In accordance with the 5-day ARFC timeline, we are submitting our interim report on RLUSD. The token is currently in its launching phase, and we will update the community with further parameters and recommendations as more information becomes available.
Summary
RLUSD (Ripple USD) is a regulated stablecoin issued by Standard Custody & Trust Company, LLC (SCTC), a Ripple subsidiary operating under a limited-purpose trust charter from the NYDFS since May 2021. The stablecoin aims to maintain a 1:1 peg with the US dollar and is live on the XRP Ledger (XRPL) and Ethereum mainnet. The token is a non-yield bearing asset, although RLUSD’s reserves are kept in US cash equivalents capable of accruing yield and protected by a bankruptcy-remote structure. The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards while strictly observing NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.
The stablecoin operates within a permissioned framework that restricts token issuance to verified institutional clients meeting bank-level KYC/AML standards, while tokens are freely transferable on the secondary market. On the technical side, RLUSD implements the ERC-20 standard, with specific permissions for minting, burning, pausing, and clawback functionality. Roles are attributed to different multisigs. The contract uses an upgradeable proxy without a timelock. There does not appear to be an active bug bounty on the RLUSD contract; however, there is coverage for all publicly accessible web applications and APIs owned by Ripple.
Chainlink will integrate its services throughout 2025, beginning with price feed integration, then Assets Under Management (AUM) reporting mechanisms and Proof of Reserve (PoR) capabilities.
The stablecoin is listed on NYDFS’s Greenlist of approved stablecoins, though some aspects remain pending, including the disclosure of specific custodial institutions and the independent CPA firm responsible for attestations. Our initial assessment of RLUSD is conducive to onboarding on Aave. As part of our commitment to comprehensive coverage, we will update this analysis thread with new developments.
Expand to see the Collateral Risk Assessment
1. Asset Fundamental Characteristics
1.1 Asset
Ripple USD (RLUSD) is a fiat-backed stablecoin issued by Standard Custody & Trust Company, a Ripple subsidiary regulated under the New York Department of Financial Services (NYDFS). Designed to maintain a 1:1 peg with the US dollar, RLUSD is deployed on the XRP Ledger (XRPL) and Ethereum (using the ERC20 standard)
1.2 Architecture
The stablecoin architecture is very simple, based on the ERC-20 standard.
Source: Ripple’s public GitHub, December 19th, 2024
1.3 Tokenomics
Several potential use cases are presented in the whitepaper:
- B2B Cross Border Payments - RLUSD will be integrated into Ripple Payments, which serves hundreds of institutional customers across over 50 countries. Transactions can be completed almost instantly, while RLUSD will ensure low transaction costs.
- Foreign Exchange Markets - By utilizing RLUSD, traders can benefit from lower spreads and faster settlements.
- Global Access to a Digital Dollar - RLUSD aims to provide a stable medium of exchange that is particularly beneficial for businesses and individuals in economies with volatile local currencies.
- Trade Settlement Asset for Banks and Fund Managers - RLUSD can be an efficient settlement asset for financial institutions.
- Real-World Asset Tokenization - RLUSD can facilitate tokenizing tangible assets like real estate and commodities.
- On and Off Ramps - converting between digital assets and fiat currencies can be simplified by the low fees and fast processing offered by RLUSD.
Many items above have not become operational, and details on planned incentivization or profitability projections are unavailable.
1.3.1 Token Holder Concentration
Not available
2. Market Risk
2.1 Liquidity
Not available
2.1.1 Liquidity Venue Concentration
Not available
2.1.2 DEX LP Concentration
Not available
2.2 Volatility
Not available
2.3 Exchanges
List of partner exchanges disclosed on the Ripple website:
Source: Ripple Docs, December 19th, 2024
Following the webpage disclaimer, the information above does not cover all available venues where RLUSD is supported.
2.4 Growth
Not available
3. Technological Risk
3.1 Smart Contract Risk
While not publicly available, two confidential audit reports have been shared with our team under NDA. One assessment concluded that the codebase demonstrates robust security, identifying only minor concerns. The second auditor played an integral role in the stablecoin’s architectural development. Regarding privileged roles, Ripple has implemented the MultiSign contract management. The security framework addresses potential critical smart contract vulnerabilities, including reentrancy attacks, access control protocols, gas limitation considerations, signatory management systems, and multisig logic.
3.2 Bug Bounty Program
There is no mention of bug bounty covering rlUSD contracts. Ripple has a (web2) bug bounty program covering all publicly accessible web applications and APIs owned by Ripple.
3.3 Price Feed Risk
Chainlink price feed implementation will follow a three-stage rollout:
- The initial phase introduces a direct price feed scheduled for January deployment.
- Chainlink smart data feed mechanism synchronizes AUM reporting with regulatory submission frequencies.
- The final phase, implementing Proof of Reserve, is projected for a later deployment, though specific timing remains undefined.
3.4 Dependency Risk
- General dependence on OpenZeppelin Contracts.
StablecoinUpgradeable relies on:
AccountPausableUpgradeable for pausing;AccessControlUpgradeable for role management;UUPSUpgradeable for upgradability;ERC20Upgradeable and ERC20PausableUpgradeable for token functionality;
MultiSign for safe transaction execution, utilizing the EIP-712 scheme
4. Counterparty Risk
4.1 Governance and Regulatory Risk
Ripple USD is issued by Standard Custody & Trust Company, LLC (SCTC), a wholly-owned subsidiary of Ripple. SCTC operates under a New York State Department of Financial Services (NYDFS) charter as a limited-purpose trust company under the New York Banking Law.
Source: NYDFS, December 19th, 2024
NYDFS-supervised issuance imposes strict requirements on RLUSD, notably in four key areas:
- Backing of Reserves: RLUSD must remain fully backed by reserves of assets that are segregated from SCTC’s proprietary holdings. The reserves must be held in custody by the U.S. state or federally chartered depository institutions insured by the Federal Deposit Insurance Corporation (FDIC) or other asset custodians pre-approved by the NYDFS.
- Reserve Composition: The scope of permissible reserve assets is deliberately narrow, focusing on stability and liquidity. The reserves may only consist of:
• Short-term U.S. Treasury bills,
• Reverse repurchase agreements fully collateralized by U.S. Treasury instruments (bills, notes, and/or bonds),
• Government money-market funds, and
• Deposit accounts held at U.S. state or federally chartered depository institutions.
- Redeemability: The redemption framework requires SCTC to follow clear and transparent policies, pre-approved by the NYDFS, that confer upon any lawful holder the right to redeem RLUSD units at par value. The redemption process must occur within a strict timeframe, not exceeding two full business days (T+2) following receipt of the redemption request.
- Attestation and Transparency: RLUSD reserves are subject to rigorous oversight. Management’s reserve assertions must undergo independent examinations at least once per month, supplemented by an annual attestation conducted by a Certified Public Accountant (CPA) licensed in the United States. The CPA must apply the attestation standards of the American Institute of Certified Public Accountants (AICPA).
RLUSD minting is restricted to businesses and institutions that satisfy stringent bank-level Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. SCTC, as the issuer, is independently required to adhere to the highest standards for KYC and AML compliance, reflecting its obligations as an NYDFS-supervised entity.
Beyond reliance on institutional clients’ compliance practices, SCTC has implemented its own sanctions compliance and risk mitigation framework. The issuer adheres to a policy requiring freezing RLUSD associated with wallet addresses listed on the Office of Foreign Assets Control (OFAC) 's Specially Designated Nationals (SDN) list. This policy extends to addresses flagged for suspected fraudulent activity, money laundering, or other illicit uses.
A confidential RLUSD Composition of Reserve Assets Standard analysis confirms alignment with NYDFS asset quality requirements. The reserve portfolio encompasses short-term U.S. Treasury bills (maximum 3-month maturity), triple-A rated Government/Treasury Money Market Funds (with NYDFS-compliant allocation limits), overnight reverse-repo operations in U.S. Treasury instruments, and cash deposits maintained at authorized U.S. banking institutions.
The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards. The investment strategy strictly observes NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.
The reserve management structure implements asset segregation, with custody services provided by FDIC-member institutions (either state or federally chartered). The reserve architecture incorporates bankruptcy-remote mechanisms, isolating assets from all RLUSD operations, management, or issuance entities.
At present, the specific custodial institutions remain undisclosed. Similarly, while the issuer has confirmed the engagement of an independent CPA firm for regular attestation services, their identity is yet to be revealed.
4.2 Access Control Risk
4.2.1 Contract Modification Options
RLUSD implements a security-focused ERC20 architecture, combining battle-tested OpenZeppelin components with Ripple’s proprietary enhancements. The token’s design utilizes the UUPS (Universal Upgradeable Proxy Standard) pattern, where the StablecoinProxy contract routes transactions to the StablecoinUpgradeable implementation.
Role management is executed through AccessControlUpgradeable. Role-based access, as outlined below, aims to limit sensitive functions to authorized entities:
| Role |
Description |
| DEFAULT_ADMIN |
Assigns and revokes other roles |
| MINTER |
Allows minting of new tokens |
| BURNER |
Allows token burning from specific accounts |
| CLAWBACKER |
Allows burning tokens forcibly from particular accounts. |
| PAUSER |
Allows pausing/unpausing the contract or specific accounts. |
| UPGRADER |
Allows upgrading the smart contract implementation. |
Minting capabilities are exclusively reserved for Ripple’s issuer account while burning operations are distributed among multiple internal Ripple accounts to optimize operational efficiency.
The contract incorporates several advanced security and compliance features:
- Global Freeze mechanism, implemented through
ERC20PausableUpgradeable, provides emergency control by halting all token transfers, approvals, and allowance modifications.
- The
MultiSign execution system adds a layer of security, requiring verification from predetermined signers before transaction execution
- The clawback mechanism enables authorized entities to forcibly remove tokens (via
burn(value)) from specific accounts, an important feature for maintaining regulatory compliance.
4.2.2 Timelock Duration and Function
The UUPSUpgradeable implementation (_authorizeUpgrade) restricts upgrades to accounts with UPGRADER_ROLE. There is no delay enforced when approving or executing upgrades.
The team should consider implementing a timelock for the proxy upgrade function, giving ample time for users to react in case the functionalities of the token are changed.
4.2.3 Multisig Threshold / Signer identity
We did a full audit of the permissionned function of rlUSD on Ethereum mainnet as of December 19th, 2024. The main token contract 0xCfd748B9De538c9f5b1805e8db9e1d4671f7F2ec is behind a proxy 0x8292Bb45bf1Ee4d140127049757C2E0fF06317eD, upgreadeable without a timelock.
The below multisigs are granted role
- Multisig A (7/7)
0x66fc2d9E4897cf3886A340A4CABC23CCA2aC6a0e, holds the DEFAULT_ADMIN role
- Multisig B (2/31)
0x97e9d0b0bCBE86E1e230b0FFd3A5F1f9B8428591, holds the MINTER_ROLE
- Multisig C (7/7)
0x863c8754C298D3efEC3863f2a46F1C71A355CE6C, holds the UPGRADER_ROLE
- Multisig D (2/31)
0x83f7f1c6A1547aFE2841943f428Cf6ff28541fA9, holding the PAUSER_ROLE & CLAWBACKER_ROLE
Multisig A and C and multisig B and D have identical lists of signers. These contracts are not verified on the block explorer; we’ve communicated this to the Ripple team and urged them to verify promptly for transparency.
A 7/7 threshold means that all signers are required to perform permissionned functions, such as assigning roles in the cause of DEFAULT_ADMIN or upgrading the contract implementation for UPGRADER_ROLE. Losing a single key means that these functions can no longer be performed.
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
Aave V3 Specific Parameters
Parameters will be presented jointly with @ChaosLabs.
Price feed Recommendation
To be provided.
Disclaimer
This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.
