← All Reports

InfiniFi

3.2
siUSD (Staked iUSD) / Ethereum Mainnet / May 18, 2026
View full report on GitHub → View dependency graph

Score Breakdown

CategoryWeightScore
Audits & Historical20%2.50
Centralization & Control30%3.20
Funds Management30%3.50
Liquidity Risk15%4.00
Operational Risk5%2.50
Final Score3.2 / 5.0
20%30%30%15%
Medium Risk

Overview

InfiniFi is a stablecoin protocol that allows users to deposit assets (USDC, USDT) to mint iUSD, a stablecoin pegged to the US Dollar. The protocol automatically deploys deposited collateral into a portfolio of farm contracts categorized as Liquid (instant withdrawal), Illiquid (perpetual but exit-controlled), and Maturing (locked until fixed maturity dates). As of this assessment the largest allocations are Midas-tokenized Fasanara Global (~37% of TVL), Cap Protocol stcUSD (~20%), CoW-swap fixed-maturity baskets into PYUSD and cUSD/stcUSD (~21% combined), Spark sUSDC (~7%), an active RWA escrow (~6%), Steakhouse-curated MetaMorpho (~4%), and Maple HYSL (~3%). See Appendix A for detailed analysis of the largest farm deployments.

The protocol offers three tiers of tokens:

  1. iUSD: The base stablecoin (deposit receipt). Not yield bearing directly but liquid.
  2. siUSD: Staked iUSD. Yield-bearing and liquid (can be exited via secondary markets).
  3. liUSD: Locked iUSD. Highest yield, governance power, but locked for 1-13 weeks. Serves as "first loss" capital.

Links:

Risk Summary

Key Strengths

  • Strong risk segmentation design with liability ladder (liUSD first-loss → siUSD → iUSD)
  • Comprehensive audit coverage: Spearbit/Cantina Code main review + 6 ongoing upgrade reviews + Certora formal verification + public competition
  • Robust governance: 4/7 multisig + dual timelock (7d/1d) + separation of powers. DEFAULT_ADMIN renounced. emergencyAction bypass prevented via no-op override in Timelock.
  • All contracts verified onchain, all farms properly target expected DeFi protocols
  • Backed by reputable investors (Electric Capital, Sam Kazemian)

Key Risks

  • Liquid reserves fully depleted: Onchain Accounting.totalAssetsValueOf(Liquid) returns <$1; all four Liquid-type farms (MintController, RedeemController, SwapFarmV2, LiquidationFarm) currently hold dust. iUSD instant redemption is effectively disabled — every redeemer must enter the FIFO queue.
  • Heavy concentration in tokenized RWA: Midas-Fasanara mGLOBAL is ~37% of TVL ($30.6M) and matures 2026-06-15. This is the single largest position and a pure offchain counterparty.
  • Heavy concentration in Cap Protocol: Direct stcUSD + the cUSD/stcUSD swap basket combine to ~30% of TVL. Cap is a 2025-vintage stablecoin issuer with limited track record.
  • Concentrated maturity wall: Roughly $26M of maturities cluster between 2026-05-19 and 2026-05-25 — protocol relies on these rolling off (or being rolled forward) to restore any liquidity.
  • TVL down 54% since prior assessment ($177.69M → $82.66M) — directionally consistent with the loss of liquid buffer and may reflect ongoing redemption pressure.
  • Offchain/RWA exposure: Contrary to initial marketing as "100% onchain DeFi", at least 43% of TVL (Midas-Fasanara + unidentified RWA escrow + Aave Horizon RWA + Maple) sits in offchain or RWA-backed strategies whose valuations cannot be verified onchain.
  • Multisig powers expanded since prior assessment: multisig now directly holds EMERGENCY_WITHDRAWAL, MANUAL_REBALANCER, UNPAUSE, MINOR_ROLES_MANAGER, PAUSE, and EXECUTOR_ROLE on InfiniFiCore — meaning it can both propose and execute its own timelock actions. This concentrates effective control to a 4/7 anonymous signer set.
  • Short operational history (<1 year in production since June 2025).
  • Compounded smart contract risk from layered protocols (Cap stcUSD, Spark, Maple, Morpho/MetaMorpho, Auto Finance, f(x) Protocol, Midas vault flow).
  • Pseudonymous team with notable history concerns: key contributor (RobAnon) authored Revest Finance contracts exploited for $2M; lead dev's prior projects (Fei, ECG) have wound down.
  • No disclosed legal entity or incident response plan.
  • Certora formal verification report published but finding severity breakdown not available on the landing page (full PDF required for detailed review).

Critical Risks

  • Effective queue-only redemption today. Liquid reserves are essentially $0. Combined with the 54% TVL contraction since the prior report, this looks like an active redemption stress event being managed by waiting for maturities to roll off rather than honoring instant withdrawals. Operators of any vault that requires reliable USDC exit should treat InfiniFi as queue-mode until the Liquid bucket is rebuilt.
Full Report

Contract Addresses

All contracts verified on Etherscan. Compiled with Solidity 0.8.28 (except Gnosis Safe: 0.7.6).

Core / Governance:

Team Multisig & Timelocks:

Active farms (see Funds Management § Asset Allocation for full table and Appendix A for risk analysis).

Audits and Due Diligence Disclosures

InfiniFi has undergone extensive security review via Certora, Spearbit/Cantina Code, and a Cantina public competition, plus multiple ongoing upgrade reviews.

  • Spearbit / Cantina Code (March-April 2025): Main protocol security review. Report published April 1, 2025. Findings: 8 High, 6 Medium, 25 Low, 4 Gas, 24 Informational. Auditors: Noah Marconi (Lead), R0bert (Lead), Slowfi, Jonatas Martins. Report PDF.
  • Certora: Formal Verification & Security Assessment (March 21 – May 20, 2025). Report published June 4, 2025. Covers formal verification via Certora Prover and manual review. Report.
  • Cantina Public Competition (April 2025): Public audit competition. Competition link. Reward pool claimed ~$40,000 ($35k + $5k) — amount unconfirmed via automation.
  • Ongoing Cantina Code / Spearbit Managed Reviews (6+ additional reviews of upgrades):
    • siUSD rewards interpolation update
    • Pendle SY farm integration
    • Multiasset farms (new farm types)
    • PR 209: Multiple new farms
    • PR 228: J-Curve Smoother, ReservoirFarm, Fluid rewards
    • PR 224: Crosschain support (CCIP + LayerZero) All PDFs accessible via auditor portfolio. Note: The initial Spearbit audit and "Cantina Code" review appear to be the same engagement (same auditors, same date, same file size). They should not be counted as separate audits.

Bug Bounty

Historical Track Record

  • Production History: The protocol launched in June 2025 with a points program beginning June 1, 2025, designed to reward participation during its six month launch phase.
  • TVL: $82.66M (verified onchain via Accounting.totalAssetsValue() and corroborated by DefiLlama on 2026-05-18). TVL has contracted ~54% since the previous assessment ($177.69M → $82.66M).
  • Incidents: No reported security incidents or exploits found. iUSD oracle still reports 1.0 (no loss-socialization event).
  • Peg Stability: iUSD is designed to be redeemable 1:1. Users can mint iUSD against deposits.

Funds Management

The protocol acts as an asset manager, deploying user funds into other protocols.

  • Strategy: Funds are deployed via 21 enabled farm contracts grouped into three AssetType buckets in FarmRegistry: Liquid (4 farms — instant withdrawal), Illiquid (5 farms — perpetual but slow to unwind), and Maturing (12 farms — locked until a fixed maturity date). The current portfolio is concentrated in tokenized RWA (Midas-Fasanara), Cap Protocol stablecoins, and CoW-swap fixed-maturity baskets. Critical: Several farms involve high-risk strategies — see Appendix A.

  • Asset Allocation (verified onchain via Accounting.totalAssetsValueOf(type) and per-farm assets(), 2026-05-18):

    Bucket Value (USD) Share
    Liquid (USDC instant) ~$0.7 ~0%
    Illiquid (perpetual) $23.26M 28.1%
    Maturing (fixed-term) $59.40M 71.9%
    Total $82.66M 100%

    Critical observation: The Liquid bucket is currently empty in practice (only dust in SwapFarmV2/RedeemController). All ~$82.66M of TVL is sitting in Illiquid or Maturing farms. The previous report showed $37.78M in liquid reserves; that buffer has been fully redeployed. There is currently no instant-redemption capacity for iUSD holders without entering the queue.

    Top farms by deployed value:

    Farm Type Target Assets Share
    MidasFarm Maturing mGLOBAL — Midas Fasanara Global (0x7433…98A8). Maturity 2026-06-15. $30.60M 37.0%
    CapFarm Illiquid stcUSD — Cap Protocol staked cUSD (0x8888…8888) $16.48M 19.9%
    SwapFarmV2WithMaturity Maturing CoW-swap USDC ↔ PYUSD / senPYUSDmain. Maturity 2026-05-25. $9.00M 10.9%
    SwapFarmV2WithMaturity Maturing CoW-swap USDC ↔ cUSD / stcUSD. Maturity 2026-05-19. $8.29M 10.0%
    SparkSUSDCFarm Illiquid Spark USDC Vault sUSDC (0xBC65…45FE) $6.06M 7.3%
    RWAEscrowFarm Maturing RWA escrow 0x868C…741A → receiver 0x4831…D926 (EOA). Maturity 2026-06-16. Counterparty TODO. $5.08M 6.1%
    ERC4626FarmWithMaturity Maturing Steakhouse infiniFi USDC (0xBEEF…3aC9) — dedicated MetaMorpho V1.1 vault $3.52M 4.3%
    MapleFarm Maturing Maple High Yield Secured Lending Pool USDC1 (0xC39a…b8B9) $2.37M 2.9%
    AaveV3Farm Illiquid Aave Horizon RWA market (aHorRwaUSDC) $0.72M 0.9%
    FxSaveFarm Maturing f(x) Protocol fxSAVE / fxUSD via CoW $0.53M 0.6%
    Remaining (dust / matured / inactive) mixed sGHO, autoUSD/infinifiUSD AutoFinance pools, RWA escrows at 0, Euler eUSDC-70, USDT Aave market ~$0.01M <0.1%

    Notable concentrations: Midas-Fasanara ≈ 37%, Cap Protocol exposure (CapFarm + cUSD/stcUSD swap) ≈ 30%, PYUSD swap basket ≈ 11%, Spark + Steakhouse MetaMorpho + Aave Horizon ≈ 12%, RWA escrow ≈ 6%, Maple ≈ 3%.

    Compared to the previous report, explicit Gauntlet Frontier, Reservoir wsrUSD, direct Pendle, direct Ethena, regular Aave aEthUSDC, and Fluid fUSDC farm positions are no longer present (those farm addresses are either removed or sit at $0). However the Fasanara exposure has not gone away — it has moved into Midas's tokenized mGLOBAL wrapper and grown to be the single largest position. The new heavyweights (Cap Protocol stcUSD and the cUSD/stcUSD swap basket) introduce a fresh concentration in a single younger stablecoin issuer.

  • Risk Hierarchy: Losses are socialized based on a "liability ladder":

    1. liUSD (Locked) holders take the first loss.
    2. siUSD (Staked) holders take the next loss.
    3. iUSD (Stablecoin) holders are the last to be affected.

Accessibility

  • Enabled Deposit Assets (verified onchain via FarmRegistry.getEnabledAssets()): USDC (0xA0b8…eB48) and USDT (0x8292…17eD). The previous report listed USDe and sUSDe as accepted assets; those are no longer enabled on FarmRegistry. The protocol's frontend may still accept them via wrapper logic — TODO verify gateway behavior.

  • Minting: Users deposit USDC/USDT through the Gateway → MintController to mint iUSD.

  • Redemption:

    • Instant: Capped by liquidity in the four Liquid farms (MintController, RedeemController, SwapFarmV2, LiquidationFarm). Currently effectively $0 — instant redemptions are paused in practice until allocators rebalance funds back into liquid farms or maturing positions roll off.
    • Queue: With liquid reserves depleted, redemption requests enter a FIFO Queue. Pending requests are fulfilled as capital is unwound from illiquid strategies or new deposits enter.
    • Whitelisting: No whitelist for redemption; anyone holding iUSD can redeem or enter the queue.

Token Mint Authority

Mint mechanism:

  • siUSD (0xDBDC…7389bCB): standard ERC-4626 (StakedToken) wrapping iUSD. Anyone with iUSD can call deposit() / mint() and receive siUSD. No privileged role on the share token.
  • iUSD (0x48f9…3D89c): role-gated mint via RECEIPT_TOKEN_MINTER on InfiniFiCore (0xF6d4…25490). Only contracts holding the role can call mint(...). User-facing mint flow: deposit USDC/USDT → GatewayMintControlleriUSD.mint.

Mint requires backing: Yes for the user-facing path — MintController only mints iUSD against USDC/USDT collateral pulled in the same transaction. The protocol-internal mints (YieldSharing, PLSmoother) are bounded by the same loss-socialization accounting (PPS can only rise by realized yield) and do not represent admin-mintable supply.

Per-address mint authority (verified onchain on May 18, 2026 by enumerating RECEIPT_TOKEN_MINTER and RECEIPT_TOKEN_BURNER on InfiniFiCore):

Address Can Mint Can Burn Role / Mechanism Notes
Any caller of siUSD deposit() / mint() Permissionless ERC-4626 Atomic against iUSD
MintController RECEIPT_TOKEN_MINTER User-facing mint controller; only mints against USDC/USDT collateral
MigrationController RECEIPT_TOKEN_MINTER Additional ENTRY_POINT for migrations
YieldSharing (proxy) RECEIPT_TOKEN_MINTER + RECEIPT_TOKEN_BURNER Distributes farm yield as new iUSD; bounded by realized yield
PLSmoother RECEIPT_TOKEN_MINTER + RECEIPT_TOKEN_BURNER Smooths profit/loss across siUSD epochs
siUSD (StakedToken) RECEIPT_TOKEN_BURNER Burns iUSD on stcUSD redemptions
UnwindingModule RECEIPT_TOKEN_BURNER Burns iUSD during liUSD early-exit settlement
LockingController RECEIPT_TOKEN_BURNER Burns iUSD when liUSD positions are slashed
RedeemController RECEIPT_TOKEN_BURNER Burns iUSD when redemptions clear the FIFO queue
PLSmootherHelper RECEIPT_TOKEN_BURNER Helper for PLSmoother burn flow

Adding a new RECEIPT_TOKEN_MINTER: DEFAULT_ADMIN_ROLE on InfiniFiCore has been renounced (0 holders), so OpenZeppelin's default grantRole path is closed. Role grants flow through GOVERNOR (held by Long Timelock, 7-day delay). MINOR_ROLES_MANAGER (held by multisig + Long Timelock) only covers PAUSE / PERIODIC_REBALANCER / FARM_SWAP_CALLER and explicitly cannot add a new mint role — adding a minter requires Long Timelock execution.

Rate limits / supply caps: None onchain. Mint capacity is implicitly bounded by deposit-asset supply (USDC/USDT held by MintController) and by the maxLossPercentage first-loss buffer that auto-pauses on excessive losses.

Backing check at mint time:

  • MintController path (user-facing USDC/USDT deposits): atomic. Collateral must transfer in the same call before iUSD.mint(...) fires. Cannot mint unbacked.
  • MigrationController path: atomic against the migration source (same pull-collateral-then-mint pattern).
  • YieldSharing and PLSmoother paths (protocol-internal yield distribution and P&L smoothing): not atomic with backing. The minter contract has no transferFrom(asset, ...) before mint(...). PLSmoother's smoothProfit(receiptTokenProfit, duration) literally calls ReceiptToken(receiptToken).mint(address(this), receiptTokenProfit) with no on-chain assertion that USDC has arrived in the protocol — the caller is trusted to only call it when farms have already reported receiptTokenProfit of realized USDC profit. The trust surface here is layered:
    1. The FINANCE_MANAGER role-holder set (currently 3 contracts: YieldSharing, LiquidationFarm, PLSmootherHelper). No EOA or multisig holds the role directly. Adding a new holder requires GOVERNOR (Long Timelock, 7d).
    2. The calling contract correctly accounting realized farm profit before calling smoothProfit. A bug in YieldSharing's profit math, or a compromised farm that over-reports yield, would let PLSmoother mint unbacked iUSD. The PLSmoother contract itself would not catch the discrepancy.

Slashing-order quirk (from PLSmoother source comment): "the vesting yield held by this contract … isn't included in the slashing order. As a result, it could hold undistributed rewards (i.e. pending profit) that would otherwise could have been used to mitigate losses." If losses materialize while iUSD is still mid-vest inside PLSmoother, that pending profit does not absorb the loss — losses skip the smoother and hit liUSD / siUSD directly. An audited and acknowledged design property, not a bug, but a real risk-review-relevant point.

Collateralization

  • Backing: iUSD is backed by the assets deployed in the underlying strategies.

  • Verification: The protocol uses a "Self-Laddering Engine" to match asset duration with liability duration (locked periods).

  • Offchain / High-Risk Exposures (verified onchain, see Appendix A for detail):

    • Midas-tokenized Fasanara Global (mGLOBAL) — single largest position at $30.6M (37%). Midas is a tokenization issuer; the underlying is Fasanara Capital's hedge-fund strategy. Custody and valuation are entirely offchain.
    • Cap Protocol stcUSD — $16.5M direct deposit + $8.3M maturing swap basket = ~$24.8M combined (30% of TVL). Cap is a relatively young (2025) stablecoin issuer.
    • Maple HYSL Pool — $2.37M of institutional secured lending exposure.
    • Aave Horizon (aHorRwaUSDC) — $0.72M in RWA-collateralized lending market.
    • RWA Escrow Farm — $5.08M sent to an EOA receiver (0x4831…D926), value maintained by RWAEscrowRateManager (0x11F6…4189). Pure trust-based offchain exposure during the lock period.

  • Token Breakdown (verified onchain 2026-05-18, all in iUSD-equivalent):

    Component Value Source
    iUSD totalSupply 82.66M iUSD.totalSupply()
    — held by siUSD (Staked) 45.60M iUSD.balanceOf(siUSD)
    — held by LockingController (liUSD active) 26.87M iUSD.balanceOf(LockingController)
    — held by UnwindingModule (liUSD in unwind) 4.48M iUSD.balanceOf(UnwindingModule)
    — held by YieldSharing (dust) 0.03M iUSD.balanceOf(YieldSharing)
    — circulating / in user wallets ~5.69M residual
    siUSD totalSupply 42.66M shares exchange rate 1.069 iUSD/siUSD
    LockingController totalBalance (liUSD) 31.35M LockingController.totalBalance()

    Compared to previous assessment: siUSD-backed iUSD dropped from 115.07M → 45.60M (-60%), liUSD positions from 43.34M → 31.35M (-28%), free iUSD from 24.86M → ~5.69M (-77%).

Provability

  • Transparency: Reserves and allocations are verifiable onchain via FarmRegistry.getFarms() and per-farm assets().
  • Reserves: Onchain DeFi positions (Spark, Aave Horizon, MetaMorpho, Cap, Maple, sGHO, FxSave, AutoFinance) are fully verifiable. Offchain-backed positions (Midas mGLOBAL, RWAEscrow, partially Cap) cannot be independently audited on-chain.

Liquidity Risk

  • Exit Liquidity:
    • iUSD: ~$5.69M circulating outside protocol contracts. Instant-redemption buffer is currently ~$0; any iUSD holder wanting to exit today must enter the FIFO queue and wait for maturing positions to roll off or new deposits to come in.
    • siUSD: Staked holders can withdraw to iUSD via siUSD.withdraw() (ERC4626) but then face the same redemption queue.
    • liUSD: Locked positions (1-13 weeks). Early exits route through UnwindingModule and incur a slashing penalty.
  • Withdrawal Queues: With the liquid buffer at $0 the queue is the only path for iUSD-to-USDC. The earliest material relief is 2026-05-19 ($8.29M Cap swap basket maturity), followed by 2026-05-25 (~$9.0M PYUSD swap + Auto Finance positions), and 2026-06-15/16 ($30.6M Midas-Fasanara + $5.08M RWA escrow). In practice the queue can only be cleared as these maturities trigger.

Centralization & Control Risks

Governance

The governance system is split into three branches to check and balance power:

  1. Allocators (Active Management): Decide "How much" capital goes to specific strategies. They cannot route funds to arbitrary addresses.
    • Timelock: Changes to capital allocation parameters (e.g., Farm Registry updates) use the Short Timelock (1 day delay).
  2. Verifiers (Token Holders - liUSD): Vote to approve the "Allowlist" of safe protocols.
    • Scope: Adding a new protocol to the allowlist requires a governance vote and must pass through the Short Timelock (1 day delay).
  3. Vetoers (Guardians): A council of 5 entities. A single Vetoer can block any new protocol or product. This acts as a safety brake.

  • Team Multisig: Gnosis Safe v1.4.1 at 0x80608f852D152024c0a2087b16939235fEc2400c. 4/7 threshold, 7 anonymous EOA signers (verified onchain via getOwners() and getThreshold() on 2026-05-18). Nonce 452. Signer #1 has been rotated since the prior report.

    # Signer Additional Roles (verified onchain)
    1 0x7A823623B18335A9c1284AC45315fe89972FD421 — (new since prior report; replaced 0x7055E782B94b15BB6142aaFB326a9CeC36399eE5)
    2 0xDAdB38219425c761dd0f3a4d684Fc36f533af7bD EXECUTOR_ROLE
    3 0xa9BDBEb17c81677Cb1830B74B1832C16Ec5CEF61
    4 0x6DFa1A32604088EB969242AafFb92420F78373f6 EXECUTOR_ROLE
    5 0xd53Ffb2DB125015aB4D461bAD3fA959Ef1a1e685 PAUSE
    6 0xfd4691dfA327Adb0d6f3c7b4224B3cc881D4F6fa EXECUTOR_ROLE
    7 0x383965940c950008a4B67BfaA477Fdf6AC91a7F7 EXECUTOR_ROLE, PAUSE

  • Timelocks: Both are custom Timelock.sol extending OZ TimelockController. They override hasRole() to delegate role checks to the central InfiniFiCore contract. Both have DEFAULT_ADMIN_ROLE renounced (immutable role configuration).

    Timelock-controlling roles on InfiniFiCore (verified by enumerating getRoleMember()):

    Role Holders
    PROPOSER_ROLE 1: multisig (4/7 required to schedule)
    CANCELLER_ROLE 1: multisig (4/7 required to cancel)
    EXECUTOR_ROLE 6: signers #2/4/6/7 + deployer EOA (0xdecaDAc8778D088A30eE811b8Cc4eE72cED9Bf22) + the multisig itself (new since prior report — multisig can now execute its own scheduled proposals)

    Governance flow: Multisig proposes (4/7) → Timelock delay → Any 1 of 5 executor EOAs or the multisig itself triggers execution.

  • GOVERNOR role holders (verified via getRoleMemberCount(keccak256("GOVERNOR")) = 2):

    • Long Timelock (0x3D18…48a9) — full GOVERNOR scope behind 7-day delay
    • FluidRewardsClaimer (0xD0ec…241E) — narrowly scoped to claiming Fluid rewards
    • Deployer EOA has renounced GOVERNOR. DEFAULT_ADMIN_ROLE has 0 holders on Core (verified).
    • Note: prior report listed MinorRolesManager as a third GOVERNOR holder. That is no longer the case — MinorRolesManager currently holds no roles on Core, and minor-role grants now go through the multisig (which holds MINOR_ROLES_MANAGER) or the Long Timelock.

  • Actions by timelock tier:

    Long Timelock (7 days) — GOVERNOR role (and PROTOCOL_PARAMETERS, PAUSE, MINOR_ROLES_MANAGER it also now holds): enableBucket, setMaxLossPercentage, setAddress (gateway), setAfterMintHook, setBeforeRedeemHook, setYieldSharing, enableAsset, disableAsset, setLendingPool, setSafeAddress, emergencyAction, proxy upgrades (owns ProxyAdmin), all role grants/revokes.

    Short Timelock (1 day) — PROTOCOL_PARAMETERS role: setBucketMultiplier, setMinAssetAmount, setSafetyBufferSize, setPerformanceFeeAndRecipient, setLiquidReturnMultiplier, setTargetIlliquidRatio, setCap, setMaxSlippage, addFarms, removeFarms, setEnabledRouter, setPendleRouter, setCooldown, setAssetRebalanceThreshold.

    Short Timelock (1 day) — ORACLE_MANAGER role: setOracle, setPrice. Verified onchain: ORACLE_MANAGER has 4 holders — Short Timelock, Accounting (0x7A5C…42B3), YieldSharing proxy (0x90E9…AE3b), and OracleFactory (0xA2b3…Ed91).

    Multisig WITHOUT timelock (the multisig directly holds these roles on InfiniFiCore):

    Role Capability
    UNPAUSE (2 holders: multisig + EmergencyWithdrawal) Unpause any paused contract
    EMERGENCY_WITHDRAWAL (1 holder: multisig) Move funds from farms to predefined safe address, deprecate farms
    MANUAL_REBALANCER (3 holders: multisig + Short Timelock + LiquidationFarm) Rebalance funds between whitelisted farms
    FARM_SWAP_CALLER (3 holders: multisig + EOA 0x7345…2cbB + Short Timelock) Trigger swap operations in farms
    MINOR_ROLES_MANAGER (2 holders: multisig + Long Timelock) Grant/revoke PAUSE, PERIODIC_REBALANCER, FARM_SWAP_CALLER
    CANCELLER_ROLE / PROPOSER_ROLE Cancel/propose timelock actions
    PAUSE (multisig holds it directly) Emergency pause

  • PAUSE role holders (verified via getRoleMemberCount(keccak256("PAUSE")) = 8, up from 4 in prior report):

  • Other onchain role membership (verified 2026-05-18 by enumerating keccak256 of each role name in CoreRoles):

    Role Count Notable holders
    ENTRY_POINT 2 Gateway proxy, MigrationController
    RECEIPT_TOKEN_MINTER 4 YieldSharing, MintController, PLSmoother, MigrationController
    RECEIPT_TOKEN_BURNER 7 siUSD, UnwindingModule, LockingController, YieldSharing, RedeemController, PLSmootherHelper, PLSmoother
    LOCKED_TOKEN_MANAGER 1 LockingController
    TRANSFER_RESTRICTOR 1 AllocationVoting
    FARM_MANAGER 4 ManualRebalancer, AfterMintHook, BeforeRedeemHook, EmergencyWithdrawal
    FINANCE_MANAGER 3 YieldSharing, LiquidationFarm, PLSmootherHelper
    PERIODIC_REBALANCER 1 EOA 0x2Cba…aB1a (keeper bot)
    PROTOCOL_PARAMETERS 3 Short Timelock, Long Timelock, MaturedFarmCleaner
    DEFAULT_ADMIN_ROLE 0 — (renounced)

  • emergencyAction bypass analysis: The Timelock.sol contract overrides emergencyAction to a no-op, preventing any GOVERNOR holder from using it to bypass timelock delays. This is a deliberate safety mechanism confirmed in source code (unchanged since prior assessment).

Programmability

  • Hybrid Model: The "Self-Laddering Engine" algorithmically matches asset duration with liability duration. "Allocators" actively manage the amount of capital deployed to specific allowlisted strategies.
  • Oracle: Protocol uses Chainlink price feeds for asset pricing to maintain the 1:1 mint ratio and calculate collateral value.
  • Oracle Updates: Oracles are upgradeable via governance (Short Timelock, 1-day delay). The iUSD price oracle (0x8ABc952f91dB6695E765744ae340BC5eA4B344c1) is a FixedPriceOracle — price changes only during loss socialization events (de-peg).

External Dependencies

  • Top dependencies (by deployed value): Midas (mGLOBAL tokenization layer over Fasanara Capital) ~37%, Cap Protocol (cUSD/stcUSD as direct deposit and swap target) ~30%, PYUSD / Paxos ~11%, Spark / MakerDAO ~7%, Unidentified RWA escrow counterparty (TODO) ~6%, Steakhouse-curated Morpho MetaMorpho ~4%, Maple Finance ~3%, Aave Horizon RWA ~1%, f(x) Protocol ~1%. Smaller exposures to Auto Finance (formerly Tokemak) and Aave sGHO via dust positions.
  • Stablecoin dependencies: USDC and USDT enabled as deposit assets (verified onchain). The protocol also takes indirect exposure to PYUSD (via maturing swap basket), cUSD/stcUSD (Cap), USDS (via Spark), and indirectly to T-Bill-backed RWAs (via Midas mGLOBAL and unidentified RWA escrow counterparty). USDe and sUSDe are no longer enabled deposit assets on FarmRegistry.

Operational Risk

  • Team: InfiniFi Labs. Pseudonymous/semi-anonymous team. Key contributors identified via GitHub:
    • eswak (Erwan Beauvois): Lead architect. Former Fei Protocol core dev (2021-2022), Ethereum Credit Guild core dev (2022-2024). Toulouse, France.
    • RobAnon (@RobAnon94): Contributor. Former sole developer of Revest Finance core contracts. Note: Revest Finance was exploited for ~$2M via reentrancy in March 2022.
    • nikollamalic (Nikola Malic): Developer. Former Revest Finance infrastructure contributor.
    • No public team page. GitHub org has zero public members listed.
  • Funding: $3M Pre-Seed (Feb 2025) led by Electric Capital, with participation from New Form Capital, Axiom, Kraynos Capital, Sam Kazemian (Frax Finance founder), Defi Dad.
  • Legal Structure: No disclosed legal entity, jurisdiction, or DAO structure. TODO.
  • Documentation: Technical documentation in the GitHub README is comprehensive. Public docs at docs.infinifi.xyz behind Cloudflare protection (content not independently verified).
  • Communication: Twitter/X at @infinifilabs. No public governance forum found (not on Snapshot, Tally, or Commonwealth).
  • Incident Response: No documented incident response plan found. Emergency capabilities exist via EMERGENCY_WITHDRAWAL role (multisig, no timelock) and system pause (now 8 PAUSE-role holders — multisig, Long Timelock, EmergencyWithdrawal/MaturedFarmCleaner contracts, and four individual EOAs).

Monitoring

Contracts to Monitor

Contract Address Why Monitor Directly
Long Timelock 0x3D18480CC32B6AB3B833dCabD80E76CfD41c48a9 All critical governance actions (GOVERNOR role)
Short Timelock 0x4B174afbeD7b98BA01F50E36109EEE5e6d327c32 Parameter changes (PROTOCOL_PARAMETERS, ORACLE_MANAGER)
EmergencyWithdrawal 0xa406aFC7967C63C5c454AD1f0e0dB9a761fe26e9 Multisig-direct, no timelock
ORACLE_IUSD 0x8ABc952f91dB6695E765744ae340BC5eA4B344c1 De-peg event (autonomous, triggered by loss socialization)
LockingController 0x1d95cC100D6Cd9C7BbDbD7Cb328d99b3D6037fF7 First-loss buffer for liUSD holders. LossesApplied = protocol taking damage. Auto-pauses if losses exceed maxLossPercentage threshold.
siUSD 0xDBDC1Ef57537E34680B898E1FEBD3D68c7389bCB VaultLoss = losses exceeded liUSD first-loss buffer, now hitting siUSD stakers
UnwindingModule 0x7092A43aE5407666C78dBEa657a1891f42b3dFcc Handles forced liquidation of illiquid positions (e.g. Pendle fixed-term). CriticalLoss = losses during unwinding exceed module balance.

Note: Contracts whose state changes only via timelocks (InfiniFiCore, Gateway, FarmRegistry, Accounting, MintController, RedeemController, YieldSharingV3, MinorRolesManager, MaturedFarmCleaner, MigrationController, PLSmoother(Helper), AfterMintHook, BeforeRedeemHook, ManualRebalancer, LiquidationFarm, AllocationVoting, OracleFactory, etc.) do not need separate monitoring — all their changes appear as CallScheduled/CallExecuted on the timelocks.

Governance Monitoring (Timelocks + Multisig)

All timelocked actions (GOVERNOR, PROTOCOL_PARAMETERS, ORACLE_MANAGER) are captured by monitoring the timelock events. No need to separately monitor downstream contract events that can only be triggered via timelocks.

Contract Event Significance
Long/Short Timelock CallScheduled(bytes32 id, uint256 index, address target, uint256 value, bytes data, bytes32 predecessor, uint256 delay) New governance action proposed — decode data to understand what will change. Early warning window (7d or 1d).
Long/Short Timelock CallExecuted(bytes32 id, uint256 index, address target, uint256 value, bytes data) Governance action executed — verify expected outcome
Long/Short Timelock Cancelled(bytes32 id) Scheduled action cancelled — may indicate contested governance
Long/Short Timelock MinDelayChange(uint256 oldDuration, uint256 newDuration) Timelock delay changed — reduction is critical

Non-Timelocked Events — Immediate Alert

These events bypass the timelock and can be triggered directly by the multisig or individual role holders.

Contract Event Triggered By Significance
Any CoreControlled Paused(address account) 8 PAUSE-role holders (multisig + Long Timelock + EmergencyWithdrawal + MaturedFarmCleaner + 4 individual EOAs) Emergency pause — no multisig or timelock required when triggered by an EOA pauser
Any CoreControlled Unpaused(address account) Multisig (UNPAUSE, no timelock) System resumed
EmergencyWithdrawal EmergencyWithdraw(uint256 timestamp, address farm, uint256 amount) Multisig (no timelock) Emergency fund extraction from farm

Protocol Health Events — Immediate Alert

Autonomous events triggered by protocol state, not governance actions.

Contract Event Significance
ORACLE_IUSD PriceSet(uint256 timestamp, uint256 price) iUSD price changed — price below 1.0 = de-peg (loss socialization to iUSD holders)
LockingController LossesApplied(uint256 timestamp, uint256 amount) First-loss tranche consuming — liUSD holders taking losses
siUSD VaultLoss(uint256 timestamp, uint256 epoch, uint256 assets) Losses cascading past first-loss tranche to siUSD holders
UnwindingModule CriticalLoss(uint256 timestamp, uint256 amount) Losses during forced liquidation of illiquid positions exceed module balance

Key State to Poll

  • TVL: Monitor total protocol TVL via liquid + illiquid farm balances
  • Liquid Reserve Ratio: Liquid reserves vs total TVL

Reassessment Triggers

  • Time-based: Reassess in 60 days (target 2026-07-17), or immediately after the 2026-06-15/16 Midas-mGLOBAL and RWAEscrow maturities settle.
  • Liquidity-based: Reassess immediately if (a) the FIFO redemption queue forms a backlog that does not clear at the next scheduled maturity, or (b) Accounting.totalAssetsValueOf(Liquid) remains <1% of total supply for more than 30 days after the May/June maturity wave.
  • TVL-based: Reassess if TVL moves by more than 30% in either direction from the current ~$82.66M.
  • Concentration-based: Reassess if any single farm exceeds 40% of TVL, or if combined Cap Protocol exposure (CapFarm + cUSD/stcUSD swap baskets) exceeds 35% of TVL.
  • Issuer-based: Reassess on any material event at Midas, Fasanara Capital, Cap Protocol, or Maple Finance (depeg, custodian change, restructure, regulatory action).
  • Governance-based: Reassess after any signer change on the multisig, any new EXECUTOR_ROLE / PROPOSER_ROLE / CANCELLER_ROLE grant, any change to the Timelock.emergencyAction no-op override, or any role grant on InfiniFiCore outside the Long Timelock.
  • Incident-based: Reassess after any exploit, oracle failure, or material loss event at the protocol or in any farm with >$2M of InfiniFi exposure.
  • Architecture-based: Reassess on any new farm category (new AssetType bucket), new asset enablement on FarmRegistry, or any change to YieldSharing/Accounting beyond the V2→V3 line.

Appendix A: Top Farm Exposure Analysis

Onchain inspection of FarmRegistry.getFarms() and per-farm assets() on 2026-05-18 shows the portfolio is concentrated in a small number of large positions, most of which are "Maturing" (locked until a fixed date) or "Illiquid" (perpetual but exit-controlled). The Liquid bucket is currently empty in practice. The farms below cover ~98% of TVL.

Per the previous assessment's appendix, the Gauntlet Frontier (gtUSDa), Reservoir wsrUSD, direct Fasanara Genesis Fund deposit, and Tokemak autoUSD positions are no longer present at material weight — those farm addresses are removed from FarmRegistry or hold $0 / dust. The Fasanara strategy is, however, still indirectly held via Midas-tokenized mGLOBAL (see entry 1).

Summary Table: Top Farms by Deployed Value

Farm Type Underlying Assets (USD) Share Individual Risk
MidasFarm (mGLOBAL) Maturing (2026-06-15) Midas-tokenized Fasanara Global hedge-fund strategy $30.60M 37.0% 4.5/5
CapFarm (stcUSD) Illiquid Cap Protocol staked cUSD $16.48M 19.9% 4.0/5
SwapFarmV2WithMaturity (PYUSD) Maturing (2026-05-25) CoW-swap basket USDC ↔ PYUSD / senPYUSDmain $9.00M 10.9% 3.0/5
SwapFarmV2WithMaturity (cUSD/stcUSD) Maturing (2026-05-19) CoW-swap basket USDC ↔ cUSD / stcUSD $8.29M 10.0% 4.0/5
SparkSUSDCFarm Illiquid Spark USDC Vault (sUSDC) $6.06M 7.3% 2.5/5
RWAEscrowFarm Maturing (2026-06-16) Funds sent to offchain receiver EOA; rate-managed onchain $5.08M 6.1% 4.5/5
ERC4626FarmWithMaturity (Steakhouse) Maturing Steakhouse-curated MetaMorpho V1.1 USDC vault $3.52M 4.3% 2.5/5
MapleFarm Maturing Maple Finance High Yield Secured Lending USDC1 $2.37M 2.9% 3.5/5
AaveV3Farm (Horizon) Illiquid Aave Horizon RWA market (aHorRwaUSDC) $0.72M 0.9% 3.5/5

Detailed Farm Risk Assessments

1. MidasFarm — Midas-tokenized Fasanara Global (mGLOBAL)

Risk Score: 4.5/5

Description: MidasFarm (0x7373A7ce3C023C56Cb66747AFbdF827627D31679) holds mGLOBAL, an ERC-20 token issued by Midas (a tokenization-as-a-service issuer) that represents a claim on the Fasanara Capital "Global" strategy. The underlying is the same Fasanara hedge-fund family flagged in the prior report — but now wrapped in Midas's permissioned-issuance + offchain-NAV-attestation architecture rather than held directly. Maturity in this farm: 2026-06-15.

Key Risk Factors:

Risk Category Assessment Details
Concentration Very High 37% of total InfiniFi TVL in a single position
Off-Chain Custody Very High Underlying hedge-fund strategy assets held by traditional custodians at Fasanara
NAV / Valuation High mGLOBAL price reflects an off-chain NAV attestation from Midas / Fasanara
Issuer Risk High Two stacked issuers (Midas + Fasanara) plus their respective custodians
Regulatory Risk High Tokenized fund products are subject to securities regulation in EU/UK/US
Liquidity Risk High InfiniFi position is locked until the 2026-06-15 maturity; secondary mGLOBAL liquidity is thin

Why This Matters:

  • Single largest exposure: a loss event large enough to impair mGLOBAL value would consume the liUSD first-loss buffer before iUSD holders are protected.
  • The strategy is the same one (Fasanara) the prior report flagged at 4.5/5; the wrapping change reduces direct counterparty surface but adds a second issuer (Midas) on top.
  • The 2026-06-15 maturity is the single most important upcoming event for InfiniFi liquidity.

References:

2. CapFarm — Cap Protocol stcUSD

Risk Score: 4.0/5

Description: CapFarm (0x35F9EbDc02F936e199826778bc06A13272a06B87) holds stcUSD, the staked yield-bearing version of Cap Protocol's cUSD stablecoin. Cap is a 2025-vintage stablecoin issuer whose yield is sourced from delegated operator strategies backed by restaked collateral. Note: a second InfiniFi farm — SwapFarmV2WithMaturity for the cUSD/stcUSD basket — adds another $8.29M of Cap exposure, bringing the combined Cap concentration to ~30% of TVL.

Key Risk Factors:

Risk Category Assessment Details
Issuer Maturity High Cap is <1 year old, limited stress-test history
Concentration (combined) Very High CapFarm + cUSD/stcUSD swap basket ≈ 30% of TVL — exceeds the liUSD first-loss buffer's notional
Peg Risk High cUSD peg integrity relies on Cap's reserve attestations and operator soundness
Smart Contract Medium Cap's contracts have been audited but are young in production
Liquidity (secondary) Medium stcUSD secondary liquidity is thin

Why This Matters:

  • A Cap depeg or operator insolvency event would hit InfiniFi twice: directly via CapFarm and indirectly via the maturing cUSD/stcUSD swap basket.
  • Combined Cap notional exceeds the protocol's available first-loss buffer.

References:

3. SwapFarmV2WithMaturity (cUSD/stcUSD basket)

Risk Score: 4.0/5

Description: Maturing CoW-swap farm at 0xe945de0D08E2F39B0740FE2d6e50FE2Bb9751eA4 used to route USDC into a cUSD/stcUSD basket. Maturity: 2026-05-19 (imminent). $8.29M deployed.

Key Risk Factors: Same Cap Protocol issuer risk as entry #2; plus a CoW-Protocol solver dependency for settlement around the maturity window.

Why This Matters:

  • 2026-05-19 maturity is the first material redemption-queue relief, but it is fully Cap-Protocol-denominated — so depeg or settlement issues at that exact window are the highest-impact short-term risk.

4. SwapFarmV2WithMaturity (PYUSD basket)

Risk Score: 3.0/5

Description: Maturing CoW-swap farm at 0x84FF7Ef9568807c93436F09E2E613dE2aF3FE4EE, denominated in PYUSD / senPYUSDmain. Maturity: 2026-05-25. $9.00M deployed.

Key Risk Factors: PYUSD is a Paxos-issued, NYDFS-regulated stablecoin — the credit standard is materially higher than for cUSD. Primary risks are CoW solver dependency at maturity and the senPYUSDmain wrapper's redemption mechanics.

5. SparkSUSDCFarm — Spark USDC Vault

Risk Score: 2.5/5

Description: SparkSUSDCFarm (0xd880D7C5CaFdbE2AEc281250995abF612235e563) holds sUSDC, the Spark Protocol USDC vault. $6.06M.

Key Risk Factors: Spark/MakerDAO ecosystem dependency; sUSDC is a known well-audited integration. Low independent risk; included for completeness.

6. RWAEscrowFarm — Offchain Counterparty

Risk Score: 4.5/5

Description: RWAEscrowFarm (0x9E5efC5F387D8661C1AFB2469B7EeF6972451852) sends underlying USDC to escrow address 0x868C82b7BAa3675F9Da1404510DB60c1f6A7741A, with funds onward-routed to receiver EOA 0x4831C121879d3DE0E2B181d9d55E9B0724f5D926. Position value during the lock is set by RWAEscrowRateManager (0x11F6FAb3f4D8635880C3e80cbae8AEF8136D4189). Maturity: 2026-06-16. $5.08M.

Key Risk Factors:

Risk Category Assessment Details
Counterparty Risk Very High Funds custodied by an EOA receiver during the lock — pure offchain trust
Identity (TODO) Unknown Counterparty identity behind 0x4831…D926 is not disclosed in public docs
Valuation High Position value during lock is driven by a rate-manager contract whose inputs come offchain
Audit trail Low Onchain only sees the escrow + rate; offchain operation is not verifiable
Recovery Low If the receiver EOA does not return funds at maturity, recovery is a legal matter, not a smart-contract one

Why This Matters:

  • The most opaque exposure in the portfolio. Even Midas mGLOBAL has a tokenization issuer with public attestations; this farm relies on a private bilateral arrangement.
  • 2026-06-16 maturity coincides almost exactly with the Midas-mGLOBAL roll-off, so a delay or default at either would compound queue pressure.

7. ERC4626FarmWithMaturity — Steakhouse-curated MetaMorpho

Risk Score: 2.5/5

Description: ERC4626FarmWithMaturity (0x76D2E84009dAE457f8667D823c7c96e9A7c35B78) deposits into a dedicated Steakhouse-curated MetaMorpho V1.1 USDC vault 0xBEEF1f5bD88285E5b239B6AACB991D38CCa23aC9 ("infiniFi USDC"). $3.52M.

Key Risk Factors: Standard MetaMorpho stack risk (Morpho Blue isolated markets + curator allocation) under a reputable curator. Low independent risk; included for completeness.

8. MapleFarm — Maple Finance HYSL

Risk Score: 3.5/5

Description: MapleFarm (0xF56E946e92FeF6a050F482C560b5f8DcCB8163B3) deposits into Maple's High Yield Secured Lending Pool USDC1 (0xC39a5a616F0aD1Ff45077fa2DE3F79ab8EB8B8B9). $2.37M.

Key Risk Factors: Institutional secured-lending credit exposure with offchain borrower workflows and pool-level default history (Maple has had pool defaults in prior cycles, though the current HYSL design uses overcollateralization and waterfall protections).

9. AaveV3Farm — Aave Horizon RWA market

Risk Score: 3.5/5

Description: AaveV3Farm (0x817d93DbdFd8190bbef0a73fCf5Dd9DA5A87E032) supplies USDC into Aave's Horizon RWA market (aHorRwaUSDC receipt token). $0.72M.

Key Risk Factors: Borrower side is collateralized by tokenized RWA collateral types; depends on RWA-specific liquidation paths Aave Horizon has not yet had to exercise at scale.

Aggregate Risk Assessment

Concentration: ~67% of TVL is in three issuers/strategies — Midas-Fasanara (37%), Cap Protocol (combined 30%) — well above the protocol's $31.35M liUSD first-loss notional. Either issuer suffering a material adverse event would test, and could exhaust, the liability ladder before iUSD holders are protected.

Liquidity: The Liquid bucket holding zero is itself a material change versus the prior assessment. iUSD-to-USDC is queue-only until the maturity sequence (2026-05-19 → 2026-05-25 → 2026-06-15 → 2026-06-16) begins to settle.

Offchain exposure: Midas-Fasanara (37%) + RWAEscrowFarm (6%) + Maple HYSL (3%) + Aave Horizon RWA (1%) = ~47% of TVL has material offchain custodial, valuation, or counterparty dependence.

Stress sequence to monitor:

  1. 2026-05-19 — Cap cUSD/stcUSD swap basket maturity (~$8.29M). First test of CoW-swap solver maturity routing under load.
  2. 2026-05-25 — PYUSD swap basket maturity (~$9.00M).
  3. 2026-06-15 — Midas mGLOBAL maturity (~$30.60M). The single largest scheduled event for the protocol.
  4. 2026-06-16 — RWA escrow maturity (~$5.08M). Counterparty identity unverified — most binary outcome of the wave.

Recommendation: Treat current InfiniFi exposure as primarily a credit exposure to (a) a tokenized Fasanara hedge-fund position, (b) Cap Protocol's young stablecoin issuance, and (c) one undisclosed RWA escrow counterparty, rather than as a diversified DeFi yield strategy. Reassessment should be triggered immediately if any of the four upcoming maturities fail to settle on schedule.

Data Sources:

  • Onchain: FarmRegistry.getFarms(), per-farm assets(), Accounting.totalAssetsValue() and .totalAssetsValueOf(AssetType) (verified 2026-05-18).
  • InfiniFi Transparency Dashboard — cross-checked but not used as the primary source.
Submit report inaccuracy