[ARFC] Add rlUSD to Core Instance


title: [ARFC] Add rlUSD to Core Instance
author: Tokenlogic & ACI (Aave Chan Initiative)
created: 2024-12-16

ARFC has been updated with latest Risk Parameters 2025-03-25

Oracle has been updated 2025-04-15


Summary

This publication proposes onboarding Ripple’s rlUSD stablecoin to the Core instance of Aave v3 on Ethereum.

Motivation

rlUSD has received NYDFS approval and is anticipated to launch in the near future. Whilst the date is unknown and subject to speculation, this proposal prepares the Aave Protocol to support the listing.

With rlUSD now transferable and circulating supply at 52.9M (15th December 2024), this ARFC proposes onboarding rlUSD with conservative risk parameters pending a Chainlink Oracle.

Specification

Ticker: rlUSD

Contract address on mainnet: 0x8292Bb45bf1Ee4d140127049757C2E0fF06317eD

Chainlink oracle:
0xf0eaC18E908B34770FDEe46d069c846bDa866759

Project: https://ripple.com/

GitHub: GitHub - fbtc-xyz/fbtc-contract

Docs: https://docs.ripple.com/stablecoin/developer-resources/rlusd-on-ethereum

Twitter: https://x.com/Ripple

Initial Risk Parameters are shared, being aware that those can be subject to changes per Risk Service Providers feedback, and ARFC would be updated accordingly.

| Parameter | Proposed Value (Ethereum) |
|---|---|
| Isolation Mode | No |
| Borrowable | Yes |
| Collateral Enabled | No |
| Supply Cap | 50,000,000 |
| Borrow Cap | 5,000,000 |
| Debt Ceiling | - |
| Loan-to-Value (LTV) | - |
| Liquidation Threshold (LT) | - |
| Liquidation Bonus | - |
| Liquidation Protocol Fee | - |
| Variable Base Rate | 0% |
| Variable Slope 1 | 6.5% |
| Variable Slope 2 | 50% |
| Optimal Utilization (Uoptimal) | 80% |
| Reserve Factor | 10% |
| Stable Borrowing | Disabled |
| Flashloanable | Yes |
| Siloed Borrowing | No |
| Borrowable in Isolation | No |
| E-Mode Category | N/A |

Parameter Value Value Value Value Value
Asset sUSDe sUSDe USDT USDS USDC rlUSD
Collateral Yes No No No No
Borrowable No Yes Yes Yes Yes
Max LTV 90% - - - -
Liquidation Threshold 92% - - - -
Liquidation Bonus 3.0% - - - -

Disclosure

Neither TokenLogic nor ACI have received payment for the publication of this proposal.

Next Steps

  1. Gather feedback from the community.
  2. If consensus is reached on this ARFC, escalate this proposal to the Snapshot stage.
  3. If Snapshot outcome is YAE, an AIP will implement the proposal.

Copyright

Copyright and related rights waived via CC0.

3 Likes

In accordance with the 5-day ARFC timeline, we are submitting our interim report on RLUSD. The token is currently in its launching phase, and we will update the community with further parameters and recommendations as more information becomes available.

Summary

RLUSD (Ripple USD) is a regulated stablecoin issued by Standard Custody & Trust Company, LLC (SCTC), a Ripple subsidiary operating under a limited-purpose trust charter from the NYDFS since May 2021. The stablecoin aims to maintain a 1:1 peg with the US dollar and is live on the XRP Ledger (XRPL) and Ethereum mainnet. The token is a non-yield bearing asset, although RLUSD’s reserves are kept in US cash equivalents capable of accruing yield and protected by a bankruptcy-remote structure. The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards while strictly observing NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.

The stablecoin operates within a permissioned framework that restricts token issuance to verified institutional clients meeting bank-level KYC/AML standards, while tokens are freely transferable on the secondary market. On the technical side, RLUSD implements the ERC-20 standard, with specific permissions for minting, burning, pausing, and clawback functionality. Roles are attributed to different multisigs. The contract uses an upgradeable proxy without a timelock. There does not appear to be an active bug bounty on the RLUSD contract; however, there is coverage for all publicly accessible web applications and APIs owned by Ripple.

Chainlink will integrate its services throughout 2025, beginning with price feed integration, then Assets Under Management (AUM) reporting mechanisms and Proof of Reserve (PoR) capabilities.

The stablecoin is listed on NYDFS’s Greenlist of approved stablecoins, though some aspects remain pending, including the disclosure of specific custodial institutions and the independent CPA firm responsible for attestations. Our initial assessment of RLUSD is conducive to onboarding on Aave. As part of our commitment to comprehensive coverage, we will update this analysis thread with new developments.

Collateral Risk Assessment

1. Asset Fundamental Characteristics

1.1 Asset

Ripple USD (RLUSD) is a fiat-backed stablecoin issued by Standard Custody & Trust Company, a Ripple subsidiary regulated under the New York Department of Financial Services (NYDFS). Designed to maintain a 1:1 peg with the US dollar, RLUSD is deployed on the XRP Ledger (XRPL) and Ethereum (using the ERC20 standard).

1.2 Architecture

The stablecoin architecture is very simple, based on the ERC-20 standard.

Source: Ripple’s public GitHub, December 19th, 2024

1.3 Tokenomics

Several potential use cases are presented in the whitepaper:

  • B2B Cross Border Payments - RLUSD will be integrated into Ripple Payments, which serves hundreds of institutional customers across over 50 countries. Transactions can be completed almost instantly, while RLUSD will ensure low transaction costs.
  • Foreign Exchange Markets - By utilizing RLUSD, traders can benefit from lower spreads and faster settlements.
  • Global Access to a Digital Dollar - RLUSD aims to provide a stable medium of exchange that is particularly beneficial for businesses and individuals in economies with volatile local currencies.
  • Trade Settlement Asset for Banks and Fund Managers - RLUSD can be an efficient settlement asset for financial institutions.
  • Real-World Asset Tokenization - RLUSD can facilitate tokenizing tangible assets like real estate and commodities.
  • On and Off Ramps - converting between digital assets and fiat currencies can be simplified by the low fees and fast processing offered by RLUSD.

Many items above have not become operational, and details on planned incentivization or profitability projections are unavailable.

1.3.1 Token Holder Concentration

Not available

2. Market Risk

2.1 Liquidity

Not available

2.1.1 Liquidity Venue Concentration

Not available

2.1.2 DEX LP Concentration

Not available

2.2 Volatility

Not available

2.3 Exchanges

List of partner exchanges disclosed on the Ripple website:


Source: Ripple Docs, December 19th, 2024

Following the webpage disclaimer, the information above does not cover all available venues where RLUSD is supported.

2.4 Growth

Not available

3. Technological Risk

3.1 Smart Contract Risk

While not publicly available, two confidential audit reports have been shared with our team under NDA. One assessment concluded that the codebase demonstrates robust security, identifying only minor concerns. The second auditor played an integral role in the stablecoin’s architectural development. Regarding privileged roles, Ripple has implemented the MultiSign contract management. The security framework addresses potential critical smart contract vulnerabilities, including reentrancy attacks, access control protocols, gas limitation considerations, signatory management systems, and multisig logic.

3.2 Bug Bounty Program

There is no mention of a bug bounty covering rlUSD contracts. Ripple has a (web2) bug bounty program covering all publicly accessible web applications and APIs owned by Ripple.

3.3 Price Feed Risk

Chainlink price feed implementation will follow a three-stage rollout:

  • The initial phase introduces a direct price feed scheduled for January deployment.
  • Chainlink smart data feed mechanism synchronizes AUM reporting with regulatory submission frequencies.
  • The final phase, implementing Proof of Reserve, is projected for a later deployment, though specific timing remains undefined.

3.4 Dependency Risk

  1. General dependence on OpenZeppelin Contracts. StablecoinUpgradeable relies on:
    • AccountPausableUpgradeable for pausing;
    • AccessControlUpgradeable for role management;
    • UUPSUpgradeable for upgradability;
    • ERC20Upgradeable and ERC20PausableUpgradeable for token functionality.
  2. MultiSign for safe transaction execution, utilizing the EIP-712 scheme.

4. Counterparty Risk

4.1 Governance and Regulatory Risk

Ripple USD is issued by Standard Custody & Trust Company, LLC (SCTC), a wholly-owned subsidiary of Ripple. SCTC operates under a New York State Department of Financial Services (NYDFS) charter as a limited-purpose trust company under the New York Banking Law.

Source: NYDFS, December 19th, 2024

NYDFS-supervised issuance imposes strict requirements on RLUSD, notably in four key areas:

  1. Backing of Reserves: RLUSD must remain fully backed by reserves of assets that are segregated from SCTC’s proprietary holdings. The reserves must be held in custody by the U.S. state or federally chartered depository institutions insured by the Federal Deposit Insurance Corporation (FDIC) or other asset custodians pre-approved by the NYDFS.
  2. Reserve Composition: The scope of permissible reserve assets is deliberately narrow, focusing on stability and liquidity. The reserves may only consist of:
    • Short-term U.S. Treasury bills,
    • Reverse repurchase agreements fully collateralized by U.S. Treasury instruments (bills, notes, and/or bonds),
    • Government money-market funds, and
    • Deposit accounts held at U.S. state or federally chartered depository institutions.
  3. Redeemability: The redemption framework requires SCTC to follow clear and transparent policies, pre-approved by the NYDFS, that confer upon any lawful holder the right to redeem RLUSD units at par value. The redemption process must occur within a strict timeframe, not exceeding two full business days (T+2) following receipt of the redemption request.
  4. Attestation and Transparency: RLUSD reserves are subject to rigorous oversight. Management’s reserve assertions must undergo independent examinations at least once per month, supplemented by an annual attestation conducted by a Certified Public Accountant (CPA) licensed in the United States. The CPA must apply the attestation standards of the American Institute of Certified Public Accountants (AICPA).

RLUSD minting is restricted to businesses and institutions that satisfy stringent bank-level Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. SCTC, as the issuer, is independently required to adhere to the highest standards for KYC and AML compliance, reflecting its obligations as an NYDFS-supervised entity.

Beyond reliance on institutional clients’ compliance practices, SCTC has implemented its own sanctions compliance and risk mitigation framework. The issuer adheres to a policy requiring freezing RLUSD associated with wallet addresses listed on the Office of Foreign Assets Control (OFAC)'s Specially Designated Nationals (SDN) list. This policy extends to addresses flagged for suspected fraudulent activity, money laundering, or other illicit uses.

A confidential RLUSD Composition of Reserve Assets Standard analysis confirms alignment with NYDFS asset quality requirements. The reserve portfolio encompasses short-term U.S. Treasury bills (maximum 3-month maturity), triple-A rated Government/Treasury Money Market Funds (with NYDFS-compliant allocation limits), overnight reverse-repo operations in U.S. Treasury instruments, and cash deposits maintained at authorized U.S. banking institutions.

The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards. The investment strategy strictly observes NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.

The reserve management structure implements asset segregation, with custody services provided by FDIC-member institutions (either state or federally chartered). The reserve architecture incorporates bankruptcy-remote mechanisms, isolating assets from all RLUSD operations, management, or issuance entities.

At present, the specific custodial institutions remain undisclosed. Similarly, while the issuer has confirmed the engagement of an independent CPA firm for regular attestation services, their identity is yet to be revealed.

4.2 Access Control Risk

4.2.1 Contract Modification Options

RLUSD implements a security-focused ERC20 architecture, combining battle-tested OpenZeppelin components with Ripple’s proprietary enhancements. The token’s design utilizes the UUPS (Universal Upgradeable Proxy Standard) pattern, where the StablecoinProxy contract routes transactions to the StablecoinUpgradeable implementation.

Role management is executed through AccessControlUpgradeable. Role-based access, as outlined below, aims to limit sensitive functions to authorized entities:

| Role | Description |
|---|---|
| DEFAULT_ADMIN | Assigns and revokes other roles |
| MINTER | Allows minting of new tokens |
| BURNER | Allows token burning from specific accounts |
| CLAWBACKER | Allows burning tokens forcibly from particular accounts. |
| PAUSER | Allows pausing/unpausing the contract or specific accounts. |
| UPGRADER | Allows upgrading the smart contract implementation. |

Minting capabilities are exclusively reserved for Ripple’s issuer account while burning operations are distributed among multiple internal Ripple accounts to optimize operational efficiency.

The contract incorporates several advanced security and compliance features:

  • Global Freeze mechanism, implemented through ERC20PausableUpgradeable, provides emergency control by halting all token transfers, approvals, and allowance modifications.
  • The MultiSign execution system adds a layer of security, requiring verification from predetermined signers before transaction execution.
  • The clawback mechanism enables authorized entities to forcibly remove tokens (via burn(value)) from specific accounts, an important feature for maintaining regulatory compliance.

4.2.2 Timelock Duration and Function

The UUPSUpgradeable implementation (_authorizeUpgrade) restricts upgrades to accounts with UPGRADER_ROLE. There is no delay enforced when approving or executing upgrades.

The team should consider implementing a timelock for the proxy upgrade function, giving ample time for users to react in case the functionalities of the token are changed.

4.2.3 Multisig Threshold / Signer identity

We did a full audit of the permissioned functions of rlUSD on Ethereum mainnet as of December 19th, 2024. The main token contract 0xCfd748B9De538c9f5b1805e8db9e1d4671f7F2ec is behind a proxy 0x8292Bb45bf1Ee4d140127049757C2E0fF06317eD, upgradeable without a timelock.

The multisigs below are granted roles:

  • Multisig A (7/7) 0x66fc2d9E4897cf3886A340A4CABC23CCA2aC6a0e, holds the DEFAULT_ADMIN role
  • Multisig B (2/31) 0x97e9d0b0bCBE86E1e230b0FFd3A5F1f9B8428591, holds the MINTER_ROLE
  • Multisig C (7/7) 0x863c8754C298D3efEC3863f2a46F1C71A355CE6C, holds the UPGRADER_ROLE
  • Multisig D (2/31) 0x83f7f1c6A1547aFE2841943f428Cf6ff28541fA9, holding the PAUSER_ROLE & CLAWBACKER_ROLE

Multisig A and C and multisig B and D have identical lists of signers. These contracts are not verified on the block explorer; we’ve communicated this to the Ripple team and urged them to verify promptly for transparency.

A 7/7 threshold means that all signers are required to perform permissioned functions, such as assigning roles in the case of DEFAULT_ADMIN or upgrading the contract implementation for UPGRADER_ROLE. Losing a single key means that these functions can no longer be performed.

Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.

Aave V3 Specific Parameters

Parameters will be presented jointly with @ChaosLabs.

Price feed Recommendation

To be provided.

Disclaimer

This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

2 Likes

Overview

Chaos Labs supports listing rlUSD on Aave V3’s Ethereum Main instance. Below is our analysis and initial risk parameter recommendations.

Technical Overview

Ripple USD (rlUSD) is a stablecoin developed by Ripple, fully backed by a segregated reserve of cash and short-term U.S. Treasuries, and redeemable 1:1 for US dollars. Ripple emphasizes transparency in rlUSD’s backing, with a third-party accounting firm conducting monthly attestation reports to verify the reserves’ accuracy and proper management.

Ripple is the sole entity authorized to mint and burn the Ripple USD stablecoin through its Minter and Burner roles. Ripple’s issuer account can mint rlUSD in response to a distribution request from an onboarded customer. On the other hand, multiple internal Ripple accounts can call the burn() function to redeem rlUSD upon a user’s redemption request.

Additionally, rlUSD introduces several features that distinguish it from typical ERC-20 tokens. These include an Individual Freeze/Unfreeze mechanism to pause or unpause activity on specific accounts, a Global Freeze/Unfreeze measure to pause or unpause activity across all accounts, and a Clawback function that allows authorized parties (Clawbackers) to forcefully burn rlUSD tokens from any address or contract without needing the account owner’s signature.

rlUSD transitioned from its testing phase to public availability on December 17, 2024, after receiving regulatory approval from the New York Department of Financial Services (NYDFS).

Market Cap, Liquidity, Volatility

Since August 2024, Ripple has been conducting the beta testing phase for rlUSD, primarily targeting its enterprise partners and not open to the public. By October 2024, rlUSD’s total supply on Ethereum had reached 48 million and remained in this range for about a month. As the public launch approached over the past week, the total supply has increased again, reaching 53 million.

Based on publicly available information, Ripple has partnered with leading exchanges and platforms, including Uphold, Bitstamp, Bitso, Moonpay, and others, to support rlUSD liquidity. Additionally, Ripple is collaborating with market makers B2C2 and Keyrock to further ensure robust rlUSD liquidity.

Since rlUSD’s launch on December 17 until the time of writing, the majority of its liquidity sits on CEX. The only accessible DEX liquidity for rlUSD comes from Sologenic, a DEX on XRPL Chain, with a 24-hour trading volume of $515K for the XRP/RLUSD trading pair. DEX liquidity on Ethereum is currently unavailable.

LTV, Liquidation Threshold, and Liquidation Bonus

Due to the absence of price history and volatility data, we cannot apply Chaos Labs’ standard methodology to determine the listing parameters. However, as a non-yield-bearing stablecoin, rlUSD is unlikely to see significant use as collateral. As a precaution, we recommend listing it initially as a non-collateral asset.

Supply and Borrow Caps

Given the current lack of on-chain liquidity, we are unable to provide specific supply and borrow cap parameters for rlUSD’s listing.

IR Curve

We recommend aligning rlUSD’s Interest Rate curve with those of other USD-pegged stablecoins such as USDC or PYUSD. Due to the expected high concentration of supply amongst top suppliers in the early stages post-launch, we suggest setting the UOptimal to 80%, creating a larger liquidity buffer to better handle potential large withdrawals.

Pricing rlUSD

We recommend using a Chainlink market price oracle once available.

Recommendations

Based on the available data, we recommend proceeding with the listing of rlUSD on Aave V3’s Ethereum deployment. However, we are currently unable to provide a complete set of parameters given the lack of market data. Chaos Labs will monitor the market after the launch in order to update this post with initial supply and borrow caps. Below, we provide initial listing parameters based on the information at hand:

| Parameter | Value (Ethereum) |
|---|---|
| Isolation Mode | No |
| Borrowable | Yes |
| Collateral Enabled | No |
| Supply Cap | - |
| Borrow Cap | - |
| Debt Ceiling | - |
| LTV | - |
| LT | - |
| Liquidation Bonus | - |
| Liquidation Protocol Fee | - |
| Variable Base | 0% |
| Variable Slope1 | 12.5% |
| Variable Slope2 | 50% |
| Uoptimal | 80% |
| Reserve Factor | 10% |
| Stable Borrowing | Disabled |
| Flashloanable | Yes |
| Siloed Borrowing | No |
| Borrowable in Isolation | No |
| E-Mode Category | N/A |

Disclaimer

Chaos Labs has not been compensated by any third party for publishing this ARFC.

Copyright

Copyright and related rights waived via CC0

4 Likes

The current proposal has been escalated to ARFC Snapshot.

Vote will start tomorrow, we encourage everyone to participate.

After Snapshot monitoring, the current ARFC Snapshot ended recently, reaching both Quorum and YAE as winning option, with 859.9K votes.

Therefore [ARFC] Add rlUSD to Core Instance has PASSED.

Next step will be the publication of an AIP for final confirmation and enforcement of the proposal.

The core liquidity pool for RLUSD is now live on Curve here: Curve.fi
The pool currently holds $10.8M of liquidity versus USDC, and RLUSD has an FDV on chain over $132M

@ACI are there any remaining requirements to push this proposal to the next stage?

Overview

In light of the substantial growth in rlUSD’s supply and liquidity over the past two months, Chaos Labs has conducted a targeted parameter update to align with the latest market dynamics.

Market Cap and Liquidity

Since the previous assessment, rlUSD’s total supply has increased significantly—from 52 million to 132 million tokens—bringing its market cap to $132.56 million. The following chart illustrates the progression in rlUSD’s total supply over time:

rlUSD’s liquidity has also significantly improved since our last analysis. Currently, it is primarily concentrated in two pools: the rlUSD/USDC pool on Curve, with a total TVL of $48.40M, and the rlUSD/USDC pool on Uniswap, with a total TVL of $2M. The chart presented here displays rlUSD’s aggregated on-chain liquidity over time:

Supply Cap and Borrow Cap Recommendations

In accordance with Chaos Labs’ standard risk framework, and based on the available on-chain liquidity, we recommend a supply cap of 50,000,000 rlUSD.
After syncing with growth and aligning with the preferences of the team, we recommend limiting the initial borrow cap to 10% of the supply cap.

Oracle Integration

An rlUSD/USD market oracle has been deployed since the initial listing. We recommend utilizing this feed as the price source for the asset.

Interest Rate Curve Adjustment

Consistent with the rationale outlined in this governance proposal, we advise updating the Slope 1 parameter to 6.5%. This adjustment reflects a more appropriate cost of capital for borrowing stablecoins under current market conditions.

Final Recommendation

Given rlUSD’s role as a stablecoin, it is recommended that the asset be listed as borrowable only, with no collateral functionality enabled at the moment. The table below summarizes the proposed configuration, which has been aligned on with @LlamaRisk:

| Parameter | Proposed Value (Ethereum) |
|---|---|
| Isolation Mode | No |
| Borrowable | Yes |
| Collateral Enabled | No |
| Supply Cap | 50,000,000 |
| Borrow Cap | 5,000,000 |
| Debt Ceiling | - |
| Loan-to-Value (LTV) | - |
| Liquidation Threshold (LT) | - |
| Liquidation Bonus | - |
| Liquidation Protocol Fee | - |
| Variable Base Rate | 0% |
| Variable Slope 1 | 6.5% |
| Variable Slope 2 | 50% |
| Optimal Utilization (Uoptimal) | 80% |
| Reserve Factor | 10% |
| Stable Borrowing | Disabled |
| Flashloanable | Yes |
| Siloed Borrowing | No |
| Borrowable in Isolation | No |
| E-Mode Category | N/A |

Disclaimer

Chaos Labs has not been compensated by any third party for publishing this recommendation.

Copyright

Copyright and related rights waived via CC0

3 Likes
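Added example (not part of the posts above and not Aave's code): the two-slope variable borrow rate curve evaluated with the parameters recommended in this thread, showing what moving Slope 1 from 12.5% to 6.5% and setting Uoptimal to 80% mean at different utilization levels. The formula is the standard two-slope model for Aave v3 reserves, assumed here and simplified to ignore stable debt; all function and variable names are illustrative.

```python
"""Two-slope variable rate curve with the rlUSD parameters from this thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateParams:
    base: float            # Variable Base Rate
    slope1: float          # Variable Slope 1
    slope2: float          # Variable Slope 2
    u_optimal: float       # Optimal Utilization (Uoptimal)
    reserve_factor: float  # Reserve Factor


# Values copied from the parameter tables in the thread.
INITIAL = RateParams(0.0, 0.125, 0.50, 0.80, 0.10)  # first recommendation
UPDATED = RateParams(0.0, 0.065, 0.50, 0.80, 0.10)  # final recommendation
SUPPLY_CAP = 50_000_000
BORROW_CAP = 5_000_000


def utilization(supplied: float, borrowed: float) -> float:
    """Share of supplied liquidity that is currently borrowed."""
    if borrowed < 0 or borrowed > supplied:
        raise ValueError("borrowed must be between 0 and supplied")
    return 0.0 if supplied == 0 else borrowed / supplied


def borrow_rate(p: RateParams, u: float) -> float:
    """Annual variable borrow rate at utilization u (assumed two-slope model)."""
    if not 0.0 <= u <= 1.0:
        raise ValueError("utilization must be in [0, 1]")
    if u <= p.u_optimal:
        # Below the kink the rate rises linearly up to base + slope1.
        return p.base + p.slope1 * u / p.u_optimal
    # Above the kink slope2 is applied to the excess utilization.
    excess = (u - p.u_optimal) / (1.0 - p.u_optimal)
    return p.base + p.slope1 + p.slope2 * excess


def supply_rate(p: RateParams, u: float) -> float:
    """Rate earned by suppliers: borrower interest net of the reserve factor."""
    return borrow_rate(p, u) * u * (1.0 - p.reserve_factor)


def withdrawable_before_kink(p: RateParams, supplied: float, borrowed: float) -> float:
    """Liquidity that can leave before utilization crosses Uoptimal."""
    # borrowed / (supplied - w) <= u_optimal  =>  w <= supplied - borrowed / u_optimal
    return max(0.0, supplied - borrowed / p.u_optimal)


def curve(p: RateParams, points=(0.10, 0.40, 0.80, 0.90, 1.00)):
    """(utilization, borrow rate, supply rate) rows for a few sample points."""
    return [(u, borrow_rate(p, u), supply_rate(p, u)) for u in points]


if __name__ == "__main__":
    for name, params in (("initial", INITIAL), ("updated", UPDATED)):
        print(name)
        for u, b, s in curve(params):
            print(f"  U={u:4.0%}  borrow={b:7.3%}  supply={s:7.3%}")
    u_caps = utilization(SUPPLY_CAP, BORROW_CAP)
    print(f"both caps filled: U={u_caps:.0%}, "
          f"borrow={borrow_rate(UPDATED, u_caps):.4%}, withdrawable before kink="
          f"{withdrawable_before_kink(UPDATED, SUPPLY_CAP, BORROW_CAP):,.0f}")
```

With both caps filled, utilization is only 10%, so the steep Slope 2 region is reached only if suppliers withdraw most of the pool while borrows stay open.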

We’re supportive of the latest parameters presented by Chaos Labs.

rlUSD (Ethereum) technical analysis


Summary

This is a technical analysis of all the smart contracts of the asset and its main dependencies.

Disclosure: This is not an exhaustive security review of the asset like the ones done by Ripple, but an analysis from an Aave technical service provider on different aspects we consider critical to review before a new type of listing. Consequently, like with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we don’t see significant problems with its integration with Aave, apart from different trust points.



Analysis

RLUSD is a stablecoin paired to the US dollar on the Ethereum mainnet, issued in accordance with NYDFS stablecoin guidance by Standard Custody & Trust Company (SCTC), owned by Ripple. Reserves backing RLUSD consist of a combination of US dollars and low-risk investment assets securely held at highly reputable financial institutions in the U.S.

Businesses and institutions can onboard with SCTC to purchase Ripple USD stablecoin via the Stablecoin UI, while regular users can acquire it through CEXs and DEXs.

For the context of this analysis, our focus has been on the following aspects, critical for the correct and secure integration with Aave:

  • A recommendation of pricing strategy to be used in the integration asset <> Aave.
  • Any miscellaneous aspect of the code we can consider of importance.
  • Analysis of the access control (ownerships, admin roles) and the nature of the entities involved in the system. Regarding the table permissions’ holders and their criticality/risk, it is done following these guidelines:

| Criticality | Description |
|---|---|
| CRITICAL | Usually super-admin functionality: it can compromise the system by completely changing its fundamentals, leading to loss of funds if misused or exploited. E.g. proxy admin, default admin |
| HIGH | It can control several parts of the system with some risk of losing funds. E.g., general owners or admin roles involved in the flow of funds |
| MEDIUM | It can cause malfunction and/or minor financial losses if misused or exploited. E.g., fee setter, fee recipient addresses |
| LOW | It can cause system malfunctions but on non-critical parts without meaningful/direct financial losses. E.g., updating descriptions or certain non-critical parameters. |

| Risk | Description |
|---|---|
| :green_circle: | The role is controlled via a mechanism we consider safe, such as on-chain governance, a timelock contract, or setups involving multi-sigs under certain circumstances. |
| :yellow_circle: | The role is controlled in a way that could expose the system and users to some risk depending on the actions it can control. |
| :red_circle: | The role is controlled via a clearly non-secure method, representing risks for the system and users. |


General points

  • It relies on a single contract with most dependencies from OZ for access control, tokenization, upgradability, and security. The proxy uses the OZ UUPS upgradable pattern.
  • The system uses a role-based access control for minting, burning, and pausing mechanisms, with a master admin granting roles.
  • The upgradeability admin of the system is an unverified 7-of-8 MultiSign contract.

Contracts

The following is a non-exhaustive overview of the main smart contracts involved with rlUSD.


RLUSD

The primary contract for the Ripple stablecoin system. RLUSD is an upgradable OZ ERC20 with minting, burning, freezing, and pausing capabilities, which are managed via its role-based access control. Customers receive newly minted RLUSD stablecoin issued by Ripple. Users can submit a redemption request to a Ripple-owned redemption account, which burns RLUSD after it is received and processed. The contract is upgradable by a 7-of-8 MultiSign contract.

| Permission Owner | functions | Criticality | Risk |
|---|---|---|---|
| upgradable admin: UPGRADER_ROLE: 7-of-8 MultiSign Contract (0x863c…CE6C) | upgradeAndCall | CRITICAL | :yellow_circle: |
| DEFAULT_ADMIN_ROLE: 7-of-8 MultiSign Contract (0x66fc2…6a0e) | grantRole, revokeRole | HIGH | :yellow_circle: |
| MINTER_ROLE: 2-of-32 MultiSign Contract (0x97e9d…8591) | mint | HIGH | :green_circle: |
| BURNER_ROLE: 2-of-32 MultiSign Contract (0x9B8A…7A34) | burn | HIGH | :green_circle: |
| CLAWBACKER_ROLE: 2-of-32 MultiSign Contract (0x83f7…1fA9) | clawback | HIGH | :green_circle: |
| PAUSER_ROLE: 2-of-32 MultiSign Contract (0x83f7…1fA9) | pause, unpause, pauseAccounts, unpauseAccount | HIGH | :green_circle: |

  • Access Control
    • The DEFAULT_ADMIN_ROLE is in charge of granting roles and removing them via the grantRole(role, address) and revokeRole(role, address) functions, respectively.
    • The MINTER_ROLE can mint new RLUSD tokens by calling the mint(to, amount) function. Tokens can only be minted if the contract is not paused.
    • The BURNER_ROLE can burn its tokens via the burn(amount) function. Tokens can only be burned if the contract is not paused.
    • The CLAWBACKER_ROLE can burn tokens from any address via the clawback(from, amount) function. Also, it can only burn if the contract is not paused.
    • The PAUSER_ROLE can pause and unpause the circulation, mint, and burn of RLUSD via the pause() and unpause() functions, respectively.
    • The PAUSER_ROLE can freeze and unfreeze transfers from and to specific addresses via the pauseAccounts(address[]) and unpauseAccount(address) functions, respectively.

Pricing strategy

We suggest pricing using the RLUSD/USD Chainlink price feed through the CAPO’s stables adapter.


Miscellaneous

  • There is one security review by OpenZeppelin, including both the rlUSD smart contract and its custom multi-sig. The report can be found HERE.
  • The Ripple team confirmed that they will improve the upgradeability logic and assign the UPGRADER_ROLE, including timelocking mechanics. While acceptable given the non-collateral nature of the asset, we would like to emphasise we consider it very important to time-lock critical functionality of the asset.

Conclusion

We think RLUSD doesn’t have any problems in terms of integration with Aave, and there is no major blocker.
We also recommend listing RLUSD only as a borrowable asset until the time-locking functionality is addressed, and do further evaluation in the future for enabling it as collateral.

3 Likes
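Added example (not part of any post in this thread and not Ripple's or Aave's code): a small model of the multisig trade-off raised in section 4.2.3 of the risk assessment and in the permission table of the technical analysis, comparing how many keys an attacker needs against how many keys can be lost before a role becomes unusable. The per-key probabilities are constructed placeholders and keys are assumed independent, which real signer sets rarely are; all names are illustrative.

```python
"""Safety vs. liveness of the m-of-n multisig setups reported in the thread."""
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class Multisig:
    threshold: int  # signatures required (m)
    signers: int    # total signers (n)
    roles: tuple    # roles the thread attributes to this setup


# Threshold/signer counts as stated in the two reviews (they differ slightly).
CONFIGS = {
    "7/7 (risk assessment)": Multisig(7, 7, ("DEFAULT_ADMIN", "UPGRADER")),
    "7/8 (technical analysis)": Multisig(7, 8, ("DEFAULT_ADMIN", "UPGRADER")),
    "2/31 (risk assessment)": Multisig(2, 31, ("MINTER", "PAUSER", "CLAWBACKER")),
    "2/32 (technical analysis)": Multisig(
        2, 32, ("MINTER", "BURNER", "CLAWBACKER", "PAUSER")),
}

# Constructed placeholder inputs, not measured values.
P_KEY_LOSS = 0.01        # chance a given key becomes unavailable
P_KEY_COMPROMISE = 0.01  # chance a given key is controlled by an attacker


def binomial_tail(k: int, n: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(n, p), assuming independent keys."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def spare_keys(ms: Multisig) -> int:
    """Keys that can be lost while the role can still be exercised."""
    return ms.signers - ms.threshold


def takeover_probability(ms: Multisig, p_compromise: float) -> float:
    """Chance that at least `threshold` keys are compromised."""
    return binomial_tail(ms.threshold, ms.signers, p_compromise)


def lockout_probability(ms: Multisig, p_loss: float) -> float:
    """Chance that fewer than `threshold` keys remain usable."""
    return binomial_tail(spare_keys(ms) + 1, ms.signers, p_loss)


def report(p_loss: float = P_KEY_LOSS, p_compromise: float = P_KEY_COMPROMISE):
    """Map label -> (keys needed, spare keys, takeover prob., lockout prob.)."""
    return {
        label: (ms.threshold, spare_keys(ms),
                takeover_probability(ms, p_compromise),
                lockout_probability(ms, p_loss))
        for label, ms in CONFIGS.items()
    }


if __name__ == "__main__":
    for label, (need, spare, takeover, lockout) in report().items():
        roles = ", ".join(CONFIGS[label].roles)
        print(f"{label:26} need={need} spare={spare:2} "
              f"takeover={takeover:.2e} lockout={lockout:.2e}  [{roles}]")
```

Under these assumptions the all-signers setup is the hardest to take over but has no spare key, a single spare signer cuts the lockout risk by more than an order of magnitude, and the 2-signature setups are effectively never locked out but are far easier to compromise.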