Asset Risk Assessment: Liquid Lockers & veSDT
A risk assessment of the proposed “Liquid Lockers” for sdCRV, sdFXS, and sdANGLE pools from Stake DAO.
This research was spearheaded by @evmknows, as a guest researcher for cryptorisks.
Abstract
In this risk assessment, we examine the Liquid Locker design from Stake DAO, assess the risks and benefits of such a design, and give an independent comment on this proposal.
A TL;DR for people looking for a quick summary:
There has been an in-depth discussion on the proposal, leading to a collaborative resolution of detected issues with the StakeDAO team.
Smart contract risks: elevated multisig rights (infinite mints, arbitrary code execution)
Stake DAO is a non-custodial platform that enables users to manage and grow their crypto portfolios easily.
veSDT is StakeDAO’s governance token, allowing its holders to boost their voting power using Frax, Curve, Angle, and other platforms.
With the Liquid Locker’s introduction, StakeDAO seeks to fill an unfilled niche of tradable veTKN derivatives.
The first protocols to be integrated will be Angle, Frax, and Curve, with several others in the pipeline (e.g. Qi DAO and Balancer).
veTKNs deposited into a Liquid Locker are locked perpetually; this mechanism is similar to the perpetual locking of CRV on Convex Finance.
Assuming a successful gauge proposal, users providing liquidity for the derivatives are incentivised with SDT, CRV, and CVX emissions.
sdTKN derivatives LPs forfeit their veTKN vote power. Excess vote power is further repurposed for sdTKN vote power boosts.
8% of the fees imposed on strategy LPs alongside SDT emissions will incentivise the sdTKN derivatives peg.
ChainSecurity is currently auditing sdCRV; that audit was not available to the reviewers at the time of writing.
Stake DAO Protocol Overview
The Stake DAO protocol is a non-custodial platform that offers users simplified access to various yield farming strategies, staking, trading, and metrics on a single dashboard. For every strategy, Stake DAO charges a 15% performance fee and a 1% harvest fee, with the remaining 84% distributed to strategy LPs. A 0.5% fee is applied when users withdraw assets from a given strategy; it is distributed among holders of SDT (the Stake DAO governance token).
Governance
veSDT has replaced xSDT as Stake DAO’s new governance token. It entitles its holders to vote on governance proposals that decide the inflation and reward allocation between different strategies. By locking SDT into veSDT (for a maximum of 4 years), a user is granted the following abilities and advantages:
Voting power to direct SDT inflation to all strategies and lockers
Boosted SDT yield from all strategies and lockers
Boosted vote power for sdTKN liquid locker derivatives
+10% APY for sd3CRV tokens
Liquid Lockers, an experiment within the veTKN design space
The market seems to recognise the fundamental value of voting power, with the veTKN primitive at the centre of attention. This primitive can be viewed as a mechanism to secure future yields for early adopters and enforce active governance participation. The locking mechanism thereby ensures that capital remains on the protocol while at the same time aligning long-term incentives between the protocol and its owners. With the introduction of the Liquid Locker product, StakeDAO is seeking to fill a yet unfilled niche of tradable veTKN derivatives.
The first protocols to be integrated will be Angle, Frax, and Curve, with several others in the pipeline (e.g. Qi DAO and Balancer). CRV/FXS/ANGLE holders who deposit into liquid lockers to receive sdCRV/sdFXS/sdANGLE can either:
Stake these tokens in return for several sources of yield while retaining the underlying voting power and liquidity
Deposit them in the associated strategy (the sdCRV/CRV, sdFXS/FXS and sdANGLE/ANGLE Curve LPs).
How do Liquid Lockers work?
Stake DAO recently released Liquid Lockers that allow Curve, Frax, and Angle users to deposit their governance tokens to mint a liquid derivative (sdTKN) of the vote-escrowed tokens. To bootstrap the Liquid Locker product, the associated liquidity pools must attract more liquidity to support their pegs, which is also why StakeDAO is applying for CRV gauges.
As the ‘Liquid Locker’ vault accumulates governance power, the voting rights will be exercised by those who have deposited in the Liquid Locker. This way, the governance power of the underlying token is not diminished, and it allows users to liquidate the derivatives at any time while maintaining their voting power.
Like cvxCRV, veTKNs deposited into a Liquid Locker will be continuously relocked for the maximum allowable period, thus ensuring that the liquid derivatives will carry the maximum vote weight. Users with sdTKNs can stake them on Stake DAO, entitling them to receive:
Native APR
8% share of all corresponding boosted strategy rewards
Ability to sell the voting rights of an underlying asset
All proceeds from selling excess boost
Additional SDT incentives (offered for a limited period only)
Alternatively, users can provide liquidity for the derivatives, which will be incentivised with SDT, CRV, and CVX emissions (assuming a successful gauge proposal). However, providing liquidity for sdTKN derivatives comes at a tradeoff whereby LPs forfeit their veTKN vote power. This excess vote power is further repurposed for sdTKN vote power boosts, which liquid lockers can achieve by locking SDT (veSDT) tokens. The formula for the boost is depicted below.
Notably, the veTKN vote power (vu) per sdTKN amounts to 0.4 should the user not have any vote escrowed SDT.
Below you will find a visual summary of the previously mentioned functionality of the Liquid Locker.
StakeDAO charges a 15% + 1% fee to support its operations. Within the scope of this risk assessment, it is important to mention that 8% of the fees imposed on strategy LPs will be used to incentivise Liquid Locker stakers. Thus, the peg of the sdTKN derivative will be supported mainly by demand for staking sdTKN. Second-order measures to support the sdTKN peg will include SDT emissions to LPs and bribes to veCRV / vlCVX holders.
Liquid Lockers - Risk Vectors
Smart Contract Risks
Below you will find a list of the audits and comments from the StakeDAO team on the elevated multisig rights for the sdCRV and the CRV locker contract.
Infinite mints
The governance multisig has the ability to give any account infinite minting privilege on the sdCRV token by calling `setSdTokenOperator` on the `CrvDepositor` contract and setting `operator` appropriately, e.g. to an EOA (Externally-Owned Account).
Response: This is a security measure: in case something happens to the CrvDepositor, we need to be able to fix it without having to create a new sdCRV.
Arbitrary code execution
The locker contract has a function, authorised for the governance multisig and similar to one in the currently deployed CRV locker (CurveYCRVVoter), that allows the execution of any contract's functions, such as the transfer of tokens to an EOA. What are the envisioned use cases, and why can't such usage be standardised into regular functions so as to prevent fat-finger errors or abuse of the governance multisig?
Response: Typical usage: in case of an airdrop. Reminder: veCRV is not transferable.
Governance Risks
The following section addresses the various identified governance risks and possible solutions brainstormed with the StakeDAO team.
Flashloans
sdCRV/CRV LP Flashloans
Because sdTKN represents a liquid derivative of a (locked) vote-escrowed token, concerns were raised by the community as to how this would enable flash-loan-style attacks on the underlying protocol.
Mitigated by:
TWAVP (Time-Weighted-Average-Voting-Power)
Whenever sdTKN is acquired, the voting power will be linearly increased from 0 within a 30-day range. The final vote power (weight) is determined by the veSDT > veTKN boost formula, as shown in the previous chapter.
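To make the TWAVP mitigation concrete, here is an added Python model (example code, not code from the page or from Stake DAO) of a per-account, per-acquisition voting-power ramp. The 30-day linear ramp and the 0.4 vote power per sdTKN without veSDT are taken from the page; everything else is an assumption: lots are tracked per acquisition, releases consume the newest lot first (the page does not specify an order), and the veSDT boost is a plain parameter because the boost formula itself is not reproduced on the page. The scenario function shows why a balance acquired and returned within the voting block contributes nothing to the vote.

```python
from dataclasses import dataclass, field

DAY = 86_400
RAMP_PERIOD = 30 * DAY      # 30-day linear ramp stated on the page
BASE_VOTE_POWER = 0.4       # veTKN vote power per sdTKN with no veSDT (page)


@dataclass
class Lot:
    """One acquisition of sdTKN (per-lot accounting is an assumption)."""
    acquired_at: int  # unix timestamp
    amount: float


@dataclass
class TwavpAccount:
    lots: list = field(default_factory=list)

    def acquire(self, ts: int, amount: float) -> None:
        """Every acquisition starts its own 30-day ramp from zero."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.lots.append(Lot(ts, amount))

    def release(self, amount: float) -> None:
        """Transfer out / sell. Newest lots are consumed first (assumption;
        the page does not specify the order)."""
        remaining = amount
        while remaining > 0 and self.lots:
            lot = self.lots[-1]
            take = min(lot.amount, remaining)
            lot.amount -= take
            remaining -= take
            if lot.amount == 0:
                self.lots.pop()
        if remaining > 0:
            raise ValueError("insufficient balance")

    def balance(self) -> float:
        return sum(lot.amount for lot in self.lots)

    def vote_power(self, ts: int, boost: float = BASE_VOTE_POWER) -> float:
        """Vote power at time ts: each lot counts in proportion to how much of
        its 30-day ramp has elapsed, then the boost factor is applied.
        The boost formula is not given on the page, so it is a parameter here;
        0.4 is the no-veSDT value the page states."""
        matured = 0.0
        for lot in self.lots:
            age = max(ts - lot.acquired_at, 0)
            matured += lot.amount * min(age / RAMP_PERIOD, 1.0)
        return matured * boost


def flash_loan_scenario() -> tuple:
    """Constructed scenario: a holder who bought 1,000 sdTKN 30 days earlier
    acquires 1,000,000 more with a flash loan in the voting block and returns
    them in the same block. Returns (balance held during the vote,
    vote power during the vote, vote power after repayment)."""
    acct = TwavpAccount()
    t0 = 0
    acct.acquire(t0, 1_000)
    vote_block = t0 + 30 * DAY
    acct.acquire(vote_block, 1_000_000)        # flash-acquired sdTKN, age 0
    balance_seen = acct.balance()              # 1,001,000 tokens actually held
    power_seen = acct.vote_power(vote_block)   # only the matured lot counts
    acct.release(1_000_000)                    # loan repaid in the same block
    return balance_seen, power_seen, acct.vote_power(vote_block)


if __name__ == "__main__":
    bal, power_during, power_after = flash_loan_scenario()
    print(f"balance during vote:       {bal:,.0f} sdTKN")
    print(f"vote power during vote:    {power_during:,.1f}")
    print(f"vote power after repayment: {power_after:,.1f}")
```

The token balance during the vote is 1,001,000 sdTKN, but the vote power is 400 both during and after the vote: the flash-acquired lot has age zero and therefore zero weight. This is also why the next subsection matters: a wrapper that tokenises already-matured lots would move the weight with the wrapper token rather than restarting the ramp.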
Emergency DAO
Each liquid locker will have its own Emergency DAO that will act as a second line of defense in the case of malicious proposals.
Whitelist-as-a-Service / Liquid and “activated” derivative of sdCRV
Technically, a future lego (liquid locker) built on top of sdCRV could be designed in a way that would allow direct access to veCRV vote power through flash loans. In this case, the TWAVP mechanism could be bypassed through the tokenisation of accumulated, TWAVP-activated sdCRV. At this point, it is worth mentioning that vlCVX is likewise susceptible to the circumvention of its locking mechanism.
However, for now, such attack vectors do not pose any risk, but they should be considered when protocols seek a transition to full on-chain governance. Both teams are aware of this issue and of mitigation techniques such as the enactment of a whitelist for sdTKN or vlCVX.
Liquid derivative of veSDT
With regard to the future transition to on-chain governance, a liquid derivative for veSDT could have the ability to repeal the veto and other governance protection mechanisms.
Mitigated by:
Whitelist
Similar to veCRV, only EOAs and selected whitelisted contracts will have the ability to lock veSDT and participate in StakeDAO governance.
Discussion and Conclusion
Undoubtedly, Curve and the legos built on top of it have established themselves as the role model for veTokenomics and its future innovations. Because of this, and because of Curve's predominant position as a core building block of DeFi, a prudent discussion and approach is needed when introducing changes that significantly impact the dynamics around its tokenomics.
A liquid locker for veCRV would certainly make a case for disruptive innovation and increased competition amongst similar products, ultimately leading to a net positive effect for Curve (ref. Schumpeterian competition). While making vote-escrowed tokens liquid seems to defeat the purpose of locking, we also recognise that the absence of such products is not good either. One could argue that the introduction of Liquid Lockers could cater to the yet unfilled needs of investors seeking flexibility: retaining direct exposure to governance while also being able to liquidate their position. As can be deduced from the previously described functionality, this would be accompanied by several trade-offs (e.g. de-peg risk or reduced vote power without a veSDT boost) that the user has to accept. Because of this, we also don’t believe that current vanilla veCRV lockers are put at a disadvantage here.
Does the asset meet minimum requirements?
Is it possible for a single entity to rug the user base?
Due to the aforementioned elevated rights, the StakeDAO 4-of-7 multisig has the ability to rug its users. However, since all of the core protocol contributors are doxxed, including Julien Bouteloup, a trust assumption might be sufficient to lessen this risk.
If the team vanishes, can the project continue?
Besides the addition or removal of different yield farming strategies, the StakeDAO contracts demand plenty of operational overhead, such as claiming airdrops or gauge rewards, and the constant monitoring of gauges, since gauge weights can be manipulated by the DAO. This can be managed by a devops team familiar with the operational manual of the existing team, as long as they have access to the multisig.
Regular upgrades would likely still be needed to handle any uncovered bugs or to add features to remain competitive.
Do audits reveal any concerning signs?
Most of the issues identified by the audits were resolved. The sdCRV audit by ChainSecurity, unfortunately, could not be reviewed as it is currently in progress. Because of the similarity to the sdFXS contract, which was audited before, a trust assumption might be sufficient to lessen this risk.
Moving forward with such innovations, we also have to account for future products that could open avenues for exploits. At this point, we have to stress that centralised trust layers cannot possibly be the solution for every pain point. The target direction should be a well-designed, secure and trustless system in the long run. And because this has to be realised through the immutable nature of contracts, we again highlight the importance of a prudent approach. However, for the sake of the liquid lockers experiment, we believe the security measures are sufficient (for now).
Summary
Other than veCRV fees or risks to LPs, how does this affect the DAO? While overall volume is low, one may believe that the liquidity for veTKN derivatives should be improved as a public good. At the same time, the DAO will suffer reputational risk should any of the liquid lockers enable governance exploits within the Curve or other DAOs.
Is the tradeoff worth it? Only the DAO can decide. We hope we’ve laid out sufficiently detailed information, including the nature of the Liquid Locker product and its current dependence on centralised backstop mechanisms, so that readers can assess the risks involved.