Oct 7, 2024
This is an archive of our post on the Aave governance forum. Read the full thread here.
Summary
LlamaRisk recommends onboarding cdcETH to a new instance with ETH-Correlated eMode enabled, conditional on establishing a bug bounty program. Significant liquidity, access control, dependency, and governance risks nonetheless remain specific to cdcETH, namely:
Circulating supply on mainnet is limited and largely controlled by Crypto.com addresses, especially DEX LP positions.
Many critical contract parameters, including blacklist, ownership change, and, most severely, the Oracle source, can be upgraded without timelock by an alleged MPC wallet (which cannot be verified due to off-chain computation).
The asset relies entirely on Crypto.com’s selection of staking providers, with no governance structure or transparency in the custody and provider selection process.
With that being said, the dedicated instance structure of this proposal and Crypto.com’s strong track record mitigate these risks to the point that we feel comfortable recommending onboarding, pending parameter alignment with @ChaosLabs and creating a bug bounty.
1. Asset Fundamental Characteristics
1.1 Asset
cdcETH is a liquid staking token issued by a leading centralized exchange, Crypto.com. It has 2,000 ETH on mainnet staked through its solution, with another 34,000 on Cronos Chain. The asset was deployed on mainnet 270 days ago, and mainnet ownership is highly concentrated, with over 50% held directly by Crypto.com itself. On Cronos Chain, it was deployed over 300 days ago. It is a non-rebasing token earning up to 3.06% yield. There is no DAO; staking is handled by Crypto.com.
Limited information is available about this asset aside from a whitepaper, an FAQ, and a portal.
Aave has already onboarded many liquid staking tokens, meaning that onboarding another of this asset class presents limited incremental fundamental asset risk.
1.2 Architecture
Source: LlamaRisk
Users can stake ETH by using the custodial Crypto.com App. They first send ETH to the exchange’s address and then stake it. They will receive an amount of cdcETH based on an exchange rate (since it is non-rebasing), which they are free to use.
Should they wish to unstake, they may either unstake instantly (at the exchange rate) or wait in the withdrawal queue to unstake for the underlying value.
Limited information about the custody, staking organization, or operational infrastructure is available. The whitepaper mentions that ETH is staked with industry-grade validators that meet internal security assessments and have enjoyed 99.9% uptime with no slashing. However, given that collateral is held in permissioned addresses, this solution presents significant centralization and custody risks that warrant careful consideration.
1.3 Tokenomics
As a liquid staking token, there are few tokenomic structures to mention. It is a non-rebasing token whose supply reflects the amount of ETH staked into it. The cdcETH contract uses a redemption rate calculated as the ratio of ETH staked in the protocol to cdcETH tokens issued. This simple calculation means tokenomic risk is low.
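As an added illustration of the non-rebasing mechanism described above (example code written for this archive, not Crypto.com's contract, whose internals are not public), the following minimal share model tracks ETH staked against liquid tokens issued and derives the redemption rate from their ratio. The class and function names, the 1e18 fixed-point scale, and the amounts in the demo are all assumptions; rewards raise the rate without touching balances, while a slashing loss lowers it for every holder.

```python
# Added example: minimal non-rebasing liquid staking share accounting.
# Not Crypto.com's cdcETH contract; names, scale and amounts are assumptions.

WAD = 10**18  # fixed-point scale: 1e18 == 1.0


class NonRebasingStakingPool:
    """Tracks ETH backing vs. liquid tokens issued; the redemption rate is their ratio."""

    def __init__(self) -> None:
        self.total_staked_wei = 0  # ETH backing the liquid token (principal + rewards)
        self.total_supply_wei = 0  # liquid tokens issued (the non-rebasing balance)

    def redemption_rate_wad(self) -> int:
        # ETH per liquid token, 1e18-scaled; 1:1 before anything has been staked.
        if self.total_supply_wei == 0:
            return WAD
        return self.total_staked_wei * WAD // self.total_supply_wei

    def stake(self, eth_wei: int) -> int:
        # Mint tokens at the current rate, rounding down in favour of the pool.
        minted = eth_wei * WAD // self.redemption_rate_wad()
        self.total_staked_wei += eth_wei
        self.total_supply_wei += minted
        return minted

    def unstake(self, token_wei: int) -> int:
        # Burn tokens and pay out ETH at the current rate, again rounding down.
        if token_wei > self.total_supply_wei:
            raise ValueError("burn exceeds supply")
        eth_out = token_wei * self.redemption_rate_wad() // WAD
        self.total_supply_wei -= token_wei
        self.total_staked_wei -= eth_out
        return eth_out

    def accrue_rewards(self, reward_wei: int) -> None:
        # Validator rewards raise the backing without minting tokens: the rate
        # rises and every holder's token balance stays exactly the same.
        self.total_staked_wei += reward_wei

    def apply_slashing(self, loss_wei: int) -> None:
        # A slashing loss lowers the backing, so the rate falls for all holders.
        if loss_wei > self.total_staked_wei:
            raise ValueError("loss exceeds backing")
        self.total_staked_wei -= loss_wei


def demo() -> dict:
    # Constructed scenario: two stakers around one reward accrual.
    pool = NonRebasingStakingPool()
    alice_tokens = pool.stake(1000 * WAD)  # 1000 ETH in at rate 1.00 -> 1000 tokens
    pool.accrue_rewards(30 * WAD)          # ~3% rewards: rate moves to 1.03
    bob_tokens = pool.stake(1030 * WAD)    # 1030 ETH in at rate 1.03 -> 1000 tokens
    rate = pool.redemption_rate_wad()
    alice_eth = pool.unstake(alice_tokens)  # Alice redeems 1000 tokens -> 1030 ETH
    return {
        "alice_tokens": alice_tokens,
        "bob_tokens": bob_tokens,
        "rate_wad": rate,
        "alice_eth": alice_eth,
    }


if __name__ == "__main__":
    print(demo())
```

Rounding down on both mint and redeem means tiny dust always stays with the pool rather than being extracted by a staker; a real contract should also be checked for that direction of rounding.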
2. Market Risk
2.1 Liquidity
Source: 1inch Aggregator, 2nd October, 2024
Onchain Ethereum mainnet liquidity for this asset is limited. Although arbitrageurs may bridge cdcETH from Cronos Chain (where it is significantly more liquid), thin mainnet liquidity presents a risk for liquidations.
Liquidators may encounter significant friction due to the limited onchain liquidity of cdcETH. This constraint could necessitate the redemption of cdcETH for underlying ETH through the Crypto.com exchange, introducing a substantial operational hurdle. The exchange’s KYC requirements present an additional layer of complexity for liquidators, potentially impeding the efficiency of the liquidation process.
2.2 Volatility
Source: CoinGecko cdcETH, October 3rd, 2024
cdcETH is as volatile as would be expected for a liquid staking token. There have been no large sustained depeg events in its history.
2.3 Exchanges
cdcETH is available primarily via the Crypto.com App. The majority of onchain trades are made on the Uniswap V3 pool, though this has limited liquidity and few transactions are made, with only one trade in the past month.
2.4 Growth
Source: DeFiLlama, October 7th, 2024
cdcETH has seen a decrease in TVL on Cronos Chain in dollar terms since creation, after a strong initial jump to over $100M in market capitalization. On mainnet, supply has remained largely static.
3. Technological Risk
3.1 Smart Contract Risk
This contract was audited in 2024. A bug bounty still needs to be implemented. There is no public GitHub repository, though contracts are verified onchain. A private GitHub repository presents additional risk as it reduces code transparency. Nevertheless, the clean audit provides reassurance that smart contract risk is mitigated.
Their team indicates cdcETH will be added to their HackerOne program by the end of the week.
3.2 Price Feed Risk
Source: Example redemption ratio update via Etherscan, October 7th, 2024
An internal price feed reflecting the cdcETH to ETH redemption rate is documented. Its heartbeat is infrequent (days), but for an exchange rate, as opposed to the price of the volatile underlying asset, this is to be expected. It is an onchain mathematical calculation based on a redemption rate, so it is likely censorship resistant, making price feed risk relatively low.
It is worth noting, however, that price feeds for this asset are upgradeable, making price feed risk significant.
3.3 Dependency Risk
Since Crypto.com controls this, significant dependency risk is placed on their custody practices. One security incident is documented, in which user funds went missing. Nevertheless, this centralized exchange has operated a Proof of Reserve facility across many market cycles. It is one of the more reliable actors in the space. While dependency risk is significant, the entity with which the risk lies is responsible.
4. Counterparty Risk
4.1 Governance and Regulatory Risk
cdcETH has no governance. It is maintained entirely by Crypto.com. This puts governance risk at the highest level because no checks and balances are visible in this asset’s management.
cdcETH has significant terms and conditions accepted by users staking the product. Crypto.com, more generally speaking, is a highly regulated entity that complies with jurisdictional regulation across many of the strictest and most favorable regimes, ranging from the United States to Cyprus to Singapore. While it notably closed its United States institutional exchange due to low demand in 2023, it is the same market that, by Crypto.com's own account, led its recent volume resurgence, raising questions as to whether the stated reason was actually why their institutional offering left the United States. This indicates an entity that spends significant resources dealing with regulatory matters before they arise, meaning that regulatory risk is lowered in some way. This makes sense for a centralized exchange that custodies user funds, a more legally scrutinized activity.
After reviewing the terms and conditions of staking with Crypto.com, it is worth noting that section 7.2 limits liability to $100 per customer “FOR ANY LOSS OR DAMAGE ARISING IN CONNECTION WITH ON-CHAIN STAKING AND/OR LIQUID STAKING”. Other notable terms include:
Fee adjustments at will
Termination of access to staking at will
Unstaking of your assets at will
Ability to change these terms
While these do not inherently present risk to Aave DAO in their current form, as risk providers we should monitor them should any changes be made. Terms and conditions are a potential risk vector. While significant regulatory risk remains, a good effort has been made to clarify and mitigate it.
4.2 Access Control Risk
The asset in question presents substantial access control risk. The designated owner address possesses the following elevated permissions:
Updating the oracle
Blacklisting other addresses
Pausing contracts
Minting and burning tokens
Ownership transfers
Rescuing tokens sent to the contract address
This address is an alleged MPC wallet (which cannot be verified due to off-chain computation). These are significant permissions that introduce significant risk. The strictest key management policies must be respected here; otherwise, the instance into which this asset is introduced is placed at considerable risk.
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
5. Aave Crypto.com Instance Specific Parameters
To be provided after discussion with @ChaosLabs
6. Price feed
We recommend using the internal exchange rate, ETH/USD Chainlink feed, and CAPO.
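As an added example serving both section 3.2 (the infrequent, upgradeable internal rate feed) and the recommendation above, the following code models, in simplified form, how a capped exchange-rate adapter in the CAPO style bounds the rate an upgradeable oracle can report, and how a monitor would flag stale or abruptly jumping rate updates. This is illustrative code written for this archive, not Aave's price cap adapter nor Crypto.com's oracle; the parameter names, the 1e18 rate format, the growth cap expressed in basis points, and every sample update are constructed assumptions.

```python
# Added example: simplified CAPO-style cap on an LST exchange rate plus a
# staleness/jump audit of the rate feed. Not Aave's or Crypto.com's code;
# parameter names, feed format and sample updates are assumptions.

from dataclasses import dataclass

WAD = 10**18                      # 1e18-scaled fixed point (assumed feed format)
PERCENTAGE_FACTOR = 10_000        # 10_000 bps == 100%
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class RateUpdate:
    timestamp: int    # unix seconds of the onchain rate update
    ratio_wad: int    # ETH per cdcETH, 1e18-scaled


@dataclass
class CapConfig:
    snapshot_ratio_wad: int       # rate observed when the cap was last snapshotted
    snapshot_timestamp: int       # time of that snapshot
    max_yearly_growth_bps: int    # e.g. 1_000 == at most 10% ratio growth per year


def max_ratio_wad(cfg: CapConfig, now: int) -> int:
    # The highest ratio the adapter will accept: the snapshot grown linearly
    # at the configured yearly cap for the time elapsed since the snapshot.
    elapsed = max(0, now - cfg.snapshot_timestamp)
    growth = (cfg.snapshot_ratio_wad * cfg.max_yearly_growth_bps * elapsed
              // (PERCENTAGE_FACTOR * SECONDS_PER_YEAR))
    return cfg.snapshot_ratio_wad + growth


def capped_price_usd_wad(cfg: CapConfig, reported_ratio_wad: int,
                         eth_usd_wad: int, now: int) -> int:
    # Price = min(reported ratio, cap) * ETH/USD. A rate feed that suddenly
    # reports far above its plausible growth is clamped rather than trusted.
    ratio = min(reported_ratio_wad, max_ratio_wad(cfg, now))
    return ratio * eth_usd_wad // WAD


def audit_updates(updates: list, max_heartbeat_seconds: int,
                  max_step_bps: int) -> list:
    """Flag updates that arrive later than the expected heartbeat or that move
    the ratio by more than max_step_bps in a single update."""
    findings = []
    for i in range(1, len(updates)):
        prev, cur = updates[i - 1], updates[i]
        gap = cur.timestamp - prev.timestamp
        if gap > max_heartbeat_seconds:
            findings.append((i, f"stale: {gap} s since previous update"))
        step_bps = (cur.ratio_wad - prev.ratio_wad) * PERCENTAGE_FACTOR // prev.ratio_wad
        if abs(step_bps) > max_step_bps:
            findings.append((i, f"jump: {step_bps} bps in one update"))
    return findings


def review_feed() -> dict:
    # Constructed sample: three ordinary updates, one 17-day gap, then an
    # implausible ~7.7% jump (the kind an upgraded/misbehaving feed could emit).
    t0 = 1_700_000_000
    day = 86_400
    updates = [
        RateUpdate(t0, 1_020_000_000_000_000_000),
        RateUpdate(t0 + 3 * day, 1_020_500_000_000_000_000),
        RateUpdate(t0 + 20 * day, 1_021_500_000_000_000_000),
        RateUpdate(t0 + 21 * day, 1_100_000_000_000_000_000),
    ]
    cfg = CapConfig(snapshot_ratio_wad=updates[0].ratio_wad,
                    snapshot_timestamp=t0, max_yearly_growth_bps=1_000)
    eth_usd = 2_500 * WAD
    last = updates[-1]
    return {
        "findings": audit_updates(updates, max_heartbeat_seconds=7 * day,
                                  max_step_bps=50),
        "uncapped_usd_wad": last.ratio_wad * eth_usd // WAD,
        "capped_usd_wad": capped_price_usd_wad(cfg, last.ratio_wad, eth_usd,
                                               last.timestamp),
        "cap_ratio_wad": max_ratio_wad(cfg, last.timestamp),
    }


if __name__ == "__main__":
    print(review_feed())
```

The cap only bounds upward moves; a downward move (for example after slashing) passes through, which is the intended behaviour for a correlated-asset adapter. The audit thresholds (seven-day heartbeat, 50 bps per update) are placeholders to be tuned against the feed's observed update history.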
Disclaimer
This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded partly by the Aave DAO. LlamaRisk is not directly affiliated with Crypto.com and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.