[ARFC] Add XAUt to Aave v3 Core Instance

XAUt technical analysis


Summary


This is a technical analysis of all the smart contracts of the XAUt asset and its main dependencies.

Disclosure: This is not an exhaustive security review of the asset like the ones done by Tether, but an analysis from an Aave technical service provider on different aspects we consider critical to review before a new type of listing. Consequently, like with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we don’t see significant problems with its integration with Aave, apart from different trust points.

Analysis

Tether Gold (XAUt) is a tokenized representation of physical gold on the Ethereum blockchain. Tokens are minted once the corresponding physical gold bars, in the equivalent number of fine troy ounces, have passed the Custodian’s intake process. The reserves are held in Switzerland. Subject to KYC, customers can purchase XAUt directly from Tether with a minimum order of 50 XAUt (50 fine troy ounces). Redemptions are available only in whole-bar increments, and token holders can redeem the physical gold in Switzerland.


For the context of this analysis, our focus has been on the following aspects, critical for the correct and secure integration with Aave:

  • A recommendation of pricing strategy to be used in the integration asset <> Aave.
  • Any miscellaneous aspect of the code that can be considered important.
  • Analysis of the access control (ownerships, admin roles) and the nature of the entities involved in the system. The permission tables classify each holder's criticality and risk according to these guidelines:
| Criticality | Description |
|---|---|
| CRITICAL | Usually super-admin functionality: it can compromise the system by completely changing its fundamentals, leading to loss of funds if misused or exploited. E.g. proxy admin, default admin |
| HIGH | It can control several parts of the system with some risk of losing funds. E.g., general owners or admin roles involved in the flow of funds |
| MEDIUM | It can cause malfunction and/or minor financial losses if misused or exploited. E.g., fee setter, fee recipient addresses |
| LOW | It can cause system malfunctions but on non-critical parts without meaningful/direct financial losses. E.g., updating descriptions or certain non-critical parameters. |

| Risk | Description |
|---|---|
| 🟢 | The role is controlled via a mechanism we consider safe, such as on-chain governance, a timelock contract, or setups involving multi-sigs under certain circumstances. |
| 🟡 | The role is controlled in a way that could expose the system and users to some risk depending on the actions it can control. |
| 🔴 | The role is controlled via a clearly non-secure method, representing risks for the system and users. |

General points

  • XAUt relies on a single contract with most dependencies from OZ for access control, tokenization, upgradability, and security. It uses the OZ Transparent Proxy pattern.
  • The system uses the ownable pattern for minting, burning tokens, and blocking addresses.
  • The system’s upgradable admin and the owner of XAUt is the Tether multisig 3-of-6.

Contracts

The following is a non-exhaustive overview of the main smart contracts involved with XAUt.


XAUt

The primary contract for the Tether gold tokenization system. XAUt is an upgradable OZ ERC20 with minting, burning, and blacklisting capabilities, which are managed via ownable access control. Customers can acquire XAUt directly with Tether after passing the KYC requirements. The contract is upgradable by the Tether multisig 3-of-6.

| Permission Owner | Functions | Criticality | Risk |
|---|---|---|---|
| upgradable admin: Tether multisig 3-of-6 | upgrade, upgradeAndCall | CRITICAL | 🟡 |
| Owner: Tether multisig 3-of-6 | mint, redeem, destroyBlockedFunds, addToBlockedList, removeFromBlockedList, transferOwnership | HIGH | 🟡 |

  • Access Control
    • The owner can mint new XAUt tokens by calling the mint(to, amount) function. Currently,
    • The owner can redeem his own XAUt tokens via the redeem(amount) function.
    • The owner can add or remove users in the blacklist via the addToBlockedList(address) and removeFromBlockedList(address) methods.
    • The owner can burn funds from blacklist addresses via the destroyBlockedFunds(address) function.

Pricing strategy

Tether Gold is another example of a complex asset with multiple price options, each with its own pros and cons. Since it is a tokenized asset and its reserves are traded only during regular market hours, it remains an on-chain asset that can still be freely traded on weekends. With that said, we have two options:

  1. Chainlink XAU/USD feed:

    Refers to the institutional global gold price, which reflects the behavior of the real-world asset. However, it relies on a “stale” price during off-market hours when gold markets are closed, and XAUt still trades on CEX and DEXes, where it might be valued differently than the oracle indicates. This can cause price deviations that could potentially lead to bad debt if the price drops below market risk parameters when trading resumes.

  2. Chainlink XAUt/USD feed:

    Considers XAUt price aggregated from secondary markets and treats it solely as an on-chain asset. This approach exposes the asset on Aave to volatility during off-market hours and fails to account for its underlying nature. However, the low liquidity of secondary markets is susceptible to manipulation, which could lead to unnecessary liquidations.

Considering the asset’s nature, we recommend pricing XAUt using the XAU/USD Chainlink price feed; the first option appears reasonable and does not pose a significant risk of bad debt, given the conservative risk parameters suggested by the risk teams and gold’s long history of not dropping to substantial levels in a very short period.
Still, we highlight the importance of being very conservative on risk parameters, given the nature of the underlying, very different to any other listed on the protocol.


Miscellaneous

Conclusion

We believe XAUt has no issues with Aave integration and no major blockers for listing.
We consider XAUt’s upgradability without a timelock acceptable, but only due to a combination of factors: XAUt is issued by Tether, its upgrades are governed by the same multisig as USDT, and Aave already operates USDT under the same setup. Still, we have recommended that the Tether team evaluate adding a timelock on upgradeability.

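The trade-off described under pricing option 1, as an added example that is not part of the original analysis or of Aave's code: a simplified single-collateral model in Python. It computes how large a price gap at market reopen a position at the liquidation threshold can absorb before collateral no longer covers debt plus the liquidation bonus, and flags samples where a stale XAU/USD oracle diverges from the secondary-market XAUt/USD price. All prices, timestamps, thresholds and risk parameters are constructed assumptions, including a deliberately extreme stress sample.

```python
# Added example. All prices, timestamps and risk parameters are constructed.
from dataclasses import dataclass

HOUR = 3600

@dataclass
class Sample:
    ts: int            # observation time (unix seconds)
    oracle_px: float   # XAU/USD oracle answer
    updated_at: int    # time of the oracle's last update
    market_px: float   # XAUt/USD on secondary markets

def max_gap_before_bad_debt(liq_threshold, liq_bonus, health_factor=1.0):
    """Largest fractional price drop a position can absorb before its
    collateral no longer covers debt plus the liquidation bonus.
    Simplified single-collateral model (assumption)."""
    return max(0.0, 1.0 - liq_threshold * (1.0 + liq_bonus) / health_factor)

def flag_samples(samples, max_age_s, max_dev):
    """(ts, age_s, deviation) for samples where the oracle is older than
    max_age_s and the market price differs from it by more than max_dev."""
    flagged = []
    for s in samples:
        age = s.ts - s.updated_at
        dev = (s.market_px - s.oracle_px) / s.oracle_px
        if age > max_age_s and abs(dev) > max_dev:
            flagged.append((s.ts, age, round(dev, 4)))
    return flagged

def weekend_report(samples, liq_threshold, liq_bonus, max_age_s, max_dev):
    """Flag stale-oracle deviations and mark downward ones that exceed the margin."""
    margin = max_gap_before_bad_debt(liq_threshold, liq_bonus)
    flagged = flag_samples(samples, max_age_s, max_dev)
    breaches = [f for f in flagged if -f[2] > margin]
    return {"margin": margin, "flagged": flagged, "breaches": breaches}

FRIDAY_CLOSE = 1_700_000_000  # constructed timestamp
SAMPLES = [  # constructed: oracle frozen at Friday close while the token trades
    Sample(FRIDAY_CLOSE + 1 * HOUR, 4000.0, FRIDAY_CLOSE, 3998.0),
    Sample(FRIDAY_CLOSE + 24 * HOUR, 4000.0, FRIDAY_CLOSE, 3900.0),
    Sample(FRIDAY_CLOSE + 40 * HOUR, 4000.0, FRIDAY_CLOSE, 3160.0),  # stress case
    Sample(FRIDAY_CLOSE + 49 * HOUR, 3950.0, FRIDAY_CLOSE + 48 * HOUR + 1800, 3948.0),
]

if __name__ == "__main__":
    print(weekend_report(SAMPLES, liq_threshold=0.75, liq_bonus=0.075,
                         max_age_s=6 * HOUR, max_dev=0.01))
```

With these constructed parameters the margin is 19.375%, so only the stress sample counts as a breach; a lower liquidation threshold widens the margin.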