Asset Risk Assessment: Reserve Protocol (eUSD)
A look into the protocol for custom stablecoin deployment and relevant risks to Curve LPs
This research was spearheaded by @paulapivat.
Useful Links
Protocol Website
Docs
Important contracts / eUSD Access Control
Relation to Curve
Reserve has three RTokens in Curve pools with proposed or enacted gauges: eUSD, hyUSD, and ETH+. A proposal to add the eUSD+FraxBP Curve pool to the gauge controller was posted on March 6th, 2023. A second gauge was proposed for the hyUSD+eUSD pool on May 16th. Both proposals passed a DAO vote on March 13th and May 31st. Most recently, a gauge proposal was posted for a third RToken pool for the ETH+/ETH pool.
This article aims to provide information relevant for Curve LPs about Reserve Protocol and the mechanics behind RTokens, with a particular focus on its flagship stablecoin eUSD (Electronic Dollar). To unpack eUSD, we’ll start with an overview of MobileCoin, a protocol for confidential tokens that enables payment on mobile devices. We then introduce Reserve Protocol, a DeFi platform built on Ethereum that enables the permissionless creation of stablecoins. Finally, we will cover relevant risk parameters for the benefit of LPs exposed to eUSD.
Much of the information in this report is applicable to the hyUSD and ETH+ RTokens, but for the sake of clarity, this report will focus primarily on eUSD.
MobileCoin Introduction
MobileCoin is a directed acrylic graph (DAG) cryptocurrency blockchain based on the Stellar Consensus Protocol and Monero. It was launched in 2017 with the objective to develop a high-throughput, private, and easy-to-use cryptocurrency that could be integrated into mobile apps like WhatsApp or Signal. Because of its focus on privacy, earlier technical developments from 2021 focused on cryptographic concepts like ring signatures and secure enclaves.
eUSD from Conception to Deployment
In 2022, MobileCoin released the white paper for Electronic Dollars (eUSD). It would be the first asset to natively use MobileCoin’s confidential tokens functionality, making it the first private digital dollar and circumventing the need to use mixers as has been done on Ethereum and Bitcoin.
eUSD was deployed as a partnership between MobileCoin and Reserve Protocol to both Ethereum and MobileCoin on February 24th, 2023, along with a KYC/AML-permissioned bridge. The architecture combines the high-security assurances and DeFi composability of Ethereum with the low-fee and privacy features of MobileCoin. Ethereum secures eUSD's basket of collateral types where core protocol mechanics are governed by a DAO. eUSD can then be bridged to MobileCoin where it can scale as a medium of exchange by being an accessible payments platform optimized for mobile devices.
eUSD Bridge
The process for wrapping and unwrapping eUSD between MobileCoin and Ethereum involves a bridge managed by Reserve Protocol using elliptic-curve signatures co-signed by pre-approved liquidity providers. There is a 1:1 relationship between wrapped eUSD tokens on the MobileCoin blockchain and eUSD ERC20 tokens stored in a Gnosis Safe multisig on Ethereum. Minting and burning of wrapped eUSD is verifiable on the MobileCoin blockchain, while correspondent deposits and withdrawals from the custodian multisig are verifiable on the Ethereum chain.
While eUSD is intended to be a private digital dollar on the MobileCoin network, its architecture includes a manual, permissioned bridge with core protocol functionality taking place on Ethereum. A primary signer (Reserve) co-signs verified transactions for locking/unlocking and minting/burning on either side of the bridge between MobileCoin and Ethereum. A visual diagram of the process is provided below:
With that context, the next section will introduce the Reserve Protocol and protocol mechanics for eUSD on Ethereum.
Reserve Protocol Introduction
The Reserve Protocol is a DeFi platform that allows the permissionless creation of assets (called "RTokens") backed by a user-defined basket of ERC20 tokens. Once deployed, anyone can mint the RToken by depositing the specified proportion of all basket assets, and likewise redeemed for a proportional share of the basket assets. RTokens are mintable/redeemable for the ERC20 collateral basket at all times, so long as the Reserve Protocol is fully collateralized. Holders of the Reserve Rights (RSR) governance token are incentivized with yield earnings to stake in various RTokens to provide additional overcollateralization of the RToken backing.
Newly deployed RTokens can theoretically be pegged to any unit, with existing RTokens being denominated in US Dollars (e.g. eUSD) and Ether (e.g. ETH+). The highest market cap RToken as of June 4th is eUSD (~$17MM), followed by hyUSD (~$540K) and ETH+ (~$500K).
History of Reserve
The Reserve Protocol’s original white paper was released in 2018. Much of the protocol implementation first described in the original paper still exists today, including the OG native stablecoin Reserve Dollar (RSV) and the Reserve Rights governance token (RSR).
Changes that led to its current iteration of Reserve Protocol involve the following:
The Reserve Dollar (RSV) was primarily used in the Reserve Mobile App
Reserve felt that RSV was too centralized and would need to be superseded by decentralized RTokens.
The reasoning given by the Reserve team: "Centralization of control and liability. It doesn’t make sense economically for any party to take on liability of depegs of underlying. Generally, the economics & incentives didn’t seem scalable. But by leveraging yield bearing collateral and allowing governors to direct yield to various parties, it seems like it has best chance at scaling and lasting into future."
The Reserve Protocol has evolved into a platform to enable the permissionless creation and governance of many stablecoins (called “RTokens”).
The Reserve Rights (RSR) token facilitates the stability of all RTokens created on the platform.
RSR is not used to overcollateralize RSV, and it has mostly been deprecated in favor of the upgraded RToken platform.
RToken Collateral
Reserve Protocol incentivizes RSR staking (and therefore accelerated adoption of the RToken) by generating revenue from the yield-bearing collateral basket. RTokens are typically backed by interest-earning receipt tokens, such as deposits in lending protocols like Aave and Compound. Available collateral tokens are included in the AssetRegistry. There are limitations to what can serve as collateral including non-compatible ERC20 assets like:
Rebasing tokens
Tokens that take a fee on transfer
Tokens that do not expose the decimals() in their interface
ERC777 tokens which could allow reentrancy attacks
Tokens with multiple addresses
Tokens that do not adhere to the ERC20 standard in general
Tokens with any of these limitations will need to be wrapped into a compatible ERC20 to qualify as collateral assets. For example, eUSD uses wrapped Aave deposits (saTokens) rather than the standard aToken to prevent rebasing.
In addition to the basket of ERC20 tokens that back each RToken 1:1, the protocol enables overcollateralization by allowing its native token RSR (Reserve Rights) to be staked on any RToken. RSR holders may choose to stake to earn a share of yield generated by the collateral basket, a configurable parameter specific to each RToken. Staked RSR (stRSR) can be slashed in case of collateral default, as reported by onchain price feeds that do not rely on governance or human decision-making. Unstaking involves a cool-down time between 7 and 30 days, during which the protocol retains the right to seize the RSR in the event of default.
An overview of the collateral baskets for eUSD, hyUSD, and ETH+ is shown below, along with the revenue split between RToken holders and RSR stakers:
Since RTokens generate yield by lending their collateral assets and governance can direct a portion of revenue to RSR stakers, RTokens that generate and share revenue are the ones likely to attract stakers and be protected by overcollateralization, as opposed to RToken governance that choose not to direct revenue to RSR stakers. Aside from being the first RToken on the Reserve Protocol (not counting its native RSV), eUSD allocates 100% of its revenue to RSR stakers. This likely contributes to its considerably larger market cap compared to other RTokens.
Revenue for RToken Holders and RSR Stakers
(Note: Links in this section use eUSD contracts as an example, as it is the predominant RToken and the main focus of this report)
The basic process for sharing revenue begins with the Backing Manager contract where collateral assets are managed. When the yield-bearing basket increases in value relative to the outstanding RToken supply, the Backing Manager will either mint new RToken or trade profits from its backing for RToken or RSR through the RToken Trader/RSR Trader contract. Revenue shared with RToken holders is sent to the Furnace contract where it gradually burns the RToken, increasing the redemption value. Revenue shared with RSR stakers is sent to the stRSR pool where it is slowly distributed as rewards to increase the stRSR/RSR value.
Note that it is also possible to share revenue additionally with an arbitrary address, such as to compensate the token deployer. For example, hyUSD makes a 3% allocation to the hyUSD treasury, which they provide an explanation for in their Reserve proposal.
The following flowchart shows revenue distribution to RToken holders and RSR stakers with a theoretical 40/60 revenue split.
Stakers earn rewards based on three factors:
Amount of revenue the RToken generates
Portion of revenue governance directed to stakers
Proportion of total stake an individual has on the RToken
For eUSD, 100% of the revenue earned is directed to eusdRSR stakers.
stRSR to Overcollateralize eUSD
eusdRSR stakers provide overcollateralization to eUSD and are subject to seizure in case the collateral backing for eUSD defaults. For example, during USDC’s depegging in March 2023, eUSD required emergency action. Since it is 50% backed by USDC (approx 25% saUSDC, 25% cUSDC), the protocol had to sell off its backing for emergency collateral (USDT). Through the process, eusdRSR stakers helped re-collateralize eUSD in defense of its peg.
In this instance, eusdRSR stakers provided overcollateralization for eUSD as the USDC portion of the backing collateral defaulted. The general process of recapitalizing any RToken is shown below:
Unstaking eusdRSR requires a 2-week delay as specified by governance. This is necessary to prevent self-interested actors from frontrunning an impending default event and provide additional assurances to anyone with eUSD exposure. During the delay, the staker does not earn rewards to prevent stakers from misusing the staking mechanic by repeatedly unstaking and re-staking into the contract.
eUSD Basket Rebalancing
The capitalization and backing of eUSD can be characterized by two distinct states:
Fully collateralized: the Backing Manager contract holds the right balance of the collateral tokens to offer 100% redeemability.
Fully funded: there is the right amount of value, but not necessarily the right amount of collateral to offer 100% redeemability.
While the Reserve Protocol aims to be fully collateralized at all times, it won’t always be. For example, if governance decides to change the collateral basket or, in cases of market volatility (see USDC depeg scenario above), emergency collateral has to be swapped in as the defaulting collateral is auctioned off. eUSD may be fully funded (the right amount of value), but not be fully collateralized (the right amount of collateral tokens). When not fully collateralized, the protocol will attempt to sell off the excess asset until the system is either fully collateralized or RSR is required to recapitalize the system.
Rebalancing during normal operations and recapitalizing during emergencies are conducted through Gnosis Auctions. The protocol uses a Gnosis Trade contract to trade against the Gnosis EasyAuction mechanism. Governance can set the auction length that strikes a balance between allowing time for arbitrage and swiftly executing trades. The default value is 15 minutes per auction.
RToken Governance
Governance is conducted by eusdRSR holders, so there is an incentive alignment to keep eUSD safe from unnecessary risk, as their funds are literally at stake.
All RTokens launched on Reserve Protocol are governed separately by their respective communities with governance parameters codified upon RToken deployment. For example, eUSD (Electronic Dollars) will make governance choices independent of other RTokens like RSV (Reserve Protocol’s native stablecoin), ETH+ (an Ethereum-aligned Liquid Staking Token basket), or hyUSD (a decentralized flatcoin that provides access to DeFi yields which also recently received a Curve gauge).
Reserve Protocol has a modified version of the OpenZeppelin Governor called Governor Alexios which is suggested to RToken deployers by default. However, deployers are able to specify governance parameters as they see fit, from single EOA governance to any arbitrary DAO structure. Governor Alexios allows RSR holders to propose, vote and execute proposals. RSR holders can also delegate their voting power to other addresses.
Governor Alexios is the governance contract implemented by all RTokens relevant to Curve (eUSD, hyUSD, and ETH+). For example, eUSD's governable parameters are viewable here and are configurable by eusdRSR stakers (RSR stakers on the eUSD RToken):
Proposal threshold (0.01%)
Quorum (15%)
Voting Snapshot Delay (2 days, 14,400 blocks)
Voting Period (3 days, 21,600 blocks)
Execution delay (3 days)
Governance contracts significant for eUSD operation include:
The Governor Alexios contract, a modified version of OpenZeppelin Governor, allows eusdRSR holders to propose, vote and execute proposals. The TimelockController mediates this process by introducing a timelock once a proposal is approved, adding a delay between approval and execution, and giving RToken holders time to react. The process of approval to execution is 8 days for eUSD (i.e., voting snapshot delay: 2 days, voting period: 3 days, execution delay: 3 days).
Governance Params: eUSD Collateral Basket
In addition to providing overcollateralization, governance will also define the basket backing eUSD, as well as a list of emergency collateral.
Here is the configuration of ERC20 tokens that serve as collateral as proposed and voted by eusdRSR holders:
Static Aave Interest Bearing USDC (saUSDC) (25%)
Static Aave Interest Bearing USDT (saUSDT) (25%)
Compound USD Coin (cUSDC) (25%)
Compound USDT (cUSDT) (25%)
Source contract: Basket Handler
The Prime Basket defines the collateral needed to be deposited for issuance and it consists of an array of triples: <collateral token, target unit, target amount>. The logic is contained in the basket handler contract. For example, the interest-bearing Aave USDC token (saUSDC) is represented in the array as <saUSDC, USD, 0.25> (see also bytes32 serialization for USD). In the case where the prime basket is updated by governance due to collateral defaults, the protocol will determine a new reference basket and make changes to the collateral makeup. Finally, the ordered list of pre-defined emergency collateral consists of pure stablecoins including USDC, USDT, USDP, TUSD, and DAI.
eusdRSR stakers are in charge of registering, unregistering, and swapping ERC20 assets as either collateral or revenue assets. This is achieved through governance to interact with the Asset Registry contract, with the following functions:
Register: Add assets to Asset Registry
swapRegistered: Allows to modify/update details and functionality of the previously registered asset
Unregister: Removes asset from Asset Registry
With eUSD’s prime basket of collateral defined, anyone can deposit the required collateral tokens (i.e., saUSDC, saUSDT, cUSDC, cUSDT) to issue eUSD and conversely, burn eUSD to redeem the collateral tokens.
Advanced RToken parameters
There are a multitude of other RToken parameters as set in the Backing Manager that regulate mint/redeem action including:
Trading delays(s) define how many seconds should pass after the basket has been changed before a trade can be opened. For eUSD, this is set by the Backing Manager contract to 2 hours or 7,200 seconds
Backing buffer (%) as collateral tokens appreciate, eUSD can be minted whenever the correct ratio of collateral tokens is gathered, providing revenue capture. Collateral tokens get sent to the Revenue Trader contract to mint additional eUSD that can be used as yield for eusdRSR stakers. This is currently set to 0.01%
Max trade slippage (%) is the maximum deviation from oracle prices that any trade the protocol can clear. Maximum trade slippage permits additional price movement beyond worst-case oracle pricing. The setting for eUSD is 1%
Minimum trade volume represents the smallest amount of value worth executing a trade for; eUSD minimum trade volume is set to $1,000
RToken Maximum trade volume is the maximum sized eUSD trade allowable for Reserve Protocol operations (e.g. trading through Auctions), currently set to 1e29
Auction Length(s) is determined by the Broker contract and sets how long auctions stay open. If set too low, arbitrageurs won’t have enough time to complete arbitrage loops; if set too high, fewer auctions will fill due to volatility risk. Currently, this is set to 900 seconds (15 minutes) for eUSD
Stablecoin Peg Mechanisms
eUSD is designed to trade at $1.00 reflecting the market value of the entire collateral basket while 100% of revenue from earned interest is directed by governance to go towards eusdRSR stakers. Any deviation from $1.00 is designed to get arbitraged toward the reference price.
This will happen through issuance and redemption mechanisms. The eUSD RToken contract has specific functions to regulate the process of issuance and redemption. Issuance throttle limits how much eUSD can be issued, to limit value extraction in case of an exploit. After a large issuance, the issuance limit ‘recharges’ to the defined maximum. The redemption throttle works similarly where the protocol tries to ensure the net percentage redemption of outstanding eUSD never exceeds an hourly limit. The specific parameters for eUSD are as follows:
Issuance throttle: 1,000,000 eUSD maximum amount per hour
Issuance throttle rate: at 2.5% of eUSD supply
Redemption throttle: 1,500,000 eUSD maximum amount per hour
Redemption throttle rate: 5.0% of eUSD supply
The following section provides case scenarios for when eUSD deviates from peg:
Scenario 1: eUSD trading below peg
Assume that eUSD is currently trading at $0.95 cents. An arbitrageur notices the price difference and decides to buy eUSD at the discounted price. The vast majority of liquidity for eUSD is in the eUSD/FraxBP Curve pool, so eUSD is most likely to be sourced there.
After buying eUSD, the arbitrageur would then redeem it for the basket of collateral tokens backing its peg (see Prime basket). The redemption throttle limits the maximum amount that can be redeemed to 1,500,000 eUSD or 5% of the supply in a given hour. If the redemption throttle/throttle rate has been triggered, the arb may revert for up to an hour until the throttle becomes inactive (This is an unlikely scenario meant to mitigate losses during a potential exploit).
The arb would redeem a proportional share of the eUSD basket ie. $0.25 saUSDC, $0.25 saUSDT, $0.25 cUSDC, $0.25 cUSDT per 1 eUSD redeemed. This would net the arb a 5% profit - exchange fees and gas cost.
Overall, arbitragers would help eUSD regain its peg by buying the stablecoin at a discount, redeeming it for the underlying collateral, and thereby reducing the supply of eUSD in circulation until its price returns to the peg.
Scenario 2: eUSD trading above peg
If eUSD is trading above peg at $1.05 cents, arbitragers would take advantage of this price discrepancy by minting new eUSD and selling on the market (likely into the Curve eUSD/FraxBP pool) until regaining the peg value of $1.00 USD.
Arbitragers would first attain the underlying eUSD collateral tokens by swapping and wrapping them to the correct proportion of the basket. They would then deposit these collateral tokens to mint eUSD at the 1:1 peg value. The arbitragers would then sell the eUSD back on the market as long as it is trading above peg.
Token Distribution
As of June 7th, five entities account for 99% of eUSD supply on Ethereum:
~6,100,000 eUSD in eUSD/FraxBP Curve pool
5,990,000 eUSD in a 2-of-4 Multisig
This is the multisig of funds held on the RPay app. One of the signers is also on Reserve’s Slow Wallet Multisig.
~5,400,000 eUSD in an EOA that appears to do arbitrage operations.
510,002 eUSD in a 2-of-2 multisig
This multisig is verifiable as the MobileCoin bridge multisig managed by Reserve (There is a correspondent 510,002 eUSD on MobileCoin). This 2-of-2 multisig is itself controlled by 2 additional multisigs. These two additional multisigs are held by a 1-of-3 and 2-of-3 multisigs themselves.
~500,000 eUSD in eUSD/hyUSD Curve pool
Market
Electronic Dollars (eUSD) trading is currently limited to decentralized exchanges. Coingecko lists the DEX 4swap with trading pairs eUSD/USDC and eUSD/MOB, although liquidity there is very low. Onchain data suggests most of the trading activity is on Curve within the eUSD/FraxBP pool consisting of eUSD, FRAX, and USDC.
The swap pairs have shown up in different pair patterns on DEXes as depicted here:
The date and amount traded between the pairs can be queried in the table below:
eUSD only recently had its first transaction on Ethereum as of February 23, 2023, the starting date from which we can check Coingecko for its price stability. For the most part, eUSD has maintained its peg during its short history, with the exception of March 11th, when USDC depegged bringing nearly all stablecoins in DeFi off their respective peg. Fortunately, eusdRSR stakers were able to help eUSD regain peg as emergency collateral (USDT) was swapped in.
Since the first time eUSD was minted for its underlying collateral basket (saUSDC, saUSDT, cUSDC, cUSDC) on February 23, 2023, eUSD supply has expanded to $18.6MM by June 7th. A notable uptick in total supply occurred on March 23, 2023 after the passing of the Curve gauge vote.
The following chart shows RSR that has been staked on eUSD as eusdRSR over time. We see the largest spike in staked eusdRSR on March 23rd, following the addition of the Curve gauge.
For other additional charts showing the state of Electronic Dollars, we have created a Dune Dashboard.
Risk Vectors
Smart Contract Risk
Trail of Bits submitted a security assessment on August 11, 2022. The audit found five high, two medium, three low severity, and five informational issues. The high-severity issues are summarized in the table below. The team has taken action to mitigate the severity around Access Control (see Centralization Risk), but it is unclear how the other four high-severity issues were addressed.
High-severity issues found:
Lack of a two-step process for contract ownership changes
All auction initiation attempts may fail (see EasyAuction contract)
All attempts to initiate an auction of defaulted collateral tokens will fail (affects Recapitalization strategy and Backing Manager contract)
An RSR seizure could leave the stRSR contract unusable
The system owner has excessive privileges. The owner of the Main contract has excessive privileges (see next section for mitigation actions).
A Code4Arena audit was conducted in April 2023 and two high and twenty-seven medium severity issues were found. The status of the two high-severity issues is provided here:
Adversaries can abuse a quirk of Compound redemption to manipulate the underlying exchange rate and maliciously disable cToken collaterals. | Mitigation confirmed
The basket range formula is inefficient, leading to unnecessary haircuts for the protocol. | Not fully mitigated.
Ackee Blockchain also provided an audited report to the Reserve Protocol on October 7, 2022 finding three medium issues and six warnings. The issues have either been acknowledged or fixed.
The Reserve Protocol has been audited by Solidified as of January 4, 2022. There were no critical, major, or minor issues found. The one issue around missing input address validation had been resolved. While code complexity was at a medium level, code readability, documentation, and test coverage were all high.
Halborn also conducted a Smart Contract Security Audit from August 28th, 2022 - October 10th, 2022, and did not find any critical flaws in the protocol. Any security risks found were mostly addressed by the Reserve team.
Finally, there is an ongoing bug bounty program by Immunefi that has been live since April 27, 2023. The bounty program is offering $100,000 to a staggering $5,000,000 for disclosure of critical bugs.
In summary, the Reserve Protocol team has undergone several rounds of audits. Two of the auditors found several high-severity issues. It is recommended the team takes steps to publicly report their progress in addressing these issues.
Editorial note (June 14,2023): The Reserve team have clarified that all high severity issues referenced above have been resolved in the current mainnet deployment (2.1.0). They provided references for all resolved issues below:
TOB Audit
Lack of a two-step process for contract ownership changes
Mitigation: OwnableUpgradeable removed in favor of AccessControlUpgradeable
All auction initiation attempts may fail (see EasyAuction contract)
All attempts to initiate an auction of defaulted collateral tokens will fail (affects Recapitalization strategy and Backing Manager contract)
An RSR seizure could leave the stRSR contract unusable
The system owner has excessive privileges. The owner of the Main contract has excessive privileges (see next section for mitigation actions).
Mitigated, as detailed in this report
C4 Audit
Adversaries can abuse a quirk of Compound redemption to manipulate the underlying exchange rate and maliciously disable cToken collaterals.
The basket range formula is inefficient, leading to unnecessary haircuts for the protocol.
Centralization Risk
The Main contract is central to the functioning of eUSD. The Main contract is linked to other contracts essential to various protocol operations including Asset Registry, Backing Manager, Basket Handler, eUSD, eusdRSR, Broker, Furnace, Distributor, RToken Trader, and RSR Trader (see Access Control sheet).
The Owner role (add/remove permissions, change parameters, upgrade contracts) in eUSD is given to the Governor Alexios contract. This is a DAO module that gives eusdRSR stakers governance rights over the system. However, each RToken has a unique governance configuration, so each must be considered in isolation. Users should not assume that because eUSD has taken precautionary measures against centralization risk that another RToken will have the same assurances.
In an attempt to balance decentralization with precautionary levers, the eUSD team has assigned two entities (Alexios Governor and a 2-of-3 Multisig) permission over TimelockController, which is the timelock that governs the Main contract. Alexios Governor has the TIMELOCK_ADMIN_ROLE and the multisig has the CANCELLER_ROLE. This allows the multisig to revert a potentially malicious governance action.
Access Control
Reserve Protocol uses Role Based Access Control (RBAC) to mitigate potential centralization risk. These are core system states and roles in Reserve Protocol’s RToken governance system.
Owner: The top-level role that can grant/revoke roles to any address, pause/unpause the system, freeze/unfreeze the system, set governance parameters, and upgrade smart contracts.
RToken Pauser: can pause and unpause an RToken’s (i.e., eUSD) system in case of an emergency such as a Chainlink feed failing. There can be multiple Pausers. Pausing means RToken issuance, un-staking RSR, withdrawing RSR, trading, and RToken melting are disabled
Short Freeze: can freeze an RToken’s system for three days, generally assigned to an entity that can spot bugs and react swiftly. There is some tolerance for false positives, though less than the Pauser role. There can be multiple Short Freezers, as is the case with eUSD, as well as robot-controlled entities.
Long Freeze: can freeze an RToken’s system for one week. This role is allocated more conservatively to avoid false positives. There are fewer Long Freezers, with TimelockController being one of two for eUSD.
There are certain contracts that have ownership and/or permissions over Main. Critical ownership privileges are granted to the TimelockController contract for the Governor Alexios contract and additional roles are spread out to two EOAs and two multisig wallets.
Pausers that can emergency pause eUSD: 1-of-3 msig, Timelock contract, EOA1, EOA2, EOA3
Short Freezers that can temporarily freeze eUSD for 3 days: Timelock contract, 1-of-3 msig, EOA1, EOA2, EOA3
Long Freezers that can temporarily freeze eUSD for a week: Timelock contract, 2-of-3 msig
Although Governor Alexios allows eusdRSR holders to directly participate in governance, there are privileges granted to the 2-of-3 Multisig that shares power over the TimelockController (see: Access Control). We were unable to find documentation on this address, although the Reserve team clarified to us that the multisig comprises members of the Reserve and Mobilecoin team, and its authority is limited to preventing malicious governance proposals. The role of this address should be clearly described in the documentation if not done so already.
It is the opinion of this author that the Reserve Protocol team has taken steps to address this potential centralization risk by distributing limited permissions over Main with RToken_Pauser, Short_Freeze, and Long_Freeze roles to four EOAs and two multisig natures wallets as depicted in our Access Control sheet. While certain addresses have significant privileges for protocol operations and governance, the system has been designed to mitigate potential centralization risk with a diversity of non-overlapping EOAs and multisig wallets. Should any of the multisig signers disappear, there is a sufficient distribution of permissions such that the protocol could continue functioning.
Collateral Risk
The Electronic Dollar (eUSD) is 100% backed by a basket of yield-bearing stablecoins during normal operation (cUSDC, cUSDT, saUSDC, saUSDT) with emergency collateral of pure stablecoins (USDC, USDT, USDP, TUSD, DAI) that can be exchanged for prime basket assets in times of emergency. Additionally, eUSD is overcollateralized with staked RSR (eusdRSR). As of this writing, the eUSD supply is 20% overcollateralized with RSR.
Although eUSD backing is entirely made up of stable assets, certain circumstances can cause insolvency, necessitating the use of RSR to recapitalize the outstanding supply. This has indeed happened once in eUSD's short history, during the USDC depeg on March 10th, 2023. Reserve was fortunate that this black swan event occurred before the introduction of Curve gauge incentives and a consequent supply expansion. The total market cap of eUSD was only ~1,000,000 at the time, and the shortfall required $32,000 worth of RSR to recapitalize.
The recapitalization process involved three steps:
Tx | Call manageTokensSortedOrder() to the Backing Manager. This is the contract that handles the eUSD collateral basket. It transfers 7,997,787 RSR from the stRSR contract, socializing losses to RSR stakers. Funds are transferred to the Gnosis Trader contract that handles auctions with Gnosis EasyAuction.
Tx | The highest bid for the 7,997,787 RSR is made for 32,400 USDT.
Tx | settleTrade() is called to the Backing Manager, claiming the 32,400 USDT to the Backing Manager.
Interestingly, the address that placed the bid for RSR back in March 22nd has not claimed the funds and they still reside in the EasyAuction contract. This suggests perhaps that this was an internal bailout by either a team member or Reserve investor not necessarily motivated by profit opportunity from the action.
The event serves to demonstrate the performance of the recapitalization mechanic in prod and highlight possible issues that may arise during a larger-scale event. The system may be too slow to react in transitioning to emergency collateral, and in the case of temporary depegs, may result in unnecessary losses by triggering changes to the basket at the most inopportune times. The auction process may be too slow during times of high volatility and network congestion, which are times when recapitalization is most likely to become necessary. Market participants may front-run an expected recapitalization event, making it more difficult to raise necessary funding from RSR.
It is unclear whether RSR can scale as overcollateralization protection as the eUSD market cap expands. RSR has a relatively thin market, with only $1.3MM in the RSR/FraxBP pool. Furthermore, a major event that slashes RSR stakers may deteriorate community morale to the point that all RTokens face difficulty in recovering and attracting stakers in the future. The protocol mechanic is certainly a comforting feature, but the effectiveness at scale remains to be seen.
As an additional point, as identified in the audit report from Code4Arena, there is a quirk in Compound that could maliciously disable cToken collaterals in eUSD (currently: cUSDC and cUSDT). There is always compounded collateral risk when making use of yield-bearing assets by introducing exposure to external protocols like Compound and Aave.
Governance can change the basket of assets backing eUSD, which can expose users to risk from the protocol shifting the allocation and potentially becoming undercollateralized. Users furthermore must remain aware of changes to the backing based on governance decisions to make informed decisions on their risk appetite.
Oracle Risk
The oracle is significant because it informs the system of collateral default, which will cause the system to sell collateral for emergency collateral alternatives or rebalance the collateral backing.
The Reserve Protocol uses only Chainlink price feeds with no apparent backup. The Backing Manager contract has maxTradeSlippage, setting maximum deviation from oracle prices that a trade can clear at. Moreover, the protocol has pause, short freeze, and long freeze functions to mitigate any extensive oracle failure situation.
LlamaRisk Gauge Criteria
Centralization Factors
Is it possible for a single entity to rug its users?
No. eUSD has put a DAO contract (Governor Alexios) governed by eUSD stakers as the central governing entity. There is additionally a diverse set of EOAs and multisigs that share precautionary permissions over the protocol (e.g. Pauser role). Users should be aware, however, that every RToken can establish its own governance, which could offer a different level of user assurances.
If the team vanishes, can the project continue?
Yes. The Reserve Protocol platform is designed such that anyone can permissionlessly create a new RToken through a system of factory smart contracts. The Electronic Dollars (eUSD) project is permissionlessly governed by eusdRSR stakers who can change parameters, assign any necessary roles, and upgrade contracts for eUSD.
Economic Factors
Does the project's viability depend on additional incentives?
No. The project is currently viable without incentives, but a deeper Curve pool that combines eUSD with other stablecoins could further strengthen its peg.
If demand falls to 0 tomorrow, can all users be made whole?
Yes. eUSD is currently sufficiently overcollateralized such that users can be made whole if demand fell to 0. The process of redemption is permissionless, including unwrapping the underlying collateral tokens (Aave and Compound deposits).
Security Factors
Do audits reveal any concerning signs?
Audits revealed a number of high-severity issues, but Reserve appears to place a high priority on security. They have undergone multiple audits and have an active bug bounty program with a maximum $5MM payout. Although the code and protocol design is fairly complex, the team has made efforts to ensure high readability and clarity in their documentation and test coverage.
Risk Team Recommendation
Reserve Protocol has built a unique system for permissionlessly deploying a stablecoin that allows a high degree of customization in terms of governance approach and risk profile. Of the three RTokens present on Curve (eUSD, hyUSD, and ETH+), eUSD is clearly the flagship product with the highest market cap and longest history. Each RToken must be evaluated independently, given the unique properties that can be assigned to each token.
In terms of centralization, Reserve has taken care to eliminate central points of failure wherever possible. eUSD governance is secured by a DAO of eusdRSR stakers, and access controls are carefully shared between multisigs and EOAs that balance fast response times with system security. Core features such as recapitalization after a shortfall event have an algorithmic process to determine the shortfall and conduct the recapitalization process. There has even been an instance when USDC depegged and this functionality was tested in prod on a relatively small scale. Given the complexity of the processes involved, it remains to be seen how the system and its community are able to handle a large-scale shortfall event.
Reserve has done a great job, given the short history of this iteration of Reserve Protocol, to create a transparent system with good documentation and plenty of smart contract audits. It is, however, a unique system design with a great deal of complexity, and Reserve should be diligent in further explaining the mechanics of the system to its users in detail. For the part of users and anyone with exposure to RTokens, be sure to review the parameters (of which there are many), the governance, and the collateral basket to ensure the token represents an acceptable risk. Overall, we believe eUSD has taken satisfactory measures and meets our requirements for a Curve gauge.