Detailed explanation of RWA DeFi protocol Ondo Finance, which raised $24 million in funding

Overview of Ondo Finance, a RWA DeFi protocol that secured $24M in funding.

Ondo is committed to developing decentralized and composable protocols and providing tailored services to meet the needs of organizations, DAOs, and high-net-worth individuals. The platform aims to bridge the gap between TradFi and DeFi by bringing real-world assets (RWAs) into DeFi.

Original title: “Asset Risk Assessment: Ondo and Flux Finance (OUSG)”

Written by: LLAMARISK

Translated by: Kxp, BlockBeats

Ondo Finance Introduction

Ondo Finance is a blockchain services company that creates and manages institutional-grade financial products such as US Treasury bonds and money market funds, and builds DeFi protocols around these products. Ondo is committed to developing decentralized and composable protocols and providing tailored services to meet the needs of organizations, DAOs, and high-net-worth individuals. The platform aims to bridge the gap between TradFi and DeFi by bringing real-world assets (RWAs) into DeFi.

Ondo Finance was founded by Nathan Allman in 2021 and has raised $24 million in funding from investors including Blockingntera Capital, Founders Fund, Coinbase Ventures, and Tiger Global. Team members have backgrounds at various institutions and protocols including Goldman Sachs, Fortress, Bridgewater, and MakerDAO.

Legal Structure

Link: Ondo Legal Documents

Ondo Finance adopts a standard fund structure, including limited partners and general partners, as well as third-party service providers such as qualified custodians, fund administrators, and treasury auditors.

The following is an overview of Ondo’s own legal structure:

  • Ondo Finance Inc: Parent company

  • Ondo I GP: General partner (GP) responsible for managing the fund and guiding service providers.

  • Ondo Capital Management LLC: Investment manager (Ondo IM) that works with the GP to manage the fund.

  • Ondo I LP: A Delaware limited partnership that receives capital contributions from investors and holds assets with third-party service providers. It is the issuer of OUSG.

Ondo Finance takes extensive security measures and partners with reputable service providers such as Coinbase and Clear Street to ensure the safe and efficient management of funds. Qualified custodians are institutions approved by regulatory authorities that hold customer assets in separate accounts in the customer’s name.

Ondo uses the following third-party fund service providers:

  • Clear Street : Securities broker and qualified custodian that manages the fund’s off-exchange assets and trade orders.

  • NAV Consulting Inc. : Provides third-party administrative services, including daily calculation of the fund’s net asset value.

  • Coinbase Prime : Holds stablecoins, converts stablecoins to USD, and sends money to Clear Street as instructed by the investment manager.

The following chart shows the relationships between these entities (from a MakerDAO forum proposal):

  1. Ondo Finance wholly owns the investment manager and general partner

  2. The investment manager is responsible for buying and selling ETFs

  3. The general partner acts as the fund’s general partner

  4. OUSG investors send stablecoins to the fund’s Coinbase account, purchase OUSG, and the fund sends OUSG to OUSG investors

  5. The fund engages Coinbase to hold stablecoins, convert stablecoins to USD, and send money to Clear Street as instructed by the investment manager

  6. The fund engages Clear Street to provide primary brokerage services and uses Clear Street to hold and trade assets

  7. The investment manager instructs Clear Street (CS) to execute trades, settle, and hold the fund’s assets in the fund’s CS account

The fund has established access controls to ensure security, particularly with regard to third-party transfers. Coinbase’s account only allows for USD wire transfers to be sent to Clear Street’s account. Clear Street’s account wires are sent and received via its bank, BMO Harris, while Coinbase’s wires are sent and received via its bank, Customer’s Bank. To approve another account for wire transfers, the fund must first receive a wire transfer from that bank account to the fund’s Coinbase account, then work with a Coinbase representative to configure that bank as a trusted withdrawal destination. In addition, Ondo also retains standards for approving new bank accounts as transfer destinations.

Ondo I LP: OUSG Fund

Link: Ondo I LP Investor Files

Ondo I LP Fund was created in February 2023, and its first product is Ondo US Short-term Government Bonds (OUSG). The iShares Short-term Bond ETF (SHV) is the only underlying asset of the fund, which is an index of US government bonds with a term of less than one year. As of May 15th, the ETF’s net assets were $23.4 billion, with an average daily trading volume of over $300 million.

The fund automatically reinvests the dividends generated by its holdings. The fund’s expenses include the ETF management fee (0.15%) of the underlying asset and the management fee (0.15%) charged by Ondo, with a total expense cap of 0.3%.

NAV Consulting issues daily account balance and balance sheet proofs. Based on this calculation, Ondo updates the contract price of OUSG every day. OUSG investors also regularly receive monthly updates on the fund’s net asset value from NAV Consulting, and the fund will undergo an annual audit.

The following figure shows the most recent proof of the fund administrator, which discloses the portfolio asset accounts (“Long Portfolio Value”) and various cash accounts of the fund’s liabilities.

This proof can be compared with the outstanding supply of OUSG and the latest on-chain share price update (lastSetMintExchangeRate() in the CashManager contract). The current on-chain value is $118.4 million, which matches the NAV proof in the above image.

Through an examination of Ondo Finance’s documents, including trial balances, account statements, and balance sheets, and a comparison with on-chain data, we found no substantial differences between NAV Consulting’s reports and on-chain data.

On the over-the-counter protection side, OUSG holders have SIPC insurance coverage at Clear Street, with a maximum insurance amount of $500,000, as Ondo Finance has an account with Clear Street, which is a SIPC member broker-dealer. However, the amount of SIPC insurance coverage is not significant compared to the value of Ondo I LP fund assets. It is also worth noting that the “Ondo I LP” account is a “cash account” (not a “margin account”), so Clear Street cannot re-pledge account securities.

The legal documents involved in the fund can be obtained in this Dropbox, including a detailed disclosure of the risk factors related to the fund in the Private Placement Memorandum.

Investment Process

OUSG shares are issued as Tokens on the Ethereum blockchain and can be minted/redeemed on US business days. These operations are handled by the Ondo Ops team, with accounting services provided by the fund administrator (NAV Consulting). When redemption demand is high, the fund may not have sufficient liquidity on hand, and Ondo expects that redemption requests may take 2-3 days to process.

OUSG can be minted with at least $100,000 of USDC or DAI. It is available to both US and non-US persons, although access to mint, redeem, and transfer OUSG is restricted. Ondo uses smart contracts to enforce these transfer restrictions. Investors must undergo KYC/AML/CFT screening and must be both “accredited investors” and “qualified buyers”. Whitelisted users can only transfer their Tokens to other whitelisted addresses on-chain. Whitelist addresses are stored in the KYC registration contract and processed by Ondo’s multi-signature management.

The following workflow outlines the process for investors to subscribe to and redeem the stablecoin:

Subscription (Issuance) Workflow:

  1. Complete KYC/AML process with Ondo, provide required documents and pass automated screening.

  2. Review and sign fund documents.

  3. Provide Ethereum wallet address for whitelisting to subscribe, receive fund Token, and redeem.

  4. Send USDC to the fund’s smart contract to subscribe.

  5. The smart contract records your subscription request and immediately transfers the USDC to Coinbase Custody’s fund account.

  6. After calculating the next daily net asset value and accepting your subscription request, you will receive OUSG representing your share in the fund.

  7. Ondo IM uses Clear Street to purchase ETFs in USD.

  8. Increases the value of the fund by reinvesting by purchasing more ETF shares.

Redemption Workflow:

  1. Submit a redemption request by sending OUSG to the cash manager’s smart contract.

  2. The smart contract records your redemption request.

  3. Once the next daily net asset value is calculated and your redemption request is accepted, Ondo IM will sell enough ETF shares to pay your redemption amount.

  4. Clear Street will wire the corresponding USD to Coinbase and convert it into USDC.

  5. Ondo IM will complete the redemption request and distribute USDC to the user’s wallet.

OUSG Access Control

Ondo authorizes fund flows between its authorization blockchain and its fund account service providers (Coinbase Prime for stablecoin and USD conversions and Clear Street brokerage accounts for ETF custody and trading). Permissions and approvals for fund transfers have been established through custody agreements between Ondo, Coinbase, and Clear Street. Measures have been taken to securely build access between brokerage and bank accounts to minimize employee access to fund accounts.

Ondo uses two multisignatures to manage the on-chain portion of its system. The team claims that each member is an Ondo employee and requires the use of a hardware wallet for signing.

Ondo 3-of-6 Cash Management Multisignature

  • Configure minimum redemption and subscription amounts on the CashManager contract.

  • Configure rate limiter parameters on the CashManager contract (i.e., the number of redemptions and subscriptions that can be processed in a day).

  • Configure fee receiver on the CashManager contract (currently fee is turned off).

  • Set the OUSG minting rate.

  • Mint OUSG to fulfill subscription demand.

  • Suspend CashManager contract functionality in an emergency.

  • Burn OUSG in an emergency.

  • Upgrade OUSG implementation contract in an emergency.

  • Execute one-to-many functionality on the CashManager contract in case users accidentally transfer tokens to the CashManager contract.

Ondo 3-of-7 Redemption Multisignature

  • Can send stablecoins owned by it to fulfill redemption demand via the CashManager contract.

Flux Finance Overview

Flux Finance is a decentralized lending protocol developed by the Ondo Finance team and governed by the Ondo DAO (ONDO token holders). It is a fork of Compound v2 with minor modifications to handle permissioned tokens like OUSG. The protocol offers various tokens available for borrowing, such as USDC, DAI, USDT, and FRAX. OUSG is the only collateral asset and cannot be borrowed.

The main goal of Flux is to create utility for OUSG assets and promote the process of bringing real-world assets onto the blockchain in a compliant manner. This decentralized finance (DeFi) approach aims to ensure that each token operates within the appropriate framework, promoting an environment of balanced accessibility and compliance.

The following figure shows the interaction between the Ondo and Flux ecosystems:

fTokens

fTokens are similar to the common cToken standard of Compound. Flux Finance allows borrowers to earn interest by providing stablecoins to the platform and minting fTokens. These ERC-20 tokens represent balances on the protocol and earn interest through the fToken/token exchange rate. The interest earned by the protocol is not directly distributed to borrowers, but over time the exchange rate of fTokens increases, allowing users to exchange more assets as interest accumulates. The supply and lending rates of Flux Finance are algorithmically determined based on supply and demand.

fTokens have additional functionality to support restrictions on permission tokens, so fOUSG can only be transferred between addresses that are on the whitelist. Any interaction with fOUSG, including minting, redemption, or transfer, is checked against the kycRegistry contract, which stores whitelisted addresses. In addition, if a transfer would cause a borrower’s account liquidity to become negative, the transfer will fail, ensuring the stability and security of the protocol.

Several parameters that affect the OUSG lending market are set in the Unitroller contract:

  • Collateral factor: a value between 0 and 98%, representing the value that can be borrowed relative to the value provided.

  • Close factor: a value between 5% and 90%, representing the amount of borrowings that can be repaid in a single liquidation transaction for a liquidatable account.

  • Liquidation discount: the additional percentage share of the liquidation value sent to liquidators as compensation.

Currently, the OUSG collateral factor is set to 92%, the close factor is set to 50%, and the liquidation discount is set to 5%.

Tokens that can be borrowed or lent on Flux (with fToken contracts) are as follows:

  • Flux USDC (fUSDC)

  • Flux DAI (fDAI)

  • Flux USDT (fUSDT)

  • Flux FRAX (fFRAX)

Tokens that can be used as collateral on Flux (with fToken contracts) are as follows:

  • Flux OUSG (fOUSG)

According to the TVL calculation method used by DeFi Llama, as of early May 2023, the total locked value of the Flux protocol was $57.95 million, of which 60% was OUSG. USDC has the largest supply (lendable) of assets, followed by DAI.

OUSG/fToken Market Dynamics

Currently, there are 33 OUSG holders. The largest holder is Flux Finance (fOUSG), which accounts for approximately 31.05% of the total supply. Considering that OUSG currently only generates capital gains as collateral on the Flux protocol, the relationship between fOUSG supply and total OUSG supply can be used as an indicator to measure the relationship between utilization rate and potential (maximum) OUSG capacity.

Regarding the permissionless portion of the protocol, fUSDC has 420 token holders, fDAI has 160, fUSDT has 76, and fFRAX has only 7 holders. Although the supply (lending) rate is competitive compared to larger money market protocols, on-chain adoption seems relatively low.

From the above figure, we can see that the utilization rate of permissionless fTokens is about 90%, reaching an equilibrium state, where OUSG income (basic asset – SHV ETF income) matches the borrowing cost of supported stablecoins. Given that permissionless fTokens can only be borrowed, while permissioned token OUSG is specifically used as collateral, it can be inferred that permissionless fTokens represent the maximum capacity for borrowers to borrow without negative debt annual percentage yield (APY) at 90% utilization rate.

  • Loan APY at 90% utilization rate: 4.41%

  • Loan APY at 91% utilization rate: 4.78%

By calculating the management cost and correspondingly reducing the annualized yield of the underlying collateral, the current depositors’ yield for OUSG is 4.3%. In contrast, the average borrowing cost is 4.575%, which is relatively small for borrowers overall.

Given the utilization rate of the current lending protocol (and corresponding fTokens), it is beneficial to add/allocate some external productivity to fTokens to meet the demand for using OUSG as collateral.

Curve fUSDC/fDAI Pool

The usage of the Flux Curve pool has been very low despite being deployed only a month prior to the writing of this article. The pool has had $2 million in funds contributed by the team’s multi-signature wallet, but there has been no substantial trading volume yet.

The pool was deployed as a V2 pool for assets that are not held in a 1:1 peg. This is to account for the differences in interest accrual between fUSDC and fDAI. The team aimed to get as close to an XY=k parameter pool as possible while rebalancing liquidity. They chose the minimum values for A and gamma parameters, which is an unconventional choice that the team believed was most appropriate for the pool’s purpose.

The protocol aims to achieve the optimal borrowing rate, with borrowing rates quickly increasing once surpassing the optimal rate. The Curve pool can help with fToken arbitrage near the optimal rate, while additional incentives on Curve may increase demand for Flux lending.

Other DeFi Integrations

The Ondo Finance team has started working on the composability of fTokens. Aside from the current Curve proposal, they have also submitted a proposal to MakerDAO. MIP119 proposes to create a reserve of 500 million DAI for Flux Finance’s DAI lending pool.

Recently, another proposal with Frax went through a snapshot vote to activate an AMO that lends up to 2 million FRAX on Flux. The funds for this proposal are still awaiting deployment.

Flux Finance Governance

Flux Finance is governed by the Ondo DAO. ONDO holders have control over the protocol’s economic parameters, smart contract upgrades through on-chain proposals, and OUSG oracle and lending protocol rate model contracts. Although ONDO is currently not transferable, users can use the token to vote on DAO proposals or delegate voting power to other accounts.

The governance of the Ondo DAO follows a standard two-step process:

  • Forum discussion

  • On-chain voting (managed by Tally)

The maximum total supply of ONDO is set to 10 billion ONDO and is distributed according to the following token allocation and unlocking schedule:

When this article was written, ONDO had 9,770 holders, all of whom completed KYC in public sales and private placement activities. These token distribution plans were carried out through the Coinlist platform, which allocated 11.31% of the total ONDO supply. The remaining undistributed ONDO accounts for 88.69% of the supply and is held in a treasury multisignature wallet.

According to the Ondo DAO governance configuration file on Boardroom, the platform has proposed six proposals since its launch, with 762 participating voters casting a total of 1,589 votes. When reviewing delegation, the two largest accounts (Account 1 and Account 2) collectively account for approximately 70% of the total DAO voting power. Although these accounts have voting restrictions, they can create and submit new proposals.

The two accounts with the highest voting power in Ondo DAO hold 202,806,000 ONDO, contributing approximately 70% of the DAO’s voting weight. However, these accounts are subject to voting restrictions, and the remaining 30% of weighted voting power is available, which is equivalent to approximately 86,916,850 ONDO. Three representatives collectively occupy 65.28% of the total weighted voting power, including:

  1. glassmarkets.eth – about 240.63 million VP (894 delegates)

  2. 0xcd7979e12E2A502a280270827077Fd7f206f9a44 (inactive in previous proposals) – about 205.2k VP (193 delegates)

  3. vexmachina.eth – 12.164 million VP (33 delegates)

The voting restrictions on the two accounts mentioned above are set by the Tally page administrator.

It is clear that the Ondo Finance team has control over all decisions regarding the Flux protocol. Although the Tally page declares that the two accounts with the highest voting power are non-voting accounts, this provision is not implemented (restricted) in the Governor smart contract. In this case, “non-voting” accounts can participate in the voting process at any time.

Flux Finance multisignature account

Flux uses two multisig accounts for treasury and operational management in addition to the Ondo multisig accounts used to manage OUSG assets. Flux claims that all members are employees of Flux Finance, a company based in the British Virgin Islands. These wallets include:

Flux Protocol Treasury Account 3/6 multisig

  • Holds over 88.7% of the ONDO supply

Neptune Foundation (fluxfinance.eth) 3/6 multisig

  • Controls Flux protocol’s interest rate model and Oracle contract until FIP-04 is implemented. The multisig authority has been transferred to the DAO.

fluxfinance.eth provides ongoing periodic price data for OUSG, but restricts daily price changes to no more than 100 basis points. This restriction is enforced by this address. Integration with Chainlink is being tested on the mainnet and is expected to be completed in the near future.

Risk vectors

Smart contract risk

The Ondo Finance smart contracts have been audited by code4rena, which assessed the security and potential vulnerabilities of the code. The audit evaluated 19 smart contracts, 5 abstracts, and 6 interfaces, totaling 4,365 lines of Solidity code.

The Ondo team worked with C4A to address any major vulnerabilities in the smart contracts. C4A auditors identified 6 unique vulnerabilities, with one categorized as a high-risk vulnerability and five categorized as medium-risk vulnerabilities. In addition, the audit included 54 reports detailing low-risk or non-critical issues, as well as 24 suggested gas optimization reports.

A critical high-risk issue was identified as “loss of user funds when completing cash redemptions,” which involved the completeRedemptions function in the CashManager contract. The issue arose when the amount refunded in a given period was not updated in the totalBurned storage variable for that given period. If the administrator uses multiple calls to the completeRedemptions function to complete refunds and redemptions at different steps or stages in the given period, any refunded amounts will not be considered in subsequent calls to the function. This discrepancy may result in users receiving fewer collateral tokens than expected, even if they redeem the same amount of CASH, resulting in loss of user funds. The Ondo team worked with C4A to address this vulnerability.

Among the medium-risk issues, the “initial deposit vulnerability” found in the Compound v2 smart contract is worth noting. This vulnerability allows attackers to take over the funds of the initial depositor of a newly deployed cToken contract. The Ondo team has solved this problem by forcing a minimum deposit, which is achieved by minting a small amount of cToken units to the 0×0 (burn) address during the first deposit, which cannot be withdrawn.

Flux Finance maintains an active bug bounty program on its protocol smart contracts, hosted on ImmuneFi. The program is divided into four categories based on the severity or impact of the discovered vulnerabilities, offering bounty payments ranging from $1,000 to $550,000:

Ondo Finance has already paid out a bug bounty, awarded to security researcher Ashiq Amien on January 26, 2022. The issue was related to the TrancheToken smart contract, which was part of Ondo Finance’s first product, Ondo Vaults. Ondo Vaults was a financial protocol built on top of Uniswap, predating OUSG, and has since been discontinued.

Governance Risk

Flux Finance employs a two-stage governance process, consisting of forum discussion and on-chain voting, to ensure community participation and mitigate potential risks. Governance proposals are typically posted on the Flux Finance governance forum, where community members and the team can provide feedback. While this step is not mandatory, it increases the likelihood of a proposal achieving good consensus and success.

After the forum discussion, the final proposal is submitted for a binding on-chain vote. Flux Finance’s DAO is a fork of Compound’s Governor Bravo, and on-chain voting is managed through Tally. Voting power is determined by ownership of ONDO, and holders can delegate their voting power to other wallets.

Key DAO parameters include:

  • Proposal threshold: requires at least 100 million ONDO voting power to submit a proposal, which helps prevent spam or malicious proposals.

  • Voting period: community members can vote within a 3-day window.

  • Quorum: a proposal requires at least 1 million ONDO voting power to pass.

  • Time lock: there is a 1-day delay period between the end of the voting period and the successful execution of a proposal.

This governance structure ensures community participation, reduces risk, and promotes transparency in the Flux Finance decision-making process.

When reviewing the voting distribution of Ondo DAO on Tally, we observe that the governance appears highly centralized. Two governance accounts, “glassmarkets.eth” and “vexmachina.eth,” collectively hold approximately 34.91 million ONDO (including delegated tokens). These two accounts collectively hold a significant voting power compared to the proposal with the highest participation rate, accounting for approximately 73.57%.

Furthermore, the voting power distribution within the platform is relatively centralized, with three wallets holding a total of 65.28% of the total voting power (currently eligible to vote). This centralization of influence may raise concerns about platform governance and decentralization, emphasizing the need for a more balanced distribution of voting power among participants.

This centralization of voting power has raised concerns about the influence of these entities on Ondo DAO’s governance decision-making process. For example, an entity like GlassMarkets only holds 57 ONDO but has 894 addresses delegated to it, making it the largest voter in the DAO.

Custodial Risk

When assessing centralized risks, it is important to consider the underlying assets and infrastructure supporting the Ondo Finance ecosystem. OUSG is not directly backed by US Treasuries but by the SHV ETF, which tracks the ICE Short US Treasury Bond Security Index. SHV is the iShares Short Treasury Bond ETF managed by Blackrock with an asset size of approximately $23 billion.

Another centralized risk aspect within the Ondo Finance platform is its reliance on centralized exchanges such as Coinbase and Clear Street brokerage platforms. Dependence on centralized service providers may expose the platform to counterparty risk and regulatory uncertainty from these institutions.

To address concerns about token support and transparency, Ondo Finance leverages third-party service providers such as NAV Consulting, a fund management company responsible for directly verifying fund assets from bank and custodial accounts. In addition, the fund undergoes independent annual audits. While Ondo Finance manages tokenization through its smart contract, the fund administrator is responsible for maintaining off-chain records and providing monthly reports to investors. This process ensures daily reconciliation between token records and off-chain records.

Mortgage Risk / Solvency Risk

During extreme market volatility, there is a possibility of accumulating bad debts, although this risk can be considered quite low. Users should be aware of the limitations and vulnerabilities that may lead to solvency risk.

The settlement on Flux is similar to Compound V2. When the loan-to-value ratio (LTV) of an account is insufficient, the account will be liquidated. At this point, third-party liquidators can pay off some of the borrower’s debt and take over the corresponding collateral at a discounted price. However, unlike Compound, Flux’s liquidation complies with OUSG’s KYC requirements. To liquidate with OUSG as collateral, the liquidator must complete KYC and be whitelisted to hold the Token. A limited pool of authorized liquidators may increase the likelihood of liquidation not being completed in a timely manner.

Liquidation is expected to be rare. Flux currently only supports stablecoin markets, which are usually not very volatile. However, in extreme volatility, when the LTV increases rapidly and cannot be liquidated in time, the net value of the account may become negative, resulting in the protocol and its borrowers accumulating bad debts. The assets of Flux Finance are usually very stable, so the accumulation of bad debts is highly unlikely. As an additional security mechanism, Flux’s stablecoin oracle will never price stablecoins above 1 USDC, reducing the risk of external oracle manipulation.

The Flux team’s assessment of the possibility of bad debts is as follows:

Considering that the assets of Flux (tokenized bonds) are usually very stable, bad debt accumulation on Flux should be highly unlikely. Since its founding in 2007, the maximum weekly frequency of SHV short-term bond ETF is less than 0.5%. Considering that the loan liquidation for OUSG starts from 92% LTV, this provides a huge safety margin for Flux borrowers.

In the unlikely event of bad debt accumulation, Flux’s market reserve will be used first to make up for the losses. If the reserve is insufficient, some borrowers may not be able to withdraw their assets.

Oracle Risk

The tokenized security protocol adopts NAV Consulting’s daily updated price feedback mechanism to ensure accurate valuation of underlying collateral. This is only a temporary solution, and the Ondo team is developing an on-chain oracle to provide real-time price updates.

NAV Consulting has limited API access to Coinbase and Clear Street fund accounts, with read-only access to data. NAV Consulting calculates the net asset value (NAV) of each token using a specific method, which can be described in three steps:

  • Sum the present value of all fund assets (SHV shares, cash, and stablecoins)

  • Subtract the fund’s accrued fees and management fees

  • Finally, divide the result by the total number of tokens

Using NAV Consulting’s calculation, Ondo updates the contract price daily.

Flux Finance recently implemented a governance proposal to increase transparency in price feedback and reduce dependence on the team. One of the key components of the proposal is the deployment of a new oracle controlled by Ondo DAO. This oracle will serve as the primary mechanism for retrieving underlying asset prices for the Flux Finance protocol. The proposal also implemented a 100 basis point limit on daily price fluctuations for OUSG, effectively reducing risks associated with price volatility.

The newly implemented price oracle, FluxOracle, is used to manage the market. The contract hardcodes the prices of the underlying assets for stablecoin fTokens (oracle type -1) and checks for authorized fTokens using RWAOracleRateCheck, currently only for fOUSG (oracle type -2). Additionally, the contract provides the option to configure Chainlink oracles (oracle type -3).

FluxOracle contract also implements role-based access control, where DEFAULT_ADMIN_ROLE can set roles for any address for each oracle type:

  • STABLECOIN_HARDCODE_SETTER_ROLE

  • TOKENIZED_RWA_SETTER_ROLE

  • CHAINLINK_ORACLE_SETTER_ROLE

All roles are set to a time-lock contract controlled by Ondo DAO.

Flux has been testing Chainlink price feedback for SHV/USD. The price feedback has been deployed and they are testing a contract on the mainnet that updates prices based on SHV/USD feedback restrictions. In the near future, this contract will be used by the official Flux oracle.

Llama Risk Assessment Criteria
Centralization Factor

1. Is a single entity capable of deceiving users?

Although individual entities may manipulate the protocol, multiple safeguards have been implemented to minimize this risk. Ondo Finance uses three multisignature wallets (Ondo management multisig, OUSG redemption multisig, and ONDO holder multisig), each of which requires at least three signatures to execute.

While this theoretically allows for collusion among the three multisignature signers to manipulate the system, the multisignature requirement adds an additional layer of security. This structure helps mitigate the risk of a single entity disrupting the protocol and ensures decision-making power is dispersed among multiple parties.

2. Can the project continue to operate if the team disappears?

As an entity-based securities issuer, OUSG has a full reliance on the team’s ongoing operations to manage Ondo I LP (Fund).

The Flux protocol currently requires manual price updates by the team, although it may transition to Chainlink price feeds in the near future. At that point, Flux can operate entirely autonomously (although the project still relies on Ondo’s ongoing operations as the Flux team is also the Ondo team).

Economic Factors

1. Does the project’s feasibility depend on additional incentive measures?

Ondo Finance’s ongoing feasibility does not depend on additional incentive measures. The project prioritizes its fundamental financial services in its development, indicating its sustainability isn’t reliant on external incentive measures. However, monitoring any future developments or changes to the project’s structure that may affect its risk profile is crucial.

2. If demand falls to zero tomorrow, can all users be reimbursed?

If demand were to fall to zero tomorrow, OUSG is backed by the SHV ETF, which aims to provide a basis for redemption. In this scenario, the SHV ETF’s backing is designed to ensure Ondo Finance has the ability to continue fulfilling redemption requests, providing all users with reimbursement, and offering a degree of financial security and assurance. SHV is highly liquid, with an average daily trading volume of over $300 million, and short-term bonds are less susceptible to changes in interest rates.

The risks of fixed income generally still exist, with interest rate risk and credit risk being the primary focus. Generally, as interest rates rise, bond values tend to decline. Credit risk involves the possibility that the bond issuer may be unable to fulfill obligations related to principal and interest payments. Investors should understand clearly that their investment in the Fund is not insured or guaranteed by the FDIC or any other government agency. These risks are related to the overall US Treasury market and not to Blackrock/Ondo specifically.

Security Considerations

1. Did the audit uncover any worrisome signs?

The audit of Ondo Finance’s smart contract by C4A did indeed uncover several vulnerabilities, including one high-risk issue and five medium-risk issues.

However, the Ondo team worked closely with C4A to address any critical vulnerabilities in the smart contract. The high-risk finding, titled “User Fund Loss upon Completion of CASH Redemption,” has been resolved in collaboration with the auditing team.

Risk team recommendations

After evaluating Ondo Finance and Flux Protocol, we believe they operate well within acceptable risk parameters, but we also recognize areas for improvement to enhance the platform’s security, decentralization, and transparency:

Address the centralization of governance and voting power in the Ondo DAO. Implementing mechanisms to reduce the centralization of voting power can promote a more decentralized and democratic governance system. Ensuring that the decision-making process is more inclusive and that influence is distributed among more participants is essential.

Improve the security and stability of Ondo Finance by addressing potential risks in smart contracts, oracles, and collateral. Regular audits and updates to the platform’s security features will help build a stronger and more reliable ecosystem. It is crucial to address all identified vulnerabilities and take measures to prevent future issues.

Enhance the transparency of Ondo Finance’s operations by providing more detailed documentation on platform functions, risks, and mitigation strategies. This will enable users to make informed decisions about participating in the platform and increase understanding of project goals and potential risks.

In our collaboration with the Ondo and Flux teams, we found them to be highly professional and taking all reasonable precautions to ensure the security of the system and provide assurances to users. We believe Flux is an excellent demonstration of bringing real assets that comply with regulatory requirements into DeFi and look forward to further integration with Curve.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more