← All Reports

Reserve Protocol

1.8
ETH+ / Ethereum Mainnet / May 18, 2026
View full report on GitHub → View dependency graph

Score Breakdown

CategoryWeightScore
Audits & Historical20%1.00
Centralization & Control30%2.50
Funds Management30%1.50
Liquidity Risk15%2.00
Operational Risk5%1.30
Final Score1.8 / 5.0
20%30%30%15%
Low Risk

Overview

ETH+ is a yield-bearing diversified Ethereum LST basket built on Reserve Protocol. It is an over-collateralized RToken backed by a basket of liquid staking tokens. Staking rewards from underlying LSTs accrue to ETH+ holders through an appreciating basket-to-token ratio (basketsNeeded / totalSupply). RSR stakers provide a first-loss overcollateralization buffer in exchange for a share of revenue.

Yield Source: Ethereum staking rewards from the underlying LSTs (currently 3.85% APY per DefiLlama).

Current Basket (basket nonce 9, set 2026-04-23):

Asset Issuer Quantity per BU ETH per BU Share of basket
wstETH Lido 0.40500 0.5001 50.0%
weETH Ether.fi 0.20094 0.2200 22.0%
sfrxETH Frax 0.08630 0.1000 10.0%
rETH Rocket Pool 0.08595 0.1000 10.0%
ETHx Stader 0.07346 0.0800 8.0%

Onchain values fetched from BasketHandler.quote(1e18, ROUND) and each LST's exchange-rate function. Total ETH per BU ≈ 1.00.

Supply / Backing (as of 2026-05-18, block ~25,124,102):

Metric Value Source
ETH+ totalSupply 21,065.86 ETH+ totalSupply()
basketsNeeded 22,720.73 BU RToken.basketsNeeded()
ETH+ → BU ratio 1.0786 BU per ETH+ computed
Backing held by BackingManager ~22,803 ETH-equivalent LST balances × exchange rates
fullyCollateralized() true BasketHandler.fullyCollateralized()
status() 0 (SOUND) BasketHandler.status()
Trading paused / Issuance paused / Frozen false / false / false Main

TVL:

  • ETH+ alone: ~$47.59M (DefiLlama yield pool, ETH price $2,102)
  • Reserve Protocol total: $77.55M on Ethereum / ~$87M total (DefiLlama, peak $530M on 2025-09-13)
  • Net change since last refresh (2026-04-27): −29% in USD ($67.0M → $47.6M), −22.7% in ETH+ (27,248 → 21,066). Cumulatively since 2025-12-22 assessment: −56% USD ($108M → $47.6M), −42% ETH+ (36,246 → 21,066) — supply contraction continues; current TVL is ~19% above the $40M reassessment trigger

Links:

Risk Summary

Key Strengths

  • Fully onchain, verifiable backing. fullyCollateralized() is true; any holder can prove the basket onchain in one call
  • Direct, permissionless redemption at the basket value with no fee and only a throttle-based pace limit
  • Diversified LST basket. No single LST exceeds 50%; idiosyncratic risk is meaningfully spread
  • Comprehensive audit history. Trail of Bits, Code4rena, Trust Security, Solidified, Halborn, Ackee, Oak Security, Certora — and v4.2.0 specifically was audited before activation
  • Programmatic operations. No admin-controlled exchange rate, no off-chain accounting, no minting role

Key Risks

  • Recently rotated governance (25 days old). The v4.2.0 upgrade and new timelock/governor went live on 2026-04-23. Inside the 30-day post-deployment monitoring window; no incidents observed
  • Guardian Safe concentration. A 3-of-6 multisig can pause, freeze, and cancel governance proposals — the binding constraint inside any 3-day timelock window
  • Deployer EOA still holds PAUSER role. Re-verified onchain on 2026-05-18; in place since the 2023 deployment without incident; bounded (cannot freeze redemption, cannot seize funds) but a single private-key compromise could disrupt issuance/trading. Tracked on the role-holder watch list
  • Thin RSR overcollateralization (~2.90%). Up from 2.4% at the prior refresh, but only because TVL contracted faster than the RSR buffer; the first-loss buffer remains small in absolute terms (~$1.38M) and scales with RSR price, not ETH+ TVL
  • Sustained TVL contraction. Supply has dropped ~42% in ETH+ and ~56% in USD since the 2025-12-22 assessment, with another −22.7% in the 21 days between refreshes. Current TVL ($47.6M) is within 19% of the $40M reassessment trigger; no obvious onchain cause — worth understanding before increasing exposure

Critical Risks

  • None identified that would block integration. The EOA-pauser finding is fixable by Reserve governance and does not threaten user funds directly
Full Report

Audits and Due Diligence Disclosures

Audit Status: Comprehensive, with audits covering each major version including the recently-deployed v4.2.0.

Audit reports are published in reserve-protocol/protocol/audits and on the Reserve Security docs:

Firm Scope Date
Trail of Bits Reserve Protocol (security review + fix review) 2022-08
Solidified Reserve Protocol core 2024-04
Solidified Reserve Protocol 3.4.0 2024
Halborn Reserve Protocol smart contracts
Ackee Blockchain Reserve Protocol
Code4rena Releases 2.1.0, 3.0.0 (core + collaterals), 4.0.0 2023–2025
Trust Security Releases 3.1.0, 3.2.0, 3.4.0 Spell, 4.2.0 2024–2026
Oak Security Reserve Updates (4.x) 2026-03-12
Certora Formal verification of FixLib 2026-04

The current onchain Main implementation (version() = "4.2.0") was deployed and granted ownership at block 24,944,370 (2026-04-23) via the Upgrade4_2_0 spell (0xbff761d367291281f3c4db4bda2c591d6dde3601).

Findings: No critical unresolved issues disclosed. v4.2.0 audits (Trust Security, Oak Security, Certora) were completed before mainnet activation.

Smart Contract Complexity: Moderate–High. Multi-contract architecture (Main, RToken, StRSR, BackingManager, BasketHandler, AssetRegistry, Distributor, Furnace, Broker, RSRTrader, RTokenTrader) plus per-collateral plugins. All contracts are upgradeable ERC-1967 proxies behind the Main access controller.

Bug Bounty

Platform: Cantina Maximum Payout: $10,000,000 (Critical tier) Severity tiers: Critical $10M / High $100k / Medium $5k / Low $1k Status: Live (launched 2026-03-26; 106 findings submitted as of this assessment) Link: https://cantina.xyz/bounties/3709ca85-4050-407e-9b36-51f5d5ea9b00

Reserve Protocol is not enrolled in the SEAL Safe Harbor agreement (verified via safeharbor.securityalliance.org).

Historical Track Record

Time in Production:

  • Reserve Protocol RTokens: live since 2023-04 (~3 years)
  • ETH+ specifically: deployed in basket nonce 1 at block 17,086,178 (2023-04-26), ~3 years
  • Current architecture upgraded to v4.2.0 on 2026-04-23 (25 days before this assessment) — still inside the 30-day post-upgrade monitoring window, no incidents observed

Past Security Incidents:

  • No exploits or hacks on Reserve Protocol or ETH+
  • No collateral default events triggered for ETH+
  • StRSR exchange rate is monotonically increasing (1.1654 RSR/stRSR currently, up from 1.162 at prior refresh) — no RSR has been seized to cover losses

Peg / Basket Stability:

  • ETH+ has no fixed peg to ETH; it tracks the appreciating basket value (currently 1.079 ETH per ETH+)
  • No significant deviations from basket value have been observed
  • Direct redemption provides a hard floor

TVL History:

  • Peak: ~36,246 ETH+ (~$108M) at 2025-12-22
  • Today: 21,066 ETH+ (~$47.6M) — supply has contracted ~42% in ~5 months, including ~22.7% in the last 21 days
  • Reserve total TVL peaked at $530M on 2025-09-13, now ~$87M ($77.55M Ethereum + $2.34M Base + ~$10k Arbitrum + staking)
  • The supply contraction is large enough to warrant continued monitoring; protocol remains fully collateralized and status() is SOUND. Current ETH+ TVL is within 19% of the $40M reassessment trigger

Team Track Record:

  • Reserve has been building since 2018; previously launched RSV (USD-pegged stablecoin)
  • Active development continues: most recent commits add RToken Deprecation tooling, Certora verification, weETH whale tests
  • Operator entity is ABC Labs, LLC (per reserve.org legal notice) — not "Reserve Labs" as commonly written. The Reserve trademark is held by Confusion Capital

Funds Management

Fund Delegation: Yes. ETH+ holds five LSTs as collateral, each wrapping its own underlying staking protocol:

  • wstETH → Lido (50.0%)
  • weETH → Ether.fi (22.0%) — added since prior assessment
  • sfrxETH → Frax (10.0%)
  • rETH → Rocket Pool (10.0%)
  • ETHx → Stader (8.0%)

Due Diligence on Underlying Protocols:

  • wstETH (Lido) and rETH (Rocket Pool) are blue-chip LSTs with the longest track records
  • weETH (Ether.fi) is the largest restaking-LST and has Chainlink price feeds
  • sfrxETH (Frax) has historically lacked a Chainlink ETH-denominated PoR; LlamaRisk flagged it as more centralized — Reserve uses an alternative oracle plugin
  • ETHx (Stader) is the smallest, both in basket weight (8%) and standalone TVL — highest single-name idiosyncratic risk in the basket

Monitoring Fund Delegation:

  • Basket is fully onchain and queryable via BasketHandler.quote() and nonce()
  • Basket changes emit BasketSet(uint256 nonce, address[] erc20s, uint192[] refAmts, bool disabled)
  • Governance proposals to change the basket pass through Governor Anastasius (2-day voting delay, 10% StRSR quorum, 3-day vote) plus a 3-day timelock — total floor ~8 days from proposal to execution

Accessibility

Minting:

  • Permissionless. Anyone can call RToken.issue() / issueTo()
  • Atomic in a single transaction; users deposit the proportional basket of LSTs (or a single asset using the Reserve "zap" router)
  • Subject to issuance throttle: amtRate = 1,700 ETH+/hr, pctRate = 10%/hr. Effective hourly cap is the larger of the two; issuanceAvailable() = 2,106.59 ETH+ at the time of writing
  • Backing is required to mint. There is no admin-controlled mint function; MAIN cannot mint ETH+ directly, and there is no role labeled "minter"

Redemption:

  • Permissionless. RToken.redeem(amount) returns the prorata basket (or a custom basket if redeeming during a basket switch via redeemCustom)
  • Throttle: amtRate = 2,000 ETH+/hr, pctRate = 12.5%/hr. redemptionAvailable() = 2,633.23 ETH+ currently
  • A full redemption of the entire supply would take ~8 hours under the current pctRate cap
  • No fees, no cooldown. Redemption is paused only if tradingPaused or system frozen

Slippage:

  • Mint/redeem is a basket operation — no slippage from the protocol itself
  • Slippage applies only when a user converts the redeemed LSTs back to ETH on a DEX

Collateralization

On-Chain Collateralization: Yes — 100%, fully onchain.

  • All collateral is held in the BackingManager (0x608e1e01EF072c15E5Da7235ce793f4d24eCa67B)
  • Verified directly: backing manager holds ~9,233 wstETH, ~4,581 weETH, ~1,970 sfrxETH, ~1,959 rETH, ~1,675 ETHx → ~22,803 ETH-equivalent vs. 21,066 ETH+ supply
  • BasketHandler.fullyCollateralized() returns true

Collateral Quality: High. All five collateral assets are established Ethereum LSTs, each with independent audits, Chainlink-style price feeds (or vetted alternates), and active markets.

Over-Collateralization (RSR buffer):

  • StRSR contract holds ~794M RSR as a first-loss buffer (down ~12% from ~898M at the prior refresh)
  • At the current RSR price (~$0.001735), this is ~$1.38M of buffer for $47.59M of ETH+ TVL → ~2.90% OC
  • The OC ratio is up from ~2.4% (prior refresh) because ETH+ TVL contracted faster than the RSR buffer in USD terms; still close to LlamaRisk's 2024 finding (2%) and remains the protocol's main material weakness. The buffer scales with RSR price, not ETH+ TVL

Default Handling:

  • BasketHandler.refresh() checks each collateral's price/peg every interaction
  • A collateral that depegs persistently transitions through IFFY → DISABLED and is removed from the basket
  • The protocol then triggers automatic auctions to swap the disabled collateral, using the backup basket and, if needed, seizing RSR from StRSR
  • Emergency collateral: WETH (0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2) is in the asset registry as a fallback

Risk Curation:

  • Basket composition, collateral plugins, and throttle parameters are all governance-managed
  • Changes require Governor Anastasius proposal + 3-day timelock execution

Off-Chain Components: None. Fully onchain — no custodians, no off-chain reserve management, no T-bills, no real-world assets.

Provability

Reserve Verification: Easy.

  • BasketHandler.basketsHeld() and RToken.basketsNeeded() are public view functions
  • Backing computation is deterministic from onchain state plus oracle prices
  • Anyone can call BasketHandler.refresh() and the protocol's status updates atomically

Yield Calculation: Transparent. Yield is the appreciation of basketsNeeded / totalSupply, driven entirely by the appreciation of the underlying LSTs.

On-Chain Reporting: Programmatic. There is no admin-controlled exchange rate.

Off-Chain Reserves: None.

Third-Party Verification: Chainlink price feeds are used for collateral plugins (with curated alternates where Chainlink is not available, e.g., sfrxETH).

Minting Without Backing: Not possible. There is no minter role and no admin function to mint ETH+ outside of RToken.issue(), which requires the user to deposit the basket.

Liquidity Risk

Direct Redemption: Always available (subject to throttle). 1:1 with the basket.

On-Chain DEX Liquidity (per DefiLlama, 2026-05-18):

Pool TVL
Curve ETH+/WETH $12.6M
Convex ETH+/WETH (boosted Curve) $7.8M
Beefy ETH+/WETH $5.8M
StakeDAO ETH+/WETH $5.1M
Curve ETH+/EUSD-RSR $2.5M
Curve ETH+/ETH $0.4M
Uniswap v3 WETH/ETH+ $0.9M
Morpho Blue ETH+ $2.3M

The primary spot pool (Curve ETH+/WETH) has ~$12.6M TVL. With Convex/Beefy/StakeDAO wrappers around the same Curve pool, the underlying Curve LP TVL is the binding liquidity for direct DEX exits. Morpho Blue ETH+ collateral exposure has contracted from $3.9M to $2.3M since the prior refresh.

Slippage Analysis (rule-of-thumb):

  • <$100k: Minimal (<0.5%) via direct redemption
  • $100k–$1M: 0.5–2% via redemption or DEX

  • $1M: Direct redemption preferred; selling components on their own deep markets is the cleanest exit

Withdrawal Restrictions:

  • Throttle limits redemption to ~12.5% of supply per hour (~2,633 ETH+ now)
  • A full exit of the entire ETH+ supply would take ~8 hours

Historical Liquidity:

  • No liquidity-stress incidents recorded
  • DEX liquidity has tracked the supply contraction since Q1 2026; primary Curve pool TVL is roughly flat over the last 3 weeks

Centralization & Control Risks

Governance

Contract Upgradeability: Yes. All core contracts are ERC-1967 proxies. Implementations can be swapped by the OWNER role on Main.

Governance Path (post-2026-04-23 upgrade):

Component Address Notes
Main (proxy) 0xb6A7d481719E97e142114e905E86a39a2Fa0dfD2 version() = 4.2.0
Main implementation 0xc5bf686cfb85786fcfff557297d4aff8f4e15e44
Governor (Governor Anastasius v1) 0xa8a608b9b558235e7f87d7024cc05e6f47d62022 OZ Governor, voting token = StRSR
Timelock 0xd7985a7c617febc4a833b5f70cfa79b40c313ad2 OZ TimelockController, getMinDelay() = 259,200s (3 days)
Guardian Safe (canceller + pauser + freezers) 0xd5fe2780eb882d1da78f2136b81c2a4395488c98 3-of-6 Gnosis Safe

Governor Anastasius parameters (verified onchain):

  • Voting delay: 172,800s (2 days)
  • Voting period: 259,200s (3 days)
  • Quorum: 10% of staked RSR (quorumNumerator/quorumDenominator = 10/100)
  • Proposal threshold: 66,236.65 stRSR (down from 76,720.92 at the prior refresh — this is a percentage of stRSR supply, so it tracks RSR un-staking)

End-to-end change cadence: ~2 days (voting delay) + 3 days (vote) + 3 days (timelock) = ~8 days from proposal to execution, assuming quorum.

Privileged Roles on Main (verified via hasRole):

Role Holder(s) Power
OWNER (bytes32("OWNER")) Timelock 0xd7985a7c… Upgrade implementations, change basket, modify parameters, manage all other roles
PAUSER Guardian Safe 0xd5fe2780… and an EOA 0xe3e34fa9… Pause issuance & trading (cannot freeze redemption)
SHORT_FREEZER Guardian Safe 0xd5fe2780… Freeze the system for 6 hours
LONG_FREEZER Guardian Safe 0xd5fe2780… Freeze for an extended period (governance-set)
Timelock CANCELLER Guardian Safe 0xd5fe2780… Cancel queued timelock proposals

Finding: The deployer EOA 0xe3e34fa93575af41bef3476236e1a3cdb3f60b85 still holds the PAUSER role on Main (re-verified onchain on 2026-05-18 via hasRole). It was granted at deployment (block 17,086,220) and was not revoked in the 4.2.0 upgrade transaction. PAUSER cannot freeze the system or seize funds, but a single private-key compromise here would let an attacker pause issuance and trading, disrupting the protocol. The condition has existed since 2023 deployment with no incident; documented here for the role-holder watch list rather than scored as a discrete penalty.

Old governance (pre-upgrade, no longer authoritative): the previous timelock 0x5f4A10aE2fF68bE3cdA7d7FB432b10C6BFA6457B was revoked from OWNER, PAUSER, SHORT_FREEZER, and LONG_FREEZER at block 24,944,370.

Powers Analysis:

  • Governance cannot seize user funds directly
  • Governance can swap collateral, change implementations, modify throttles, and change oracles — all subject to the 3-day timelock, giving holders a window to redeem
  • The Guardian Safe can pause and freeze, and can cancel governance proposals — concentrating real-time emergency power in a 3-of-6 multisig
  • The deployer EOA can pause issuance/trading

Risk Assessment: Medium. The 3-day timelock and 8-day proposal cycle are at the lower end of acceptable; the guardian Safe and active EOA pauser are the main centralization vectors.

Programmability

System Programmability: Highly programmatic.

  • Basket valuation, default detection, redemption, and reward distribution are all onchain
  • Furnace.melt() and Distributor.distribute() can be called by anyone (no privileged keeper)
  • PPS is basketsNeeded / totalSupply — no oracle, no admin update, no offchain accounting

Non-Programmatic Elements:

  • Basket composition and weights are set by governance
  • Oracle plugin addresses are governance-controlled (some collateral plugins use non-Chainlink oracles where Chainlink lacks coverage)

External Dependencies

Critical dependencies:

  1. Chainlink — used for the bulk of collateral price feeds. Failure of a single feed only impacts the corresponding collateral
  2. Five LST issuers — Lido, Ether.fi, Frax, Rocket Pool, Stader. A solvency event at any single issuer would trigger that collateral's default path; ETH+ would revert to the backup basket and slash RSR to recapitalize
  3. Ethereum L1 — fully onchain, no cross-chain bridges

Concentration:

  • Lido (wstETH) is 50% of basket value — the largest single-name dependency
  • The remaining 50% is split across four LSTs, which materially diversifies idiosyncratic risk

Operational Risk

Operating Entity: ABC Labs, LLC (per reserve.org legal notice). The "Reserve" trademark is held by Confusion Capital, a separate entity.

Team Transparency: Public, doxxed core team with established reputation; long history of public communication.

Documentation: Comprehensive technical and developer documentation; per-version audit reports published in-repo.

Communication Channels:

  • Discord (active, multiple thousand members)
  • Twitter: @reserveprotocol
  • Forum: discourse.reserve.org
  • GitHub: reserve-protocol/protocol (active)

Development Activity: Active. Recent commits (last 90 days) include weETH integration tests, Certora formal verification, RToken deprecation tooling, and the v4.2.0 audit cycle.

Incident Response:

  • Active Cantina bug bounty ($10M max payout)
  • Pause/freeze mechanisms at multiple severity levels
  • Guardian multisig with timelock-cancellation power for live-incident response
  • No prior incidents to assess response from

Monitoring

1. Governance Monitoring (MANDATORY)

Component Address Events / Functions to monitor
Governor Anastasius v1 0xa8a608b9b558235e7f87d7024cc05e6f47d62022 ProposalCreated, ProposalExecuted, ProposalCanceled, VoteCast
Timelock 0xd7985a7c617febc4a833b5f70cfa79b40c313ad2 CallScheduled, CallExecuted, Cancelled
Guardian Safe 0xd5fe2780eb882d1da78f2136b81c2a4395488c98 Owner changes, threshold changes, all executions (yearn safe-monitoring)
Main (hasRole) 0xb6A7d481719E97e142114e905E86a39a2Fa0dfD2 RoleGranted, RoleRevoked for OWNER / PAUSER / SHORT_FREEZER / LONG_FREEZER

Action: add to yearn/monitoring. Recommended cadence: hourly poll for queued timelock calls; immediate alert on any RoleGranted/Revoked or Guardian Safe execution.

Important: the deployer EOA 0xe3e34fa93575af41bef3476236e1a3cdb3f60b85 still has PAUSER. Add to the role-watch list and alert on any transaction from it.

2. Backing / Collateralization Monitoring (MANDATORY)

Check Function Threshold
Fully collateralized BasketHandler.fullyCollateralized() must be true
Basket status BasketHandler.status() must be 0 (SOUND); alert on 1 (IFFY) or 2 (DISABLED)
Backing ratio RToken.basketsNeeded() / RToken.totalSupply() must be ≥ 1.0
Basket nonce changes BasketHandler.nonce() and BasketSet event alert on any change

Recommended cadence: hourly.

3. RSR Buffer Monitoring

Component Address Check
StRSR 0xffa151Ad0A0e2e40F39f9e5E9F87cF9E45e819dd exchangeRate() — alert on any decrease (RSR seizure)
RSR balance held by StRSR RSR.balanceOf(StRSR) track absolute value; alert on >10% drop

OC ratio = (RSR_balance × RSR_price) / ETH+_TVL — currently ~2.90%. Alert if it drops below 1%.

4. Throttle Monitoring

RToken.issuanceAvailable() and redemptionAvailable() should normally track 10–12.5% of supply. Persistent depletion of redemptionAvailable indicates large coordinated exits; alert if it stays below 1% of supply for >2 hours.

5. Implementation Upgrade Monitoring

ERC-1967 implementation slot (0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc) on every core contract: alert on any change.

Appendix: Contract Architecture

                                  ┌──────────────────────────────────┐
                                  │        Governance layer          │
                                  │                                  │
                           ┌──────│ Governor Anastasius v1           │
                           │      │ 0xa8a608b9…                      │
                           │      │ • 2d voting delay                │
                           │      │ • 3d voting period               │
                           │      │ • 10% StRSR quorum               │
                           │      │ • 66,237 stRSR proposal threshold│
                           │      └──────────────────────────────────┘
                           │ proposals
                           ▼
                  ┌────────────────────────────┐         ┌────────────────────────┐
                  │ TimelockController         │◀────────│ Guardian Safe (3-of-6) │
                  │ 0xd7985a7c…                │ cancel  │ 0xd5fe2780…            │
                  │ minDelay = 259,200s (3d)   │         │ + PAUSER, S/L_FREEZER  │
                  └─────────────┬──────────────┘         │ on Main                │
                                │ executes               └────────────────────────┘
                                │ (OWNER role)                         │
                                ▼                                      │ (also pauser:
                  ┌──────────────────────────────────┐                 │  EOA 0xe3e34fa9…)
                  │  Main (ERC1967Proxy)             │                 │
                  │  0xb6A7d481…    impl 0xc5bf686c… │◀────────────────┘
                  │  version 4.2.0                   │
                  │  AccessController for all roles  │
                  └────────────┬─────────────────────┘
                               │ wires
        ┌──────────┬───────────┼────────────┬──────────┬──────────┬──────────────┐
        ▼          ▼           ▼            ▼          ▼          ▼              ▼
  ┌───────────┐ ┌────────┐ ┌──────────┐ ┌─────────┐ ┌────────┐ ┌─────────┐ ┌────────────┐
  │ RToken    │ │ StRSR  │ │ Backing  │ │ Basket  │ │ Asset  │ │ Furnace │ │ Distributor│
  │ ETH+      │ │ stRSR  │ │ Manager  │ │ Handler │ │ Reg.   │ │ +Broker │ │ +Traders   │
  │ 0xE72B…   │ │ 0xffa1…│ │ 0x608e…  │ │ 0x56f4… │ │ 0xf526…│ │         │ │            │
  └─────┬─────┘ └───┬────┘ └────┬─────┘ └────┬────┘ └────────┘ └─────────┘ └────────────┘
        │           │           │            │
        │ issue/    │ stake/    │ holds      │ defines
        │ redeem    │ unstake   │ collateral │ basket
        │           │           ▼            ▼
        │           │      ┌─────────────────────────────────┐
        │           │      │      LST collateral plugins     │
        │           │      │  wstETH 50%  weETH 22%  rETH 10%│
        │           │      │  sfrxETH 10% ETHx 8%            │
        │           │      └────────────┬────────────────────┘
        │           │                   │
        │           │                   ▼
        │           │      ┌─────────────────────────────────┐
        │           │      │   Underlying staking protocols  │
        │           │      │   Lido / Ether.fi / Rocket Pool │
        │           │      │   / Frax / Stader               │
        │           │      └─────────────────────────────────┘
        │           │ provides 1st-loss capital (≈2.90% OC)
        │           ▼
        │      ┌──────────────┐
        └─────▶│ ETH+ holders │
               └──────────────┘

Key trust boundaries:

  • The Timelock owns Main; the only path to upgrade or change parameters is governance-proposed and 3-day delayed
  • The Guardian Safe (3-of-6) is the only counterparty that can act inside the timelock window — by pausing, freezing, or cancelling proposals
  • The deployer EOA can pause but cannot freeze or upgrade
  • All collateral is held by BackingManager; ETH+ holders' redemption is a direct claim on it

Overall Risk Score: 1.8 / 5.0

Risk Tier: LOW RISK

Recommendation:APPROVED for Yearn integration with standard monitoring, conditional on:

  1. Completing the 30-day post-v4.2.0 monitoring window (5 more days from this refresh); no incidents observed to date
  2. Adding all governance / role / backing checks listed in Monitoring to yearn's monitoring repo, including the EOA pauser address
  3. Watching the supply contraction trend closely — TVL now $47.6M, within 19% of the $40M reassessment trigger; trigger a full reassessment immediately on breach

Reassessment Triggers

  • Time-based: Reassess in 6 months or sooner if any trigger below fires
  • TVL-based: Reassess if ETH+ TVL drops below $40M or grows above $200M
  • Basket-based: Reassess on any BasketSet event (basket nonce change)
  • Governance-based: Reassess on any of:
    • New OWNER, PAUSER, SHORT_FREEZER, or LONG_FREEZER role grant on Main
    • Guardian Safe owner or threshold change
    • Governor or timelock contract replacement
    • PAUSER role grant or revoke involving the EOA 0xe3e34fa9… (positive: revocation reduces risk score)
  • Collateral-based: Reassess on any LST issuer incident (Lido, Ether.fi, Rocket Pool, Frax, Stader)
  • OC-based: Reassess if RSR over-collateralization ratio falls below 1%
  • Incident-based: Reassess after any pause, freeze, IFFY/DISABLED collateral status, or RSR seizure
Submit report inaccuracy