By Amadeo Brands
Abstract
QiDao is a decentralized protocol that issues the asset-backed stablecoin MAI. QiDao recently submitted a proposal to add MAI+3pool on Polygon and a proposal to add MAI-USDC-fUSDT on Fantom to the Gauge controller. This assessment aims to review and highlight MAI’s potential risks to veCRV holders.
A TL;DR for people looking for a quick summary:
Protocol analytics need to be improved. While a manual inspection suggests that all vaults are sufficiently overcollateralized, the system-wide collateralization ratio is not displayed.
No single entity can rug the pool. Currently, the QiDao Protocol is under the core team’s control (3/5 multisig, all doxxed), with the longer-term intention to transition to community-held multisig. The timeline for this has not been disclosed.
Audits have not revealed any critical errors. A few minor concerns exist (discussed later in this article) and should be addressed.
An OpenZeppelin audit is upcoming. A full review of the codebase will be helpful. It would make sense to establish a bug bounty program as an added measure.
There is no clear roadmap to full decentralization. QiDao is nominally committed to ceding full control to the community, but the path to this goal is not fleshed out in detail.
Recommendation: Approve QiDao’s request for gauge.
QiDao: Home of MAI
QiDao is a protocol with the purpose of making DeFi accessible to a broader group of investors. It is self-sustaining, community-governed, and aims eventually to become fully decentralized. It consists of two tokens:
Mai (MAI): Polygon’s first native stablecoin, soft-pegged to the USD (like USDC on the Ethereum blockchain). Users can borrow MAI against collateral and buy or sell directly at the QiDao website.
QiDao (QI): the governance token for the overall DAO. It enables the holder to submit, vote on and approve proposals relating to the running of the platform (collateral types, revenue distribution, etc.).
How MAI is managed
MAI’s value is backed by assets in user accounts, known as vaults. Investors deposit assets to the QiDao platform and mint MAI tokens. This debt position is over-collateralized (as is typical in DeFi).
Approved collateral includes static tokens such as ETH, MATIC, LINK, YFI, and CRV and more exotic assets such as Beefy ($BIFI).
MAI is minted when users deposit collateral and burned when the loan is repaid. MAI that is minted against collateral incurs 0% interest and entitles the borrower to additional rewards in the form of QI tokens.
The QiDao Protocol is not reliant on an algorithm to maintain the MAI peg. Instead, the peg is managed via a series of measures, including user incentives and penalties.
Different types of vaults have different debt “ceilings” (i.e. a maximum amount of MAI that can be minted). The ceiling of each vault is dynamic and can be raised or lowered in response to demand and the price of MAI relative to the peg. The goal of the debt ceiling is to prevent a large amount of MAI from flooding the market that could negatively affect the MAI price.
To ensure the stability of the MAI peg, the QiDao protocol also has an ‘Anchor’ mechanism, similar to the Peg Stability Module (PSM) from Maker DAO. Through the Anchor, users can buy MAI that the Treasury mints for the sale and sell MAI that the Treasury then burns.
The Anchor transaction fee is 1%, which means that when the price of MAI falls below $0.99 or rises above $1.01, users can engage in risk-free arbitrage (i.e. pocketing the spread).
Despite some initial volatility resulting from aggressive yield-farming rewards following the platform launch, the price of MAI has stayed relatively close to its $1 peg.
There is scope to stabilize the price further by adding the MAI token to a Curve Stableswap pool. This would offer a more efficient way to exchange MAI tokens with lower fees and slippage, encouraging arbitrage activity to keep the value between $0.99 and $1.01.
QiDao Revenue streams
With 0% interest on collateral and a QI reward scheme, the QiDao protocol requires revenues to be sustainable. The following fees generate these revenues:
Anchor: 1% fee to buy/sell MAI through Anchor (mentioned above).
Repayment: 0.5% of the repayment value, denominated in the collateral currency.
Deposit: 0.5% of the value of liquidity pool (LP) tokens deposited.
Following the passage of QIP 004, 30% of all revenue is distributed as QI staking rewards, with the remainder held by the protocol.
Anchor fees are stored in the Anchor smart contract, repayment revenue is stored in Vault 0, and deposit fees are stored in the Treasury.
All revenue data can be viewed on the analytics pages or via Dune Analytics (updated soon).
Approved Collateral Assets
The MAI token can be minted on Fantom, Polygon, Avalanche, Moonriver, and Harmony. It is available on 12 chains through AnySwap (Fantom, Polygon, Avalanche, Moonriver, Harmony, Cronos, xDAI, IoTeX, Solana, Arbitrum, Metis, and BSC). It is hence an ideal asset for operating across chains.
The complete list of 33 approved collateral assets on each chain can be viewed below.
Polygon:
MATIC, WETH, WBTC, LINK, AAVE, CRV, camWMATIC, camWETH, camAAVE, camWBTC, camDAI, BAL, dQUICK, GHST
Fantom:
WETH, yvDAI, yvWFTM, WFTM, WBTC, LINK, SUSHI, AAVE, mooScreamBTC, mooScreamWETH, mooScreamFTM, mooScreamLINK, mooScreamDAI, mooAaveAVAX, mooBIFI
Moonriver:
ETH, MOVR
Harmony:
ETH, ONE
The largest collateral asset is wETH. No centralized asset (e.g. USDC) is approved as collateral.
Liquidations
Analytics on liquidation activity and its effects on the overall price stability of MAI is currently limited.
The collateral ratio ranges between 130% and 150% (decided by community vote). The liquidation fee is fixed at 10% for all pools. The policy of partial liquidation (documented here) ensures that losses for users are minimized while economic security and capital efficiency are increased.
The role of the Liquidator is open to all. Community members indicated liquidator.sol and Liquidator-V3 as example scripts.
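The TL;DR notes that the system-wide collateralization ratio is not displayed anywhere, and the section above gives the liquidation parameters (a 130% to 150% minimum ratio and a fixed 10% fee). The following Python is an added example, not QiDao's code: it computes per-vault and protocol-wide collateral ratios over constructed vault data, flags vaults below their minimum, and previews a partial liquidation. The payout formula (collateral worth the repaid debt plus the 10% fee, at the oracle price) is a simplified assumption rather than the protocol's documented partial-liquidation rule, and the sample vaults, prices and balances are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Liquidation fee is fixed at 10% for all pools (stated on the page).
LIQUIDATION_FEE = 0.10


@dataclass
class Vault:
    vault_id: int
    collateral_symbol: str
    collateral_amount: float      # units of the collateral token
    collateral_price_usd: float   # oracle price in USD per token
    debt_mai: float               # outstanding MAI (1 MAI targets 1 USD)
    min_ratio: float              # governance-set minimum, 1.30 or 1.50 on the page

    def collateral_value_usd(self) -> float:
        return self.collateral_amount * self.collateral_price_usd

    def collateral_ratio(self) -> Optional[float]:
        """Collateral value divided by debt; None when the vault has no debt."""
        if self.debt_mai == 0:
            return None
        return self.collateral_value_usd() / self.debt_mai

    def is_liquidatable(self) -> bool:
        ratio = self.collateral_ratio()
        return ratio is not None and ratio < self.min_ratio


def system_collateral_ratio(vaults: list[Vault]) -> float:
    """Protocol-wide ratio: all collateral value over all MAI debt. This is the
    figure the analytics pages do not show; zero-debt vaults add collateral only."""
    total_collateral = sum(v.collateral_value_usd() for v in vaults)
    total_debt = sum(v.debt_mai for v in vaults)
    if total_debt == 0:
        raise ValueError("no debt outstanding; ratio undefined")
    return total_collateral / total_debt


def liquidatable_vault_ids(vaults: list[Vault]) -> list[int]:
    return [v.vault_id for v in vaults if v.is_liquidatable()]


def liquidation_preview(vault: Vault, repay_mai: float) -> dict:
    """Outcome of a liquidator repaying `repay_mai` of a vault below its minimum.

    Simplified model (an assumption, not QiDao's exact formula): the liquidator
    receives collateral worth the repaid debt plus the 10% fee, priced at the
    oracle rate, and the vault keeps the rest. A partial repayment may leave the
    vault still below its minimum ratio, which the result reports.
    """
    if not vault.is_liquidatable():
        raise ValueError(f"vault {vault.vault_id} is above its minimum ratio")
    repay_mai = min(repay_mai, vault.debt_mai)
    collateral_out = repay_mai * (1 + LIQUIDATION_FEE) / vault.collateral_price_usd
    collateral_out = min(collateral_out, vault.collateral_amount)
    remaining = Vault(vault.vault_id, vault.collateral_symbol,
                      vault.collateral_amount - collateral_out,
                      vault.collateral_price_usd,
                      vault.debt_mai - repay_mai, vault.min_ratio)
    return {
        "repaid_mai": repay_mai,
        "collateral_to_liquidator": collateral_out,
        "ratio_after": remaining.collateral_ratio(),
        "still_liquidatable": remaining.is_liquidatable(),
    }


# Constructed sample vaults; symbols are from the page, balances and prices are illustrative.
SAMPLE_VAULTS = [
    Vault(1, "WETH", 10.0, 3000.0, 15000.0, 1.30),
    Vault(2, "MATIC", 10000.0, 1.50, 12000.0, 1.50),   # 125%, below its 150% minimum
    Vault(3, "CRV", 5000.0, 2.00, 0.0, 1.30),          # no debt: ratio undefined
    Vault(4, "LINK", 1000.0, 20.0, 14000.0, 1.30),
]

if __name__ == "__main__":
    print(f"system collateral ratio: {system_collateral_ratio(SAMPLE_VAULTS):.3f}")
    print("liquidatable vaults:", liquidatable_vault_ids(SAMPLE_VAULTS))
    print(liquidation_preview(SAMPLE_VAULTS[1], 6000.0))
```

Repaying half of vault 2's debt in the sample leaves it at 140%, still under its 150% minimum; repaying 9,000 MAI brings it to 170%. A real monitor would pull these figures from the vault contracts on each chain rather than from a constructed list.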
QiDao Governance
The QI governance token holders have a say in all major decisions, casting their votes on QiDao Improvement Proposals (QIPs).
Voting power is based on a user’s “Qi Powah”. This is calculated from all the QI held by a user, including unvested tokens and tokens locked in liquidity pools (eQI).
While the mechanics of QiDao still involve the use of multi-sig wallets and proxy contracts, the bulk of the tokens are in the hands of the community, and the QiDao team is slowly but surely delegating the remaining centralized powers to the collective.
As of now, the QiDao community can vote on the following issues:
Assets accepted as collateral
How revenue is distributed
Price Oracle changes
Risk parameters (e.g. liquidation ratio)
Repayment fee level
System upgrades
QI community treasury decisions
All QIPs can be viewed here. The QiDao Discord can be accessed here.
QiDao has retained earnings in reserve and will use the QiDao treasury as a backstop when the system is under stress. This decision is, in theory, the responsibility of the DAO, but the process has not been fully decentralized yet.
Adding MAI to Curve
QiDao plans to allocate 100,000 QI per week to incentivize participation in the proposed MAI-3Pool LP on Polygon and the MAI-USDC-fUSDT LP on Fantom.
As QiDao states in the proposals (see Proposal to Add MAI Gauge on Polygon & Proposal to Add MAI Gauge on Fantom here), this move will not only increase MAI trading volume but will also benefit Curve’s multichain activities by adding another decentralized stablecoin to its stable.
“Curve is the natural next step for MAI on Polygon & Fantom. Adding an incentivized pool for MAI on Curve would address the growing demand for borrowing MAI. It would also provide low slippage transactions for those leveraging with MAI. MAI is by far the largest use case for CRV on Polygon (Fantom growth plans), holding over 23% of the total supply there. CRV can be used as collateral to mint MAI at 0% interest. CRV holders are then continually rewarded with Qi tokens for minting MAI against CRV.”
Security audits
The QiDao protocol has already undergone two smart contract audits:
Bramah Systems, LLC: audited March 2021
Cloakwire Critical Cyber Security: audited March 2021
Neither firm appears on the Rekt leaderboard. While Bramah Systems appears to have audited some notable names (dYdX, Set Protocol, and others), both firms are small and otherwise relatively unknown. A third audit by OpenZeppelin is on the way.
One concern uncovered is the centralization of the oracles via the admin (owner) address, which controls the price oracle feed (via function changeEthPriceSource) across multiple contracts.
function changeEthPriceSource(address ethPriceSourceAddress) external onlyOwner() {
    ethPriceSource = PriceSource(ethPriceSourceAddress);
}
Cloakwire also identified “Overly Permissive Administrative Roles” (SMA.03; see excerpt below):
Finding:
Multiple instances exist wherein administrative roles should be decoupled into a granular permissions model (wherein each action possesses a singular role).
Remediation:
Establish granular permissions on a per function-verb (e.g., getX, setY) permission basis. In the case of permissive roles that fall within a “bucket” of permissions (e.g., the Owner role, Operator role), execution should be tasked to a multi-signature wallet.
A similar concern was also raised in the Bramah Systems report. Since the audits, the single address has been moved to a multisig. However, a greater degree of separation is needed, and as yet, there is no clear roadmap towards full decentralization.
QiDao requires 3/5 approvals to execute transactions:
Addresses:
Polygon: 0x3FEACf904b152b1880bDE8BF04aC9Eb636fEE4d8
Fantom: 0x679016B3F8E98673f85c6F72567f22b58Aa15A54
Avalanche: 0x3Cf6A36876BDecadEab420AfF93171439AbF9CA2
Moonriver: 0x84EB747f40a13Ec56f07E5EE2f36AaDdB24e0cbD
Harmony: 0xd9963d53b6Bb8d0B30c620f94560D5A47e595326
Arbitrum: 0xF32e759d5f1c63ed62042497d3a50F044eE0982b
The five signer addresses are:
0x0be165C6906365F7C3b5B25995D95Af067E4b935
0xbFEF4Bf4cB89B414e1fb2357b2b763E240890059
0x86fE8d6D4C8A007353617587988552B6921514Cb
0xa475aF18A0D5f3De67a498d91dAb86F6ecCbf843
0xBA9611dE78FB2f2Fb6529899783bAf3eD439Aa68
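Until the roles are split up as the audits recommend, the practical defence is to watch the owner-only calls. The following Python is an added example, not QiDao's code: a triage check that a monitor could run over decoded admin transactions, confirming that each `changeEthPriceSource` call comes from the documented 3/5 multisig for its chain (the addresses listed above) and that the price reported by the incoming source agrees with the outgoing one within a threshold. The `AdminAction` record, the 5% deviation threshold, the placeholder function name `someOtherCall` and the sample transactions are constructed; a real deployment would feed it from a chain indexer and extend the watched set with every owner-only setter.

```python
from dataclasses import dataclass

# 3/5 multisig addresses per chain, as listed on this page.
KNOWN_MULTISIGS = {
    "polygon":   "0x3FEACf904b152b1880bDE8BF04aC9Eb636fEE4d8",
    "fantom":    "0x679016B3F8E98673f85c6F72567f22b58Aa15A54",
    "avalanche": "0x3Cf6A36876BDecadEab420AfF93171439AbF9CA2",
    "moonriver": "0x84EB747f40a13Ec56f07E5EE2f36AaDdB24e0cbD",
    "harmony":   "0xd9963d53b6Bb8d0B30c620f94560D5A47e595326",
    "arbitrum":  "0xF32e759d5f1c63ed62042497d3a50F044eE0982b",
}

# Owner-only functions to alert on. changeEthPriceSource is named in the audit
# excerpt; a real deployment adds every other onlyOwner setter here.
PRIVILEGED_FUNCTIONS = {"changeEthPriceSource"}

# Constructed threshold: an oracle swap whose new feed disagrees with the old
# one by more than this fraction is suspicious regardless of who sent it.
MAX_PRICE_DEVIATION = 0.05


@dataclass
class AdminAction:
    """One decoded privileged transaction (constructed shape, not a QiDao type)."""
    chain: str
    caller: str
    function: str
    old_source_price: float   # price reported by the outgoing source at the swap
    new_source_price: float   # price reported by the incoming source at the swap
    tx_hash: str


def check_admin_action(action: AdminAction) -> list[str]:
    """Return a list of findings for one action; empty means nothing to raise."""
    findings: list[str] = []
    if action.function not in PRIVILEGED_FUNCTIONS:
        return findings

    expected = KNOWN_MULTISIGS.get(action.chain.lower())
    if expected is None:
        findings.append(f"{action.tx_hash}: no documented multisig for chain '{action.chain}'")
    elif action.caller.lower() != expected.lower():   # compare case-insensitively
        findings.append(f"{action.tx_hash}: caller {action.caller} is not the documented 3/5 multisig")

    if action.new_source_price <= 0:
        findings.append(f"{action.tx_hash}: new price source reports a non-positive price")
    elif action.old_source_price > 0:
        deviation = abs(action.new_source_price - action.old_source_price) / action.old_source_price
        if deviation > MAX_PRICE_DEVIATION:
            findings.append(f"{action.tx_hash}: new price source deviates {deviation:.1%} from the old one")
    return findings


def triage(actions: list[AdminAction]) -> dict[str, list[str]]:
    return {a.tx_hash: check_admin_action(a) for a in actions}


# Constructed sample: one clean swap, one from an unknown caller, one large price jump,
# one unwatched call. Transaction hashes are placeholders.
SAMPLE_ACTIONS = [
    AdminAction("polygon", "0x3FEACf904b152b1880bDE8BF04aC9Eb636fEE4d8",
                "changeEthPriceSource", 3000.0, 3003.0, "0xtx-constructed-1"),
    AdminAction("fantom", "0x000000000000000000000000000000000000dEaD",
                "changeEthPriceSource", 3000.0, 3001.0, "0xtx-constructed-2"),
    AdminAction("polygon", "0x3feacf904b152b1880bde8bf04ac9eb636fee4d8",
                "changeEthPriceSource", 3000.0, 2400.0, "0xtx-constructed-3"),
    AdminAction("polygon", "0x3FEACf904b152b1880bDE8BF04aC9Eb636fEE4d8",
                "someOtherCall", 0.0, 0.0, "0xtx-constructed-4"),
]

if __name__ == "__main__":
    for tx, findings in triage(SAMPLE_ACTIONS).items():
        print(tx, findings or "ok")
```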
The findings of the upcoming OpenZeppelin audit will be informative and will reveal the full extent of subsequent remedial changes to the codebase. In general, there appear to be no critical flaws, and the QiDao protocol has been active for a significant amount of time without any major hacks or issues. This implies that the team has built a robust protocol.
We hope to see a clearer roadmap to full decentralization and community governance in the long term. It is possible that implementing Compound’s GovernorAlpha set-up will transfer more control to the community.
Another initiative to assure the platform's security would be to establish an ongoing bug bounty program to attract whitehat hackers.
QiDao Protocol Conclusion
The QiDao protocol is a well-executed implementation of an overcollateralized stablecoin.
It effectively integrates various existing concepts (e.g. from Maker DAO and other protocols) and is interoperable with multiple Layer 2s and sidechains.
As a relatively new protocol, QiDao is subject to a certain degree of risk. However, its widespread use and acceptance by many DeFi communities is an endorsement of its robustness.
We have found the QiDao team and community to be highly responsive. We’ve also been impressed at the amount of community-run documentation available, including guidance on investment strategies.
The following is a list of points that we feel need addressing:
The overall QiDao collateral ratio is not 100% clear. Judging by the MAI Finance analytics page and the protocol TVL, it would appear that the protocol is undercollateralized. As observed above, this is likely because the Dune analytics page has not yet been updated. All vaults appear sufficiently over-collateralized.
By community vote, only tokens with a Chainlink oracle are accepted as collateral. However, it seems that MAI itself does not have any Chainlink data feeds (for example, see the Polygon data feed).
As per the audit findings, the QiDao multisig seems to have an overly permissive definition of roles. In the interests of progressing towards full decentralization, it would be good to establish more granular permissions on a per function-verb (e.g. getX, setY) basis.
If QiDao manages risk poorly and a major amount of selling/hyper-borrowing occurs, the opportunity for risk-free arbitrage via Anchor should, in theory, act as a price stabilizer. However, if the speed and volume of activity are sufficient and/or debt ceilings are poorly set, the arbitrage process may drain the protocol reserves, requiring an emergency shutdown.
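The Anchor's 1% fee (described under "How MAI is managed") and the reserve-drain failure mode in the last point above can be made concrete with a small simulation. This is an added example, not QiDao's code: the Anchor is modelled as a PSM that sells newly minted MAI at $1.01 and buys MAI back at $0.99 out of a USDC reserve (an assumption about how settlement works, not a description of the actual contract), the market price is treated as exogenous, and the prices and trade sizes in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANCHOR_FEE = 0.01  # 1% on both buying and selling through the Anchor (from the page)


def arbitrage_bounds(fee: float = ANCHOR_FEE) -> tuple[float, float]:
    """Market prices inside (1 - fee, 1 + fee) offer no risk-free trade against the Anchor."""
    return (1.0 - fee, 1.0 + fee)


def arbitrage_opportunity(market_price: float, fee: float = ANCHOR_FEE) -> Optional[tuple[str, float]]:
    """Direction an arbitrageur trades and the profit per MAI, or None inside the band."""
    lower, upper = arbitrage_bounds(fee)
    if market_price < lower:
        # buy cheap MAI on the market, sell it to the Anchor at 1 - fee
        return ("sell_to_anchor", lower - market_price)
    if market_price > upper:
        # buy MAI from the Anchor at 1 + fee, sell it on the market
        return ("buy_from_anchor", market_price - upper)
    return None


@dataclass
class Anchor:
    """Simplified Anchor/PSM (assumption): sells minted MAI for (1 + fee) USDC and
    buys MAI for (1 - fee) USDC, paying out of a finite USDC reserve."""
    usdc_reserve: float
    fee: float = ANCHOR_FEE
    net_mai_minted: float = 0.0   # negative: more MAI burned here than minted here

    def buy_mai(self, mai_amount: float) -> float:
        """User buys MAI from the Anchor; the USDC paid grows the reserve."""
        cost = mai_amount * (1.0 + self.fee)
        self.usdc_reserve += cost
        self.net_mai_minted += mai_amount
        return cost

    def sell_mai(self, mai_amount: float) -> tuple[float, float]:
        """User sells MAI to the Anchor; only what the reserve can cover is filled.
        Returns (mai_filled, usdc_paid)."""
        max_fill = self.usdc_reserve / (1.0 - self.fee)
        filled = min(mai_amount, max_fill)
        paid = filled * (1.0 - self.fee)
        self.usdc_reserve -= paid
        self.net_mai_minted -= filled
        return filled, paid


def simulate(anchor: Anchor, scenario: list[tuple[float, float]]) -> dict:
    """Run arbitrageurs against the Anchor. Each step is (market_price, mai_size).
    A partially filled sale means the reserve ran dry: the point at which the page
    notes an emergency shutdown would be needed."""
    steps = []
    exhausted = False
    total_profit = 0.0
    for price, size in scenario:
        opp = arbitrage_opportunity(price, anchor.fee)
        if opp is None:
            steps.append({"price": price, "action": None, "filled": 0.0,
                          "profit": 0.0, "reserve": anchor.usdc_reserve})
            continue
        action, profit_per_mai = opp
        if action == "sell_to_anchor":
            filled, _ = anchor.sell_mai(size)
            if filled < size:
                exhausted = True
        else:
            anchor.buy_mai(size)
            filled = size
        profit = filled * profit_per_mai
        total_profit += profit
        steps.append({"price": price, "action": action, "filled": filled,
                      "profit": profit, "reserve": anchor.usdc_reserve})
    return {"steps": steps, "exhausted": exhausted,
            "total_profit": total_profit, "reserve": anchor.usdc_reserve}


# Constructed scenario: a dip below the band, a spike above it, a quiet step, then a
# large sell-off that the 100,000 USDC reserve cannot absorb.
SCENARIO = [(0.97, 50_000.0), (1.03, 20_000.0), (1.00, 10_000.0), (0.95, 80_000.0)]


def run_sample() -> dict:
    return simulate(Anchor(usdc_reserve=100_000.0), SCENARIO)


if __name__ == "__main__":
    result = run_sample()
    for step in result["steps"]:
        print(step)
    print("reserve exhausted:", result["exhausted"])
```

Inside the $0.99 to $1.01 band nothing happens; below it every arbitrage trade draws USDC out of the reserve, and in the last step the reserve covers only about 71,400 of the 80,000 MAI offered. Debt ceilings and the Treasury backstop mentioned earlier are what stand between that point and a shutdown.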
We observed above that MAI would bring diversification benefits to Curve Pools. By adding MAI to the Gauge on Polygon, we would onboard the dynamic QiDao community and increase decentralized stablecoin volume on other L2’s and sidechains. Despite these benefits, we should remember that MAI is still a relatively young token with a low market cap and brings a certain measure of risk.
Does the asset meet minimum requirements?
Is it possible for a single entity to rug the user base?
No. There is a 3/5 multisig in place. However, the administrative roles seem to be overly permissive. It would be good to see a decentralization roadmap from the team, with details on how to phase out and replace the multisig solution.
If the team vanishes, can the project continue?
Yes. The QiDao community seems assertive, educated, and energized to maintain the project. However, if the multisig issue is not fixed (see the previous point) and core developers leave the project, it is unclear how the project will continue.
Do audits reveal any concerning signs?
No. The audits have so far not revealed any material risks. Nevertheless, when the full audit from OpenZeppelin is released, we will be in a position to update this assessment.
Recommendation: We recommend that QiDao should be approved for a gauge.