Asset Risk Assessment: Mountain Protocol (USDM)
A dive into the Bermuda-regulated RWA token backed by short-term U.S. Treasuries
Useful Links
USDM & wUSDM contracts | crvUSD-USDM pool | Gauge proposal
Interviews: Bankless, Twitter Space, On the Brink
TL;DR
USDM is an ERC20 stablecoin issued by Mountain Protocol, a licensed financial institution in Bermuda, regulated by the Bermuda Monetary Authority (BMA). It caters to non-US individuals and adheres to the SEC’s Regulation S.
It is backed 1:1 by short-term U.S. Treasuries held in bankruptcy-remote accounts and accrues yield for holders through rebasing, currently around 5% annually.
Since its launch in September 2023, USDM has amassed over $10 million in TVL, with further DeFi integrations expected via the wUSDM wrapper.
A recent repo partnership with Wintermute allows for faster redemption times (24/7) while minimizing USDM’s exposure to stablecoins and bank cash deposits.
Monthly attestations confirm that USDM remains fully collateralized with details about the underlying portfolio.
Relation with Curve
USDM is a permissionless yield-bearing token that offers exposure to short-term U.S. Treasury Bills (T-bills) with an average duration of less than 60 days. Operated by Mountain Protocol Ltd., the Bermuda Monetary Authority (BMA) licenses and regulates this digital asset. It is the most recent contender among numerous protocols offering on-chain exposure to treasury bonds in the current high-interest macro environment (see our coverage of Ondo’s USDY and OUSG, and Matrixdock’s STBT). The unique feature of USDM is that USDM tokens are permissionless, with no required whitelisting, holding periods, or other features present on similar companies issuing under fund models.
On October 11th, 2023, a secondary market was created via the crvUSD-USDM stableswap pool with an initial seeding of $1 million. The USDM Curve pool supports positive rebasing via the factory implementation. Over time, this property can be observed in the LP token price. A Curve gauge proposal for USDM was submitted in October 2023, with the DAO vote passing at 100%.
As of early November 2023, Mountain is also planning to migrate some liquidity to a new sDAI/USDM pool, which will allow LPs to diversify yield sources and potentially increase the adoption of USDM. This pool uses the newest CurveStableSwapNG implementation, which adds support for ERC-4626 vaults, dynamically adjusts fees based on depeg, and provides an improved EMA oracle.
This report delves into the design and functioning of USDM, focusing on its integration with Curve and potential risks for both LPs and the DAO. Key risks include centralization vectors, such as on-chain operations, reserves custody, collateral soundness, and the regulatory framework. Such complexities demand careful evaluation and ongoing vigilance by prospective USDM holders and liquidity providers.
USDM Overview
Introduction
USDM, launched in September 2023, is a yield-generating token issued by Mountain Protocol, a licensed financial institution in Bermuda. Each USDM token is meant to be fully backed on a 1:1 basis by reserves comprised of short-term U.S. Treasuries held with regulated custodians in segregated accounts.
The stablecoin’s issuance requires users and entities to go through a KYC process, although liquidity is available on secondary markets for permissionless access (similar to well known stablecoins like USDC). Mountain ensures compliance with U.S. Regulation S, details of which we will cover more extensively in the legal section.
As a rebasing token, USDM employs a variable reward multiplier to pass rewards directly to token holders when they are accrued while maintaining a price pegged to $1. This allows stablecoin holders to regularly collect rewards from USDM’s yield-generating reserves.
User Flow
Users access USDM after completing KYC, interacting directly with Mountain Protocol’s portal and API. Such users are described by Mountain Protocol as Primary Users. They can purchase USDM with USDC, with fiat on-ramps in development.
Redeeming USDM for USDC is also facilitated. Under normal conditions, Mountain Protocol provides 24/7 redemption liquidity via USDC provided by Mountain Protocol (company estate, not USDM Reserves), and for large redemptions, through repo agreements with third-party market makers. However, large redemption requests may require up to a T+2 settlement.
When users deposit USDC, a daily process ensues to recollect, off-ramp, and convert the stablecoins to USD. The fiat is then transferred to brokerage accounts where Mountain’s licensed Investment Manager deploys the funds into T-bills and money market instruments per the public investment mandate.
Going from USDC to T-bills and vice versa both take a full business day. To improve user experience, Mountain Protocol has secured a recent partnership deal with market-making firm Wintermute, which should allow near-instant USDC liquidity for redemptions via USDM/USDC swaps, preventing user delays.
This operational flow resembles other centralized stablecoin issuers, with the difference being Mountain’s use of an external Investment Manager to avoid conflicts of interest.
Underlying Assets
The assets backing USDM are held in accounts referred to as “USDM Reserves”. These reserves are currently invested by E.Q. Capital, an Investment Manager licensed in Bermuda, held distinct from Mountain Protocol’s operational finances. E.Q. Capital is obliged to adhere to a predefined investment mandate:
Collateral can be composed of any of the following instruments, with a dollar-weighted average duration of 60 days or less:
Treasury bills, or treasury notes with near maturity.
Money Market Funds investing in short-term US treasuries.
Treasury ETFs.
Reverse Repurchase Agreements (repos) collateralized with US Treasuries.
In addition to the primary portfolio, there may be cash and stablecoins (USDC) on the USDM attestations due to assets in transit, although Mountain Protocol seeks to minimize cash holdings. USDM Reserves overcollateralize issued USDM via a collateral buffer that protects against interest rate risk.
Proof of Reserves
USDM’s solvency and collateralization are validated through monthly attestations by an independent audit firm. These third-party attestation reports certify the assets held in the USDM Reserves accounts and validate reserves equal or exceed the USDM supply.
An independent accounting firm from the UK, Nephos Group, currently issues monthly attestation reports for USDM that include a breakdown of holdings with current fair market value and additional disclosures such as CUSIP and maturity date, as applicable. The current composition of the reserves is primarily U.S. Treasury bills, as highlighted in the latest report:
Rather than real-time, on-chain cryptographic proofs, USDM relies on these legal attestations, in line with practices of all fiat-backed stablecoin issuers. This implies trust in Mountain Protocol’s chosen auditors to provide accurate assurances. In addition to attestations, USDM will soon publish full transactional audits of all USDM Reserve activities to verify compliance with policies and regulations.
Refer to the Mountain Protocol docs for a complete list of monthly attestation reports.
Trust Structure
USDM is issued by Mountain Protocol Limited, a licensed financial institution based in Bermuda and regulated under the country’s Digital Asset Business Act (DABA). Mountain Protocol holds a “Class M” license from the Bermuda Monetary Authority (BMA), authorizing it to conduct digital asset business activities. This Class M license is intended for early-stage startups and has a 12-24 month duration with the possibility to extend.
Specifically, Mountain Protocol is approved to issue, sell, and redeem virtual coins and tokens like USDM and provide custodial wallet services. USDM’s solvency is supported by its structure of bankruptcy-remote collateral accounts, known as “USDM Reserves.” These segregated reserves are held with regulated financial institutions and are safeguarded on behalf of USDM holders. In the event of receivership, insolvency, liquidation, or a similar proceeding, these assets would be excluded from such proceedings, as dictated by the DABA legislation.
Stablecoin and Cash Management
KYC’d customers can mint or redeem USDM with USDC. As a result of accepting USDC for the purchase of USDM and by virtue of the operations involving purchasing securities, a smaller fraction of USDM’s reserves is temporarily held as stablecoins (specifically USDC) and/or in bank deposits. These temporary holdings (“assets in transit”) result from delays in bank settlement. They reflect the daily recollection and offramping activities, underscoring Mountain Protocol’s commitment to minimizing non-T-Bill assets in the reserves.
As of the latest attestation in November, cash deposits make up only 6% of the USDM reserves portfolio, and of cash deposits, 95% were funds in transit due to pending settlement as of the attestation date.
Mountain Protocol utilizes Fireblocks for the management of digital assets, specifically stablecoins. USDM held by Mountain Protocol is held under qualified custody, under licensed activity, providing custodial wallet services.
USDC held by Mountain is broken into two categories:
USDM Reserves: USDC from recent purchases of USDM, which is regularly off-ramped to purchase T-bills. These assets are called “in transit”, as the balance of USDC is nominal.
Redemption liquidity: USDC provided by the company to support smaller redemptions without having to engage in low-volume repo transactions. This is provided by Mountain Protocol so that USDM Reserves are not exposed to USDC depeg risk.
Moreover, Mountain Protocol’s approach to banking risk is notably cautious. While Bermuda’s deposit insurance guarantees up to $50,000, the protocol acknowledges that such insurance is marginal for stablecoin operations. Consequently, Mountain Protocol avoids long-term bank deposits, utilizing repo partnerships for liquidity solutions.
Mountain Protocol has 2 parallel financial rails (bank, broker/custodian), with a 3rd one coming soon. This provides redundancy at the institutional and geographical/regulator level, to prevent potential debanking or changes in risk appetite from resulting in liquidity gaps. These partner institutions are confidential as per the specific institutions’ request, to minimize reputational risk.
Wintermute Partnership
Mountain Protocol has partnered with crypto market maker Wintermute, a move designed to expedite the redemption process for USDM while minimizing cash exposure. The essence of this partnership is to provide USDM holders with the ability to seamlessly exchange their tokens for USDC. This operation is now possible 24/7, even during weekends, thanks to Wintermute’s dedicated liquidity support.
The deal will work as follows: Wintermute trades USDM for USDC when users initiate redemption requests as a short-term loan to Mountain Protocol until the traditional finance (TradFi) markets reopen. This grace period grants Mountain Protocol the window needed to liquidate underlying Treasury bills that back USDM and onramp these assets through Coinbase Prime to repurchase the USDM from Wintermute.
This agreement circumvents settlement delays associated with the banking system (T+2 settlement), offering USDM holders an uninterrupted, 24/7 redemption capability. It further reduces USDM’s susceptibility to banking risks by avoiding the need for long-term deposits to manage timely redemptions.
Mountain Protocol strives to fill withdrawal requests as fast as possible, in line with compliance, security, and operational requirements. The team informed us that most transactions are processed in minutes after the customer’s request on a 24/7 basis, with the exceptions so far being tied to users exceeding trading limits. Onboarded users are assigned a trading limit based on their business and risk level, following compliance procedures.
Per the Mountain Protocol Terms and Conditions, the SLA states T+2 business days as the maximum redemption time, which may be extended pending regulatory or compliance obligations and depend on the uptime of its financial partners.
Rebasing
USDM uses a rebasing mechanism, which adjusts its circulating supply based on a reward multiplier within the contract, decided by Mountain Protocol. So far, the reward multiplier has loosely tracked the risk-free rate.
User holdings are represented by “shares” within the USDM system. The value of these shares is multiplied by the current reward multiplier to determine the balance of USDM a user has. As the USDM reserves accrue yield, the reward multiplier increases accordingly, allowing for the creation of additional USDM. The reward multiplier directly reflects the interest earned and helps maintain the token’s peg to $1.
The function addRewardMultiplier() is a critical daily operation performed by Mountain Protocol, updating the rewardMultiplier to encapsulate the day’s accumulated reward. For example, if the reward multiplier increases from 1x to 1.05x, indicating an aggregated 5% Annual Percentage Yield (APY), then a user with 100 shares would see their USDM balance increase to 105 USDM after the rebase while the share quantity remains unchanged.
The ORACLE_ROLE responsible for daily rebasing in the USDM contracts does not have the ability to execute “clawbacks” in the scenario of a negative yield (i.e. negative rebasing is not possible). The rebase functionality is constructed only to reflect positive yields. However, the contract admin is able to set the reward multiplier to any value >=1, which includes the potential for negative rebases.
See the historical daily updates to the reward multiplier in the query below:
Mountain Protocol adjusts the reward multiplier taking many things into consideration, including market conditions, Federal Funds rates, and other variables, intending to revise it as infrequently as possible, in scenarios such as notable fluctuations in the short-term end of the yield curve. The aim is to preserve the stablecoin’s essence as part of a rewards program, akin to Coinbase’s USDC offering a 5% APY, rather than treating it as a security.
For practical reasons, if there are no alterations in the underlying funding rate, the multiplier is only updated at a regular interval of every ~45 days. Over time, the rebase token’s multiplier remains constant while the token supply increases due to rebasing, and the APY naturally starts to diminish. This gradual decay in APY persists until the next scheduled update to the multiplier, reflecting any changes in the yield. The expanding token supply dilutes the effect of the previously set reward multiplier, reducing the rate at which the overall value grows until the yield conditions are reassessed, and the multiplier is updated.
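The share and multiplier accounting described in this section, as an added Python model (not Mountain Protocol's contract code). The 1e18 fixed-point scale, the method names other than addRewardMultiplier, and the reading that the fixed quantity between updates is the daily additive increment are assumptions. It reproduces the 100-share example, the limits on the oracle and admin paths, and the APY decay over a 45-day window.

```python
# Added illustration: a toy model of the accounting in the text, not the USDM contract.
BASE = 10**18  # assumed fixed-point scale: a multiplier of 1.0 is stored as BASE


class RebasingTokenModel:
    def __init__(self, oracle, admin):
        self.reward_multiplier = BASE
        self.shares = {}  # holder -> shares; a rebase never touches these
        self.roles = {"ORACLE_ROLE": {oracle}, "DEFAULT_ADMIN_ROLE": {admin}}

    def _only(self, role, caller):
        if caller not in self.roles[role]:
            raise PermissionError(f"{caller} lacks {role}")

    def mint(self, holder, amount):
        # Tokens are converted to shares at the multiplier in force at mint time.
        minted = amount * BASE // self.reward_multiplier
        self.shares[holder] = self.shares.get(holder, 0) + minted

    def balance_of(self, holder):
        return self.shares.get(holder, 0) * self.reward_multiplier // BASE

    def add_reward_multiplier(self, caller, increment):
        # Oracle path: strictly positive increments only, so no clawback.
        self._only("ORACLE_ROLE", caller)
        if increment <= 0:
            raise ValueError("increment must be > 0")
        self.reward_multiplier += increment

    def set_reward_multiplier(self, caller, value):
        # Admin path (hypothetical name): any value >= 1.0, including a lower one.
        self._only("DEFAULT_ADMIN_ROLE", caller)
        if value < BASE:
            raise ValueError("multiplier must be >= 1.0")
        self.reward_multiplier = value


def reverts(fn, *args):
    """True if the call is rejected, mirroring a reverted transaction."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


def annualized_yield_series(start_multiplier, daily_increment, days):
    """Simple annualized yield implied by each day's rebase when the additive
    increment stays fixed: increment / multiplier shrinks as the multiplier grows."""
    series, m = [], start_multiplier
    for _ in range(days):
        series.append(daily_increment * 365 / m)
        m += daily_increment
    return series


def worked_example():
    token = RebasingTokenModel(oracle="oracle", admin="multisig")
    token.mint("alice", 100 * BASE)
    token.add_reward_multiplier("oracle", 5 * BASE // 100)      # 1.00x -> 1.05x
    after_rebase = token.balance_of("alice")
    token.set_reward_multiplier("multisig", 102 * BASE // 100)  # admin lowers to 1.02x
    after_admin_cut = token.balance_of("alice")
    return token, after_rebase, after_admin_cut


if __name__ == "__main__":
    token, up, down = worked_example()
    print("balance after 1.05x rebase:", up / BASE)
    print("balance after admin sets 1.02x:", down / BASE)
    print("shares unchanged:", token.shares["alice"] / BASE)
    ys = annualized_yield_series(BASE, 5 * BASE // 100 // 365, 45)
    print(f"day 1 APY {ys[0]:.4%}, day 45 APY {ys[-1]:.4%}")
```

The admin step shows why a monitor should treat any decrease of the multiplier as a distinct event: shares stay at 100 while the balance drops from 105 to 102.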
The first chart below shows the yield since launch, where the yield hovers at ~5%. The second chart zooms in, making the slight decline and 45-day RewardMultiplier updates visible:
wUSDM
To improve USDM’s integration across DeFi protocols, Mountain Protocol has launched a wrapped version called wUSDM. This addresses the known composability challenges rebasing tokens face with DeFi applications, which typically rely on static token balances. wUSDM does not rebase; instead, it accrues value from the underlying USDM through an internal wUSDM:USDM rate adjustment. Wrapping USDM into a non-rebasing wUSDM allows these platforms to provide liquidity and trading without frequent imbalance from USDM’s daily reward adjustments.
Protocol Revenue Model and Fees
As a centralized stablecoin, Mountain Protocol may derive revenue from fees charged on services related to USDM. These could potentially include:
Issuance fees - Charged on USDM purchases as a percentage
Redemption fees - Similarly charged on USDM redemptions
Withdrawal/transfer fees - Network or transaction fees passed through
Net Interest Margin - Spread between “USDM Reserves” yield and rewards paid to holders.
Data fees - For enterprise access to analytics and data
Licensing fees - Paid by institutional partners and integrators
Other services - Consulting, technology, other revenue streams
The exact fee structure and revenue breakdown of USDM is not specifically defined. Mountain Protocol’s revenues are the difference between the yield on the USDM Reserves and the rewards paid to users. These fluctuate due to various reasons: natural oscillation of market rates, “cash-drag” percentage and other factors, but can be estimated at ~20bps. Mountain Protocol’s USDM abstracts these variations from users, communicating Reward rates on a “net” basis, without any costs on top.
Given that Mountain Protocol structured USDM as a payment token with a loyalty program (similar to Coinbase 5% APY on USDC), quoting fees on AUM as most other RWAs do is not applicable. Instead, USDM quotes a net reward rate, in line with other similar products such as loyalty programs or high-yield checking accounts. This provides the easiest and most transparent model for users.
Per recent clarifications, Mountain Protocol does not charge fees for minting/burning USDM for KYC users under normal usage. They also do not pass through any third-party fees today, though they reserve the right to adjust the fee model, with banking fees and withdrawal gas fees being two potential candidates. The team emphasizes simple, transparent tokenomics where advertised rewards are net (i.e. Interest earned minus fees). This aims to make USDM’s model and the value proposition to users straightforward.
Market and Adoption
USDM has shown impressive growth as a newly released token, although its utilization and integration across DeFi platforms remain modest. The introduction of wUSDM has accelerated recent expansion, highlighted by creating new Balancer and Uniswap pools and integration with CowSwap solvers.
Despite being the newest entrant in the market, USDM currently has the 2nd most holders and transfers (only behind STBT) on mainnet, compared to other RWA products. This is likely driven by USDM’s permissionless feature and ease of purchase and redemption.
Market Cap
The USDM market cap has rapidly expanded since mid-September to over $10 million in two months:
User Adoption
The following query shows the total number of addresses containing USDM over time:
A list of holder addresses is queried below. The 0xef9a address is the Mountain custodial wallet. It includes primary customers’ funds that chose to keep USDM in qualified custody under Mountain Protocol’s Platform.
The following chart shows the daily active users over the last 30 days. Active users are addresses that have initiated a transaction involving USDM:
USDM Transaction Volume and Velocity
The following chart shows the daily USDM trading volume in the past 30 days:
Shown below is the USDM daily transaction volume over the past 30 days. This includes all transfer, mint, and redemption events:
Velocity accounts for all transaction events including transfers, mints, and redemptions. Daily velocity divides all transactional events by the market cap to normalize how rapidly the supply of tokens is transferred:
The following chart shows the daily mainnet liquidity utilization (DEX liquidity/daily volume) in the past 30 days:
The Curve USDM/crvUSD pool average liquidity utilization rate is 5.08% for the period. The minimum utilization rate for the same period is 0 and the maximum is 22.6%.
Note also that utilization decline coincides with an increase in the average Ethereum gas price, which has been in an upward trend since late October:
DEX volume
The following query tracks total trade volume across Curve, CoW, and 1inch:
Curve Pools
The crvUSD-USDM factory pool is the primary source of liquidity on the secondary market. The following query shows the relative balance of USDM and crvUSD in the pool over time:
Other DEX Pools
DeGate is currently the trading venue with the most buy-and-hold volume. L2 volume has experienced a marked increase since gas fees have recently increased substantially on Ethereum.
There are additional DEX pools paired with wUSDM, although these pools have relatively low liquidity as of mid-November.
Uniswap: sDAI/wUSDM 0.01% pool
Balancer: Balancer 50/50 wUSDM-wstETH Pool
Risk Vectors
Smart Contract Risk
The USDM contract has relatively low complexity and relies on standard dependencies from OpenZeppelin. The contract is an upgradeable implementation that lies behind an EIP-1967 Transparent proxy. wUSDM follows the ERC-4626 tokenized vault standard with the addition of the ERC-2612 permit functionality.
Audits
As of mid-November, USDM has two published audits from OpenZeppelin. One focused on USDM and the other on wUSDM. All audits can be found here on the Mountain GitHub repository and audit notes are provided below.
USDM Audit
Scope: USDM token contract
Timeline: May 31st - June 2nd, 2023
Findings: 1 medium severity, two low severity (all acknowledged or resolved), seven notes and additional information (6 resolved)
wUSDM Audit
Scope: wUSDM token contract
Timeline: October 6th - October 10th, 2023
Findings: 0 vulnerabilities, four notes (all resolved)
Overall, both audits demonstrate that the contracts are well-designed. The issues uncovered were minor and quickly addressed. The Mountain Protocol team was responsive throughout both audits. The auditors recommended monitoring all privileged actions and roles that affect the USDM token contract. This includes monitoring minting, burning, account blocking, reward multiplier changes, contract upgrades, and role changes. They also suggested monitoring the health and activity of secondary USDM markets like the Curve pool.
Security Center
The Mountain Protocol Security Center website, powered by OpenZeppelin, transparently communicates the project’s security policies, audit history, code coverage, updates, bounties, FAQs, and other information to instill confidence in the security of their smart contracts.
Bug Bounty
Mountain has a $50,000 bounty program in place with ImmuneFi since August 2023. The scope covers both Smart Contracts and the front-end. Mountain recently increased the bounty from $10,000.
Operational Risk
Access Control
USDM uses role-based access control to assign different addresses to specific controls over the system. It implements a 3-of-5 multisig as the DEFAULT_ADMIN_ROLE to manage access to critical functions and to set assignments for the other roles. This system mitigates the risk of any single entity having unilateral control over significant actions, with a confidential group of signatories drawn from company members, independent directors, investors, and service providers. Signers are not disclosed for operational and security reasons.
The privileged roles assigned to this multisig include:
MINTER_ROLE: Grants the ability to mint any amount of tokens to any address, including addresses on the blocklist. This role is set to an EOA.
BURNER_ROLE: Grants the ability to burn any amount of tokens from any address except addresses on the blocklist. This role is set to an EOA.
BLOCKLIST_ROLE: Grants the ability to add or remove addresses from the blocklist. Addresses on the blocklist cannot transfer tokens but can still receive them (a decision made for gas efficiency purposes). If the 0x0 address is added to the blocklist, all minting is prevented. This role is set to an EOA.
ORACLE_ROLE: Grants the ability to rebase the USDM supply by incrementing the reward multiplier with an amount >0. There is no limit on the rate of these updates. This address is set to an EOA.
PAUSE_ROLE: Grants the ability to pause/unpause token transfers and other operations. This role is set to an EOA.
UPGRADE_ROLE: Grants the ability to upgrade the contract. This role is unassigned.
ADMIN_ROLE: Grants the ability to grant or revoke roles and to set the reward multiplier to any value >=1, either increase or decrease. The role is set to the 3-of-5 multisig.
The management of minting, burning, and Oracle updates is secured by Fireblocks’ Multi-Party Computation (MPC) technology, renowned for its enhanced defense against unauthorized access. For security purposes, the specifics of the Fireblocks MPC configuration are confidential.
The USDM smart contract utilizes the ERC-1967 Proxy pattern, which provides a framework for potential enhancements to the protocol via a designated Upgrade Role.
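The auditors' recommendation to monitor privileged actions, applied to the role semantics listed above, as an added Python example (not Mountain Protocol's or OpenZeppelin's tooling). The record format, the rule names and the 10% annualized ceiling are assumptions, and the sample records are constructed.

```python
# Added illustration: rule checks over constructed records of privileged actions.
# Record kinds and field names are hypothetical, not the contract's event names.
ZERO = "0x" + "0" * 40
YEAR = 365 * 86400


def review(events, max_apy=0.10):
    """Return (index, rule) alerts. max_apy is an assumed ceiling for the
    annualized rate implied by a single multiplier update."""
    alerts, blocklist = [], set()
    multiplier, last_t = None, None
    for i, ev in enumerate(events):
        kind = ev["kind"]
        if kind == "multiplier":
            new, t = ev["value"], ev["t"]
            if multiplier is not None:
                if new < multiplier:
                    # Only the admin path can lower the multiplier (negative rebase).
                    alerts.append((i, "NEGATIVE_REBASE"))
                elif new > multiplier:
                    # The oracle has no on-chain rate limit, so bound it here.
                    elapsed = max(t - last_t, 1)
                    implied = (new / multiplier - 1) * YEAR / elapsed
                    if implied > max_apy:
                        alerts.append((i, "REBASE_RATE"))
            multiplier, last_t = new, t
        elif kind == "blocklist_add":
            blocklist.add(ev["account"])
            if ev["account"] == ZERO:
                # Blocklisting the zero address prevents all minting.
                alerts.append((i, "MINTING_HALTED"))
        elif kind == "blocklist_remove":
            blocklist.discard(ev["account"])
        elif kind == "mint":
            # The minter may mint to blocklisted addresses, so flag it off-chain.
            if ev["to"] in blocklist:
                alerts.append((i, "MINT_TO_BLOCKED"))
        elif kind == "role_granted":
            # UPGRADE_ROLE is unassigned, so any grant of it is a state change of note.
            upgrade = ev["role"] == "UPGRADE_ROLE"
            alerts.append((i, "UPGRADE_ROLE_ASSIGNED" if upgrade else "ROLE_CHANGE"))
        elif kind == "role_revoked":
            alerts.append((i, "ROLE_CHANGE"))
        elif kind == "upgrade":
            alerts.append((i, "UPGRADE"))
    return alerts


ALICE = "0x" + "a" * 40  # constructed address
OPS = "0x" + "b" * 40    # constructed address

# Constructed sample records; t is seconds since the first record.
SAMPLE_EVENTS = [
    {"kind": "multiplier", "t": 0, "value": 1.000000},        # baseline
    {"kind": "multiplier", "t": 86400, "value": 1.000137},    # ~5% annualized
    {"kind": "multiplier", "t": 87000, "value": 1.000274},    # second update 10 min later
    {"kind": "blocklist_add", "t": 90000, "account": ALICE},
    {"kind": "mint", "t": 90100, "to": ALICE, "amount": 1000},
    {"kind": "blocklist_add", "t": 90200, "account": ZERO},
    {"kind": "role_granted", "t": 90300, "role": "UPGRADE_ROLE", "account": OPS},
    {"kind": "multiplier", "t": 172800, "value": 1.000100},   # lower than before
    {"kind": "upgrade", "t": 172900},
]

if __name__ == "__main__":
    for index, rule in review(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index])
```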
Off-chain Operational Procedures
To complement in-protocol safety measures, significant alterations to user-centric features are subjected to an offline timelock process, mandating regulatory consent and a 30-day notice to users prior to execution. This protocol ensures that users receive preemptive notifications of significant updates, with the regulatory body reviewing changes and enforcing the 30-day notification timeline (which is also part of the Terms and Conditions).
Moreover, an independent third-party signer acts as a supervisory body over critical functions. External to the core development team, this entity must authorize significant decisions such as adding new withdrawal addresses, modifying transaction approval protocols, or sanctioning sizable transactions exceeding $10 million. This critical role introduces a system of checks and balances, prohibiting the team from executing substantial actions without the concurrence of this impartial overseer. The third-party signer reduces the ‘rug pull’ risk and instills caution in extensive financial dealings. Their participation enhances trust by serving as a neutral steward of user assets.
This third-party signer is Steakhouse Financial, a strategic adviser to several DAOs, including Maker, Lido, and ENS.
The governance over the rebase amount employs OpenZeppelin Defender and involves a multi-signature procedure facilitated by Fireblocks. This security strategy necessitates the concurrence of multiple authorized parties to modify the Oracle value, thereby guaranteeing that adjustments to the reward multiplier are prudent and reflect shifts in interest rates.
Liquidity Risk
Since its inception, Mountain Protocol has experienced redemptions but, given net positive USDM demand, has not experienced any burns. While procedures for token burning are in place, the absence of redemption history may raise concerns among stakeholders. Mints and burns can be reviewed in the following query:
Several withdrawals have been processed, as evidenced by USDC withdrawals from the Mountain Protocol withdrawal wallet (0x426c).
In the event of substantial redemption requests, especially during periods of rising interest rates, Mountain Protocol may be compelled to liquidate T-bills at their Net Asset Value (NAV) before maturity. These sales could result in losses, driven by (i) asset depreciation due to interest rate increases and (ii) increased bid/ask spread due to unstable markets.
Mountain Protocol has instituted an equity buffer in its reserves to counter this risk. This over-collateralization acts as a financial cushion to absorb the impact of interest rate fluctuations, ensuring that USDM remains fully collateralized even if the value of the Treasuries falls due to rising interest rates. This equity buffer is sized at 50bps so that the USDM Reserve can withstand a bank run during a severely adverse scenario of both interest rate increases and widening bid/ask spreads.
The equity buffer parallels the contingency features of other stablecoins, which have proven their worth in turbulent market conditions. However, a buffer could be insufficient in extreme situations involving highly unfavorable interest rate environments or US debt default, especially in conjunction with a reserves management strategy that neglects to adequately insulate the protocol from interest rate risk. Should such a scenario occur, Mountain Protocol may either proceed with redemptions at a rate below the 1:1 peg or delay withdrawals.
As of the latest attestation report, the cash reserves make up a minimal proportion of the overall portfolio.
Bid/Ask Spread Impact
Bid/ask spreads grow in times of crisis. Assuming 2008 stress levels, the bid/ask spread for bonds remained <1bp and especially lower for short-duration bonds.
Interest Rate Impact
As per the below simulation, holding a portfolio of 2-month average duration (the longest allowed by the IM), and stressed with a 200bps rate hike (the largest during this rate hike cycle was 75 bps, allowing for 2.5x buffer) results in a collateral value decline of 32bps.
With the above scenarios, Mountain Protocol can sustain a bank run on an unstable bond market (~1bps) after a very large interest rate hike (32bps) and still hold 17bps of additional buffer for unforeseen events.
Overall, the investment mandate requires the Investment Manager to maintain the overall portfolio at a dollar-weighted average maturity of 60 days or less and a dollar-weighted average life of 120 days or less. Maturities of any bond purchased must be 397 days or less. The preference for short-dated instruments minimizes the potential solvency risk associated with interest rate changes, as these instruments are least impacted by changes in interest rates and are highly liquid even during periods of market turmoil.
Secondary Market Liquidity
Mountain Protocol distinguishes between Primary Users who have KYC’d and are able to mint and redeem USDM directly, and Secondary Users who can permissionlessly trade USDM on secondary markets. Secondary Users are not guaranteed access to liquidity or for USDM to keep a stable peg on secondary markets, although arbitrageurs are expected to maintain the peg in normal market conditions.
USDM demonstrates satisfactory liquidity in the secondary market relative to its market capitalization. The under-utilization of the crvUSD/USDM liquidity pool may be attributed to the early stage of the product which is still in a bootstrapping phase. To improve liquidity, Mountain Protocol is proactively working to introduce new pairings and liquidity pools.
Oracle Risk
An oracle is required to reliably convey the interest earned by the USDM reserves to the USDM contract for the purpose of rebasing the supply and passing interest on to users. A failure of the oracle could result in users not receiving interest or receiving an inaccurate interest rate. In the worst case, the oracle can infinitely mint USDM through rebasing.
USDM forgoes the use of an on-chain oracle, instead depending on manual updates to the reward multiplier by the Mountain Protocol team, informed by current interest rates and yields. This approach reduces the smart contract risk attack surface, requiring user trust in the team’s precision and consistency.
An on-chain Proof of Reserve oracle would likely increase transparency by directly enforcing rebase amounts based on USDM reserves data reported by the third-party auditor. The team has shared that they are in conversations with oracle providers to implement such a measure, with the main challenge being the accounting of fiat transfers and delayed settlements. Blockers currently being faced include requiring either a 24/7 accountant to manually enter values for these assets, having the team manually enter such values, or delaying mint/redeem to assets held in custody - removing the benefit of instant liquidity of both USDM/USDC.
To address the inherent trust issue, Mountain Protocol employs Fireblocks MPC key signing services to safeguard access to the oracle and furthermore has a hierarchical role-based access control that allows oversight of the designated oracle. The protocol’s design also prevents the ORACLE_ROLE from executing negative rebasing, providing users with an extra security measure (note, however, that the contract Admin can set the rebase to any value >=1). As per Mountain Protocol’s comments, “the trust assumption of us managing T-bill collaterals is higher than managing an oracle. As such, we optimized for minimizing attack surface area”.
Depeg Risk
USDM, like any fiat-backed stablecoin, relies on arbitrageurs and timely purchases/redemptions to maintain the secondary market peg. If unforeseen challenges arise, such as operational issues within Mountain Protocol or its affiliated service providers, there could be a detrimental impact on USDM’s liquidity and, hence, its perceived reliability. Such events may precipitate a deviation from its pegged value on the secondary market.
In the primary market, liquidity is closely tied to Mountain Protocol’s capacity to transact in Treasuries and repurchase agreements, which incur low solvency risk but are slow to transact, increasing potential liquidity risks. On the other hand, the secondary market liquidity relates to the activity within the USDM/crvUSD pool on Curve. During volatile market conditions, monitoring for slippage and ensuring robust market-making activity to sustain liquidity levels is essential.
It is worth noting that Mountain Protocol has limited its exposure to stablecoin and bank deposits. Its cash reserves consist primarily of USDC from purchases made during that day, which are off-ramped and invested into T-bills daily. During redemption, Mountain Protocol makes use of a partnership agreement with Wintermute, whereby Wintermute fronts USDC to honor redemptions and is later repaid by Mountain Protocol after settlement delays. This strategy reflects an effort to minimize risk exposure to stablecoins and uninsured bank deposits.
In a USDC depeg scenario, the valuation of USDM would typically remain at $1 as long as the USDC exposure of USDM Reserves is kept at nominal levels, with most USDM Reserve assets held in T-Bills. As such, Mountain Protocol allows USDM purchases with USDC only as long as Coinbase Prime supports 1:1 USDC redemptions to protect from such a scenario. Note that in such a scenario, although solvency might not be a concern, 24/7 liquidity will likely not be possible, leading to potential depegs in the secondary market as experienced by multiple stablecoins with exposure to USDC in March 2023.
USDM has not experienced a significant depeg since its inception in October. It does have a short history and limited secondary market exposure, so more time on the market is required to build confidence in the strength of its peg.
Regulatory Risk
DABA and DAIA
Bermuda has a comprehensive regulatory framework for digital assets. The DABA and DAIA are the primary legislative arms governing digital asset businesses and issuances. The Bermuda Monetary Authority ensures these businesses operate within the set guidelines and standards.
The Digital Asset Business Act (DABA) applies to any entity in Bermuda conducting digital asset business, regardless of where the activity occurs. The term “digital asset” catches anything in binary format with the right to use. This includes digital representations of value, assets such as debt or equity in the promoter, assets or rights associated with such assets, or access to an application or service via distributed ledger technology.
The “digital asset business” is defined as activities like:
issuing, selling, or redeeming virtual coins or tokens,
operating as a payment service provider using digital assets,
operating digital asset exchanges,
providing digital asset trust services,
offering custodial wallet services,
operating as a digital asset derivative exchange provider, and
operating as a digital asset services vendor.
A “digital asset issuance” pursuant to the Digital Asset Issuance Act (DAIA) is an offer to the public to acquire digital assets or an agreement to acquire them in the future. The DAIA applies to any entity, whether in or outside Bermuda, conducting a digital asset issuance in or from within Bermuda.
Class M License
The Class M license obtained by Mountain Protocol is characterized by modified requirements and restrictions for a specified period, compared to Class F (full license) and Class T (for pilot or beta testing). License possession is an attestation by the BMA for meeting criteria related to the fitness and propriety of directors and officers, prudent business conduct, management integrity and skill, and corporate governance standards. Class M licenses are intended for new businesses to undergo enhanced regulatory supervision before they graduate to Class F.
In this capacity, Mountain Protocol has ongoing obligations, including
at least monthly regulatory supervision touchpoints,
client disclosure rules,
cybersecurity rules,
custody and protection of consumer assets,
the appointment of a senior representative,
maintaining an office in Bermuda, and
submitting an annual prudential return.
Bermuda’s AML/ATF regime requires the company to establish policies and procedures to prevent money laundering and terrorist financing, consisting of customer due diligence, ongoing monitoring, reporting of suspicious transactions, record-keeping, internal controls, risk assessment, and management.
Licensees holding client assets are required to maintain books of account and other records to keep customer assets separate from those of the digital asset service provider. These records should be sufficient to identify customer assets at any given time. All customer funds must be held in a dedicated separate account, and this account should be clearly identified as one holding customer assets. USDM Reserves are “held by Mountain Protocol on behalf of and for the benefit of eligible users backing the USDM, managed by a third party Investment Manager in conjunction with a regulated broker and custodian. Such reserves are composed mostly of short-term U.S. treasuries and, in smaller portions, deposits in regulated banks and other low-risk stablecoins that Mountain Protocol accepts as a means to purchase USDM (currently, only USDC is accepted). Under no circumstance are USDM Reserves commingled with Mountain Protocol operational assets” (T&C Section 2).
The concept of bankruptcy remoteness built by the team envisages client assets being segregated from the company’s assets. This segregation ensures that client assets are not treated as part of the Mountain Protocol’s bankruptcy estate and are protected in case of the company’s financial failure, in line with DABA requirements.
The Risk Factors section of Mountain Protocol T&C fulfills the requirement to disclose to their clients the potential risks associated with digital assets, including the volatile nature of digital asset prices, the potential for loss, and any technological risks.
Regulation S Exemptions
In relation to the legal qualification of USDM in the US, given the lack of regulatory clarity for stablecoins, the team has taken the conservative approach of complying with the U.S. Securities Act. Mountain Protocol has requested advice on whether it may rely on the Regulation S exemptions. Regulation S is an exemption from the registration requirements of the Securities Act for securities offerings made outside the United States by both U.S. and non-U.S. issuers. Under Regulation S, securities may be offered and sold to non-U.S. residents without registration with the SEC, provided that the sale is conducted in accordance with certain conditions (e.g. no directed selling efforts in the U.S., transaction executed in an offshore market, offering restrictions, etc.).
Legal memoranda observed by our legal counsel affirm that the offering of USDM may be carried out under the Regulation S exemptions, taking into consideration that the offer targets non-US persons and the company effectively guards against the participation of U.S. persons in the offering, purchase, or sale of USDM. Customers registered or residing in the U.S. are not allowed to open an account. The Protocol’s Terms of Service expressly prohibit sales, transfers, or other distributions of USDM to U.S. persons. The restrictions are also followed with regard to the secondary market where Mountain Protocol employs blockchain analytics, off-chain news, social monitoring, and on-chain known address monitoring.
Should Mountain Protocol, at its own judgment, ascertain that a user either qualifies as a U.S. person or has intentionally enabled the transaction of USDM tokens to a U.S. person, it may implement suitable measures - e.g. the blocking of addresses, suspension, or closure of accounts, or any other actions deemed necessary by the company. All accounts undergo a stringent review process by Mountain Protocol, which holds the right to refuse, suspend, or terminate any account based on failure to comply with the set of eligibility requirements or for reasons solely determined by the company.
Mountain Protocol adheres to conservative principles of geo-restrictions. Addresses are added to the blocklist upon receiving requests from esteemed public entities such as the Office of Foreign Assets Control (OFAC), Bermuda Financial Intelligence Agency (FIA), Her Majesty’s Treasury (HMT), the United Nations, and judiciary bodies. This action is taken in instances of hacks, unauthorized appropriation of funds upon verification, or breaches of terms and conditions. Noteworthy breaches include money laundering, terrorist financing, or other infractions not aligned with the terms and conditions, irrespective of whether public agencies have blocklisted the implicated addresses.
LlamaRisk Gauge Criteria
Centralization Factors
Is it possible for a single entity to rug its users?
Unlikely. The bankruptcy-remote legal structure isolates USDM reserves from dependence on Mountain Protocol Ltd. USDM incorporates robust role-based access controls and a third-party signer to prevent unilateral on-chain operations by Mountain Protocol. However, as the licensed issuer and platform operator, Mountain Protocol’s proper management remains crucial.
If the team vanishes, can the project continue?
No. USDM relies entirely on Mountain Protocol’s active participation for critical operations like issuance, redemption, rebasing, compliance, reserves management, and integration support. If Mountain ceased operations, the Bermuda Court would recover assets held in the USDM Reserve, liquidate, and return funds to token holders.
Economic Factors
Does the project’s viability depend on additional incentives?
No. The token’s value and yields are derived from underlying U.S. Treasuries. However, the Curve ecosystem does provide additional incentives for liquidity providers, enhancing opportunities to drive USDM’s growth.
If demand falls to 0 tomorrow, can all users be made whole?
Effectively, yes, but possibly not in extreme circumstances, such as a default of the US government on debt obligations. The reserve portfolio is conservative, although losses are possible when selling T-bills before maturity in extreme scenarios. Mountain also allows for an equity buffer to cover potential losses. Given the current structure of the yield curve and the project being in the early stage, management strongly prefers having low duration. Liquidity crunch, market volatility, or redemption bottlenecks remain low-risk considerations.
Security Factors
Do audits reveal any concerning signs?
No. The USDM and wUSDM contracts underwent audits by OpenZeppelin, which uncovered only minor issues that were rapidly addressed. The USDM audit found one medium and two low-severity findings and seven notes. The wUSDM audit had four notes but no vulnerabilities. The issues identified do not reveal significant concerns, demonstrating that the contracts are well-designed overall.
Risk Team Recommendation
USDM is designed with a strong foundation in property law, ensuring its reserves are bankruptcy remote, protecting token holders in case Mountain Protocol Ltd. faces financial difficulty. The regulations provided by Bermuda’s legal system also offer a clear understanding of how digital asset tokens like USDM are handled.
Nevertheless, USDM is a new product with room for improvement:
USDM should offer more details about its fee structure and revenue model. The team explains this information clearly, and it has been shared in this report and in the T&C, but it should be relayed more transparently on the website and in a fee section in the docs where users are most likely to see it.
There has been no USDM burned from circulation despite the availability of procedures for redemption processing and redemptions having taken place. Demonstrating the effectiveness of the token-burning process through actual examples would increase trust.
RWAs backed by U.S. Treasuries may face increased regulatory scrutiny, given the regulatory status of crypto in the U.S. Unlike analogous product offerings like Ondo’s OUSG and Matrixdock’s STBT, USDM does not have any whitelist for users to gain exposure to the asset on-chain. Keeping up with Regulation S and staying vigilant about changing laws is essential to maintain a coherent compliance strategy. This risk may affect USDM’s continued product offering, but as seen in other SEC precedent actions such as for BUSD, this did not result in any loss of user funds.
Considerations for DeFi integrators, and specifically with Curve and crvUSD, include:
USDM can only be integrated into DeFi applications if the rewardMultiplier is functional, which involves daily operation by the Mountain Protocol oracle to addRewardMultiplier, an entirely centralized operation. Integrators can assess the risks of onboarding as its development progresses.
USDM is a good fit for applications looking for a fiat-redeemable trading counterpart. For crvUSD, Stableswap AMMs with USDM or wUSDM are recommended. The recent stableswap-ng provides support for stableswap pairs involving assets with an internal rate oracle.
USDM may become a suitable contender for a crvUSD pegkeeper, as its price is tethered to $1 and offers geographical diversity since the issuer is incorporated in Bermuda. Mountain Protocol typically only processes mints/redemptions through USDC, which may lead to delays for mint/redemption in the event that USDC becomes inoperable. There is a manual process for handling direct fiat redemptions via FedWire/SWIFT payments, which will keep the system operational in case of issues with USDC, although the USDC process is preferred by users in normal conditions. Streamlining a system for fiat redemptions with access to API transactional banking will help diversify the risk of USDM from the existing pegkeepers.
Notable advantages for USDM are its legal structure that protects the ownership rights of token holders, careful choice of collateral with a clear investment mandate, and adherence to Bermuda’s regulations. These elements address everyday worries about centralized control and ensure USDM’s reserve backing remains solid. However, the points mentioned need attention to enhance transparency and minimize user risks. As USDM gains adoption, its ability to maintain stability and handle redemptions will be crucial, highlighting the importance of ongoing caution.