Asset Risk Assessment: Prisma Finance mkUSD
A deep dive into the overcollateralized stablecoin backed by ETH liquid staking derivatives
Useful Links
Governance: Governance Forum | DAO
Relation with Curve
Prisma has close ties with the Curve ecosystem, stemming from the involvement of Curve contributors in the project and investments from key Convex and Curve stakeholders. Curve plays a role as the main venue for the exchange of both mkUSD and the PRISMA governance token. Due to the close relationship, both mkUSD and PRISMA have had a large number of successful gauge votes, allowing CRV emissions to the respective pools.
In addition to pools for mkUSD, the launch of the Prisma governance token has sprung the creation of 2 liquidity locker tokens, cvxPRISMA and yPRISMA.
Curve Pools:
mkUSD/USDC (gauge, vote)
PRISMA/ETH (gauge, vote)
PRISMA/cvxPRISMA - locker (gauge, vote)
PRISMA/yPRISMA - locker (gauge, vote)
A vital aspect of this relationship is Prisma’s proposal to whitelist its Prisma CurveProxy contract in Curve’s SmartWalletWhitelist, enabling Prisma’s participation in Curve governance. This allows Prisma to lock CRV and vote for gauge emissions to their pools on Curve. The proposal was, in part, motivated by Prisma’s commitment to maintaining a permanent lock on their acquired CRV position, obtained from an OTC deal with Curve’s founder.
The whitelist vote was the first Curve governance action regarding Prisma. It involved the promise of a PRISMA airdrop to both veCRV and vlCVX voters who voted in favor of the proposal. The airdrop was conducted in November along with support for Prisma pool rewards boosting by Convex.
Protocol Overview
Introduction
Prisma Finance is a decentralized stablecoin protocol that allows users to mint its mkUSD stablecoin by depositing supported liquid staking tokens (LSTs) as collateral. mkUSD aims to maintain its 1:1 peg to the USD through various arbitrage opportunities and by being redeemable at any time for $1 worth of the deposited collateral.
mkUSD is based on Liquity’s codebase but with significant design changes. Like Liquity, Prisma prioritizes decentralization with a set of programmatic functionalities to stabilize the peg. However, Prisma also adds flexibility through governance over parameters like supported collateral assets, fees, and emissions. It adds a similar veTokenomic design, as had been pioneered by Curve, with a timelocked governance token, gauge voting, and pool boosting.
Prisma improves on Curve’s model with optimizations like withdrawal flexibility, vote decay, and configurable emissions. Beyond voting and incentives, Prisma also integrates with external protocols like Curve and Convex for swapping infrastructure and yield optimization.
To generate mkUSD, users open collateralized debt positions (termed “troves”) on Prisma by depositing ETH LSTs. mkUSD is minted against this collateral at a minimum ratio specific to each collateral type. The primary value proposition is that users can earn staking rewards on their collateral that offsets the borrowing cost.
As an Ethereum-native algorithmic stablecoin, mkUSD offers quite strong decentralization attributes for LST holders to borrow against their yield-bearing assets. The system relies on the resiliency of the vault collateral and the protocol’s stabilization features such as the Stability Pool to ensure system solvency and stability of mkUSD. Prisma brings unique innovations to Liquity’s battle-tested model for a robust and flexible stablecoin platform.
Collateral selection
Risk reports are conducted by PrismaRisk, an independent research team operated by Llama Risk, as part of a series on LST collateral risk assessments. These reports comprehensively cover all relevant risk factors of a specific collateral. The Prisma Risk methodology involves both quantitative and qualitative analysis to help determine whether the collateral can be safely onboarded and to what extent there should be restrictions on the protocol’s exposure to the collateral.
As Prisma has onboarded a variety of LSTs as collateral, these reviews involve comparative analysis to determine suitability as collateral. Risks are categorized into:
Market Risk - risks related to market liquidity and volatility
Technology Risk - risks related to smart contracts, dependencies, and Oracle price feeds
Counterparty Risk - risks related to governance, centralization vectors, and legal/regulatory considerations
The methodology aims to provide a complete view of the potential dangers of collateral assets so that Prisma governance can make informed decisions on onboarding, risk parameter calibration, and caps on exposure concentration.
As of today, the collaterals onboarded to Prisma are:
wstETH
rETH
cbETH
sfrxETH
Below is a list of published reports as of the time of writing. The updated list is in the Prisma Docs.
Below are the collaterals that have been scored by PrismaRisk:
Other collateral can be suggested on the Prisma governance forum (e.g. this post for adding Origin’s ETH (OETH) as collateral).
Stability Mechanisms
The mkUSD protocol utilizes a multi-faceted approach to maintain the peg to the US Dollar without reliance on exogenous collateral or custodianship. The mkUSD peg is maintained through internal protocol levers, such as collateral redeemability, that facilitate arbitrage. When mkUSD falls below $1, anyone can redeem mkUSD for collateral in the system, beginning with troves with the lowest collateralization ratio (CR). There are governance-controlled parameters to adjust fees on redemption and programmatic levers such that as redemptions become profitable, borrowing gets more expensive, acting to stabilize the peg.
Prisma also features a Stability Pool where mkUSD holders can deposit to earn trading fees and collateral assets from liquidations. The pool is the protocol’s first defense to maintain solvency by automating the liquidation of troves below the minimum collateral ratio (MCR). The Stability Pool is a single liquidation pool across all supported collaterals. Compared to Liquity, Prisma’s architecture is more diverse (there are multiple collateral markets) and is structured involving yield accruing ETH staking derivatives. With the further expansion of supported collateral markets on Prisma, there is an associated growing complexity of the pool from its constituent assets.
An additional line of defense is the Recovery Mode mechanism, which automatically triggers when the Global Total Collateral Ratio (GTCR) falls below a predefined threshold. This value refers to the aggregate of all open troves and serves to incentivize all participants to increase their CR to healthy levels and reduce the risk of bad debt to the protocol. Recovery Mode involves changing system parameters and liquidation threshold to incentivize increasing the GTCR.
The critical internal stability mechanisms are summarized as:
Vault Collateralization: Loans made in mkUSD require over-collateralization ratios exceeding a minimum collateral ratio (usually 110%-120%, specific to each collateral type) in USD terms. Declines below this threshold enable liquidations, incentivizing collateral preservation behaviors.
The Stability Pool: A pool of mkUSD capital acts as a buffer resource to guarantee mkUSD debts from liquidations. In return for this liquidity and collective backing, Stability Pool depositors gain discounted collateral assets and fee income. Maintaining sufficient participation in the pool is imperative and may require careful incentive alignment. In the absence of liquidity in the stability pool, the collateral and debt from the liquidated trove are redistributed across all other active troves.
Redemption Arbitrage: mkUSD is redeemable for collateralized assets in troves at a 1:1 ratio minus a redemption fee, creating bounding incentives for supply and demand around $1. This arbitrage is critical to maintaining the mkUSD peg but negatively impacts trove owners who may be at risk of redemption despite maintaining CRs safe from liquidation, as redemption selects the troves with the lowest CRs regardless of the nominal value.
Recovery Mode: If the Global Total Collateral Ratio (GTCR) of all active troves falls below a governance-controlled threshold (currently 150%), the system automatically enters Recovery Mode. No borrowing actions can be made that further reduce the GTCR, minting fees are reduced to 0% to incentivize users to add collateral, and liquidations can occur on all troves below the GTCR. This is a backstop mechanism to protect system solvency by incentivizing participants to keep their CR over 150%.
Liquidations
Liquidations in Prisma are permissionless operations enabled under specific scenarios when a vault becomes undercollateralized. Anyone can initiate the liquidation of an unsafe vault to restore its collateralization ratio and settle outstanding mkUSD debts. There are a few distinct liquidation pathways coded into the LiquidationManager contract:
ICR ≤ 100%: If a vault (Individual Collateral Ratio) drops below 100% collateral ratio, its entire collateral and debt get redistributed to active vaults proportional to their collateral ratios. This mechanism shares the liquidation loss across all vaults.
100% < ICR < MCR: Between 100-MCR% collateral ratio (MCR is set per collateral type and typically ranges from 110%-120%), the liquidation occurs using the Stability Pool. An equivalent mkUSD amount to the liquidated debt is destroyed from the Stability Pool, while a proportional amount of collateral is distributed to depositors. Any debt shortfalls are covered through the redistribution mechanism mentioned earlier.
MCR ≤ ICR < TCR and TCR < CCR: When the global collateral ratio (GTCR) dips below 150%, the system enters Recovery Mode. Vaults with individual ratios between MCR-150% become eligible for partial liquidations. Their collateral goes to Stability Pool users. Vault owners can claim any surplus collateral, but their vault gets closed.
Acronyms:
ICR - Initial Collateral Ratio
MCR - Minimal Collateral Ratio
TCR - Total Collateral Ratio
CCR - Critical Collateral Ratio
By accounting for different liquidation conditions and redistribution mechanisms, the system attempts to remain solvent in edge cases, even when the Stability Pool lacks sufficient participation. This may be to the detriment of unwitting users who are not monitoring changes in the global system collateralization. Positions safe from liquidation in normal conditions (110-150% CR) may be at risk of liquidation as a result of the TCR dropping below 150%, prompting the protocol to enter Recovery Mode.
The liquidateTroves function allows batch liquidations of multiple undercollateralized vaults, supporting liquidity provision when mass vault insolvencies appear likely. Keeping gas costs in check for liquidators remains an area of focus.
Historical data on liquidations can be found on the PrismaMonitor Liquidation Analytics page.
Oracles
Oracles play an indispensable role in the mkUSD stablecoin system, primarily by providing essential external price data crucial for maintaining the solvency of the protocol. Given that mkUSD achieves its dollar peg through over-collateralizing liquid staking tokens, the protocol requires highly accurate and reliable price feeds for all its collateral assets. The accuracy of these price feeds is vital because the mkUSD supply could become under-collateralized without them, posing significant risks to the system’s stability and integrity. Additionally, erroneous price feeds could result in troves being unfairly liquidated or redeemed.
To ensure the fidelity and security of these price feeds, Prisma sources prices from decentralized oracle networks such as Chainlink. These networks collate data from numerous independent nodes, distributing the information’s source and minimizing the risk of single points of failure or manipulation by any individual entity. This decentralized approach enhances the robustness and credibility of the price data used in the mkUSD protocol.
To enhance this critical aspect of the protocol, [PIP-004] has been introduced in the Prisma Governance Forum. This proposal suggests upgrading the Chainlink stETH/USD oracle to a combination of Chainlink stETH/ETH and ETH/USD oracles for the wstETH collateral.
The motivation behind this change is to address the observed price deviations with the stETH/USD oracle, which has exceeded 1% at times due to the higher deviation threshold of that particular pricefeed. These deviations have made it possible for MEV bots to profit at the expense of users, especially during volatile market conditions. Shown below is the behavior of the redemption fee upon redemption events, with multiple events in succession indicating persistent profitability despite the dynamically adjusting fee.
By switching to the stETH/ETH & ETH/USD oracles, the protocol aims to achieve more accurate price feeds with a lower deviation threshold, thus enhancing the stability and reliability of the mkUSD system.
Contract Overview
TroveManager.sol: The TroveManager tracks user accounts (“troves”) and collateral ratios for a specific collateral type in Prisma. It handles opening and adjusting troves, interest accrual, redemptions, and liquidations.
StabilityPool.sol: The Stability Pool absorbs debt from liquidations and distributes collateral rewards to depositors to backstop mkUSD and maintain system solvency.
PriceFeed.sol: The Prisma PriceFeed integrates decentralized oracle networks like Chainlink to supply external price data. It validates and caches values, serving as a secure price provider for collateral ratio calculations. The contract maintains oracle parameters and checks responses for staleness and deviations.
LiquidationManager.sol: The Prisma LiquidationManager handles liquidations across all collateral types, integrating with the TroveManager and StabilityPool. Anyone can liquidate an undercollateralized trove. Liquidation modes based on collateral ratio either redistribute or offset debt before the surplus is claimable. The manager plays an essential role in Prisma’s stability by flexibly permitting and coordinating liquidations.
Fees and Revenue Model
Prisma has three types of protocol fees:
Minting Fees: This is a one-time fee upon opening a trove and added to the total debt. The fee is determined algorithmically with a minimum of 0.5% in normal operation and 0% in Recovery Mode.
Borrow Fees: This is continuous interest charged on the loan that is set by governance.
Redemption Fees: mkUSD holders can choose to redeem against a collateral of their choice. The fee algorithmically increases each time a redemption occurs and decreases over time, effectively limiting incentives to redeem.
A unique aspect of Prisma Finance is the governance-driven adjustability of its fees. The fixed fees and borrowing interest rates can be altered through the platform’s governance mechanisms, allowing the protocol to respond to market dynamics and user behaviors. (See: Prisma Improvement Proposal [PIP-002] Debt IR (Interest Rate) Increase from 1% to 2% on all collaterals)
Prisma’s interest rates cannot exceed a hardcoded ceiling of 4%. This decision could be attributed to Prisma’s positioning as a competitor to Liquity, which offers a 0% interest rate. The ceiling likely aims to ensure competitiveness, as rates above 4% might outpace actual LST yields, making Prisma less attractive.
Historical Fees
The FeeReceiver contract currently holds over $5m, from charged fees and incentive rewards:
Below is shown the total protocol revenue over time.
On November 2, over $1m mkUSD and 75k PRISMA was added to the FeeReceiver.
On November 9, there was an influx of 1.1m PRISMA.
Shown below is the daily revenue in USD, showing the spikes on November 2 and 9.
In early November, Prisma introduced the PRISMA governance token, which involved conditions to either lock for 52 weeks or pay a broken lock penalty. Prisma Finance consolidates penalties from broken locks and collected fees (from user vault mint fees and interests) into the fee contract.
Shown in blue below are the unlock penalties that began accruing after the launch of the PRISMA token.
As of December 2, 53% of protocol revenue is from PRISMA broken lock penalties and 43% is from mkUSD minting and borrowing fees. There are also some redemption fees in the form of ETH and LSTs.
Governance
As described earlier, Prisma has a native token, PRISMA, which can be locked as vePRISMA for up to 52 weeks to receive lock weight. vePRISMA tokenholders can vote on weekly gauge emissions that allocate newly minted PRISMA toward whitelisted purposes like Curve pool incentives or Stability Pool incentives. Tokenholders can also vote on protocol changes in onchain DAO votes.
The Prisma DAO can take the following actions:
Modifying fees
Adding/removing collateral
Pausing/unpausing protocol functionality
Transfer protocol fees
Adjust quorum on DAO votes
Votes have a one-week validity period to achieve quorum and a 24-hour timelock after they reach quorum before the vote can be executed. This allows users time to exit in case of a malicious governance action. A guardian multisig controlled by the Prisma team further has the power to veto pending DAO votes. The DAO can replace the guardian in case of malicious action, and this particular vote type cannot be vetoed by the guardian.
Features of the Prisma governance system include:
Flexible Vote Locking
Flexible Vote Locking is a mechanism that allows users to lock their governance tokens for periods ranging from 1 to 52 weeks to gain voting power. This feature offers flexibility in choosing the duration of the lock, with more extended lock periods resulting in increased voting power. Additionally, it supports multiple concurrent locks per account, incentivizing long-term commitment from token holders and aligning their interests with the protocol’s future through higher boosts for longer locks.
Prisma also enables users to delegate their voting rights to any address, enhancing the versatility of the governance system.
Vote Decay
Vote Decay is a governance mechanism where the influence of a user’s vote decreases over time. The voting power obtained from locked tokens gradually lessens unless these tokens are re-locked or the locking period is extended. This feature promotes continuous participation and engagement in the governance process. It ensures users remain actively involved by maintaining their voting influence through re-locking or extending their lock periods.
Lock Weight Freezing
Freezing the lock weight extends all active locks to a maximum duration of 52 weeks and halts the weekly decay of the time-to-unlock. This feature benefits users who intend to wait to withdraw their tokens, as it reduces gas costs associated with emission voting and prevents the decay of their voting power. Tokens added to an already frozen lock inherit this status. Upon unfreezing, the lock weight decay resumes from the end of the week when the unfreeze action occurs.
Note that with locked positions generally, early withdrawal from a locked position incurs a penalty fee proportional to the remaining time until the scheduled initial unlocks, starting at 100% and decreasing linearly with the remaining time.
Configurable Emissions
Prisma introduces a notable difference from the Curve model with its configurable emissions feature. Emission rates in Prisma can be dynamically updated through governance decisions, offering flexibility and control. This adaptability is essential for aligning with changing market conditions or strategic objectives, contributing to the protocol’s stability and attractiveness to users. Additionally, emissions are directed to governance-approved “receivers,” granting significant control to governance and enabling reactive flexibility without compromising system stability.
Markets
Prisma TVL over time (ETH)
A large increase in TVL coincided with the launch of the Prisma DAO and PRISMA token.
Divided by collateral type, wstETH makes up the majority of TVL, followed by sfrxETH, rETH, and a small proportion of cbETH.
mkUSD Trading Volume
The following chart tracks the TokenExchangeUnderlying event in the Curve mkUSD/PRISMA pool.
The following chart tracks the TokenExchangeUnderlying event in the Curve mkUSD/crvUSD pool.
mkUSD Holder Distribution
Most outstanding mkUSD resides in the protocol Stability Pool, followed by the various Curve pools.
Trove Distribution
The following chart shows the distribution of collateral value in the wstETH vault by address. A single address makes up the majority of collateral in the vault.
mkUSD Price Volatility
mkUSD has experienced issues maintaining the peg, which was likely attributable to high yields on mkUSD in liquidity pools and yield on collateral outpacing borrowing costs. Borrowing rates were voted to increase from 1% to 2% on November 8 and increased again to 4% on November 26.
Risk Vectors
Smart Contract Risk
Prisma, modeled after Liquity, includes design features emphasizing immutability and security. It avoids the use of Proxy contracts, which reduces governance attack surfaces.
Audits
Prisma Finance has undergone extensive external security audits by several reputable firms to ensure the protocol’s security before deployment. Three comprehensive audits have been completed, conducted by MixBytes, Zellic, and Nomoi:
MixBytes - September 2023
Identified two critical, three high, six medium, and 12 low-severity findingsZellic - July 2023
Identified one critical and one low-severity findingNomoi - August 2023
Found 17 findings ranging from critical risk to enhancements
Summary of Key Findings
Critical findings dealt with potential fund manipulation via flash loans, incorrect accounting that could disrupt the Stability Pool, and ways to avoid owing interest. Solutions implemented involved removing interest accrual on debt pools and turning off specific actions during Recovery Mode.
High-severity issues involved potential DAO governance attacks if parameters were set improperly initially. Recommendations included guardrails like time delays, cancellation capabilities, and conservative starting parameters.
Medium findings covered inconsistent validation logic, reentrancy risks from external contract calls, and code quality enhancements. Low-impact issues were more minor inconsistencies and optimizations.
Overall, the audits found that Prisma demonstrated excellent code quality and responsiveness to issues raised. All findings were addressed, validating Prisma’s security posture before launch.
Bug Bounty
There is no public information about a bug bounty program for Prisma.
Access Control
Prisma, being an immutable and fully onchain protocol, retains minimal admin functions operated via governance. The platform ensures maximal safety and user trust by limiting admin capabilities.
There are two privileged entities in the Prisma system:
Owner Admin: Responsible for protocol changes and parameter setting. The address is set to the Prisma VotingAdmin contract.
Guardian: Has emergency capabilities, including pause functions. The address is set to the 5-of-9 Guardian multisig.
Guardian Multisig Members
The contract address for the Guardian Multisig can be found here, and its members include:
Michael Egorov - Curve Finance
c2tp - Convex Finance
mrblock - Curve Finance
Sam Kazemian - Frax Finance
0xLlama - DefiLlama
Ivangbi - LobsterDAO
Tetranode
Sidney Gottlieb - Prisma Finance
Owsley Stanley - Prisma Finance
The following admin actions are possible in Prisma:
Emergency Pausing: Designed to halt all operations except those allowing collateral recovery by users. This feature aims to prevent collateral from being stuck due to unforeseen bugs in the immutable protocol and to reassure users that Governance and Guardians cannot unduly lock their capital.
Protocol-wide Emergency Functions: In case of a catastrophic issue, the Guardian multisig can pause critical functions, including opening or modifying vaults and depositing mkUSD into the Stability Pool.
Collateral-Specific Pausing: If urgent issues arise with specific collateral types, the Guardian multisig can pause related Account Manager functions. This includes the creation and modification of vaults related to that collateral.
Unpausing: Protocol-wide and collateral-specific unpausing can only be enacted via governance.
Set Guardian Multisig: Governance can vote to change the guardian address.
Set Fee Receiver: Governance can change the address receiving protocol fees.
Set Price Feed: To future-proof the system, governance can vote to replace the protocol price feed.
Collateral Management: Governance can initiate collateral sunset processes and add new collateral types.
Default Account Manager and Sorted Account Implementations: Governance can modify the default implementations for new collateral types.
Interim Admin Functions
Temporary ownership during the bootstrap phase includes executing arbitrary function calls following a minimum execution time. The protocol guardian can cancel proposals and cannot be replaced. A daily cap on proposals is set to prevent malicious flood attacks.
Configurable Parameters
The following parameters are configurable by governance in Prisma:
Collateralization Ratios
Minimum Collateral Ratio (MCR): The minimum ratio required for trove creation (e.g., 120%).
Critical Collateral Ratio (CCR): The ratio at which the system enters Recovery Mode (e.g., 150%).
Rates and Fees
Interest Rate: Rate paid on trove debt.
Redemption Fee: Fee for redeeming debt for collateral.
Borrowing Fee: Fee for borrowing debt.
Incentives
Reward Duration: The period over which PRISMA rewards accrue.
Reward Rate: Dynamic rate based on PRISMA emissions.
Product P and Sum G: Metrics tracking deposit loss from liquidations and PRISMA rewards earned, respectively.
TroveManager Parameterization
Parameters can be set in the respective vault TroveManager contract.
Custody Risk
As a non-custodial protocol, Prisma Finance poses minimal custody risks. Users retain complete control over their deposited funds at all times.
There are no admin keys or centralized parties with special privileges to block withdrawals or access user assets. Unlike custodial platforms, users directly control private keys to mint or redeem mkUSD and collateral tokens.
An opt-in emergency pause feature allows for halting new activity during exploits. However, withdrawals must remain enabled by design even when paused so deposited funds remain in the custody of the user. The contract only blocks new vault creation and borrowing, prioritizing user access to assets.
By minimizing trust assumptions, Prisma reduces reliance on potentially unreliable third parties. Users need not trust developers, governance participants, or external influences to withdraw or transition funds. The system’s incentives and collateral guarantees provide security assurances that are agnostic to human discretion.
Prisma cannot revoke, block, or prevent access to rightfully owned collateral or stablecoins. The protocol favors availability and user control over functionalities dependent on trusted intermediaries. This trust minimization enhances censorship resistance and protects funds from undue restriction.
Oracle Risk
Prisma relies on accurate, real-time price feeds to track vault collateralization ratios for the purpose of processing liquidation and redemptions. As an algorithmic stablecoin, negligent oracle management poses severe risks. Failure of the oracle can result in bad debt to the protocol, faulty liquidations, and MEV extraction on redemptions due to inaccurate pricing.
Prisma sources prices from reliable decentralized networks like Chainlink, using high-quality data to calculate collateral ratios. In cases where a Chainlink price feed is unavailable, Prisma may use an alternative oracle. For sfrxETH, the oracle is a custom contract used by Frax with their FraxLend product. The contract aggregates the Curve EMA oracle and Uniswap TWAP oracle with guardrails to produce an aggregate onchain price for frxETH.
Decentralization involves inherent tradeoffs. Delays from congestion or inaccurate data could enable issues like oracle frontrunning. Moreover, governance attacks on the oracle remain theoretically possible, although unlikely. Continuous awareness of these risks is essential.
Prisma may consider implementing a fallback oracle, similar to Liquity’s use of Chainlink as the primary and Tellor as the fallback. This may provide additional protection in case the primary oracle times out or produces an unacceptable value.
Depeg Risk
The mkUSD stablecoin relies on several arbitrage opportunities and stability features to preserve its 1:1 peg to the US dollar.
mkUSD remains perpetually redeemable by anyone for $1 worth of vault collateral assets. This redeemability establishes a reliable price floor and exit option for users.
Active vaults must maintain over-collateralization ratios exceeding the MCR (typically set between 110% and 120% by vault). Dropping below this threshold triggers liquidation, enabling arbitrageurs to realign mkUSD with its backing.
The Stability Pool allows depositors to absorb risky debt in exchange for discounted collateral during systemic shortfalls. This incentive bolsters participation when stability demands it.
The redemption fee formula plays an important role in preserving the price floor of mkUSD. The baseRate increases depending on a redeemed amount and gradually decays over time. Setting the value too high could inhibit redemption arbitrage. See the redemption dynamic in LUSD:
The price ceiling of mkUSD is set by the MCR. There is an instant arbitrage available to borrowers who max borrow and sell on the market beyond that price. For instance, if MCR is 110%, any mkUSD price over $1.10 can be instantly arbed.
Within the bounds of the redemption fee and the MCR is considered the “soft peg” zone where mkUSD could potentially drift in certain market situations. Within this zone, there are rough monetary policy levers that can improve peg performance. For instance, low interest rates upon the launch of mkUSD have put downward pressure on the peg. This was met with several governance proposals to increase borrowing interest rates to 4%. The algorithmic design of mkUSD, therefore, sacrifices some peg stability with the tradeoff of strengthening the assurance of system solvency.
Collateral Risk
Liquid staking derivatives intend to maintain a peg with the underlying ETH, but a variety of risks associated with these protocols may compromise their ability to maintain peg. These may be intrinsic issues related to smart contract bugs, governance attacks, or operational errors involving node operators, oracle daemons, or smart contract admins. There may also be generalized issues involving the Ethereum network or staking that cause network congestion. Each LSD product has unique designs that may expose token holders to a risk of partial or total loss of funds.
Prisma leverages several strategies to mitigate risks from accepted token collaterals. Only reputable liquid staking derivatives were initially included, with conservative collateral requirements. Based on the asset’s risk profile, the minimum ratio is 110-120%. Paramatization per asset ( MCR, debt ceiling, etc) allow for nuanced risk management. Through governance, critical parameters like collateral debt caps and liquidation thresholds are configurable per asset type. Additions of new collateral also involve governance votes aligning community incentives.
Independent research group PrismaRisk provides in-depth vetting of potential new assets through a published risk assessment methodology. This careful review covers factors like volatility, dependencies, and legal considerations.
By tailoring restrictions to individual collateral properties, setting conservative buffers, and subjecting assets to rigorous examination, Prisma constructs layered defenses against onboarding risky collateral types that may jeopardize the mkUSD peg. However, some level of intrinsic risk remains inevitable. Continuous enhancement of risk frameworks in line with market developments remains essential for robust collateral management as the adoption develops.
Governance Risk
Onchain Governance
Governance in decentralized finance (DeFi) protocols plays a crucial role in shaping their functionality, trustworthiness, and long-term sustainability. Prisma Finance has adopted a unique approach to governance, particularly in distributing and managing its PRISMA token.
Prisma transitioned to onchain governance controlled by tokenholders after the announcement of the DAO and token launch on October 30. Major protocol changes are managed by a DAO through the AdminVoting contract. Votes have a one-week eligibility time to reach a quorum of 30% vePRISMA signaling support. There is a 24-hour timelock after the quorum is met before a vote can be executed to give users time to exit in case of a governance attack. The Guardian multisig also retains the right to veto malicious proposals. The DAO can replace the Guardian via onchain vote, which cannot be vetoed by the Guardian.
PRISMA Token Distribution
The PRISMA token has a fixed supply of 300m and is held by the PrismaVault contract. Unlike users of the protocol who received locked vePRISMA, the allocation for Core Contributors and Early Supporters is disbursed as PRISMA tokens vested linearly over 1 year (via the AllocationVesting contract).
The locking period for vePRISMA is set for 26 weeks, gradually decreasing by one week every two weeks. This structure suggests that emissions will start as raw, unlocked PRISMA at the end of the first year. A rough calculation indicates that around 90 million PRISMA tokens, vesting linearly over 12 months, would result in a daily unlock of approximately 246,000 PRISMA.
Governance and Token Emission Implications
The token distribution of Prisma Finance has raised some concerns. For instance, the fact that the team and investors receive unlocked PRISMA tokens while others receive locked tokens is a significant discrepancy. This means no emissions will occur as unlocked PRISMA until all insiders receive their total allocation. After one year, assuming full utilization of boosts, approximately 74.4 million tokens would have been emitted, leaving the team with about 54.7% of the supply.
This structure has led to discussions about the fairness and balance of power within the Prisma Finance ecosystem. The locked nature of 59% of PRISMA tokens also contributes to these debates. However, token distributions that weight heavily toward insiders and gradually transition weighting toward community members via gauge emissions is a common veToken strategy to gradually decentralize protocol governance power over time.
Legal Risk
Prisma protocol operations are not functionally related to a specific legal entity. The recently launched DAO has yet to start any discussion about the necessity of creating off-chain legal structures.
While the inherently decentralized nature of the protocol suggests that it is not tied to any one jurisdiction or subject to its local laws and regulations, this does not automatically grant exemption. Effective decentralization ensures that no single individual or entity significantly influences the protocol’s operations. Failure to achieve this level of decentralization could lead national or international authorities to assert jurisdictional claims and potentially subject the services provided to specific licensing requirements. In this context, the concentration of more than 50% of PRISMA tokens within the core team could undermine the protocol’s decentralization strategy and pose regulatory challenges.
Prisma has yet to address a critical aspect of legal decentralization: the access to its protocol via one or several frontends and the associated responsibilities for operating these frontends. UI management must be clarified, particularly regarding who holds the administrative responsibilities. It is still being determined whether the information presented is solely for informational purposes or if the frontend operator possesses the authority to intervene with or modify protocol features, which raises questions about the extent of control and influence over the UI and its functionalities.
Currently, no disclaimers are in place that inform users about the extent of software developers’ involvement, clarify the nature or absence of legal relationships, or outline the terms of use and other relevant legal considerations. Clear communication could lead to clarity regarding user rights and developer responsibilities. Comprehensive disclaimers would enhance transparency and define the legal boundaries for all parties involved.
Further inclusion of risk warnings could significantly bolster Prisma’s legal stance. By explicitly acknowledging, for instance, the innovative and experimental characteristics of crypto tokens and blockchain networks, along with highlighting regulatory uncertainties and security challenges, Prisma can more effectively delineate user rights and limit the liability of protocol developers.
There is no mention of legal issues or enforcement actions against Prisma Finance.
LlamaRisk Gauge Criteria
Centralization Factors
1. Is it possible for a single entity to rug its users?
No. Users have a strong assurance from a custody risk perspective. An onchain DAO with timelock on execution controls most governance functions with a Guardian multisig only being able to veto and emergency pause. Users can always withdraw funds from the system.
2. If the team vanishes, can the project continue?
Yes. An onchain DAO effectively has control over the system and can set the Guardian address, if needed.
Economic Factors
1. Does the project’s viability depend on additional incentives?
Somewhat. Prisma uses a gauge emission system that incentivizes liquidity providers. Most importantly, this involves directing liquidity to the Stability Pool. The pool requires sufficient liquidity to process liquidations without affecting open troves. In the absence of additional incentives, the system may be exposed to additional solvency risk.
2. Can all users be made whole if demand falls to 0 tomorrow?
Yes. Prisma troves are overcollateralized and all users would be able to exit their positions. Users may be exposed to depeg risk of mkUSD due to excessive demand for withdrawal from troves.
Security Factors
1. Do audits reveal any concerning signs?
Prisma has undergone several audits from independent auditors and has resolved issues. The foundation of the system is based on the mature and heavily forked Liquity codebase. One concern is there is not an explicit bug bounty program at this time.
Risk Team Recommendation
Despite being an early-stage protocol, having only around 6 months in production, Prisma has placed a priority on providing strong user assurances. It can do this by leveraging the battle-tested Liquity codebase. There is a division of control over the system that primarily resides with an onchain DAO protected by a 24-hour timelock and a Guardian multisig that has the power to veto malicious proposals and emergency pause the system. In all cases, even when paused, users can withdraw funds from the system.
There are risks users must understand before interacting with Prisma, although these risks are generally transparent and inherent to the protocol design. Troves may be exposed to the aggregate behavior of all troves in cases where the overall system collateralization drops enough to trigger Recovery Mode. Trove owners who are not closely monitoring their position may become at risk of liquidation or redemption, depending on external factors. There are also risks related to the LST collateral types listed on the protocol, the failure of these assets may result in bad debt to the protocol that causes mkUSD to depeg. The Stability Pool should also be monitored, especially in relation to collateral concentration among small numbers of addresses. There may be situations where excessive liquidation exceeds the available liquidity in the Stability Pool, resulting in the liquidated collateral and debt being distributed across active troves.
Overall, Prisma demonstrates a strong level of decentralization while maintaining controls needed to advance the needs of the protocol. Namely, collateral types can be added/removed and parameters can be adjusted to optimize for collateral properties and market conditions. The balance between decentralization and flexibility makes mkUSD a good contender in the DeFi stablecoin market commensurate with the deep level of integration with Curve that has been observed over its short span on mainnet.