In accordance with the 5-day ARFC timeline, we are submitting our interim report on RLUSD. The token is currently in its launching phase, and we will update the community with further parameters and recommendations as more information becomes available.
Summary
RLUSD (Ripple USD) is a regulated stablecoin issued by Standard Custody & Trust Company, LLC (SCTC), a Ripple subsidiary operating under a limited-purpose trust charter from the NYDFS since May 2021. The stablecoin aims to maintain a 1:1 peg with the US dollar and is live on the XRP Ledger (XRPL) and Ethereum mainnet. The token is a non-yield bearing asset, although RLUSD’s reserves are kept in US cash equivalents capable of accruing yield and protected by a bankruptcy-remote structure. The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards while strictly observing NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.
The stablecoin operates within a permissioned framework that restricts token issuance to verified institutional clients meeting bank-level KYC/AML standards, while tokens are freely transferable on the secondary market. On the technical side, RLUSD implements the ERC-20 standard, with specific permissions for minting, burning, pausing, and clawback functionality. Roles are attributed to different multisigs. The contract uses an upgradeable proxy without a timelock. There does not appear to be an active bug bounty on the RLUSD contract; however, there is coverage for all publicly accessible web applications and APIs owned by Ripple.
Chainlink will integrate its services throughout 2025, beginning with price feed integration, then Assets Under Management (AUM) reporting mechanisms and Proof of Reserve (PoR) capabilities.
The stablecoin is listed on NYDFS’s Greenlist of approved stablecoins, though some aspects remain pending, including the disclosure of specific custodial institutions and the independent CPA firm responsible for attestations. Our initial assessment of RLUSD is conducive to onboarding on Aave. As part of our commitment to comprehensive coverage, we will update this analysis thread with new developments.
1. Asset Fundamental Characteristics
1.1 Asset
Ripple USD (RLUSD) is a fiat-backed stablecoin issued by Standard Custody & Trust Company, a Ripple subsidiary regulated under the New York Department of Financial Services (NYDFS). Designed to maintain a 1:1 peg with the US dollar, RLUSD is deployed on the XRP Ledger (XRPL) and Ethereum (using the ERC-20 standard).
1.2 Architecture
The stablecoin architecture is very simple, based on the ERC-20 standard.
Source: Ripple’s public GitHub, December 19th, 2024
1.3 Tokenomics
Several potential use cases are presented in the whitepaper:
- B2B Cross Border Payments - RLUSD will be integrated into Ripple Payments, which serves hundreds of institutional customers across over 50 countries. Transactions can be completed almost instantly, while RLUSD will ensure low transaction costs.
- Foreign Exchange Markets - By utilizing RLUSD, traders can benefit from lower spreads and faster settlements.
- Global Access to a Digital Dollar - RLUSD aims to provide a stable medium of exchange that is particularly beneficial for businesses and individuals in economies with volatile local currencies.
- Trade Settlement Asset for Banks and Fund Managers - RLUSD can be an efficient settlement asset for financial institutions.
- Real-World Asset Tokenization - RLUSD can facilitate tokenizing tangible assets like real estate and commodities.
- On and Off Ramps - converting between digital assets and fiat currencies can be simplified by the low fees and fast processing offered by RLUSD.
Many items above have not become operational, and details on planned incentivization or profitability projections are unavailable.
1.3.1 Token Holder Concentration
Not available
2. Market Risk
2.1 Liquidity
Not available
2.1.1 Liquidity Venue Concentration
Not available
2.1.2 DEX LP Concentration
Not available
2.2 Volatility
Not available
2.3 Exchanges
List of partner exchanges disclosed on the Ripple website:
Source: Ripple Docs, December 19th, 2024
Following the webpage disclaimer, the information above does not cover all available venues where RLUSD is supported.
2.4 Growth
Not available
3. Technological Risk
3.1 Smart Contract Risk
While not publicly available, two confidential audit reports have been shared with our team under NDA. One assessment concluded that the codebase demonstrates robust security, identifying only minor concerns. The second auditor played an integral role in the stablecoin’s architectural development. Regarding privileged roles, Ripple has implemented the MultiSign contract management. The security framework addresses potential critical smart contract vulnerabilities, including reentrancy attacks, access control protocols, gas limitation considerations, signatory management systems, and multisig logic.
3.2 Bug Bounty Program
There is no mention of a bug bounty covering RLUSD contracts. Ripple has a (web2) bug bounty program covering all publicly accessible web applications and APIs owned by Ripple.
3.3 Price Feed Risk
Chainlink price feed implementation will follow a three-stage rollout:
- The initial phase introduces a direct price feed scheduled for January deployment.
- Chainlink smart data feed mechanism synchronizes AUM reporting with regulatory submission frequencies.
- The final phase, implementing Proof of Reserve, is projected for a later deployment, though specific timing remains undefined.
3.4 Dependency Risk
- General dependence on OpenZeppelin Contracts. StablecoinUpgradeable relies on: AccountPausableUpgradeable for pausing; AccessControlUpgradeable for role management; UUPSUpgradeable for upgradability; ERC20Upgradeable and ERC20PausableUpgradeable for token functionality; MultiSign for safe transaction execution, utilizing the EIP-712 scheme.
4. Counterparty Risk
4.1 Governance and Regulatory Risk
Ripple USD is issued by Standard Custody & Trust Company, LLC (SCTC), a wholly-owned subsidiary of Ripple. SCTC operates under a New York State Department of Financial Services (NYDFS) charter as a limited-purpose trust company under the New York Banking Law.
Source: NYDFS, December 19th, 2024
NYDFS-supervised issuance imposes strict requirements on RLUSD, notably in four key areas:
- Backing of Reserves: RLUSD must remain fully backed by reserves of assets that are segregated from SCTC’s proprietary holdings. The reserves must be held in custody by the U.S. state or federally chartered depository institutions insured by the Federal Deposit Insurance Corporation (FDIC) or other asset custodians pre-approved by the NYDFS.
- Reserve Composition: The scope of permissible reserve assets is deliberately narrow, focusing on stability and liquidity. The reserves may only consist of:
• Short-term U.S. Treasury bills,
• Reverse repurchase agreements fully collateralized by U.S. Treasury instruments (bills, notes, and/or bonds),
• Government money-market funds, and
• Deposit accounts held at U.S. state or federally chartered depository institutions.
- Redeemability: The redemption framework requires SCTC to follow clear and transparent policies, pre-approved by the NYDFS, that confer upon any lawful holder the right to redeem RLUSD units at par value. The redemption process must occur within a strict timeframe, not exceeding two full business days (T+2) following receipt of the redemption request.
- Attestation and Transparency: RLUSD reserves are subject to rigorous oversight. Management’s reserve assertions must undergo independent examinations at least once per month, supplemented by an annual attestation conducted by a Certified Public Accountant (CPA) licensed in the United States. The CPA must apply the attestation standards of the American Institute of Certified Public Accountants (AICPA).
RLUSD minting is restricted to businesses and institutions that satisfy stringent bank-level Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. SCTC, as the issuer, is independently required to adhere to the highest standards for KYC and AML compliance, reflecting its obligations as an NYDFS-supervised entity.
Beyond reliance on institutional clients’ compliance practices, SCTC has implemented its own sanctions compliance and risk mitigation framework. The issuer adheres to a policy requiring freezing RLUSD associated with wallet addresses listed on the Office of Foreign Assets Control (OFAC)'s Specially Designated Nationals (SDN) list. This policy extends to addresses flagged for suspected fraudulent activity, money laundering, or other illicit uses.
A confidential RLUSD Composition of Reserve Assets Standard analysis confirms alignment with NYDFS asset quality requirements. The reserve portfolio encompasses short-term U.S. Treasury bills (maximum 3-month maturity), triple-A rated Government/Treasury Money Market Funds (with NYDFS-compliant allocation limits), overnight reverse-repo operations in U.S. Treasury instruments, and cash deposits maintained at authorized U.S. banking institutions.
The investment framework incorporates Level 1 HQLA (High-Quality Liquid Assets), adhering to Basel Committee standards. The investment strategy strictly observes NYDFS-permitted asset guidelines with T/0 – T+1/2 settlement parameters.
The reserve management structure implements asset segregation, with custody services provided by FDIC-member institutions (either state or federally chartered). The reserve architecture incorporates bankruptcy-remote mechanisms, isolating assets from all RLUSD operations, management, or issuance entities.
At present, the specific custodial institutions remain undisclosed. Similarly, while the issuer has confirmed the engagement of an independent CPA firm for regular attestation services, their identity is yet to be revealed.
4.2 Access Control Risk
4.2.1 Contract Modification Options
RLUSD implements a security-focused ERC20 architecture, combining battle-tested OpenZeppelin components with Ripple’s proprietary enhancements. The token’s design utilizes the UUPS (Universal Upgradeable Proxy Standard) pattern, where the StablecoinProxy contract routes transactions to the StablecoinUpgradeable implementation.
Role management is executed through AccessControlUpgradeable. Role-based access, as outlined below, aims to limit sensitive functions to authorized entities:
| Role | Description |
| --- | --- |
| DEFAULT_ADMIN | Assigns and revokes other roles |
| MINTER | Allows minting of new tokens |
| BURNER | Allows token burning from specific accounts |
| CLAWBACKER | Allows burning tokens forcibly from particular accounts. |
| PAUSER | Allows pausing/unpausing the contract or specific accounts. |
| UPGRADER | Allows upgrading the smart contract implementation. |
Minting capabilities are exclusively reserved for Ripple’s issuer account while burning operations are distributed among multiple internal Ripple accounts to optimize operational efficiency.
The contract incorporates several advanced security and compliance features:
- Global Freeze mechanism, implemented through ERC20PausableUpgradeable, provides emergency control by halting all token transfers, approvals, and allowance modifications.
- The MultiSign execution system adds a layer of security, requiring verification from predetermined signers before transaction execution.
- The clawback mechanism enables authorized entities to forcibly remove tokens (via burn(value)) from specific accounts, an important feature for maintaining regulatory compliance.
4.2.2 Timelock Duration and Function
The UUPSUpgradeable implementation (_authorizeUpgrade) restricts upgrades to accounts with UPGRADER_ROLE. There is no delay enforced when approving or executing upgrades.
The team should consider implementing a timelock for the proxy upgrade function, giving ample time for users to react in case the functionalities of the token are changed.
4.2.3 Multisig Threshold / Signer identity
We did a full audit of the permissioned functions of RLUSD on Ethereum mainnet as of December 19th, 2024. The main token contract 0xCfd748B9De538c9f5b1805e8db9e1d4671f7F2ec is behind a proxy 0x8292Bb45bf1Ee4d140127049757C2E0fF06317eD, upgradeable without a timelock.
The multisigs below are granted roles:
- Multisig A (7/7) 0x66fc2d9E4897cf3886A340A4CABC23CCA2aC6a0e, holds the DEFAULT_ADMIN role
- Multisig B (2/31) 0x97e9d0b0bCBE86E1e230b0FFd3A5F1f9B8428591, holds the MINTER_ROLE
- Multisig C (7/7) 0x863c8754C298D3efEC3863f2a46F1C71A355CE6C, holds the UPGRADER_ROLE
- Multisig D (2/31) 0x83f7f1c6A1547aFE2841943f428Cf6ff28541fA9, holds the PAUSER_ROLE & CLAWBACKER_ROLE
Multisig A and C and multisig B and D have identical lists of signers. These contracts are not verified on the block explorer; we’ve communicated this to the Ripple team and urged them to verify promptly for transparency.
A 7/7 threshold means that all signers are required to perform permissioned functions, such as assigning roles in the case of DEFAULT_ADMIN or upgrading the contract implementation for UPGRADER_ROLE. Losing a single key means that these functions can no longer be performed.
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
Aave V3 Specific Parameters
Parameters will be presented jointly with @ChaosLabs.
Price feed Recommendation
To be provided.
Disclaimer
This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.
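
The threshold reasoning in section 4.2.3, as an added example (not LlamaRisk's or Ripple's code): it models the four multisigs with the thresholds, roles and shared signer lists reported there and goes beyond the 7/7 case to show, for any k-of-n setup, which roles stop working when keys are lost and which roles a set of compromised keys could exercise. The signer labels are constructed placeholders, since the report does not list signer addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Multisig:
    name: str
    threshold: int          # k in "k/n"
    signers: frozenset      # the n signer keys
    roles: tuple


# Constructed signer labels: the report gives thresholds and states that A/C and
# B/D share signer lists, but it does not list the signer addresses.
ADMIN_KEYS = frozenset(f"admin-key-{i}" for i in range(1, 8))   # 7 keys
OPS_KEYS = frozenset(f"ops-key-{i}" for i in range(1, 32))      # 31 keys

MULTISIGS = (
    Multisig("A", 7, ADMIN_KEYS, ("DEFAULT_ADMIN",)),
    Multisig("B", 2, OPS_KEYS, ("MINTER_ROLE",)),
    Multisig("C", 7, ADMIN_KEYS, ("UPGRADER_ROLE",)),
    Multisig("D", 2, OPS_KEYS, ("PAUSER_ROLE", "CLAWBACKER_ROLE")),
)


def loss_tolerance(ms):
    """Number of keys that can be lost while quorum is still reachable."""
    return len(ms.signers) - ms.threshold


def roles_disabled(lost_keys, multisigs=MULTISIGS):
    """Roles that can no longer be exercised once `lost_keys` are gone."""
    lost = set(lost_keys)
    return sorted(r for ms in multisigs
                  if len(ms.signers - lost) < ms.threshold for r in ms.roles)


def roles_exposed(compromised_keys, multisigs=MULTISIGS):
    """Roles whose quorum is met by `compromised_keys` alone."""
    bad = set(compromised_keys)
    return sorted(r for ms in multisigs
                  if len(ms.signers & bad) >= ms.threshold for r in ms.roles)


if __name__ == "__main__":
    for ms in MULTISIGS:
        print(f"Multisig {ms.name} {ms.threshold}/{len(ms.signers)}: "
              f"tolerates {loss_tolerance(ms)} lost key(s), roles {ms.roles}")
    print("one admin key lost ->", roles_disabled({"admin-key-1"}))
    print("two ops keys compromised ->", roles_exposed({"ops-key-1", "ops-key-2"}))
```

Because multisigs A and C share one signer list, a single lost key in that set disables both role administration and upgrades at once.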