Asset Risk Assessment - Fei Protocol
A risk assessment on Fei Protocol - Fei USD (FEI) for Curve veCRV holders
Fei Protocol’s stablecoin FEI is an asset on a few pools on Curve.fi, and it potentially wants to list a few others. They’ve applied for a gauge for their FEI-3CRV pool. This assessment aims to provide information on FEI’s risks to veCRV holders.
A TL;DR for people looking for a quick summary:
No single entity can rug the pool. Currently, the Fei Protocol guardian multi-sig is under the core team’s control (3/7 multisig, all doxxed), intending to transition it to community-held multisig.
With the upcoming v2 update, the Fei Protocol may exist even without the core team, as the control of the protocol is handed over to the community.
The audits do not reveal any particularly damning details. However, a few concerns need to be addressed (discussed later in this article).
The FEI-3CRV pool already has over 220 million USD in liquidity even without a gauge: this is usually an excellent sign.
Fei is backed by VCs.
The recommendation is that FEI should get their gauge.
FEI as an asset
The Fei Protocol is an attempt to create a decentralised stablecoin algorithmically backed by decentralised assets. Their stablecoin framework is decentralised, scalable, and DeFi-native, with two token components.
Protocol Controlled Value (PCV): The PCV is used to protect the FEI peg to $1, similar to how a central bank works, with more transparency and a community-driven approach with (currently) few centralisation vectors.
Fei USD (FEI): the native stablecoin with transparent, on-chain 1:1 redeemability directly from PCV reserves. This is a crucial value boost over centralised alternatives such as USDC or USDT.
TRIBE: The native governance token. TRIBE holders manage the PCV and back FEI with its community-owned reserve.TRIBE holders have skin in the game as beneficiaries and risk bearers of PCV performance and losses.
In short: Fei is a community-driven protocol, and TRIBE holders are the collective stewards of the PCV and the FEI ecosystem.
FEI price stability
Immunefi Fei Protocol Vulnerability Postmortem (April 10, 2021)
OpenZeppelin PostMortem on Fei Protocol Economic vulnerability (May 13, 2021)
Fei Protocol Governance discussions on current peg stability (December 2021)
The v1 genesis depeg fiasco
Due to its overhyped genesis event, FEI/USD had a rocky start (Fei V1) in April 2021. The various parameters governing its stability (such as reweights), code vulnerabilities, and direct incentives mechanisms to keep the FEI peg to $1 did not perform as intended, leading to restrained selling pressure. In short:
Early investors could mint FEI at a 50% discount by supplying ETH in the FEI/ETH Uniswap pool.
Having minted FEI at a massive discount, profit-seekers sold FEI into ETH: this caused an increased selling pressure, causing de-pegs.
Fei-core devs attempted to re-peg the asset by introducing two reweights. In short, a reweight:
Buys ETH from the Uniswap FEI/ETH pool.
Trades within that pool to bring back FEI/ETH parity.
Deposits remaining ETH back to the pool.
Burns excess FEI.
This, however, only led to more depeg, as noted by Banteg (Yearn):
Critical security vulnerability involving a flashmint was discovered, and the core devs decided to pause specific contracts to mitigate risks.
This is as rocky as a protocol launch can get. This led to further constructive governance proposals and actions, which has led to a more stabilised FEI peg.
Fei’s redemption arc - improvements towards a more robust peg backed by its PCV
The Fei protocol has had an extended redemption arc, with several peg mechanism improvements bringing tangible stability to FEI’s peg. The v2 iteration of the Fei Protocol has now been launched, with audits currently underway and its rollout staged to minimise technical risk.
Fei v2 incorporates its PCV model, introducing 1:1 FEI redeemability with PCV reserves. Considering that the PCV reserve is massive (700+ million USD), this can meet extreme levels of market demand.
Fei Protocol is designed to support generalised PCV. The protocol can fundraise PCV in any ERC-20 token by issuing a bonding curve denominated in that asset, contingent upon a reliable oracle to handle asset pricing.
PCV Controllers manage PCV among the various PCV Deposits. Future Fei Protocol upgrades can algorithmically adjust PCV based on market conditions or include unique two-way integrations with other protocols. These integrations can leverage the utility tokens of different platforms or their functionality with other ERC-20 tokens held by the protocol.
The Fei protocol analytics dashboard provides a transparent insight into the backing of FEI. The impression is Fei v2 looks well-executed and sufficiently over-collateralised with a 233% C-ratio (at the time of writing).
The Fei protocol adjusts risks by defining different weights for varying levels of PCV leverage, known as a risk curve. As the PCV moves closer to 100% collateralisation (high leverage), the risk curve algorithmically adjusts PCV weights towards stable assets like DAI and RAI. More information about the exact implementation of the risk curves is still under audit and will be released soon.
The Fei Protocol prioritises liquidity when deploying this reserve to ensure users can trade FEI at high volumes. Critically, FEI can be over or under-collateralised depending on volatility on the PCV and other market conditions. The C-ratio of FEI at any time is calculated as follows, with the denominator being User-controlled FEI:
The formula ignores Protocol-controlled FEI because any FEI that the protocol holds will never be sold for PCV, only burned. Protocol-controlled FEI can have second-order, short-term inflationary effects. For instance, FEI deposited into a lending market by the Fei Protocol could increase the circulating supply when borrowed. The interest accrued and eventual withdrawal of that FEI will ultimately have a net deflationary effect in the long term.
Final thoughts on FEI stability
Fei has seen immense volatility since genesis. This has seen vast improvements, with active governance from community members on improvement proposals to solve any remaining peg instability issues. Currently, the peg is very slightly under-peg (nothing alarming)
TRIBE Governance and price stability
The Fei protocol introduces the concept of protocol equity, which is the amount of PCV that would remain if all user-circulating FEI were redeemed for PCV collateral. This comes from the PCV yield and appreciation of PCV with
partial allocated towards TRIBE buybacks to help align the incentives of TRIBE holders with the rest of the FEI ecosystem, and
the remainder serving as a buffer to absorb volatility and earn yield.
TRIBE holders are incentivised to maximise protocol equity, which maximises TRIBE buybacks (buying pressure on TRIBE). The market-bought TRIBE is allocated towards the following in governance-controlled ratios:
If the PCV dips below the target reserve ratio, TRIBE is minted in exchange for FEI to defend FEI’s peg (should any FEI holders want to redeem); this is called a TRIBE backstop. As users redeem, the circulating FEI lowers to restore the target level for the reserve ratio.
By combining buybacks and backstop mechanics, the TRIBE token becomes incentive-aligned to steward the PCV optimally and defend the protocol against tail risks. And by limiting the minting to as much TRIBE as FEI holders want to redeem, the protocol helps mitigate runaway inflation.
Fei Core Team multi-sig
The multisig Gnosis Safe address can be found here.
The Fei protocol access control system is limited to 5 roles: Minter, Burner (Revoked), PCVController, Governor, and Guardian. The Fei Guardian is the single address for the Guardian role at Genesis. This is currently held by the core team in a multi-sig, to renounce the role or transition to a community-held multi-sig eventually. There is also a unique role Tribe Minter which can only be held by a single contract and can mint TRIBE. It is currently secured by a Timelock (managed by Fei DAO/GovernorAlpha) and will be transitioned to the TribeReserveStabilizer.
FEI as an asset on curve pools
FEI has deployed two factory pools on Curve.
D3 Pool (FRAX / FEI / alUSD) factory pool 57
The current FEI / 3CRC pool has no CRV emission but brings consistent fees and volume for veCRV holders and liquidity providers.
The FRAX / FEI / alUSD pool has CRV emission but could be better utilised and generate more fees.
Fei v2 Phase 1 has been fully audited by reputable auditors. Besides two solid audits, an Immunefi bug bounty program is also active with a 1.1 million USD bounty. This section discusses parts of the audit reports that might constitute risk factors.
Audit Report of proposed incremental protocol updates performed in July 2021.
Latest OpenZeppelin audit report of proposed incremental protocol updates performed in July 2021 https://blog.openzeppelin.com/fei-audit-2/
Previous audit reports:
OpenZeppelin audit report in February 2021 https://blog.openzeppelin.com/fei-protocol-audit/
TribalChief staking contract upgrade audit report performed in July 2021.
Consensys Diligence report presents the results of its engagement with Fei Protocol to review Fei v2 Phase 1, conducted over two weeks, from September 13–24, 2021. A total of 30 person-days were spent.
[H02] Introduction of additional BondingCurves creates a period of volatility
In the OpenZeppelin audit, we can see a concern regarding the
BondingCurve contract that enables the use of generic bonding curves for any ERC20 token and the ETH bonding curve already being used in the protocol. The
BondingCurve mints new FEI tokens in exchange for a specified ERC20
token at a discounted price until a
scale number of FEI have been minted. Once the curve is at scale, the price will increase and maintain a
The Fei team have stated that they intend for
scale to be 1m-100m, and the discount to be 0-5%. Assuming the most extreme of these parameters, 100M FEI will be available to purchase for $95M of the token. This large incentivisation will likely lead to bots rapidly buying discounted FEI and immediately selling it for a profit on various exchanges. This means that every time a new
BondingCurve is launched, the price of FEI will drop across the market, causing volatility in the FEI price.
Consider removing the offering of discounted FEI for new tokens, to remove the added volatility of the price of FEI. Alternatively, consider significantly reducing the parameters of 100M and 5% so that the effect of launching a new
BondingCurvecontract will not be so large.
Update: Not fixed. The Fei Protocol team states:
This is expected behavior. The parameters used will be conservative and account for risks of volatility in FEI.
Inconsistent use of oracles
OpenZeppelin and Consensys point to oracle issues that do not seem to be fully fixed.
4.2 CollateralizationOracle - Fei in excluded deposits contributes to userCirculatingFei Major
Throughout the protocol, oracles are relied upon to keep FEI stable, calculate payouts to users, and judge whether actions are eligible to be carried out. In addition to the vulnerabilities caused by oracles described in C01, and H01, we found the use of oracles throughout the code to be inconsistent and confusing.
Consider updating the codebase to remove the above inconsistencies and vulnerabilities, and updating all comments and documentation to reflect the intended use of all functions and booleans.
Partially fixed in PR#69. The implementations of updating and inverting oracle prices have been fixed in this PR. The PR additionally makes the use of
isOutdatedconsistent throughout the codebase – the function is now not used at all. However, given that the purpose of
isOutdatedis to flag whether an oracle price is stale, reading oracle prices without first calling
isOutdatedcould lead to incorrect prices being used throughout the protocol to determine critical conditions.
Fei Protocol Conclusion
The Fei team/community has been helpful, open, and responsive to any questions, and we want to thank them. The Fei team seems solid, knows what they are doing, and pioneers the DeFi ecosystem. Being a pioneer never comes without risks: we have seen that V1 or (V0) has been a struggle, but there was a quick and solid fix due to improvements. The protocol has only been further strengthened with the release of Fei V2.
The transition towards Fei V2 Phase 1 has been fully audited, with a staged rollout of v2. The core team controls the guardian multi-sig that can revoke or pause functionality, with the additional ability to force a reweight. A concern is that the v2 risk curve implementation is unclear: more information will be made available when all phases have been launched.
The price stability of FEI is not optimal: it would be good to get more Curve liquidity that will reduce price volatility. The Fei v2 Phase 1 audits show a few signs of inconsistent oracles and bonding curves, which may incur additional risk. This project remains in its experimental phase.
Does the asset meet minimum requirements?
Is it possible for a single entity to rug its users?
No, this is not possible since the guardian multi-sig is still under core team control. There is the intention of eventually renouncing the role or transitioning to a community-held multi-sig.
If the team vanishes, can the project continue?
Yes, if v2 is fully implemented. At this stage, in the middle of a V2 full rollout, this could damage progress. Once v2 is fully implemented, a complete transition to the community is possible.
Do audits reveal any concerning signs?
No, there are no critical unfixed issues; however, some medium and significant risks are to be addressed soon.
Recommendation: FEI-3CRV should get a gauge.
Thanks for reading Curve Risk Assessments! Subscribe for free to receive new posts and support our work.