Github Overview

Summary of Ethena Core Contracts

USDe.sol

USDe.sol is the contract of USDe. It extends ERC20Burnable, ERC20Permit and Ownable2Step from Open Zepplin. There's a single variable, the minter address that can be modified by the OWNER. Outside of Ownable2Step contract owner only has one custom function, the ability to set the minter variable to any address.

The minter address is the only address that has the ability to mint USDe. This minter address has one of the most powerful non-owner permissions, the ability to create an unlimited amount of USDe. It will always be pointed to the EthenaMinting.sol contract.

EthenaMinting.sol is the contract and address that the minter variable in USDe.sol points to. When users mint USDe with stETH (or other backing) or redeems backing for USDe, this contract is invoked.

The primary functions used in this contract is mint() and redeen(). Users who call this contract are all within Ethena. When outside users wishes to mint or redeem, they perform an EIP712 signature based on an offchain price provided to them. They sign the order and sends it back to Ethena's backend, where a series of checks are run and are the ones who take their signed order and put them on chain.

By design, Ethena will be the only ones calling mint(),redeem() and other functions in this contract.

In the mint() function, order and signature parameters comes from users who wish to mint and performed the EIP 712 signature. route is generated by Ethena, where it defines where the incoming assets from users go to. The address in route defined must be inside _custodianAddresses as a safety check, to ensure funds throughout the flow from users end up in custodial solutions within a single transaction. Only DEFAULT_ADMIN_ROLE can add custodian address.

Similar to minting, user performs an EIP712 signature with prices provided by the system. Their signature is submitted and order into redeem() function. The funds from redemption come from the Ethena minting contract directly. Ethena aims to hold a certain amount of backing assets at all times for hot redemptions. Users intending to redeem a large amount will need to redeem over several blocks. Alternatively they can sell USDe on the open market.

Some users trade through smart contracts. Ethena minting has the ability to delegate signers to sign for an address, using setDelegatedSigner. The smart contract should call this function with the desired EOA address to delegate signing to. To remove delegation, call removeDelegatedSigner. Multiple signers can be delegated at once, and it can be used by EOA addresses as well.

By setting a delegated signer, the smart contract allows both the order.benefactor and delegated signed to be the address that's ecrecovered from the order and signature, rather than just order.benefactor.

Security

EthenaMinting.sol have crucial roles called the MINTER and REDEEMER. Starting with MINTER, in the original design, they have the ability to mint any amount of USDe for any amount of backing assets. Given MINTER is a hot wallet and is an EOA address, in the scenario where this key becomes compromised, an attacker could then mint a billion USDe for no backing, and dump them on pools, causing a black swan event the reserve fund cannot cover.

The solution is to enforce an on chain mint and redeem limitation per block. In addition, the contracts have GATEKEEPER roles with the ability to disable mint/redeems and remove MINTERS,REDEEMERS. GATEKEEPERS acts as a safety layer in case of compromised MINTER/REDEEMER. They will be run in separate AWS accounts not tied to Ethena, constantly checking each transaction on chain and disable mint/redeems on detecting transactions at prices not in line with the market. In case compromised MINTERS or REDEEMERS after this security implementation, a hacker can at most mint 100k USDe for no backing, and redeem all the backing within the hot contract, for a max loss in a single block, before GATEKEEPER disable mint and redeem. The loss would not be expected to materially affect operations.

Further down the line, there has been considerations to give external organisations a GATEKEEPER role. Such an external organisation would only be expected to invoke the gatekeeper functions when price errors occur on chain. Abuse of this privilege means their GATEKEEPER role will be removed.

The DEFAULT_ADMIN_ROLE is required to re-enable minting/redeeming. DEFAULT_ADMIN_ROLE also has the power to add/remove GATEKEEPERS,MINTER and REDEEMER.

DEFAULT_ADMIN_ROLE is the most powerful role in the minting contract, but is still beneath the OWNER role of USDe.sol, given that the owner can remove the minting contract's privilege to mint.

StakedUSDeV2.sol is where holders of USDe stablecoin can stake their stablecoin, get stUSDe in return and earn yield. Protocol yield is transferred out by having a REWARDER role of the staking contract send protocol yield in USDe, increasing the sUSDe value with respect to USDe.

This contract is a modification of the ERC4626 standard, with a change to vest in rewards linearly over 8 hours to prevent users frontrunning the transfer of protocol yield, then unwinding their position right after (or even in the same block). This is also the reason for REWARDER role. Otherwise users can be denied rewards if random addresses send in 1 wei and modifies the rate of reward vesting.

There's also an additional feature to add a 14 day cooldown period on unstaking sUSDe. When the unstake process is initiated, from the user's perspective, sUSDe is burnt immediately, and they will be able to invoke the withdraw function after cooldown is up to get USDe in return. Behind the scenes, on burning of sUSDe, USDe is sent to a seperate silo contract to hold the assets for the cooldown period. And on withdrawal, the staking contract moves those funds from silo contract out to the user's address. The cooldown is configurable up to 90 days.

Due to legal requirements, there's a SOFT_RESTRICTED_STAKER_ROLE and FULL_RESTRICTED_STAKER_ROLE. The former is for addresses based in countries that are restricted from accessing the protocol for regulatory reasons, for example USA. Addresses under this category will be soft restricted. They cannot deposit USDe to get sUSDe or receive USDe for sUSDe.

FULL_RESTRCITED_STAKER_ROLE is for any address associated with sanctioned individuals or associated with users suspected to be operating within a country subject to comprehensive sanctions, or for addresses associated with criminal activity, or if we get a request from law enforcement to freeze funds. Addresses fully restricted cannot move sUSDe, and only Ethena can unfreeze the address. Ethena also has the ability to repossess funds of an address subject to full restrictions. It is understood that having the ability to freeze and repossess funds could be a cause of concern for defi users deciding whether to stake USDe; while the aim is to make operations as secure as possible, interacting with Ethena still requires a certain amount of trust outside of code on the smart contract, given the nature of the architecture.

Note this restriction only applied to staking contract, there are no restrictions or ability to freeze funds of USDe.

Ethena utilises a gnosis safe multisig to hold ownership of its smart contracts. All multisig keys are cold wallets and each multisig requires 7/10 or more confirmations before transactions are approved. This multisig is purely for the purpose of owning the smart contracts, and will not hold funds or do other on chain actions.

Last updated