Asset Risk Assessment: Ethena USDe
Examining the risks posed by the fastest-growing stablecoin and its basis trade yield strategy
Useful Links
Protocol Website: ethena.fi
Docs: ethena-labs.gitbook.io
Github: github.com/ethena-labs
Governance: Forum | ENA token | Multi-sigs: dev (4/8) | hot swap (4/8) | payout fund (4/8) | treasury (5/9) | trading operations (4/8) | reserve fund (4/8)
Market Data: Official dashboard, IntoTheBlock dashboard
Summary
Ethena's USDe, a synthetic dollar backed by delta-neutral positions on perpetual futures exchanges, was launched in February 2024 and reached over $2 billion in total value locked (TVL) less than 100 days later. This rapid expansion has made it the fastest-growing stablecoin in existence. However, this rapid growth also raises concerns about potential risks to USDe/sUSDe holders, liquidity providers, and other assets using it as collateral. This report identifies several key risk factors, including:
Centralized components and failure points: Reliance on centralized components, e.g., centralized exchanges, for critical operations introduces additional failure points that are not readily auditable via smart contracts.
Concentration of collateral and effectiveness of delta-neutral hedging strategies: High collateral concentration raises concerns about the market depth and liquidity during volatile periods, potentially compromising delta-neutral hedging strategies, especially during market stress.
Leverage and liquidity concerns: Perpetual futures used in Ethena's delta-neutral strategy are inherently leveraged. Reduced liquidity on centralized exchanges during market downturns could be problematic for Ethena when rebalancing positions. The ratio of secondary market liquidity to total USDe supply is also a concern.
Insurance fund adequacy: The insurance fund appears insufficient, given Ethena's scale of operations and potential risks. With significant portions allocated to USDe/USDT liquidity provision on Uniswap V3 and deposits in sDAI, a yield-generating vault involving USDe, circular ties could compromise the fund's value in a de-peg scenario. The fund's true value may be lower than reported due to partial backing by endogenous collateral.
Governance structure, token distribution, and limited public information: The proposed governance functionalities are yet to be activated, with no active forum discussions or the ability for ENA holders to weigh in on protocol decisions. Furthermore, more detailed public information about Ethena's operational procedures and mechanisms for interfacing with centralized exchanges and managing governance is needed to ensure transparency, making it easier for users to assess the platform's robustness and potential vulnerabilities.
Legal and regulatory compliance: Impending regulations like MiCAR in the E.U. could pose significant operational hurdles.
This report assesses the risks and benefits of USDe's integration into DeFi platforms like Curve. Ethena's governance, risk management, transparency, and smart contract security are crucial in evaluating USDe's suitability as a reliable stablecoin and collateral asset.
As the DeFi ecosystem becomes increasingly interconnected, the actions and performance of individual protocols can have far-reaching effects on other platforms. This report aims to provide valuable insights for the Curve community and other DeFi stakeholders, enabling informed decision-making and risk assessment regarding USDe and its role in the ecosystem.
Ethena USDe - Background
The Ethena protocol is centered around USDe, a synthetic dollar. USDe is collateralized by on-chain assets and backed by arbitrage on perpetual futures markets. It relies on capturing funding rate payments through a delta-neutral strategy. Delta-neutral positions are established by taking opposing long spot and short perpetual futures positions on various centralized exchanges, hence pegging the "stablecoin" to the dollar.
Ethena's business model thus relies on the expectation that speculators are often willing to pay a premium (the funding rate) to take leveraged long positions on an asset via perpetual futures contracts. Ethena capitalizes on this by taking the opposing trade, shorting these perpetual contracts while holding an equivalent amount of the underlying asset, creating a delta-neutral position not exposed to the asset's price movements. The key revenue stream for Ethena comes from the funding rate payments it receives from the short perpetual positions, which are intended to grow the collateral base over time. For users to receive this yield, they must stake USDe to receive sUSDe tokens, which are subject to a cooldown period when unstaking.
The USDe stablecoin was launched on the public mainnet in February 2024. Since its launch, USDe has experienced rapid growth, becoming one of the fastest-growing USD stablecoin assets. Most notably, it reached a total value locked (TVL) of $2 billion in under 100 days.
Minting, Redeeming, and Yield generation
Only whitelisted addresses, i.e., those that satisfy KYC/AML checks, can mint and redeem USDe through Ethena's U.I. or API. The minting process is as follows:
Select a backing asset (e.g., stETH, ETH, USDT, BTC) and specify the amount for minting.
Agree to the amount of USDe to receive and sign an EIP712 transaction with their wallet.
Upon successful transaction confirmation, the backing asset is atomically swapped for the agreed amount of USDe.
The collateral is pledged to exchanges via custodians and used to establish the delta-neutral futures positions. When users mint or redeem USDe, Ethena adjusts the size of the delta-neutral position accordingly. It is important to note that holding USDe alone does not generate any yield for the holder.
USDe is also available on the secondary market, where transfers are permissionless. Non-allowlisted users can obtain USDe by exchanging stablecoins through external liquidity pools accessible via Ethena's U.I.:
Select a stablecoin asset to exchange for USDe.
The transaction is routed using MEV protection through CowSwap to various on-chain liquidity pools in exchange for USDe.
This process removes the complexity for non-allowlisted users, allowing them to use stablecoins as an input asset. The resulting imbalances in the on-chain AMM pools create opportunities for market makers to proceed with the minting workflow outlined above.
To earn yield, users must stake their USDe to receive sUSDe tokens. sUSDe represents staked USDe and conforms to the ERC-4626 tokenized vault standard. The exchange rate between USDe and sUSDe is determined by the total amount of USDe held by the vault divided by the number of outstanding sUSDe shares. This exchange rate increases over time as the vault accrues yield. Each week, typically on Thursday, rewards from the prior week are distributed by minting the corresponding amount of USDe and sending them to the sUSDe contract. These newly minted tokens are then streamed to the vault over the next 7 days via the transferInRewards
function, which is called at an interval of 8 hours. This gradual distribution mechanism helps to ensure a steady and predictable flow of rewards to sUSDe holders and prevents unwanted arbitrage.
Unstaking sUSDe involves a cooldown period, which helps to ensure the system's stability by preventing sudden mass withdrawals. Due to its revenue-generating potential, sUSDe often trades at a premium to USDe on the secondary market. This premium reflects the market's valuation of the expected yield earned by holding sUSDe compared to the base USDe stablecoin.
Stability mechanisms
The USDe stablecoin aims to maintain a soft peg to the U.S. dollar through two primary stability mechanisms:
Adjustments to Ethena's delta-neutral position in response to supply and demand:
The core mechanism involves creating delta-neutral positions by offsetting long spot and short perpetual futures on various centralized exchanges, using assets such as ETH, USDT, BTC, and liquid staking derivative tokens as collateral. This "basis trading" method exploits the difference between an asset's spot and futures prices. The protocol takes a long position in the spot market by holding the collateral assets and a short position in the futures market by selling perpetual futures contracts, aiming to maintain a delta-neutral position where the value of the long and short positions offset each other, effectively hedging against price fluctuations.Arbitrage between the USDe mint/redeem price and secondary market prices:
Whitelisted users can mint new USDe by depositing collateral assets into the Ethena Protocol. At the same time, the protocol determines the mint price based on factors like the collateral ratio and the current value of the collateral assets. If the market price of USDe is higher than the mint price, arbitrageurs are incentivized to deposit collateral and mint new USDe, increasing the supply until the market price converges with the mint price. Conversely, if the market price of USDe falls below the protocol's redeem price, arbitrageurs can profit by buying USDe on the secondary market at a discount and redeeming it with the protocol for the full redeem price, reducing the circulating supply and driving the market price back up towards the peg.
Governance asset
The ENA token is intended as Ethena's governance token, allowing holders to vote on protocol parameters such as accepted collateral types, collateral ratios, fees, and system settings. However, the proposed governance functionalities still need to be operational. There is no snapshot voting, and the governance forum is inactive as of the time of writing, with only a welcome post and no other discussions or activity.
Sats Campaign
Ethena's Season 2 campaign, named "Sats", commemorates onboarding BTC as a backing asset. It is projected to run for another five months, until September 2, 2024, or when the USDe supply reaches $5bn, whichever occurs first.
The Sats campaign rewards early adopters with boosted Sats points for existing positions. Several new strategic awards have been introduced to further incentivize participation:
Locked ENA tokens will accrue the highest daily sats earnings;
Users maintaining at least 50% of their total holdings in ENA, relative to their USDe balance, will receive a 50% boost;
Depositing and borrowing on Morpho or Gearbox, depending on the collateral (USDe/sUSDe), can amplify sats earnings by 5 to 20 times;
Deployment of Pendle pools to more cost-effective networks (Mantle, Arbitrum, and Zircuit) enhances accessibility, with Mantle additionally offering depositors exposure to EigenLayer points revenue streams;
Liquidity provision on Curve yields at 30x sats;
Layer2 activities such as deposits on Swell or LPing on Merchant Moe pay off between 15x and 30x sats;
Web3 wallets of platforms integrated with Ethena (i.e., Binance, Bybit, OKX, Bitget) secure an additional 20% sats boost for users.
Until there is official confirmation, the second airdrop remains speculative. However, Ethena's communications are crafted to suggest that the current sats rewards might be pointers to another round of token distribution. No terms and conditions for the sats campaign are currently available. Users should consider multiple factors when participating in points-based or similarly branded reward initiatives. Our LRT Points legal checklist may help them understand the legal nuances well.
Market
While Ethena uses several centralized exchanges in its operations, including Binance, Bybit, and OKX, the liquidity for USDe and sUSDe mainly resides in the EthenaMinting
contract and different secondary market venues, primarily Curve and Uniswap V3.
USDe is integrated into various Curve pools, enabling users to trade USDe against other stablecoins and earn yields by providing liquidity. The most significant USDe pools by total value locked (TVL) as of May 14th, 2024, are:
FRAXUSDe: $52M TVL
sDAIsUSDe: $37M TVL
USDeUSDC: $33M TVL
USDeDAI: $31M TVL
USDecrvUSD: $18M TVL
GHOUSDe: $10M TVL
mkUSDUSDe: $3M TVL
Integrations with USDe
The following examples of DeFi integrations with USDe are notable but only partial. This report focuses on the most significant integrations, but USDe may have additional integrations with other DeFi platforms and protocols not discussed in detail.
Curve Lending
Curve, the primary venue for secondary market liquidity for USDe, recently passed a proposal to create a LlamaLend market for Ethena sUSDe with a custom price oracle and new gauge. Due to the absence of a direct sUSDe/crvUSD pool on Curve, the custom Oracle solution combines price feeds from three existing pools: sUSDe/sDAI, sDAI/FRAX, and FRAX/crvUSD. This enables the determination of the sUSDe/crvUSD price for the lending market, allowing users to borrow crvUSD using sUSDe as collateral.
The custom oracle combines price data from three Curve pools:
sUSDe/sDAI
sDAI/FRAX
FRAX/crvUSD
Furthermore, the custom oracle is designed to handle redemption rates, which are present in some of the pools. Donation attacks can potentially manipulate redemption rates, where an attacker artificially inflates the redemption rate by donating assets to the pool. To mitigate this risk, the oracle incorporates limits on the rate at which the redemption rate can change, providing additional protection against such attacks:
Bybit Centralized Exchange
On May 7, 2024, Ethena Labs announced in a blog post that Bybit crypto exchange has integrated Ethena's synthetic dollar USDe for use as collateral in trading activities. The integration includes:
USDe as Collateral for Perpetual Futures: As of the announcement date, users can now use USDe as collateral to trade perpetual futures on Bybit, potentially earning yield on their USD-pegged collateral.
BTC and ETH - USDe Spot Pairs: Bybit has introduced spot trading pairs for BTC/USDe and ETH/USDe.
USDe on Bybit's "Earn" Platform: USDe will be available on Bybit's "Earn" platform, allowing users to capture a USD-denominated yield.
In addition to the potential yield from Bybit, USDe held on the platform will receive 20x sats (Satoshis) per USDe. This will allow users to take positions on crypto assets via perpetual futures while receiving yield from the exchange and sats rewards.
Maker's DAI Exposure to USDe/sUSDe
Maker has approved a strategy to gain exposure to Ethena's hedged perpetual yield through the "DIRECT-SPARK-MORPHO-DAI" loan facility. By minting DAI to a Spark DAI MetaMorpho vault, Maker supports the supply of DAI to multiple markets that can be borrowed against USDe/sUSDe collateral.
This decision from Maker has sparked discussions within the DeFi community about potential risks and implications for Maker and the broader DeFi ecosystem. The facility's high demand prompted a proposed increase in the Spark DAI vault's DAI debt ceiling from 100 million to 600 million, with a maximum of 1 billion DAI. This rapid growth in Maker's exposure to USDe/sUSDe presents potential benefits in terms of increased fees and profits while also increasing risks associated with the stability of these collateral assets.
The integration aligns with Maker's 'Endgame' plan, which includes launching new tokens and sub-DAOs. The yield opportunities allow Maker to build cash buffers for the sub-DAOs and provide liquidity for the new tokens. At the time of writing, less than 10% of DAI's collateral comprises exposure to Ethena through Morpho isolated markets.
To assess the potential impact on DAI if Maker incurs losses on USDe lending, it is essential to monitor LTV parameters, liquidation thresholds and bonuses, uncollateralized DAI minting, and supply caps for USDe collateral vaults. Comparing USDe and sUSDe liquidity to the values of their respective collateral assets in Curve pools can help assess the potential for USDe looping. Utilizing IntoTheBlock's dashboard to monitor other relevant liquidity metrics is also advised.
Risk Vectors
This section will cover the counterparty, oracle, economic, collateral, regulatory, and smart contract risks associated with the Ethena Protocol.
Counterparty Risk
Ethena trades across multiple cryptocurrency exchanges, which requires rotating positions between these platforms to realize profits and losses and manage liquidation risk. Ethena employs a globally distributed team available 24/7 to handle manual interventions when necessary. The team includes professionals with experience from firms such as Wintermute, Flow Traders, Genesis Trading, DRW, and Tower Research, who are knowledgeable in system maintenance and understand the risk management systems of various exchanges. A recent job opening for a head of risk/senior risk manager suggests that Ethena is looking to expand its risk management team with additional experienced professionals.
a) Liquidation Risk - Ethena claims to mitigate this risk through these measures:
Systematic Collateral Management: Ethena manages collateral by allocating additional reserves to improve its hedging trades' margin positions, protecting against sudden market movements.
Dynamic Collateral Cycling: Ethena can temporarily shift collateral between exchanges to bolster positions most susceptible to market volatility, ensuring a more resilient trading strategy.
Insurance Fund Utilization: Ethena maintains access to a dedicated insurance fund, which can be deployed to fortify hedging positions on trading platforms, providing an additional layer of security against unexpected market downturns.
b) Funding Risk arises from the potential for persistent negative funding rates, where Ethena might profit from positive funding but could incur losses during negative phases.
To safeguard the protocol against such scenarios, Ethena utilizes its reserve (insurance) fund. This fund is strategically deployed to cover situations where the combined yield from LST assets (e.g., stETH) and the funding rates for short perpetual positions turn negative, thereby temporarily protecting the underlying value of USDe.
The strategy for mitigating funding risk is underpinned by several factors: historically positive funding rates for ETH over the past three years, the additional safety margin derived from yields on LST collateral, and the mean-reverting nature of funding rates—a phenomenon consistently observed over extended periods.
c) Off-Exchange Settlement Risk is rooted in:
Accessibility and availability: Ethena's trading operations rely on depositing, withdrawing, and delegating assets to and from exchanges. Any interruption or degradation in these capabilities could disrupt trading workflows and affect the availability of the USDe mint/redeem functionality and
Performance of operational duties: In the scenario of an exchange failure, the protocol's ability to recover any profits or losses at risk hinges on the cooperation and lawful conduct of its off-exchange settlement providers. These providers are essential for the practical transfer of assets.
Ethena engages multiple off-exchange settlement providers for the same exchanges to protect the protocol against potential failures of any single counterparty. Off-exchange settlement providers enable Ethena to offer efficient on-demand minting and redeeming of USDe workflows efficiently.
The recently launched risk dashboard by IntoTheBlock is a helpful resource for risk monitoring and measurement.
Governance Structure
As of the time of writing, Ethena still needs to finalize its governance model, and the specifics of the governance structure need to be sufficiently detailed in the available documentation. Ethena's governance token has no defined utility within the platform's ecosystem.
To engage its user base, Ethena has implemented an incentive program through which ENA tokens are airdropped. Specifically, 750 million ENA tokens are allocated for distribution among holders of Ethena shards in the first season of the loyalty campaign. Ethena shards represent a user's pro-rata share of the total USDe supply and are used to track and reward user participation in the ecosystem. As of April 2, 2024, users can claim their tokens, with the distribution window remaining open for 30 days. A mandatory vesting period is also in place for the 2,000 largest wallet holders during the airdrop. Ethena also plans to offer a subsequent opportunity for token claims later in 2024, though details regarding this second airdrop have yet to be disclosed.
With a total supply of 15 billion and an initial circulating supply of 1.425 billion, ENA is projected to play a crucial role in the protocol's governance. ENA token holders are expected to be granted voting rights on various governance proposals affecting Ethena's operations, including the general risk management frameworks, the composition of USDe backing, exposures to exchanges and custodians, integrations with DEXs and blockchain networks, the sizing and composition of the Reserve Fund, as well as the distribution strategy between sUSDe and the Reserve Fund.
There is no concrete evidence or documentation to confirm the formation of DAO by ENA holders. However, the token launch announcement refers to a "DAO-controlled multisig" that will be controlling ENA allocations for ecosystem development.
The future governance of Ethena hinges significantly on the distribution of ENA tokens.
30% of ENA tokens are allocated to the Ethena Labs team and advisors, subject to a structured vesting schedule - all core contributors are locked on a one-year 25% cliff of their tokens, with three-year linear monthly vesting after that,
Investors receive 25% of the ENA tokens. Like core contributors, investors are also bound by a vesting schedule that includes a one-year cliff of 25% of their tokens, followed by linear monthly vesting over three years;
15% of the ENA tokens are reserved for the Foundation to support activities that extend the usability and adoption of USDe;
The remaining 30% of ENA tokens are designated for the growth and enhancement of the Ethena ecosystem. Initially, 5% of ENA supply has been distributed through airdrops to users participating in the first season of the Shard Campaign. 25% of ENA supply is reserved for future ecosystem development.
Improving Governance Structure Clarity
A well-defined and transparent governance structure is crucial for building trust and fostering accountability within the Ethena ecosystem. In this regard, Ethena is expected to provide information on the following aspects of its governance framework:
Composition and roles of governance bodies - selection process, term limits, and any eligibility criteria for participating in these bodies.
Specific responsibilities and powers of governance entities.
Decision-making process - proposal submission process, stages of deliberation, and the criteria used to evaluate proposals.
Voting - quorum requirements, voting power distribution, time limits or restrictions on voting activities, voting platforms, or tools for announcing results.
The protocol documentation and official announcements need to include these critical details. The most recent update indicates that users who lock their ENA tokens in the "Sats" campaign will retain their governance rights without clarifying how this participation is facilitated.
Custody Risk
Ethena's USDe backing assets are secured by three custodial providers—Copper, Ceffu, and Cobo— according to the latest attestations. Each custodian comes with specific legal standing that reflects the counterparty and custody risks they represent.
Copper Markets (Switzerland) A.G. operates as a platform offering storage, transfer, and settlement services for digital assets to corporate and institutional clients. It holds membership approval from the Swiss Financial Services Standard Association (VQF), a Self-Regulatory Organization (SRO) in Switzerland, which is officially authorized by the Financial Market Supervisory Authority (FINMA).
Ceffu/C.H. Europe Digital Solution sp. z o.o, based in Poland, is registered under number RDWW-749 with the Register of Activities in the Field of Virtual Currencies, managed by the Director of the Tax Administration Chamber in Katowice. It is important to note that no authoritative body in Poland currently regulates virtual assets. Consequently, Ceffu's Terms of Use disclose that custodial services for virtual assets are not covered under any financial services licenses, nor is the Company recognized as a licensed financial institution within Poland.
Cobo Global H.K. Limited asserts licensure in four jurisdictions; however, verifiable information is limited to a self-published statement regarding provisional approval from the Government of Dubai's Virtual Assets Regulatory Authority (VARA).
The limited transparency these custodians provide makes it difficult to fully assess the segregation of Ethena's funds and the specific risks associated with their custody practices. This lack of visibility could lead to unexpected losses or delays in accessing funds during times of stress, further compounding the risks to USDe's stability.
While allocations of assets held by custodians remain undisclosed, the collateral composition of Ethena reveals a high concentration on Binance.
Given the origins of Ceffu as Binance Custody, concerns persist regarding its complete separation from Binance—circumstances questioned by the SEC. In light of these connections, it is prudent to infer that a considerable portion of the collateral may reside with Ceffu, given their close relations with Binance. Even though an institutional interplay is assumed, Ceffu attests that all Ethena-related assets under their custody are held in off-exchange solutions and not kept by any digital asset exchange.
A more thorough breakdown would help assess the overall risk to the structure. Greater transparency would also assist users in understanding the differences between reported collateral balances and USDe in circulation. It is important to note that the data on the dashboard is delayed by 6 hours, which may explain the discrepancies observed between the amount of USDe in circulation and the "Collateral Notional" values.
Ethena also sources off-chain price information from the individual exchanges it trades derivatives on, such as Binance, OKX, Bybit, and Deribit. Ethena also works with "Off-Exchange Settlement Providers," such as Copper, Ceffu, and Cobo, who provide custody services and the functionality to enable Ethena to use its collateral, which is custodied with these providers, to margin its derivatives positions on CeFi exchanges. These providers are not trading counterparties to Ethena for derivatives trades.
Trusted Third-Party Agreements
Ethena has entered into Trusted Third-Party Agreements with all three custodians, establishing clear legal boundaries for their joint activities. While LlamaRisk has reviewed a model agreement with Copper, its specifics are not disclosed herein to honor Ethena's commercial confidentiality.
Under contract provisions, the trusted third party, distinct from Copper, is committed to providing extensive support, including wallet creation, safeguarding MPC signatory partitions, and handling access data and materials. This entity is responsible for using these resources to process transactions, leveraging backups when necessary, and furnishing MPC data and materials to Ethena and Copper in scenarios where they cannot sign transactions themselves.
The same party is entrusted with executing Safeguarding Services and playing a pivotal role in activating a Disaster Recovery Scenario should there be a misplacement or loss of MPC signature data or materials. This entity is also tasked with processing transactions based on explicit directives from Ethena or Copper.
Crypto assets transfers, withdrawals to trading accounts, or EOAs, are controlled by 2/3 multisig, typically requiring signatures from Ethena and Copper to execute transactions. The trusted party acts as a critical safeguard, held in reserve to facilitate the recovery of crypto assets in cases where Ethena or Copper cannot provide signatures due to operational failures or other unforeseen circumstances.
Further, the trusted third party is authorized to process transactions under additional stringent conditions, such as during the dissolution proceedings or liquidation of Copper or in compliance with orders from competent authorities. It is explicitly mandated that the trusted party refrain from processing transactions if there is an awareness or notification from Copper that such action would constitute a legal breach.
Detailed representations and warranties support these responsibilities, ensuring adequate insurance levels, compliance with applicable laws and regulations, and execution of activities with requisite skill, care, and diligence.
This framework ensures a robust system for transaction management, where the trusted party’s role as an emergency operational backstop adds a layer of security against mismanagement or potential conspiracy between the primary signatories—Ethena or Copper.
The safeguarding responsibilities encompass a thorough list of protocols to manage data files and passwords, including their storage, control, monitoring, access rights, and regular audits to ensure robust security measures are perpetually in place.
The appointment of the trusted third party is Ethena's sole responsibility, highlighting that Copper bears no liability or responsibility for this entity's suitability, actions, or inactions.
Proof of Collateral Assets
Ethena has recently taken steps to improve the transparency of its collateral assets by providing custodian legal attestations. These attestations verify that the backing assets of USDe reside with off-exchange custodians and include the amount held with each custodian.
As of May 2024, the attestations provided a breakdown of the USDe supply and the corresponding custodied assets held with each provider. The total backing assets, excluding the reserve fund, and the percentage of USDe supply covered were also reported. The reserve fund was also noted, and the total backing, including the reserve fund, was calculated as a percentage of the USDe supply.
Ethena has committed to releasing these attestation reports every month to provide regular updates on the amount and location of the assets backing the protocol, and it has expressed its intention to later publish an on-chain proof-of-reserves for improved transparency. Future reports will be shared in the Ethena governance forum, which was inactive at the time of writing, with only a welcome post and no other discussions or activity at the moment.
Oracle Risk
Internal Pricing Oracles
Ethena's internal pricing system calculates collateral values in USDe terms using real-time data feeds from centralized exchanges like Binance, Bybit, and OKX, where Ethena holds derivative positions. This pricing is crucial for determining the amount of USDe minted, the size of hedging positions, and managing margin requirements.
To protect against single-source manipulation, Ethena sanity checks its internal pricing against on-chain oracles from Pyth and Redstone before accepting mint/redeem requests.
According to Ethena, their system detects and mitigates invalid or outdated data through the following mechanisms:
Exchange data is compared against Pyth and must fall within a manually set tolerance, wide enough to allow for rapid moves while avoiding reactions to trade-through events.
Ethena optimizes data processing during high volatility to ensure responsiveness and prevent bottlenecks.
Continuous-time synchronization with exchanges is maintained, and RFQ look-back periods are updated to ensure acceptance only with up-to-date market data, protecting against adverse selection by faster market makers.
Trading is temporarily suspended if market data latency exceeds a predetermined threshold and resumes only when latency improves and stays below the threshold for a certain period, preventing rapid toggling due to minor fluctuations.
However, it is important to note that these claims regarding Ethena's internal systems cannot be independently verified as they are not publicly accessible or auditable.
USDe Price Feed for 3rd Parties
The following price feeds are available for USDe:
DeFi protocols wanting to integrate sUSDe can use the convertToAssets
and convertToShares
functions, as sUSDe conforms to the ERC4626 vault standard.
Economic Risk
Effectiveness of Delta-Neutral Hedging
Ethena employs a delta-neutral hedging strategy using perpetual futures contracts on centralized exchanges to maintain the USDe peg. This basis trade involves taking a long spot position in the collateral (e.g., staked ETH) and a short position in perpetual futures contracts to offset market risk exposure.
The long spot position in the collateral exposes the underlying asset's price movements. In contrast, the short position in perpetual futures contracts allows Ethena to hedge declines in the collaterals' prices. This approach aims to profit from the funding rate while neutralizing the impact of price fluctuations on the collateral's value, thereby helping stabilize the USDe peg.
The effectiveness of this approach relies on several factors:
Accurate pricing data: The hedging positions must be based on reliable and up-to-date price information to ensure proper alignment with the collateral's value.
Efficient execution: Ethena needs to execute the necessary trades to maintain the delta-neutral position efficiently, minimizing slippage and transaction costs.
Sufficient market liquidity: The futures markets used for hedging must have adequate liquidity to absorb Ethena's trades without significant price impact.
Management of funding rates: Ethena must pay to maintain its position if funding rates turn negative. In such a scenario, it is logical for Ethena to start unwinding its positions to minimize losses, which would nullify its yield generation strategy. This could lead to a liquidity crunch and a mass sell-off of assets, ultimately threatening the stability of USDe's peg.
However, the effectiveness of delta-neutral hedging in crypto assets may be limited by high volatility and boom-bust cycles. Schmeling, Schrimpf, and Todorov (2023) show that the futures basis, or "crypto carry," can become very large and varies strongly, driven by fluctuations in "convenience yields." Convenience yields represent the benefits of holding an underlying asset directly, such as using it as collateral or meeting liquidity needs. Higher crypto carry predicts an increased risk of price crashes and liquidations as leveraged investors borrow to profit from the positive carry. If convenience yields decrease, it can trigger a cascade of liquidations and rapid unwinding of positions, leading to a price crash. The interplay between leveraged trend-followers, slow-moving arbitrage capital, and high leverage may contribute to these destabilizing dynamics.
Although the funding rates of the derivatives utilized by Ethena have been predominantly positive over the past year, there have been brief periods of negative rates. During these times, Ethena would have been required to take swift action to rebalance its positions and mitigate potential losses.
Ethena's use of derivatives positions for hedging purposes is critical to its risk management strategy. To allow for a thorough assessment of the associated risks, Ethena should provide detailed information on these positions, including:
Notional size: The total value of the derivatives contracts held by Ethena
Leverage: The amount of leverage employed market-wide in short derivatives and the potential impact on Ethena's balance sheet
Counterparties: The specific entities Ethena has entered into derivatives contracts with and their respective credit ratings
While Ethena provides sufficient information on its counterparties, no information is available on its positions' notional size and leverage. This lack of transparency makes it challenging to assess the overall risk profile of Ethena's derivatives holdings and its potential impact on the stability of the USDe stablecoin accurately.
Historical Price Stability
As USDe is a relatively new stablecoin, historical price data is limited, making it challenging to assess its long-term peg stability. While short-term stability has been observed, the stablecoin's performance during extended market volatility and stress periods remains untested.
To gauge the potential risks associated with USDe's growth and its impact on the markets used for hedging, it is essential to monitor the following metrics:
Historical CEX Perp Yields and Avg Perp Yields for BTC and ETH: These graphs help identify periods of negative funding, which could impact USDe's stability.
Ethena % of O.I.: This metric indicates Ethena's market impact and the potential for slippage during liquidity crunches or high-USDe redemption periods.
Protocol APY and sUSDe APY: Comparing these yields can help assess the impact of perpetual funding rates on the protocol. A disconnect between perpetual funding and protocol yield could indicate a portfolio transition to other derivatives, such as futures.
sUSDe Spread vs 3m Treasury: This metric may serve as a leading indicator for USDe demand. If sUSDe loses yield relative to 3m Treasury, it could foretell a loss of interest in sUSDe and USDe among Ethena depositors or stakers, leading to selling or redemption.
Taker buy/sell volume and Trader long/short ratio for BTCUSDT and ETHUSDT perpetual futures (period 1D): These metrics provide insights into spot market sentiment and potential hedging market imbalances that could affect USDe's stability.
The rapid growth of USDe and its integration into DeFi protocols like Maker (D3M), Curve, and Morpho raises concerns about potential risks if the protocol grows too large relative to the available liquidity in the markets used for hedging. If Ethena's hedging positions become too large or concentrated, they could cause slippage and be difficult to unload in times of crisis, potentially disrupting secondary markets.
Liquidity and Market Maker Behavior
As Ethena grows, the ratio of available perpetual liquidity to the protocol's size becomes increasingly important. Suppose Ethena's derivatives trades are expected to impact the market significantly. In that case, market participants will naturally demand large discounts on any contracts that Ethena will seek to sell or premiums on any contracts that Ethena will seek to buy.
This is not an issue at the current scale at which Ethena operates. For example, Ethena's total BTC position appears to be less than 1% of the average daily volume on Binance.
This behavior can exacerbate the liquidity crunch during market downturns, where the protocol sells its short hedges at sharp discounts due to insufficient liquidity, potentially causing negative funding rates and, thus, collateral losses, which would impact the stability of the USDe peg.
To mitigate this risk, it is essential for Ethena to monitor the ratio of available liquidity to its size and to ensure that there is sufficient liquidity in the markets it relies on for its hedging activities. Additionally, increased transparency from Ethena regarding its trading activities and risk management practices could help market participants better assess the potential impact of the protocol's trades on market liquidity and adjust their strategies accordingly.
Inherent exchange risks, such as major exchanges going offline for extended periods, could also contribute to liquidity crunches and increase the risk of an Ethena implosion. While creating an exit queue for Ethena that matches staked ETH's exit queue could help manage this risk, it may not be sufficient in extreme scenarios where market liquidity dries up entirely.
Ethena can pause Ethena's off-chain system at any time, and unforeseen extreme circumstances may force Ethena to fully halt services like minting and redeeming USDe, staking and unstaking USDe, and loading and offloading derivatives on exchanges, all of which would exacerbate stress in USDe and sUSDe markets throughout. To protect its users, Ethena enforces a 7-day cooldown period for unstaking sUSDe to buffer the amount of USDe collateral necessary to retrieve for redemptions by selling derivatives in any given timeframe.
DeFi Contagion Risk
As a multi-collateral synthetic dollar that relies on derivatives, a potential failure of Ethena or USDe could have far-reaching consequences across the DeFi ecosystem. The rapid integration of USDe into Maker's Direct Deposit Module (D3M) has already raised concerns among other DeFi protocols. Aave has proposed reducing its exposure to DAI and limiting the potential contagion risk.
If Ethena were to experience significant disruption, it could trigger cascading liquidations and a rapid drawdown of USDe liquidity. This, in turn, could cause knock-on effects on other protocols that use USDe or LSTs as collateral, leading to a broader contagion event.
Guy Young, founder of Ethena, emphasized the need to monitor the growth of these leveraged positions to avoid systemic risk, given that Aave's assets are still relatively small in the context of the broader DeFi ecosystem.
Collateral Risk
Collateral Composition
The latest information on Ethena collateral composition can be found here. The current mix is currently comprised of BTC (42%), ETH (36%), ETH LSTs (14%), and USDT (8%).
Currently, the decision regarding collateral backing is being made internally, with plans to be presented to governance for consideration within the coming weeks. Whitelisted users have the ability to select from any of the mint assets that are available on Ethena's decentralized application.
Ethena has set an ambitious target to scale its Total Value Locked (TVL) to over $5 billion by September 2024. This rapid growth plan will likely be driven by the diverse collateral options, attractive yields, and the protocol's expanding integration with other DeFi platforms like Maker and Morpho.
LST Collateral Concentration
Ethena's exposure to liquid staking token (LST) collateral, namely stETH, could create a systemic risk to USDe's stability. The value and liquidity of LSTs are closely tied to the performance and security of their underlying staking protocols and the Ethereum network itself.
Any LSTs' price, liquidity, or security disruptions could force Ethena to rapidly unwind its derivative positions or sell off its LST holdings in an illiquid market.
Insurance Fund
An adequately sized and well-managed insurance fund is critical to Ethena's risk management framework. The insurance fund serves as a buffer against potential losses and helps maintain the stability of the USDe stablecoin.
The Reserve Fund, as described in Ethena's documentation, serves as a vital safeguard—the protocol's ultimate contingency mechanism. This fund is intended to provide necessary capital during periods of negative funding and act as a last-resort buyer for USDe in the open market, ensuring liquidity and stability under adverse conditions.
The control of the reserve fund is entrusted to a 4/8 multi-sig solely composed of Ethena Labs contributors. No further information on the signatory is provided.
A significant concern is that a large portion (about 30% at the time of writing) of the insurance fund provides USDe/USDT liquidity on Uniswap V3. In a de-peg scenario, the insurance fund's capital could lose value, compromising its primary purpose. Another large portion (about 40% at the time of writing) is invested in the DAI Savings Module, which has a small portion of USDe as its underlying asset. These circular ties are a concern; the fund's value must be further discounted if it is primarily endogenous collateral.
In clarifications with Ethena, they confirmed that proceeds from the mint fee (10-15bps, dynamically adjusted) are typically transferred manually from the custody account to the insurance fund. The trigger for these transfers is the weekly payment every Thursday on sUSDe yields: funds flow from the custody account to the sUSDe payout fund, distributed to both the sUSDe yield contract and the reserve fund.
To improve transparency and allow for a proper assessment of the fund's effectiveness, Ethena should disclose:
The specific scenarios or conditions under which the fund can be deployed
The governance process for making decisions related to the insurance fund, such as topping it up or using it to cover losses
Any plans for further growing or diversifying the insurance fund
The long-term vision for the insurance fund's capitalization remains vague. Currently, the shard campaign is anticipated to be a primary source of yield generation. However, Ethena's governance is expected to make future decisions regarding the capitalization and strategic direction of the fund. Ethena's governance model still needs to be defined. Consequently, the decision-making authority over critical features of the Reserve Fund needs to be clarified.
Overcollateralization and Liquidations
A "liquidation" mechanism that automatically redeems a minter's USDe and returns the corresponding amount of collateral does not exist. Instead, Ethena maintains an over-collateralization ratio, thanks to its reserve fund and a mint fee, to protect against collateral price fluctuations and ensure that the value of the collateral always exceeds the value of the outstanding USDe tokens. This over-collateralization acts as a safety buffer, allowing the system to absorb some level of price volatility without compromising its solvency.
The USDe mint fee, dynamically adjusted between 10 and 15bps according to market conditions, is collected in custody accounts for use as USDe redemption liquidity or extra derivatives collateral.
Chaos Labs, in its report Perpetual Futures Liquidity and Funding Rate Considerations for Ethena, backtested a maximum collateral drawdown of 4.3% between Jan 2021 and Nov 2023 due to perpetual funding rates flipping negative during the merge of Sep 2022. It thus recommended an initial "$33m insurance fund to ensure full coverage in all conditions as it grows to $1bn supply" (p. 42). The current reserve fund appears inadequate using this metric: it contains $36m to cover over 2bn USDe.
This simulation from IntoTheBlock provides a visual representation of the reserve fund's depletion timeline, showing how many days it would take to exhaust the fund based on various annualized negative funding rates. This projection is updated hourly, using the current reserve fund assets and 8-hour funding fees to estimate the annualized values.
As previously mentioned, the insurance fund is partly composed of a USDe Uniswap V3 liquidity provider (LP) position. This implies that the fund's value may deplete more rapidly than the simulations conducted by IntoTheBlock predict. In the event of a significant market downturn or a de-pegging of USDe, the LP position could suffer substantial losses due to increased selling pressure and potential impermanent loss. Consequently, the insurance fund's ability to absorb losses and maintain the stability of USDe may be compromised, potentially leading to a more severe impact on the stablecoin's value than initially anticipated.
Regulatory Risk
Regulatory stances towards Ethena
Ethena Italia S.r.l. (the Company) operates the website www.ethena.fi, with the protocol's smart contracts and off-chain infrastructure under the stewardship of the Ethena Foundation and its associated entities. The Company holds a VASP (Virtual Asset Service Provider) registration from Italy's Organismo Agente E Mediatori (OAM), affirming its status as a recognized service provider within the Italian jurisdiction. This designation enables Ethena Italia to engage in a range of authorized activities  delineated in the Italian VASP register:
Services functional to the use and exchange of virtual currencies and their conversion from or into legal tender currencies or into digital representations of value, including those convertible into other virtual currencies
Issuing services, offering virtual currencies
Virtual currency transfer and clearing services
Any other service functional to the acquisition, negotiation, or intermediation in the exchange of virtual currencies (e.g., execution, reception, transmission of orders relating to virtual currencies on behalf of third parties, virtual currency placement services, consultancy services on virtual currencies)
Digital wallet services
The regulatory landscape must provide a VASP passporting framework in the broader European and national contexts. Consequently, by securing a VASP registration with the Italian national authority, OAM does not exempt Ethena from adhering to additional regulatory mandates across other European countries where it may seek to extend its services. It is incumbent upon VASPs to navigate and comply with the registration prerequisites specific to each country of operation.
Ethena's Terms of Service address the current structure and level of compliance: "Aside from this registration, the Company is not registered in any capacity with any other regulatory body in any jurisdiction"
Recent advancements have significantly transformed the European Union's approach to crypto asset regulation. Introducing the Markets in Crypto-Assets Regulation (MiCAR) heralds a unified regulatory scheme for crypto-asset service providers (CASPs). This legislation imposes strict authorization, supervision, and operational standards on CASPs, ensuring robust consumer protection and equitable conditions across the sector.
In light of MiCAR's enactment, the Italian Treasury has introduced draft legislation that outlines the transitional provisions for existing crypto providers. Those registered with OAM under the preceding regime are granted a transitional period until October 2025, provided they apply for MiCAR licensing within any E.U. member state by December 30, 2024.
Amid these regulatory shifts, Ethena must articulate its strategy for MiCAR compliance transparently. This includes detailing the licensing trajectory for its unique token offerings and addressing the incorporation jurisdiction of the Ethena Foundation. The governance and operational framework of the Ethena protocol, including its alignment with MiCAR standards and strategies for E.U. market engagement, remain critical considerations in the Company's compliance journey.
Ethena is encouraged to maintain diligent oversight and actively interact with regulatory entities to guarantee that its operations are in strict conformance with legal mandates. Engaging in public dialogues and consultations is recommended to enhance the regulatory bodies' comprehension of the unique characteristics of USDe.
By initiating open and constructive communication with regulatory officials, Ethena can more effectively navigate the complex landscape of regulatory compliance. This approach mitigates the risk of encountering obstacles during the formal application procedures, which could lead to unwarranted delays or rejections due to misunderstandings or inadequate evaluation of the token's distinct attributes. Ethena's team is urged to take a proactive stance, detailing the innovative aspects of their token design to facilitate thorough and informed assessments by the authorities.
Evaluating Ethena's compliance with applicable laws and regulations
While no specific framework is dedicated exclusively to crypto assets in Italy, entities offering crypto-related services must register within a specialized OAM Register for Anti-Money Laundering (AML) compliance segment. As a registered provider of crypto services, Ethena must diligently ascertain the origins of the funds it is asked to handle, whether for storage, exchange, or settlement and to acquire detailed information on the identities of its clientele. This includes occupation, tax status, domicile, and whether they reside in countries recognized for terrorism financing. Customer due diligence is an ongoing requirement, extending beyond initial customer onboarding to continuous monitoring of customer transactions. Ethena must also preserve records for ten years and alert regulatory bodies of suspicious transactions.
Ethena professes strict adherence to regulations combating money laundering and the financing of terrorism. Its Terms of Service explicitly bar any individual or entity identified on U.S. Government lists of sanctioned or restricted parties situated in or organized under the laws of embargoed nations or countries labeled by the U.S. as supporting terrorism. This includes citizens, residents, or entities from countries sanctioned by the FATF and the U.S. or any jurisdiction where transactions with such parties would contravene U.S., E.U., U.K., or other relevant international laws. To uphold these restrictions, Ethena may employ measures like IP-based geolocation filters.
Nevertheless, the current regulatory obligations focusing solely on AML aspects do not encompass the comprehensive spectrum of consumer protection anticipated with the implementation of MiCAR. Specifically, for Ethena's issuance of asset-referenced or electronic money tokens, a detailed white paper is necessary, providing critical information such as:
a) information about the issuer of the asset-referenced token;
b) information about the asset-referenced token;
c) information about the offer to the public of the asset-referenced token or its admission to trading;
d) information on the rights and obligations attached to the asset-referenced token;
e) information on the underlying technology;
f) information on the risks;
g) information on the reserve of assets;
h) information on the principal adverse impacts on the climate and other environment-related adverse implications of the consensus mechanism used to issue the asset-referenced token.
Ethena clearly distinguishes that USDe is not akin to traditional fiat stablecoins like USDC or USDT. A differentiation indicating that USDe encompasses a unique set of risks, necessitating tailored risk mitigation strategies. In this sense, Ethena's Risk documentation serves not only as info sheet but highlights the differences between USDe and existing fiat and real-world asset (RWA) stablecoins. Different risk trajectories are identified therein: Funding Risk, Liquidation Risk, Custodial Risk, Exchange Failure Risk, and Collateral Risk.
When analyzing the risk management strategies of Ethena in comparison to the detailed requirements set forth by the European Securities and Markets Authority (ESMA) as part of the MiCAR technical standards specification, it is evident that upcoming disclosures from Ethena will need to encompass a more extensive range of risk factors. ESMA mandates a detailed exposition of risks associated with the issuer's financial health, operational activities, industry-specific threats, legal and regulatory challenges, internal control mechanisms, and environmental, social, and governance factors. Additionally, risks related to public offerings of crypto-assets must be articulated, highlighting market volatility and liquidity. Furthermore, there is a requirement to describe the technological underpinnings of the crypto-assets, identify potential vulnerabilities, and determine the measures put in place to mitigate these risks.
Ethena's current disclosures need to meet the upcoming MiCAR standards. As regulations evolve, it is imperative for Ethena to continuously refine and update its user notifications, ensuring they are accurately informed through timely updates prominently displayed on the Company's website.
Assessing the potential impact of evolving regulations on USDe's usability as collateral
We assume that Ethena significantly depends on its current VASP registration as a testament to compliance standards when engaging with potential partners such as custodians and exchanges. This advantageous stance, however, may be put at risk if Ethena fails to apply for MiCAR license within the designated period, which is by the end of 2024.
The evolving nature of regulatory frameworks poses potential challenges to the acceptance and utility of USDe as collateral. Should Ethena encounter hurdles in obtaining the necessary MiCAR licensing—due to the token not meeting the specific criteria for E-Money Tokens (EMT) Asset-Referenced Tokens (ART) or failing to comply with the conditions for Crypto-Asset Service Provider registration—the Company's operations involving the Ethena token and related services could be classified as unauthorized. Consequently, this would expose the Company to regulatory sanctions.
An important aspect of the upcoming regulatory regime that Ethena needs to consider is the restriction against offering interest on EMTs. Attributing yield-bearing features to a token could expose it to a financial instrument classification, subjecting it to different requirements. To navigate this complex terrain, Ethena is advised to closely monitor the European Securities and Markets Authority's (ESMA) ongoing consultation round on the conditions and criteria for the qualification of crypto-assets as financial instruments. According to ESMA's deliberations, crypto-assets might be deemed financial instruments if they meet the definition of transferable securities under MiFID II, which includes criteria such as:
'Transferable securities' means those classes of securities that are negotiable on the capital market, except instruments of payment, such as:
a) shares in companies and other securities equivalent to shares in companies, partnerships, or other entities, and depositary receipts in respect of shares;
b) bonds or other forms of securitized debt, including depositary receipts in respect of such securities;
c) any other securities giving the right to acquire or sell any such transferable securities or giving rise to a cash settlement determined by reference to transferable securities, currencies, interest rates or yields, commodities, or other indices or measures;
Should USDe fall within this classification, it would be governed by the comprehensive E.U. regulatory framework established for financial instruments.
When the legal status of USDe offerings becomes compromised, the repercussions for protocols utilizing USDe as collateral could be severe and adverse.
To mitigate such risks, Ethena must remain vigilant and responsive to changes within the regulatory landscape. Proactively engaging with legislators and industry bodies could be pivotal in steering the conversation around stablecoins in a more favorable direction. By actively participating in these discussions, Ethena can contribute to shaping a regulatory environment that supports innovation while ensuring compliance and stability.
Additional considerations for sUSDe
USDe staking adds an extra layer of regulatory complexity to the legal design of the protocol, as staking is unexplored territory (specifically in the E.U. legislative field). sUSDe is a receipt token that evidences the token holder is entitled to receive a portion of the protocol's generated yield. The existing European legal framework needs to address the staking services, particularly the qualification of liquid staking tokens. In the unclear regulatory environment, staking considerations are left to analyze if they fall within the scope of existing frameworks such as the Alternative Investment Funds Directive or the Markets in Financial Instruments Directive.
Legal assessment of staking has been addressed in multiple reports and position papers by industry stakeholders. The two below offer invaluable insights:
Their findings are that staking activities can fall under the AIFMD's purview under specific conditions. This is determined by how crypto assets are gathered collectively from multiple investors and whether adherence to a well-defined investment policy exists. On the other hand, there are strong arguments that technical staking falls outside the scope of AIF, as it does not involve coordinated strategic pooling of assets or centralized management.
Secondly, liquid staking tokens do not align with the MiFID's classification of financial instruments, e.g., treasury bills, certificates of deposit, and commercial papers, while expressly excluding payment instruments. The staking receipt tokens fulfill none of these criteria due to their unique nature and the specificities inherent in their design.
The reports referenced above point to the probable exemption of liquid staking tokens, i.e., sUSDe per our assumption, from the current financial laws. Nonetheless, the regulatory landscape can quickly change and impact the standing of the token.
In the absence of negative opinion articulated by the E.U. competent authorities or enforcement actions against CASPs offering staking activities, there are no signs of immediate threat of regulatory sanctions against staking products. They should be brought into compliance with the applicable legal framework in the Union.
Smart Contract Risk
Ethena's smart contract codebase is relatively small, with the core components being the ERC20-based USDe and ENA tokens and an ERC4626-based staking contract (sUSDe). The use of battle-tested standards helps to minimize complexity and attack vectors.
However, off-chain systems handle most of Ethena's critical operations, including collateral management, delta-neutral trading, risk management, and price feeds. These centralized components introduce additional failure points that must be readily auditable via the smart contract code.
While smart contract audits are prudent, Ethena's overall risk profile is heavily weighted toward its internal systems, collateral management, and interaction with centralized exchanges.
Core contracts
Mint and Redeem Contract:
0x2cc440b721d2cafd6d64908d6d8c4acc57f8afc3
Staking Rewards Distributor Contract:
0xf2fa332bd83149c66b09b45670bce64746c6b439
USDe Token Contract:
0x4c9edd5852cd905f086c759e8383e09bff1e68b3
sUSDe Token Contract:
0x9d39a5de30e57443bff2a8307a4256c8797a3497
ENA Token Contract:
0x57e114B691Db790C35207b2e685D4A43181e6061
Audits
Ethena has demonstrated a strong commitment to security by conducting a multi-phased audit approach, engaging various industry-leading firms, independent experts, and the wider community. The list of up-to-date audits can be found here. At the time of writing, the protocol had undergone the following audits on its V2 codebase:
Quantstamp (October 18, 2023): Quantstamp's audit revealed 13 findings, with no high-severity issues. The audit identified four medium-severity issues (2 fixed, 2 acknowledged), 3 low-severity issues (all fixed), and six informational findings (4 fixed, 2 acknowledged).
Spearbit & Cantina (October 18, 2023): The Spearbit & Cantina audit uncovered 24 findings, with no critical, high, or medium severity issues. The audit identified 2 low-severity issues, 14 gas optimization suggestions, and 8 informational findings.
Independent Audit by Pashov (October 22, 2023): Pashov's independent audit concluded with 4 low-severity issues found (2 fixed, 2 acknowledged). No critical or high-level issues were identified.
Public Code4rena (13th Nov, 2023): The public Code4rena audit found no critical or high-level issues. The audit identified four medium-severity issues, 98 low-severity/non-critical issues, and 41 gas optimization recommendations.
In addition to the V2 codebase audits, Ethena has also conducted:
Initial audit on V1 contracts by Zellic
Architecture design review and economic risk factor analysis with Spearbit's Kurt Barry (former Lead Engineer at MakerDAO)
Economics audit and risk analysis by Chaos Labs on system design
No critical or high-severity issues were identified in any of the audits, which is a positive sign for the security of Ethena's smart contracts.
Bug Bounty Program
As of April 4, 2024, Ethena has launched a public bug bounty program with Immunefi, offering rewards of up to $3,000,000 for discovering critical vulnerabilities. This ongoing initiative demonstrates Ethena's commitment to maintaining their protocol's highest level of security—more details about the bug bounty program can be found here.
Access control
The following has been collected during Pashov security review, dated October 21st, 2023:
USDe minter
- can mint any amount ofUSDe
tokens to any address. Expected to be theEthenaMinting
contractUSDe
owner - can set token minter and transfer ownership to another addressUSDe
token holder - can not just transfer tokens but burn them and sign permits for others to spend their balanceStakedUSDe
admin - can rescue tokens from the contract and also redistribute a fully restricted staker'ssUSDe
balance, as well as give roles to other addresses (for example, theFULL_RESTRICTED_STAKER_ROLE
role)StakedUSDeV2
admin - has all the power of "StakedUSDe
admin" and can also call the setCooldownDuration methodREWARDER_ROLE
- can transfer rewards into theStakedUSDe
contract that will be vested over the next 8 hoursBLACKLIST_MANAGER_ROLE
- can do/undo full or soft restriction on a holder ofsUSDe
SOFT_RESTRICTED_STAKER_ROLE
- address with this role cannot stake hisUSDe
tokens or getsUSDe
tokens minted to himFULL_RESTRICTED_STAKER_ROLE
- address with this role cannot burn hissUSDe
tokens to unstake hisUSDe
tokens, nor to transfersUSDe
tokens. His balance can be manipulated by the admin ofStakedUSDe
MINTER_ROLE
- can mintUSDe
tokens and also transferEthenaMinting
's token or ETH balance to a custodian addressREDEEMER_ROLE
- can redeem collateral assets for burningUSDe
.EthenaMinting
admin - can set the maxMint/maxRedeem amounts per block and add or remove supported collateral assets and custodian addressesGATEKEEPER_ROLE
- can turn off minting/redeeming ofUSDe
and removeMINTER_ROLE
andREDEEMER_ROLE
roles from authorized accounts
Governance can enforce a sUSDe unstaking cooldown duration of up to 90 days; the current parameter is seven days:
Roles were verified as of May 10, with Ethena providing this script for quick verification on-chain.
MINTER_ROLE & REDEEMER_ROLE granted to:
0x8cCD4dc9919A4FC6f490188146e76c7B51BDbbb4
0x6Be5679E945cd5aEa1BD9aB84A54f2b7DF237CB3
0xc83e2C530438d7CbB5FaAF630F9A346aB48B284C
0x6E29661e99e90b8029d1F9aAcd63ECA668dde541
0x95B11eb662AFaA71209C3Fd92CBfc12D3c106C64
0x1908dB35Ba2c762d23eC3aFaC58e0b5AbF50B813
0x8D27957F835B2602E4bee716203f230788f4c967
0xeFCd00A877B7822a9eDc1722e2A25AeEAC4F97E7
0x3A36399A4AaA889ecd4ED19279F1Af79c7848090
0xBa45f3Cb69b23c988782d082B8bc0c3D8Db79E7c
0x80DAee0F1fbE722d7E67544D53046981aC8AF143
0x0853c55dA9A397932A2D425BA34Bde5d42E0c4e5
0x45d4Fc7628b68a386f48605b437c9611602A7e2C
0x670eecD642655075c259F810F8Fc65C326dE7100
0x05E88BB25089239AfBFeb68e7E33b9363f6f0944
0x34C7bDC93459297a69f9fad693272Bc09F82684b
0xCe797C764aBbF00182f7079aed2Dfd21D2c9906F
0x56F48F33efc9F9bDEc853CA3C94D806da935d5e5
0x64C93808B7a4B6b8EAb13c3689836fD949c294ca
0xD759eD9c72185b7f1b955075FE4ff7f4E49C518A
GATEKEEPER_ROLE granted to:
0xb6ECaE7413A3E78a3e10f15aFE3066e79566CCA3
0xAB9110d36B030bAe812CD3BB7B9dE805A64AA7dC
0xbfCFd49761497D0Da333d9bB01E55ec3620E50Fd
0xd2845325d7348c5DaE630BA236bcB53163b07057
REWARDER_ROLE granted to:
0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862
0x71E4f98e8f20C88112489de3DDEd4489802a3A87
0xf2fa332bD83149c66b09B45670bCe64746C6b439
BLACKLIST_MANAGER_ROLE granted to:
0x3B0AAf6e6fCd4a7cEEf8c92C32DFeA9E64dC1862
FULL_RESTRICTED_STAKER_ROLE granted to:
0x9fA7bB759641FCd37fe4aE41f725e0f653f2C726
Proxy and timelock
Ethena does not use any proxy or timelocks. Contracts are fully immutable.
[USDe] Curve-specific considerations for Ethena
LlamaRisk Gauge Criteria
Centralization Factors
Is it possible for a single entity to rug its users?
The model tri-party agreement, reviewed by LlamaRisk, includes security measures to minimize the risk of a single entity compromising user assets. However, centralization factors still exist. The agreement involves a 2/3 multisig setup with Ethena, the Custodian (e.g., Copper), and a Trusted Party appointed by Ethena. This setup enhances security by requiring two out of three parties to sign off on transactions. The Trusted Party acts as a failsafe, ensuring the recovery of lost assets or filling in for signing failures.Collusion risk between Ethena and the Trusted Party is mitigated by strict procedural conditions for the Trusted Party to execute transactions, which are only activated under specific circumstances. However, centralization risks persist. A hack on a major integrated exchange like Binance could compromise user assets, disrupt USDe liquidity, and undermine confidence in the stablecoin. The reliance on a Trusted Party also introduces a potential point of failure or vulnerability.
While the agreement provides some security measures, users should be aware of the centralization risks associated with Ethena's reliance on custodians, exchanges, and trusted parties. Transparency regarding these relationships and potential risks is crucial for users to make informed decisions.
If the team vanishes, can the project continue?
The report clearly states that Ethena's system can only function with the Company's presence. Critical activities such as portfolio hedging, mint or redeem request handling, and insurance fund upkeeping require human oversight. Therefore, the project could not continue operating if the team were to vanish.
Economic Factors
Does the project's viability depend on additional incentives?
Under normal operations and current market conditions, Ethena's system architecture should produce organic yield from its basis trade, suggesting that the project's viability does not depend on additional incentives. However, it is important to note that the additional incentives from the sats campaign have significantly contributed to Ethena's rapid TVL growth and notoriety.If demand falls to 0 tomorrow, can all users be made whole?
The ability to make all users whole in the event of a sudden drop in demand depends on Ethena's capacity to unwind its position without substantial loss. The report raises concerns about the concentration of collateral, delta-neutral hedging strategies' effectiveness, and the insurance fund's adequacy relative to the scale of operations and potential systemic risks. These factors may impact Ethena's ability to make users whole in such a scenario.
Security Factors
Do audits reveal any concerning signs?
According to the report, Ethena has undergone several audits, with no critical or high-severity issues identified. While smart contract audits are prudent, it is important to recognize that Ethena's overall risk profile is more heavily influenced by its internal systems, collateral management, and interaction with centralized exchanges. The audits alone may not comprehensively assess the project's security.
Curve Specific Considerations
Curve plays a pivotal role in the USDe ecosystem, leading in DEX liquidity by USDe and sUSDe against other stablecoins for a total TVL of over $175 million. As the most convenient on-chain exchange for purchasing USDe to stake for yield, Curve wields significant influence over the stablecoin.
While Ethena's allowlist restricts USDe minting from collateral to KYC'd and KYB'd parties, depositors face minimal limitations on their USDe usage. Consequently, some may engage in "looping" USDe and collateral through Curve to increase leverage, while others may use Curve for deleveraging. The interaction between protocols like Morpho, Gearbox, Aave, and Curve (both pools and Curve Lending) may amplify this behavior.
This behavior is expected because, in the event of a liquidity crisis or perceived insolvency of Ethena, parties will likely attempt to exit USDe before Ethena liquidates their hedges or collateral, potentially leading to significant losses. The primary exit methods will be selling USDe or sUSDe against Curve pools. Thus, Curve may provide crucial services to the USDe ecosystem, such as maintaining the stability of the USDe peg.
It is essential to note the relationship between USDe and sUSDe. USDe is the underlying stablecoin, while sUSDe is the yield-bearing derivative token. If the market perceives Ethena as insolvent, sUSDe will likely face significant selling pressure, causing its price to fall below the peg. In such a scenario, many users would prefer to sell their sUSDe holdings rather than face potential issues such as withdrawal queues, system halts, or concerns about the liquidity of Ethena's hedging positions.
However, it is crucial to consider the primary risks that USDe & sUSDe may pose to Curve:
Risk is isolated to participants in individual Curve Lending markets accepting sUSDe as collateral. When considering these markets, users should review the market parameters, such as the A factor, fees, and loan-to-value ratios, and ensure the underlying pool used for Oracle has ample liquidity.
Curve LPs risk losses naturally if USDe experiences a sharp depeg, but they generally understand and accept this risk as part of their participation in the ecosystem.
If Maker's endgame plan fails and DAI loses its peg, it would significantly impact Curve Finance:
3pool disruption: The 3pool's balances and functionality would be severely impaired as LPs withdraw non-DAI stablecoins, leaving the pool overwhelmingly composed of depreciating DAI.
Protocol revenue decline: The 3CRV LP token (which includes DAI) would depreciate, directly reducing the value of veCRV staking fees. This impairs Curve's long-term fee revenue and ability to attract liquidity.
An unpegged DAI would undermine Curve's core infrastructure and overall revenue model. Llamarisk has analyzed the extensive implications of Maker's endgame plan on Curve in this report.
In conclusion, while Curve plays a vital role in the USDe ecosystem, the platform must carefully manage the risks associated with USDe and sUSDe. By implementing appropriate risk parameters, isolating risk to specific participants, and monitoring the stability of the USDe peg, Curve can continue to provide essential services to the ecosystem while mitigating potential adverse impacts on its infrastructure and users.