Strata
Score: 2.8 / 5.0
srUSDe (Senior Tranche USDe) / Ethereum / May 19, 2026

Score Breakdown

Category | Weight | Score
Audits & Historical | 20% | 3.00
Centralization & Control | 30% | 3.20
Funds Management | 30% | 2.25
Liquidity Risk | 15% | 3.00
Operational Risk | 5% | 2.50
Final Score | 100% | 2.8 / 5.0
Medium Risk

Overview

Strata is a generalized risk-tranching protocol that splits yield from underlying strategies into two tokenized tranches with distinct risk-reward profiles:

  • Senior Tranche (srUSDe): Over-collateralized, yield-bearing synthetic dollar. Designed for capital preservation with a stable yield floored at a benchmark rate, uncapped upside participation in underlying yield, and first-loss protection from the junior tranche.
  • Junior Tranche (jrUSDe): Provides leveraged upside to the underlying yield, absorbing yield volatility and associated risks in exchange for potentially higher returns.

srUSDe is an ERC-4626 Meta Vault that accepts deposits of USDe, sUSDe, USDT, USDC, and DAI. All deposited assets are routed through the StrataCDO orchestrator into Ethena's sUSDe vault via the sUSDeStrategy. Yield is distributed between senior and junior tranches using a Dynamic Yield Split (DYS) mechanism that references:

  • The underlying sUSDe APY
  • A benchmark rate (supply-weighted average of USDC/USDT lending rates on Aave v3 Core)
  • The relative TVL distribution between the two tranches
  • Risk-premium parameters set by the team (planned to transition to independent risk managers)

The senior tranche always earns at minimum the benchmark rate (floored), with upside participation. In extreme scenarios where junior liquidity is depleted and the underlying APY is below the benchmark rate, the senior tranche simply earns the underlying APY. If the junior tranche is fully depleted, the senior tranche may incur principal losses.

Yield source: Ethena's sUSDe yield (delta-neutral basis trade on ETH/BTC), redistributed via Strata's DYS mechanism.

Key metrics (May 19, 2026):

  • Protocol TVL: ~$86.8M (DeFiLlama, aggregated across all Strata markets)
  • srUSDe vault TVL (onchain): ~$51.9M USDe; jrUSDe ~$10.0M USDe (Ethena USDe market only)
  • Peak TVL: ~$326M (October 8, 2025) — protocol is now ~73% below ATH
  • Chain: Ethereum only
  • Protocol now operates five markets (added since the previous assessment): Ethena USDe (srUSDe), Neutrl NUSD (srNUSD), Midas mHYPER (srmHYPER), Midas mM1-USD (srmM1-USD), Saturn USDat (srUSDat). srUSDe is the original and largest market; the others share governance and the same access-control contract but each has its own CDO/Strategy/Accounting/AprPairFeed contracts.

Yearn use cases per issue #47:

  1. Deposit into senior vault srUSDe as part of a strategy
  2. Use srUSDe as collateral on Morpho for srUSDe/USDC markets where srUSDe is collateral and USDC is the loan token (minimal price change exposure)

Links:

Risk Summary

Key Strengths

  • Structured risk tranching: srUSDe benefits from junior tranche (jrUSDe) first-loss protection. Current senior:junior asset ratio ~5.17:1; total-system collateralization ~119.3% of senior assets, well above the 105% circuit-breaker
  • Multi-layered governance: 48h timelock for owner changes (verified active with 53 executions), two-step exit-fee changes, independent Guardian (Patrick Collins/Cyfrin) with CANCELLER role on the 48h timelock
  • Onchain transparency: Exchange rate is programmatic (ERC-4626), accounting is fully onchain, and the codebase is open-source. Implementation contracts unchanged since November 2025 (no recent upgrades)
  • Multiple reputable audits: 8 audit engagements across Cyfrin, Quantstamp, and Guardian Audits (one new Quantstamp engagement on the discrete-accounting mechanism since the previous assessment)
  • Active monitoring: 24/7 monitoring via Hypernative with Guardian oversight
  • Reserve extraction is timelocked (corrected from prior assessment): RESERVE_MANAGER_ROLE is held by the 24h Timelock, not the Admin Multisig — and the 24h Timelock currently has no executor, so reserve withdrawal to treasury is presently blocked outright

Key Risks

  • Persistent TVL volatility: protocol now exhibits three sharp drawdown events (Jan 8-17, Apr 2-4, Apr 23-25, 2026), each shedding 25-55% of TVL within days. Current TVL ($86.8M) is ~73% below the October 2025 peak ($326M) — worse than the 62.6% reported in Feb. The repeated boom-bust pattern is consistent with large-depositor and points-program concentration
  • Single critical dependency on Ethena (for srUSDe): All srUSDe-market funds flow into Ethena's sUSDe. An Ethena exploit or USDe depeg would directly impact srUSDe holders
  • Low multisig thresholds with overlapping signers: Admin Multisig is 3-of-4, Operational Multisig is 2-of-3, and two of the three Operational signers also sit on the Admin Safe. All keys are internal-team-only
  • Pause is callable by a 2/3 internal-team multisig (Operational), correcting the previous report's claim that pause was an Admin Multisig (3/4) function
  • No bug bounty program found: Notable absence for a protocol managing tens of millions in TVL
  • Withdrawal delays: Redemptions subject to cooldown periods tied to Ethena's sUSDe unstaking (~7 days)
  • Anonymous team: Founding team not publicly identified. Patrick Collins (Guardian) is the only doxxed individual, in a security oversight role
  • Rapid multi-market expansion: protocol grew from 1 market to 5 markets (Neutrl, Midas mHYPER, Midas mM1-USD, Saturn USDat) between Feb and May 2026, with no audits found covering the new markets. While srUSDe contracts are unchanged, broader operational and governance bandwidth is now stretched across five integrations
  • Stalled public repo: Public GitHub last pushed Feb 25, 2026 — active development is happening on unmerged branches (strat/morpho, strat/neutrl, strat/superstate, release/performance-fee)

Critical Risks

  • Junior tranche depletion: If the junior tranche is fully depleted (e.g., prolonged negative yield or extreme outflows), senior tranche may incur principal losses. The 105% coverage circuit breaker provides some protection but is not a guarantee. Current jrUSDe totalAssets is ~$10M against ~$51.9M senior assets — adequate but the buffer has shrunk in absolute terms vs. the previous assessment
  • 24h Timelock has no executor and has never executed a single call since deployment in October 2025 — verified by hasRole queries against every known principal (including the zero-address sentinel) and by inspection of the deployment-tx constructor calldata which shows an empty executors[] array. Several roles that the protocol documentation routes through the 24h Timelock (RESERVE_MANAGER, UPDATER_STRAT_CONFIG, COOLDOWN_WORKER) cannot fire on that path. For srUSDe most of these functions are reachable via the 48h Timelock or other principals, but it is an unexplained governance misconfiguration that the team should address
  • Proxy upgrade risk: Core contracts are upgradeable with 48h timelock. While the Guardian can cancel, this requires active monitoring

Full Report

Contract Addresses

Core Ethena USDe Market Contracts (Ethereum)

Contract | Address | Type
srUSDe (Senior Tranche) | 0x3d7d6fdf07EE548B939A80edbc9B2256d0cdc003 | ERC-4626 Meta Vault, Upgradeable Proxy
jrUSDe (Junior Tranche) | 0xC58D044404d8B14e953C115E67823784dEA53d8F | ERC-4626 Vault, Upgradeable Proxy
StrataCDO | 0x908B3921aaE4fC17191D382BB61020f2Ee6C0e20 | Core Orchestrator, Upgradeable Proxy
Accounting | 0xa436c5Dd1Ba62c55D112C10cd10E988bb3355102 | TVL calculations, fee accrual
sUSDeStrategy | 0xdbf4FB6C310C1C85D0b41B5DbCA06096F2E7099F | Deposits into Ethena sUSDe Vault
ERC20Cooldown | 0xd6dAD17d025cDdDEd27305aEbAB8b277996A6fAF | Token lockup for cooldown period
UnstakeCooldown | 0x735edDF50Ca2371aa48466469C742e684c610F74 | sUSDe unstaking cooldown
SUSDeCooldownRequestImpl | 0x00A96056c30A22b684fF7a09F4A0AfEaE426dde2 | Cooldown workflow for sUSDe
TrancheDepositor | 0x50E850641F43F65BF8fB3a7d0CF082a1D252F47e | Routes deposits into tranches
AprPairFeed | 0x2bb416614D740E5313aA64A0E3e419B39e800EC2 | Benchmark & Collateral APY inputs
AaveAprPairProvider | 0x1c137776e04803F807616c382AbBA12d9BF0AF73 | Fetches APR values from Aave
AccessControlManager | 0x1d19E18ECaC4ef332a0d5d6Aa3a0f0f772605f60 | Role-based access control
TwoStepConfigManager | 0x0f93bAC77c3dDD1341d3Ecc388c5F8A180818994 | Two-step exit-fee governance

Governance & Multisig Contracts

Contract | Address | Configuration
Admin Multisig | 0xA27cA9292268ee0f0258B749f1D5740c9Bb68B50 | 3-of-4 Gnosis Safe, cold wallets, internal team + founding contributors
Operational Multisig | 0x4be3749a0F6557b8fd98F3967e859DbD7C694eF4 | 2-of-3 Gnosis Safe, internal team
Timelock (48h) | 0xb2A3CF69C97AFD4dE7882E5fEE120e4efC77B706 | Proposer: Admin Multisig. Canceller: Guardian
Timelock (24h) | 0x4f2682b78F37910704fB1AFF29358A1da07E022d | Strategy config changes
Guardian | 0x277D26a45Add5775F21256159F089769892CEa5B | Patrick Collins (Cyfrin CEO) -- can cancel timelock transactions

Proxy Infrastructure

Contract | ProxyAdmin
StrataCDO | 0xcAb791D0D44eBaC17378fF2AF6356c012F15c9e6
ERC20Cooldown | 0xeD6c7b379F73DF0618406d263b13b2386E398166

On-Chain Verification (Etherscan, May 19, 2026)

All core contracts are verified on Etherscan:

Contract | Etherscan Name | Verified | Proxy
srUSDe | TransparentUpgradeableProxy → Tranche (impl 0xe894055ca1c73648927e225f3ca38ed48e30210b) | Yes | Yes
jrUSDe | TransparentUpgradeableProxy | Yes | Yes
StrataCDO | TransparentUpgradeableProxy → StrataCDO (impl 0xb3d4f2c2123f8c3ca85ae7a6d48aa2ef049c79ba) | Yes | Yes
sUSDeStrategy | TransparentUpgradeableProxy → sUSDeStrategy (impl 0x2b9796606c8480312a572742c00f606ef4adb107) | Yes | Yes
Accounting | TransparentUpgradeableProxy | Yes | Yes
AccessControlManager | AccessControlManager | Yes | No
Admin Multisig | GnosisSafeProxy | Yes | Yes
Operational Multisig | SafeProxy | Yes | Yes
48h Timelock | StrataMasterChef (OZ TimelockController) | Yes | No
24h Timelock | StrataMasterChef (OZ TimelockController) | Yes | No
Guardian | EOA (not a contract) | N/A | N/A

Note: Both timelocks are registered on Etherscan as StrataMasterChef but contain standard OpenZeppelin TimelockController functions (schedule, execute, cancel, getMinDelay). Delays verified onchain (May 19, 2026): 48h = 172,800 seconds, 24h = 86,400 seconds. Implementation contracts for srUSDe, StrataCDO, and sUSDeStrategy are unchanged since November 2025 — no upgrade has been pushed in the past ~6 months.

Audits and Due Diligence Disclosures

Strata has completed an extensive, multi-phased audit process with 3 reputable firms across at least 8 distinct audit engagements (one new Quantstamp engagement added since the previous assessment).

Audit History

# | Firm | Date | Scope | C | H | M | L | Info | Report
1 | Cyfrin | Oct 8, 2025 | Protocol v1 (Tranches) | 1 | 2 | 6 | 5 | 12 | PDF
2 | Guardian Audits | Oct 10, 2025 | Protocol v1 (Tranches) | 1 | 5 | 14 | 5 | 8 | PDF
3 | Quantstamp | ~Q4 2025 | Protocol v1 (Tranches) | - | - | - | - | - | Certificate
4 | Quantstamp | ~Q4 2025 | Redemption Fee (Update to Tranches) | - | - | - | - | - | Certificate
5 | Cyfrin | Jan 23, 2026 | Coverage-aware redemption / Shares Cooldown mechanism | 0 | 0 | 6 | 3 | 10 | PDF
6 | Quantstamp | ~Q1 2026 (new) | Discrete accounting mechanism | - | - | - | - | - | Certificate
7 | Cyfrin | Jun 11, 2025 | Pre-Deposit Vaults | 1 | 1 | 3 | 16 | 9 | PDF
8 | Quantstamp | ~2025 | Pre-Deposit Vaults | - | - | - | - | - | Papermark

Quantstamp reports are hosted on JS-rendered platforms, so finding counts require browser access. Dashes indicate data that was not programmatically extractable.

Total findings across Cyfrin + Guardian reports: 3 Critical, 8 High, 29 Medium, 29 Low (all resolved).

New since previous assessment: Quantstamp audit of the "Discrete accounting mechanism" (engagement #6, published certificate but exact date and finding counts not programmatically extractable). No new audits cover the recently deployed Neutrl/Midas/Saturn markets — those use the same codebase as srUSDe per protocol docs.

Notable Critical/High findings (all resolved):

  • C: Withdrawers of sUSDe always incur a loss (Cyfrin #1) -- Inverted parameters in Tranche::_withdraw caused users to receive significantly less than entitled
  • C: Reserve withdrawal unit mismatch (Guardian #2) -- StrataCDO.reduceReserve forwarded incorrect amounts, breaking internal accounting
  • C: Attacker can drain entire protocol sUSDe balance (Cyfrin #6) -- Incorrect redemption accounting in pre-deposit vault could drain funds
  • H: Withdrawal active requests DoS (Cyfrin #1, Guardian #2) -- Spam tiny withdrawal requests on behalf of another user causing out-of-gas during finalization
  • H: MEV APR front-run (Guardian #2) -- Front-running of APR changes via onAprChanged
  • H: JR tranche bankrun susceptibility (Cyfrin #5) -- SharesCooldown finalization bypassed minimumJrtSrtRatio

Guardian Audits recommended an independent follow-up review after finding 1 Critical + 5 High issues, which was conducted by Quantstamp.

On-Chain Complexity

The architecture is moderately complex:

  • CDO Pattern: Core orchestrator (StrataCDO) connects tranches, accounting, and strategy contracts
  • Multiple Proxy Contracts: Most core contracts use OpenZeppelin TransparentUpgradeableProxy
  • Cooldown Mechanisms: Two-stage withdrawal with ERC20Cooldown and UnstakeCooldown contracts
  • APR Feed System: Onchain APR calculation using Aave data feeds
  • Multi-token deposits: The srUSDe Meta Vault accepts USDe, sUSDe, USDT, USDC, and DAI

Bug Bounty

No active bug bounty program found. Exhaustive search across Immunefi, Code4rena, Sherlock, HackerOne, Safe Harbor, and the protocol's own documentation and GitHub yielded no bug bounty listing, responsible disclosure policy, or security contact for vulnerability reporting. The security documentation covers audits, multisigs, and monitoring but does not mention a bug bounty. This is a notable gap for a protocol with tens of millions in TVL (~$86.8M as of May 19, 2026).

Historical Track Record

  • Time in Production: srUSDe proxy deployed October 2, 2025 (block 23492392). In production for ~7.5 months as of May 19, 2026. Pre-deposit vaults with TVL existed from July 2025 (~10 months with TVL).
  • GitHub Repository: Created September 16, 2025. Public, Solidity-based; last public push Feb 25, 2026 (~3 months ago). Active development continues on private branches (strat/morpho, strat/neutrl, strat/superstate, release/performance-fee) which are not yet merged to public master.
  • TVL History (DeFiLlama, protocol-wide totals):
    Period | TVL | Notes
    Jul 2025 | ~$18M | Pre-deposit vaults / soft launch
    Aug 2025 | $18M - $53M | Steady growth
    Sep 2025 | $53M - $172M | Rapid growth
    Oct 8, 2025 | ~$326M | Peak TVL (ATH)
    Oct 13, 2025 | ~$110M (srUSDe market only) | Official launch on Ethena USDe
    Nov - Dec 2025 | $214M - $221M | Consolidation
    Jan 1, 2026 | $226M | Stable
    Jan 8-17, 2026 | $230M → $122M | First sharp drawdown (~$108M outflow in ~10 days; -62.6% from peak)
    Feb 1-18, 2026 | $132M → $153M | Recovery
    Mar 1-31, 2026 | $172M → $258M | Strong recovery
    Apr 2-4, 2026 | $242M → $114M | Second sharp drawdown (-53% in 2 days)
    Apr 11-22, 2026 | $137M → $128M | Partial recovery, then renewed decline
    Apr 23-25, 2026 | $119M → $84M | Third sharp drawdown (-29% in 2 days)
    May 1-19, 2026 | $82M → $87M | Current range, stable but near multi-month lows
    May 19, 2026 | ~$86.8M | Current (~73% below ATH)
  • TVL Volatility: The protocol has now experienced three distinct large drawdown events (Jan, early Apr, late Apr 2026), each shedding 25-55% of TVL within days. Current TVL sits ~73% below the October 2025 peak. The repeated boom-bust pattern is consistent with large depositor concentration and is likely driven in part by points-program farming behavior.
  • Incidents: No reported security incidents, exploits, or hacks found in this assessment window (Feb 18 - May 19, 2026).
  • Governance Activity (Feb 18 - May 19, 2026):
    • 48h Timelock: 14 CallScheduled and 14 CallExecuted events. Most activity clustered around Feb 23, Apr 8, and May 3 — corresponding to deployments of the new Neutrl, Midas mHYPER/mM1-USD, and Saturn USDat markets (none affect the srUSDe contracts directly).
    • 24h Timelock: 0 events in this window (and 0 since deployment in October 2025). See onchain finding in Centralization & Control Risks below.
  • Exchange Rate (onchain verified May 19, 2026):
    • convertToAssets(1e18) = 1.021541647465871857 USDe per srUSDe (up from 1.013728 on Feb 18, 2026)
    • totalAssets() = 51,909,893 USDe (down from 113,838,466 on Feb 18)
    • totalSupply() = 50,815,249 srUSDe (down from 112,296,907 on Feb 18)
    • Senior tranche underlying assets dropped ~54% over the 90-day window, mirroring the protocol-wide TVL decline.
    • Exchange-rate growth: 1.021541 / 1.013728 = +0.77% over 90 days → ~3.1% annualized yield to the senior tranche over this window (down from the ~3.7% implied at the previous assessment, but in line with the dynamic-yield-split mechanism floored at the Aave benchmark rate).
    • jrUSDe (junior tranche): totalAssets() = ~10,035,113 USDe; totalSupply() = ~9,556,172 jrUSDe. Senior:Junior asset ratio is ~5.17:1; total system collateral (senior + junior) / senior = ~119.3%, well above the 105% coverage circuit breaker.

Funds Management

Deposit/Withdrawal Flow

Deposit: Users deposit USDe (or sUSDe, USDT, USDC, DAI) into the srUSDe Meta Vault. Deposited assets are exchanged for shares proportional to the current exchange rate and passed to the sUSDeStrategy, which stakes them into Ethena's sUSDe vault.

Withdrawal: Uses a multi-stage cooldown mechanism:

  1. ERC20Cooldown: Strategy locks tokens in a cooldown contract for a specified period
  2. UnstakeCooldown: For sUSDe, triggers Ethena's own sUSDe cooldown (currently 7 days)
  3. Each withdrawal request is handled independently per user; new requests do not extend or affect earlier requests
  4. After the cooldown period, tokens can be finalized/withdrawn

Accessibility

  • Deposits: Permissionless. Anyone can deposit USDe, sUSDe, USDT, USDC, or DAI
  • Redemptions: Permissionless but subject to cooldown periods tied to Ethena's sUSDe unstaking
  • Atomic operations: Deposits are single-transaction. Withdrawals require initiation + cooldown + finalization
  • Fees: Performance fees and redemption fees apply (transparent, visible on the app). Exit-fee changes governed by a two-step process via TwoStepConfigManager

Collateralization

  • Backing: srUSDe is backed by the underlying USDe/sUSDe staked in Ethena's vault, with additional over-collateralization from the junior tranche (jrUSDe) which serves as first-loss capital
  • Senior coverage ratio: When it falls below 105%, the protocol may temporarily halt senior minting and junior redemptions to protect the senior tranche
  • Underlying collateral: USDe is Ethena's synthetic dollar backed by a delta-neutral strategy (ETH/BTC spot + short perpetual futures). Ethena maintains proof of reserves via third-party verification
  • Risk hierarchy: Senior tranche (srUSDe) is principal-protected in the base asset and paid first. The junior tranche absorbs losses before any impact to senior holders. However, if the junior tranche is fully depleted, the senior tranche may incur principal losses
  • Reserve mechanism: Part of strategy gains can be allocated to a protocol reserve (configurable via setReserveBps). The reserve could in principle be redistributed to tranche TVL or withdrawn to treasury via distributeReserve, reduceReserve, and setReserveTreasury — however, all three functions require RESERVE_MANAGER_ROLE, which onchain is held only by the 24h Timelock. The 24h Timelock currently has no executor configured (see Centralization section), so none of these reserve-management paths can currently fire. The reserve buffer is therefore effectively frozen at its current allocation and cannot be relied upon as adjustable senior-tranche support until the executor configuration is fixed.

Provability

  • Exchange rate: Calculated onchain via ERC-4626 standard (convertToAssets()/convertToShares()). Anyone can verify
  • Underlying sUSDe balance: Verifiable onchain by checking the strategy's sUSDe holdings
  • Yield calculation: DYS mechanism computes yields onchain using the AprPairFeed contract. Benchmark rate sourced from Aave v3 Core. However, risk-premium parameters (x, y, k) are set by the team
  • Accounting: Onchain Accounting contract tracks raw TVL, balances, inflows/outflows, fees, and reward distribution for both tranches

Liquidity Risk

Primary Exit Mechanisms

  1. Redeem from srUSDe vault: Initiate withdrawal → cooldown period (tied to Ethena's sUSDe cooldown, currently ~7 days) → finalize. Permissionless but not instant
  2. DEX swap: Extremely thin onchain DEX liquidity. Total across all Uniswap V4 pools: ~$135K. Largest pool is srUSDe/USDe at ~$81K with only $425 in 24h volume. No Curve or Balancer pools exist. CoinGecko does not list srUSDe
  3. Pendle markets: The PT-srUSDe-02APR2026 pool referenced in the previous report expired April 2, 2026 (onchain isExpired() = true, expiry() = 1775088000). The successor market PT-srUSDe-25JUN2026 (market 0xfc82267a9e065aaf407f64dadd49bfbdc9511fb1, PT 0x619D75E3b790eBC21c289f2805Bb7177A7D732E2) is live with ~$11.2M LP liquidity as of May 19, 2026 (Pendle API). This trades the fixed-yield PT, not raw srUSDe
  4. Morpho markets: PT-srUSDe-25JUN2026/USDC market exists but is near-empty (~$4.7K supply, 88% utilization on minuscule borrow per Morpho Blue API on May 19, 2026). A raw srUSDe/USDe market exists on Morpho with $0 supply/$0 borrow. The previously-cited ~$14.6M PT-srUSDe-2APR2026/USDC market is no longer active (PT expired)

Withdrawal Restrictions

  • Cooldown period: Withdrawals require a cooldown period linked to Ethena's sUSDe unstaking (~7 days). Not instant
  • Coverage protection: When senior coverage ratio falls below 105%, senior minting and junior redemptions are suspended. This protects senior tranche but could trap capital in extreme scenarios
  • Self-balancing: The coverage mechanism is designed to be self-balancing -- thinner junior coverage attracts more liquidity via higher junior yields

Liquidity Assessment

  • Primary liquidity: The main exit path is through the cooldown-based redemption mechanism (not instant)
  • Secondary market: DEX liquidity remains negligible. Pendle is the most liquid venue with the active PT-srUSDe-25JUN2026 market holding ~$11.2M LP liquidity (down from the ~$21.9M cited at the previous assessment for the now-expired April PT). Morpho PT-srUSDe-25JUN2026/USDC market has effectively no supply (~$4.7K). Raw srUSDe markets remain empty
  • Large holder impact: Given the TVL volatility (~73% drawdown from peak), large holders can exit but it takes time due to cooldowns and the now-thinner secondary market
  • Same-value redemption: srUSDe redeems for USDe (stablecoin-denominated), so price impact risk is minimal for the Morpho use case

Centralization & Control Risks

Governance

Strata uses a layered Role-Based Access Control (RBAC) system in the AccessControlManager (0x1d19E18ECaC4ef332a0d5d6Aa3a0f0f772605f60). The table below was validated onchain on May 19, 2026 by hashing each role string with keccak256 and querying hasRole(role, address) against every known principal. Note the corrections vs. the protocol documentation and the previous assessment (both contained errors for PAUSER_ROLE and RESERVE_MANAGER_ROLE).

Role | Onchain Holder(s) | Description | Key Functions
DEFAULT_ADMIN_ROLE (0x0000…) | 48h Timelock + 24h Timelock | AccessControlManager super-admin (can grant/revoke any role) | grantRole, revokeRole, grantCall, revokeCall
PAUSER_ROLE | Operational Multisig (2/3) (docs/prior report incorrectly state Admin Multisig) | Pause/resume deposits and redemptions | StrataCDO::setActionStates, StrataCDO::setJrtShortfallPausePrice
UPDATER_FEED_ROLE | Operational Multisig (2/3) | Trigger APR refresh and recalculation | Accounting::onAprChanged, AprPairFeed::updateRoundData
UPDATER_CDO_APR_ROLE | AprPairFeed contract + EOA 0x1f3aab5b… | Push APR updates into the CDO | Accounting::onAprChanged (internal-only path)
UPDATER_STRAT_CONFIG_ROLE | 48h Timelock + 24h Timelock (prior report listed 24h only) | Update strategy risk parameters and cooldowns | Accounting::setRiskParameters, sUSDeStrategy::setCooldowns
RESERVE_MANAGER_ROLE | 24h Timelock only (prior report incorrectly listed Admin Multisig) | Redistribute reserves or withdraw to treasury | StrataCDO::reduceReserve, StrataCDO::distributeReserve, StrataCDO::setReserveTreasury
PROPOSER_CONFIG_ROLE | Admin Multisig (3/4) | Propose exit-fee configuration changes | TwoStepConfigManager::scheduleExitFeeChange
DEPOSITOR_CONFIG_ROLE | Operational Multisig (2/3) | Configure the TrancheDepositor accepted-token whitelist and routing | TrancheDepositor::* config
COOLDOWN_WORKER_ROLE | sUSDeStrategy + 24h Timelock + EOA 0x99fe6bb5… | Finalize cooldown unstakes on behalf of the strategy | ERC20Cooldown/UnstakeCooldown worker hooks
Ownable owner() (not a role in ACM) | 48h Timelock | High-level protocol configuration on Ownable contracts (StrataCDO, srUSDe, jrUSDe, Accounting, sUSDeStrategy all return 48h Timelock as owner()) | Accounting::setAprPairFeed, setReserveBps, setFeeRetentionBps, setMinimumJrtSrtRatio[Buffer], UnstakeCooldown::setImplementations, AprPairFeed::setProvider/setRoundStaleAfter

Multisig Details (onchain verified May 19, 2026):

  • Admin Multisig (0xA27cA929…): 3-of-4 Gnosis Safe (getThreshold() = 3). Owners: 0x791fB932…, 0x296400D8…, 0xd796E125…, 0x206cFf3D…. Threshold and owner set unchanged since the previous assessment.
  • Operational Multisig (0x4be3749a…): 2-of-3 Gnosis Safe (getThreshold() = 2). Owners: 0x296400D8…, 0xd796E125…, 0xacE53036…. Two of three signers (0x296400D8…, 0xd796E125…) also sit on the Admin Multisig — the two safes are not fully independent. Unchanged since previous assessment.
  • 48h Timelock (0xb2A3CF69…): getMinDelay() = 172,800. Roles (verified via hasRole): PROPOSER → Admin Multisig; CANCELLER → Admin Multisig + Guardian; EXECUTOR is open (zero-address holds the role, so anyone can execute after the delay). 53 historical CallExecuted events.
  • 24h Timelock (0x4f2682b7…): getMinDelay() = 86,400. PROPOSER → Admin Multisig; CANCELLER → Admin Multisig (Guardian is not assigned CANCELLER on the 24h timelock); EXECUTOR is unset (executor list at deployment was empty per constructor calldata; the zero-address sentinel was not granted, no other principal has been granted since). As a consequence, 0 CallExecuted events in the contract's ~7-month lifetime — see finding below.
  • Guardian (0x277D26a4…): Patrick Collins (Co-Founder & CEO of Cyfrin). Externally-owned account. Holds CANCELLER_ROLE on the 48h Timelock; does not hold CANCELLER on the 24h Timelock and does not hold any role in the AccessControlManager.

Key concerns:

  • Admin Multisig is only 3-of-4 (relatively low threshold) and Operational Multisig is only 2-of-3 (low threshold). Two signers overlap between the two safes, reducing key-set independence.
  • All multisig keys held by internal team -- no external/independent signers.
  • Pause is faster and lower-threshold than previously thought: Operational Multisig (2/3, internal-only) can pause the protocol immediately with no timelock. This is good for emergency response but means a 2-of-3 internal-key compromise can halt user activity.
  • Reserve management is timelocked, not multisig-callable (correcting the prior report): RESERVE_MANAGER_ROLE sits on the 24h Timelock, which must be triggered by an Admin Multisig (3/4) proposal with a 24-hour delay. This materially reduces the "reserve extraction" risk that the previous assessment flagged as critical.
  • 24h Timelock is currently inoperative: no executor was granted at deployment (verified by inspecting both hasRole(EXECUTOR_ROLE, …) for all principals including the zero address, and the deployment-tx constructor calldata which shows executors = []). Combined with the on-chain fact of 0 CallExecuted events since October 2025, this means RESERVE_MANAGER_ROLE and the 24h path of UPDATER_STRAT_CONFIG_ROLE cannot currently fire. For srUSDe this is largely benign because the 48h Timelock holds the same UPDATER_STRAT_CONFIG_ROLE and the same Ownable owner() powers, so strategy configuration can still be updated via the 48h path; reserve treasury withdrawals, however, are blocked outright until an executor is granted (which itself requires a proposal that no one can execute — likely a redeploy or migration would be needed to fix this). Worth flagging to the team.
  • No onchain governance yet (planned for future).

Programmability

  • srUSDe exchange rate: Calculated onchain via ERC-4626 standard. Programmatic, no admin input needed
  • Yield distribution (DYS): Mostly programmatic. AprPairFeed fetches benchmark rate from Aave onchain. However, risk-premium parameters (x, y, k) are set by the team initially
  • APR updates: Triggered by Operational Multisig via updateRoundData. This is a manual trigger for an onchain computation
  • Accounting: Fully onchain. TVL, balances, fees, and reward distribution tracked programmatically
  • Withdrawals: Programmatic cooldown mechanism. No manual intervention needed after initiation

External Dependencies

Dependency | Type | Criticality | Impact of Failure
Ethena (sUSDe/USDe) | Yield source & collateral | Critical | All deposited assets staked in Ethena's sUSDe vault. Ethena insolvency, USDe depegging, or sUSDe exploit would directly impact srUSDe. Senior tranche principal at risk if junior tranche is depleted
Aave v3 Core | Benchmark rate oracle | High | Supply-weighted average of USDC/USDT lending rates used for benchmark. Failure could distort yield calculations and tranche distributions
Gnosis Safe | Multisig infrastructure | High | All governance actions flow through Safe multisigs
Hypernative | Monitoring & alerting | Medium | 24/7 contract monitoring. Not critical for operations but important for security
Ethereum L1 | Settlement layer | High | All contracts deployed on Ethereum mainnet only

Key dependency risk: For srUSDe specifically, Strata has a single critical yield source dependency on Ethena/sUSDe. The benchmark rate relies on a single data source (Aave v3 Core). No documented fallback mechanisms if Ethena or Aave dependencies fail. The AprPairFeed has a setRoundStaleAfter parameter suggesting some staleness detection.

Note on protocol-wide surface area (new since previous assessment): Strata expanded from a single market to five live markets between Feb and May 2026: Ethena USDe (srUSDe — unchanged), Neutrl NUSD, Midas mHYPER, Midas mM1-USD, and Saturn USDat. Each market has its own CDO/Strategy/Accounting/AprPairFeed/AccessControlManager stack but shares the same multisig and timelock governance. This diversifies the protocol's yield mix away from sole reliance on Ethena, but materially increases overall protocol surface area — none of the new markets have undergone the same depth of audit coverage as the original srUSDe codebase, and operational mistakes on any market (e.g. an oracle mis-configuration on the Midas markets) could indirectly affect team focus / incident-response bandwidth for srUSDe. The srUSDe contracts themselves are unchanged.

Operational Risk

  • Team Transparency: Founding team is not publicly named in documentation. Operational team members are not publicly identified. The only publicly named individual is Patrick Collins (Cyfrin CEO), who serves as Guardian (security oversight role, not management). Team is classified as partially anonymous -- known anons at best
  • Documentation: Comprehensive docs at docs.strata.markets covering mechanism, technical architecture, contracts, roles, and risks; updated to cover the four new markets (Neutrl/Midas/Saturn). However, parts of the docs are now out-of-date with onchain state — notably, the docs claim PAUSER_ROLE is held by the Admin Multisig, but onchain it is held by the Operational Multisig. Yearn should treat onchain hasRole results as authoritative
  • Legal Structure: Frontera Labs, Inc., a Delaware (USA) corporation, operates the Interface (front-end) only. The company explicitly disclaims ownership or control of the protocol smart contracts. Protocol contracts are licensed under BUSL-1.1. A planned transition to a Cayman Islands foundation is referenced in the Terms of Service (last updated Nov 28, 2025). US users are geo-blocked. Contact: legal@strata.markets
  • Incident Response: Not formally documented, but the protocol has multiple layers of defense:
    • 24/7 monitoring via Hypernative
    • Guardian (Patrick Collins) can cancel timelock transactions on the 48h Timelock
    • Operational Multisig (2/3) can pause the protocol immediately (no timelock)
  • Open Source: Contracts are public on GitHub. Public branch last pushed Feb 25, 2026; active development is on unmerged feature branches (strat/morpho, strat/neutrl, strat/superstate, release/performance-fee)
  • Points Program: Strata runs a "Strata Points Program" (incentive/airdrop mechanism). Repeated TVL boom-bust cycles in Jan/Apr 2026 are consistent with points-program farming behavior

Monitoring

srUSDe Vault Monitoring

  • srUSDe contract: 0x3d7d6fdf07EE548B939A80edbc9B2256d0cdc003
    • Monitor convertToAssets(1e18) for exchange rate changes (should only increase)
    • Alert: If exchange rate decreases -- indicates potential issue with yield distribution or losses
    • Monitor Deposit, Withdraw events for large deposits/withdrawals (>$1M)
    • Alert: Single deposits/withdrawals >$5M (potential whale activity)

StrataCDO Monitoring

  • StrataCDO: 0x908B3921aaE4fC17191D382BB61020f2Ee6C0e20
    • Monitor senior coverage ratio (should stay above 105%)
    • Alert: Coverage ratio below 105% (triggers protective measures -- junior redemptions halted)
    • Monitor for any pausing events (setActionStates)
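The srUSDe and StrataCDO checks listed above, together with the exchange-rate growth, senior:junior ratio and coverage arithmetic from the Historical Track Record section, as an added example that is not Strata's or Yearn's code. The readings are constructed from the report's Feb 18 and May 19, 2026 figures (the Feb 18 junior figure is not in the report and is left unset); a live monitor would populate them from convertToAssets(1e18) and totalAssets() on the srUSDe and jrUSDe contracts.

```python
# Added example (not Strata's or Yearn's code): health checks over two srUSDe/jrUSDe
# readings. Inputs are CONSTRUCTED from the report's published onchain figures.
from dataclasses import dataclass
from typing import Optional

COVERAGE_BREAKER = 1.05      # StrataCDO 105% senior coverage circuit breaker
REASSESS_TVL_CHANGE = 0.50   # report's reassessment trigger: TVL moves by more than 50%


@dataclass
class Reading:
    day: int                        # days since the first reading (constructed)
    rate_wad: int                   # srUSDe convertToAssets(1e18), USDe per share * 1e18
    senior_assets: float            # srUSDe totalAssets() in USDe
    junior_assets: Optional[float]  # jrUSDe totalAssets() in USDe, None if not sampled


def coverage_ratio(r: Reading) -> float:
    """(senior + junior) / senior: the junior tranche is first-loss capital for srUSDe."""
    return (r.senior_assets + r.junior_assets) / r.senior_assets


def senior_to_junior(r: Reading) -> float:
    return r.senior_assets / r.junior_assets


def annualized_yield(prev: Reading, cur: Reading) -> float:
    """Simple (non-compounded) annualization of exchange-rate growth, as in the report."""
    growth = cur.rate_wad / prev.rate_wad - 1
    return growth * 365 / (cur.day - prev.day)


def tvl_change(prev: Reading, cur: Reading) -> float:
    return cur.senior_assets / prev.senior_assets - 1


def check(prev: Reading, cur: Reading) -> list:
    """Alerts for the transitions the monitoring plan flags, plus the TVL reassessment trigger."""
    alerts = []
    if cur.rate_wad < prev.rate_wad:  # ERC-4626 rate should only ever increase
        alerts.append("ALERT exchange rate decreased: possible loss or yield-distribution fault")
    if cur.junior_assets is not None and coverage_ratio(cur) < COVERAGE_BREAKER:
        alerts.append(f"ALERT coverage {coverage_ratio(cur):.1%} below 105%: "
                      "senior mints / junior redemptions may be halted")
    if abs(tvl_change(prev, cur)) > REASSESS_TVL_CHANGE:
        alerts.append(f"REASSESS senior assets changed {tvl_change(prev, cur):+.1%} since last reading")
    return alerts


# Constructed readings from the report: Feb 18 rate is its 6-decimal figure scaled to 1e18.
FEB_18 = Reading(day=0, rate_wad=1_013_728 * 10**12, senior_assets=113_838_466, junior_assets=None)
MAY_19 = Reading(day=90, rate_wad=1_021_541_647_465_871_857,
                 senior_assets=51_909_893, junior_assets=10_035_113)

if __name__ == "__main__":
    print(f"senior:junior {senior_to_junior(MAY_19):.2f}:1, coverage {coverage_ratio(MAY_19):.1%}, "
          f"annualized yield {annualized_yield(FEB_18, MAY_19):.2%}")
    for alert in check(FEB_18, MAY_19):
        print(alert)
```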

Strategy Monitoring

Governance Monitoring

Ethena Dependency Monitoring

  • USDe peg: Monitor USDe price on DEXes
    • Alert: If USDe deviates >0.5% from $1.00 peg
    • Alert: If USDe deviates >2% from $1.00 peg (critical -- srUSDe value directly impacted)
  • sUSDe vault: Monitor Ethena's sUSDe vault for any anomalies, cooldown period changes

Monitoring Frequency

Category | Frequency | Priority
Timelock scheduled calls (both 48h and 24h) | Real-time | Critical
Proxy upgrade events | Real-time | Critical
Multisig signer/threshold changes | Real-time | Critical
srUSDe exchange rate | Every 6 hours | High
Senior coverage ratio | Every 6 hours | High
USDe peg stability | Hourly | High
Strategy sUSDe balance | Daily | Medium
Protocol TVL changes | Daily | Medium

Reassessment Triggers

  • Time-based: Reassess in 60 days (per reassessment-scan threshold) or sooner if any of the below trigger
  • TVL-based: Reassess if TVL changes by more than 50% (from current ~$87M)
  • Incident-based: Reassess after any exploit, governance change, collateral modification, or Ethena incident
  • Dependency-based: Reassess if Ethena modifies sUSDe mechanics, cooldown periods, or undergoes significant changes
  • Bug bounty: Reassess if/when a bug bounty program is launched (should improve Audits score)
  • Governance-based: Reassess when onchain governance is activated, when risk-premium parameters transition to independent managers, or when the 24h-Timelock executor misconfiguration is resolved
  • Market expansion: Reassess if the new Neutrl/Midas/Saturn markets receive separate audits or if any of them experience an incident (operational spillover risk to srUSDe)