume, respectively:
TVL and outstanding DCHF declined after the initial release in September of 2022 and adoption appears to be relatively flat since November 2022.
DCHF has traded above its CHF peg for most of its history and currently has a substantial premium of ~1.04:1. This is not entirely surprising, as there are no readily accessible CHF tokens to arb against, and the Liquity mechanics allow for a fairly wide deviation above the peg. Due to the 110% MCR, an upward depeg >1.1 would create an instant arb opportunity for a user to borrow the max amount and sell for a profit. Liquity describes this as the price ceiling. Historically, LUSD has also traded above peg because of its conservative collateral choice (even when trading above peg, arbs may choose not to step in) and the system's accommodative soft peg range. An upward depeg is less worrisome for users but may raise questions about a stablecoin's utility.
Risk Vectors
Smart Contract Risk
DCHF is a fork of Vesta Finance, which itself is a fork of the Liquity decentralized stablecoin protocol. Although Liquity is a well-audited protocol, engineers from Vesta have cautioned against forking these projects due to messy and unoptimized code that may not be up-to-date with new features. Despite this warning, DCHF remains a fork of Vesta with no apparent effort to keep up with changes in the original code base, possibly due to their use of non-upgradeable contracts.
Audits
DeFi franc Version 1.0 has undergone two audits from CertiK and General IT. The latter is an audit by a foreign company. An in-browser translation was required to decipher the contents of the audit. Two critical issues were found including:
Possible re-entrancy attacks: This vulnerability was found for the StabilityPool and ETHTransferScript contracts. The auditors advised the use of “ReentrancyGuard” library and the team appears to have fixed the issue with a commit to a private repository (source).
Wrong ether value: This vulnerability is featured in the PriceFeed and PriceFeedV2 contracts and involves the conversion of “int256” to “uint256”, which could lead to an arithmetic overflow. The team has taken the issue into account, but it is unclear if this issue has been fully addressed (source).
There were four medium issues identified including:
Violation of the ERC-20 standard: This issue has been fixed.
Lack of gas to complete all loop iterations (DoS): This issue has been taken into account.
It is possible to block tokens on the balance of the contract: This issue has been taken into account.
Wrong token price: This issue has been taken into account.
The CertiK audit has reported 0 unresolved and 0 critical issues from this project. Here’s a sample of major/medium issues that may be related to additional risk vectors outside of smart contracts:
GLOBAL-01 | Centralization Related Risk: In the AdminContract, the _owner
role has extensive authority over several functions that could affect borrow/redemption fees, addition or removal of collateral assets from Stability Pool, transferring funds out of Stability Pool, changing vesting periods or, worse yet, changing the AdminContract itself including, among others:
* setAddresses
* addNewCollateral
* emergencyStopMinting
* setDfrancParameters
* setCollateralParameters
* setPriceFeed
* setAdminContract
* removeFundFromStabilityPool
* transferFundToAnotherStabilityPool
* setAdminContract
* changeTreasuryAddress
* setRedemptionWhitelistStatus
* addUserToWhitelistRedemption
* removeUserFromWhitelistRedemption
Moreover, the AdminContract has the power to upgrade several contracts without community consensus including SortedTroves, StabiltiyPool, StabiltiyPoolManager, and TroveManager, among others. This opens the door for an attacker to change the contract implementation and drain tokens.
MOT-01 | Initial Token Distribution (mitigated): Another major issue within the centralization/privilege risk category involves how MON tokens were sent to a _treasurySig
address when deploying the contract. This implies that MON tokens can be distributed without community consensus. To mitigate this risk, the team has documented their tokenomics and how MON tokens are distributed.
GLOBAL-02 | Lack of Storage Gap (resolved): Several contracts were upgradable including AdminContract
, StabilityPoolManager
, TroveManager
etc. This means there needs to be a storage gap to allow the addition of new state without compromising existing deployments. In response, the Certik report indicates the team has modified the design and opted for non-upgradeable contracts. While non-upgradeable contracts prevent future changes that could compromise the protocol, there are still options for the system to make updates. The Protocol Owner multisig could still addNewCollateral through the AdminContract) or they could make updates to parameters through the DFrancParameters contract.
DPK-01 | Lack of Input Validation (partially resolved): A minor contract risk exists in the dfrancParameters
contract setMCR() and setCCR() functions that can potentially be set such that a user's MCR is greater than the CCR, which would essentially prevent recovery mode from activating (source). This has not been changed in the deployed code.
Audit Recommendations
The team followed Certik's recommendations by assigning privileged roles to multi-sig wallets and transitioning to a DAO governance/voting module. The Treasury multi-sig and Protocol owner multi-sig (which controls the AdminContract) addresses can be found here and here, respectively.
Certik also advised implementing a timelock contract with a 48-hour latency for privileged operations. The team has considered this but opted not to give ownership to a time-lock contract at this time to remain agile. A permanent solution could be to renounce ownership or remove the owner role's ability to affect collateral assets from the stability pool, transfer funds, change vesting periods, or alter the AdminContract. This would put DCHF's trust assumptions in line with Liquity, but would sacrifice flexibility, as new collateral types and oracles could no longer be altered.
Another solution could be to introduce fully on-chain governance controlled by a DAO of tokenholders. The transition to a DAO is still in its early stages with limited community activity outside of the team. Questions could be raised about the fairness of the MON token distribution, given the overlap between core Treasury multi-sig signers and Grizzly.Fi airdrop recipients. The team has set up a multi-sig proxy address and transferred ownership of the AdminContract to this address, providing transparency to users about the token distribution (proof of transfer). This provides a reference to help users check whether MON tokens have been distributed as advertised.
Centralization & Custody Risk
The 4-of-6 multi-sig ownership of the AdminContract (as well as ownership of all relevant system contracts) grants it extensive authority over critical protocol functions, raising custody risk concerns. The team has opted for non-upgradeable contracts, which means the Owner multi-sig must add new collateral through the AdminContract or update existing collateral parameters through the DFrancParameters contract. This multi-sig has the power to:
Add new collateral types, including an associated Stability Pool and oracle
Adjust system parameters, including set oracle pricefeed, set minimum collateral ratio before triggering liquidation (101%-1000%), set critical collateral ratio before triggering Recovery Mode (101%-1000%), set min/max borrow fee (0%-10%), set Liquidation Reserve fee (1-200), set minimum borrow amount (0-10,000), and set min redemption fee (.1%-10%)
Introduce a whitelist for DCHF redemptions (note: this is separate from repaying debt, and governance cannot prevent depositors from withdrawing their collateral)
Upgrade to a new AdminContract, TroveManager, and BorrowingOperations contract
Handling of protocol fees between the CommunityIssuance and StabilityPool contracts
Emergency pause of MON staking deposits and pause of DCHF minting
Although centralization risks found in the audit have been mitigated to an extent, extensive privileges remain available to the core team to exercise.
The team has expanded the multi-sig threshold from 3-of-6 to 4-of-6 and added a Curve team member (Mimaklas). They have additionally transitioned to a DAO, which is still in its early stage of development. It remains to be seen how well Moneta can garner community involvement in decision-making and onchain governance. At this time, the core team is necessary for the DAO to operate effectively.
The recommended next step to reduce custody risk is to pass ownership to a timelock contract for all functions that are not time-sensitive. The multi-sig without timelock should ideally be reserved for emergency actions (pause MONStaking/pause DCHF minting). The long-term goal should be to transition either to fully onchain governance or to opt for governance minimization by renouncing ownership of the relevant contracts.
A list of access controls for the system contracts has been compiled on this Google Sheet.
Governance Risk
Here’s an overview of major MON token holders:
Grizzly.Fi incubated both the DeFi franc and Moneta DAO. The team and advisors have been allocated 10% of tokens (10m MON), and Grizzly.Fi was allocated a treasury seed of 1M USD worth of assets (9,174,312 MON) (source).
There are two entities within Moneta DAO governance: Token House and Delegate House. As discussed above Moneta DAO token holders will have a say over strategic protocol decisions including the allocation of DAO treasury funds, critical risk parameters, and protocol upgrades. However, in the early stage of development, there continues to be an absence of a clear process for prominent community members to serve as delegates and permissioned roles within the DAO.
Additionally, the distribution of MON tokens was made before the formation of the DAO, without community input. Given that there is no clear process for delegation, we can assume that the current multi-sig signers of the Treasury and Protocol Owner proxy are the de facto delegates. While delegates execute the wishes of tokenholders, this relationship is non-binding and trust-based.
While the token holders will have a say in strategic protocol decisions, the extent of governance remains uncertain. Clear communication of a governance process and plans for delegation will be helpful.
Oracle Risk
DCHF uses Chainlink for its price feeds. Chainlink is a well-regarded oracle provider, although DCHF does not have a fallback oracle. The fetchPrice function involves a sanity check that allows a maximum deviation of 50% between updates, otherwise, it will accept the last good price. As a result of oracle failure, CHF may become inaccurately priced. It could lead to negative effects on liquidations and the redemption mechanism, ultimately resulting in potential loss of funds (source).
Liquity, by comparison, uses Chainlink as a primary oracle and Tellor as a backup. It will algorithmically reject the primary oracle if it fails to update or produces a value outside of the specified guardrail. The strategy was designed to ensure the price feed can autonomously react to black swan events without requiring manual intervention. The DCHF strategy, on the other hand, may require more active monitoring and manual updates in case of oracle failure.
Depeg Risk
The DeFi franc protocol currently has 6,694,401 DCHF tokens minted, valued at $1.15, totaling approximately $7.6m, and holds collateral worth around $17m (ETH and wBTC combined). Redemptions are supported by sufficient collateral.
To control the supply of DCHF, the protocol utilizes borrow and redemption fees. A 110% collateral ratio provides a price floor and ceiling, and arbitrageurs are incentivized to maintain price stability. The protocol does not rely on an external AMM for supply expansion or contraction, and burning/withdrawal amounts are executed through onchain peg mechanisms.
As a fork of Liquity- a resilient and battle-tested stablecoin, the risk of insolvency is currently low. Liquity does, however, have a history of prolonged depeg >$1. By maximizing decentralization, it sacrifices scalability and tends to have a substantially variant soft peg compared to centralized stablecoins.
The collateral selection (ETH/WBTC) Moneta has opted for is likewise reasonably conservative. It is our opinion that the greatest risk of future depeg is the possibility of governance mismanagement. Suppose low-quality collateral types are ever added to the protocol (e.g. the protocol's native governance token MON, or complex derivative assets). This may increase the chance of failure or manipulation of the underlying collateral, causing system insolvency, and therefore a depeg.
Users (borrowers) should keep in mind external factors, such as currency exchange rate risk in TradFi markets. Considering that CHF loses value against USD, there is a lag between DeFi reflecting this price change. In a scenario where DCHF depegs vs CHF, the assumptions of a repeg are undermined by borrowers having an opportunity to pay back their loans for a cheaper rate, given that borrowers swapped to USD after borrowing. In the other scenario where DCHF depegs above 1 CHF (but under <1.10 CHF), it looks different. Since in that case there is no way to directly arbitrage DCHF and CHF to balance the peg, the only dynamic that could lead to DCHF repegging back to 1 is demand for supplying DCHF to DeFi.
LlamaRisk Gauge Criteria
Centralization Factors
1. Is it possible for a single entity to rug its users?
The risk of a single entity rug-pulling users has been reduced by transferring ownership privileges to a multi-sig, which currently has a 4-of-6 signer setup and includes a member from the Curve team. It is still possible for this multi-sig to take action that can impact user funds.
2. If the team vanishes, can the project continue?
The protocol can continue operating normally in the absence of the team, but there would be no way to update the system or respond to an emergency. Although the DAO has been recently launched, there is still no direct way for tokenholders to directly assert control over the protocol.
Economic Factors
1. Does the project's viability depend on additional incentives?
The protocol depends on its own incentives to drive liquidity to its Stability Pools and DEXs like Curve. It does not depend on additional incentives except as a bootstrapping tool.
2. If demand falls to 0 tomorrow, can all users be made whole?
Yes, there’s roughly $17m in ETH and wBTC collateral supporting $7.6m in DCHF value. Users can redeem their deposits tomorrow.
Security Factors
1. Do audits reveal any concerning signs?
The audits did not identify any critical issues but flagged a few major concerns that have been partially or fully addressed. The primary concern was the overreaching powers of the AdminContract, which has been transferred to multi-sig signers. Although the DCHF protocol uses non-upgradeable contracts, it does have a path to update the system through the AdminContract) or make parameter updates through the DFrancParameters contract.
Risk Team Recommendation
We have three recommendations that would be beneficial to the DCHF ecosystem and community:
Update documentation to be explicit about MON token holders’ strategic role in governing DCHF protocol
Be explicit about allowance/powers the Treasury / Protocol multi-sig continues to have through all relevant system contracts, and provide a clear roadmap toward decentralization.
Create a policy for acceptable forms of collateral and process for adding collateral types that Moneta DAO is willing to stand by.
Overall, we see the challenges Moneta DAO faces to decentralize as typical for a DeFi protocol in its early stage of deployment. While there certainly exist risks and uncertainties, we see there has been a good-faith effort by their team to reasonably alleviate concerns. Our hope is that they continue to exercise good judgment by remaining conservative when adding any new collateral types. We support the team's proposal to add a Curve gauge for the DCHF/3CRV pool.
Awesome analysis!