Plasma Assets Overview
This analysis covers the assets proposed for the initial listing on Plasma. As these assets are already listed on one or more Aave instances, the review provides an overview of key aspects such as contract implementations and access controls of critical components that are relevant to protocol security during the listing process, as extra transparency for the community.
Disclosure: This is not an exhaustive security review of the asset like the ones conducted by the asset’s teams, but an overview analysis from an Aave technical service provider on various aspects we consider critical before listing an asset that is already listed on other Aave instances. Therefore, like with any security review, this does not make an absolute statement that the asset is flawless, only that, in our opinion, we do not see significant problems with its integration with Aave, aside from different trust points.
Assets
The following is a non-exhaustive overview of the assets’ smart contracts that will initially be listed on Plasma.
WETH
The WETH token on Plasma is non-upgradable and uses the standard OFT ERC20 token implementation, which includes ERC20 minting and burning capabilities by designated minters.
For access control, it employs the OZ Ownable contract, set to a OneSig 3-of-6 configuration, where the main control is to add or remove addresses from the minters list. Currently, only the StargateOFT contract is whitelisted as a minter.
The StargateOFT serves as an intermediary contract for receiving and sending messages to mint or burn WETH through the LayerZero bridge. The token implementation doesn’t impose major risks, and the asset can be listed.
For pricing, we recommend using the Chainlink ETH / USD Price Feed to maintain a consistent approach across Aave instances.
| Upgradable | Access Control | Minter and Burner | Locked funds on mainnet | Upgradable Locked funds | Locked funds access Control |
|---|---|---|---|---|---|
| WETH - Not upgradable | Ownable: OneSig 3-of-6 | StargateOFT | StargatePoolNative | - | Ownable: OneSig 3-of-6 |
USDe and sUSDe
The Ethena’s tokens USDe and its staked version sUSDe on Plasma are non-upgradable and use the standard OFT ERC20 token implementation, including the standard LZ OApp and rate limiter capabilities.
For access control, both contracts use OZ Ownable2Step with the same 5-of-11 Safe as owner, which controls, among other things, the OFT, the OApp, and the mint/burn rate limiter. Only sUSDe also has an owner-managed blacklist.
By featuring the OApp, the token contracts themselves act as the facilitator, receiving messages directly from the bridge (LZ endpoint) to mint and burn tokens. The implementation of both assets and their lock contracts doesn’t impose risks for the listing.
We suggest pricing USDe with the CAPO stable adapter using the USDT / USD Chainlink Price feed, while for sUSDe, we suggest a CAPO adapter using the sUSDe/USDe exchange rate provided by Chainlink with the USDe Capo Stable adapter as the base price. The suggestion is consistent with other instances where both assets are listed.
| Upgradable | Access Control | Minter and Burner | Exchange Rate | Locked funds on mainnet | Upgradable Locked funds | Locked funds access Control |
|---|---|---|---|---|---|---|
| USDe: - Not upgradable | Ownable 2-step: Safe 5-of-11 | LZ endpoint | - | USDeOFTAdapter | - | Ownable: Safe 5-of-11 |
| sUSDe: - Not upgradable | Ownable 2-step: Safe 5-of-11 | LZ endpoint | sUSDe / USDe (Provided by Chainlink Feed) | StakedUSDeOFTAdapter | - | Ownable: Safe 5-of-11 |
weETH
The Ether.fi LRT weETH on Plasma is an upgradable OZ Transparent Proxy that uses as implementation the standard OFT ERC20 token, LZ OApp, and rate limiter for minting, burning, and pausability functions.
For access control, it uses the OZ Ownable and Role-based, with both owner and DEFAULT_ADMIN_ROLE set to a 3-day Timelock.
The contract also features native mint by an assigned MINTER_ROLE address; however, no address has been assigned with this role yet. By featuring the OApp, the token itself receives messages directly from the bridge (LayerZero endpoint) to mint and burn tokens.
The PAUSER_ROLE (EOA 0x9AF1…844D) can stop the token from receiving bridges messages, while the UNPAUSER_ROLE (Safe 2-of-5) can re-activate them again.
The token implementation doesn’t impose major risks, and the asset can be listed and its upgradable and default admins are time-locked, increasing the general security of the asset.
For pricing, we suggest a CAPO adapter using the weETH/eETH exchange rate provided by Chainlink, with the Chainlink ETH / USD as the base price.
| Upgradable | Access Control | Minter and Burner | Exchange Rate | Locked funds on mainnet | Upgradable Locked funds | Locked funds access Control |
|---|---|---|---|---|---|---|
| weETH: Proxy Admin → 3-day Timelock | Ownable: 3-day Timelock + Role-based DEFAULT_ADMIN: 3-day Timelock |
LZ endpoint + MINTER_ROLE |
weETH / eETH (Provided by Chainlink Feed) | OFTAdapterUpgradable | Proxy Admin → 3-day Timelock | Ownable: Safe 3-of-5 |
USDT0 and XAUt0
The USDT0 stablecoin and the tokenized gold XAUt0 are upgradable OZ Transparent Proxies, utilizing the TetherTokenV2 standard with an OFT extension as their implementations.
For access control, it uses the OZ Ownable, where both owners are set to a Safe 3-of-5, where the principal role is to set the OFT Contract and upgrade the implementation of the Proxy.
The OFT extension grants an OFT Contract the ability to mint and burn tokens. This OFT Contract is the adapter (LZ OApp) that receives the message from the LayerZero bridge to mint the tokens.
The implementation of both assets doesn’t impose risks for the listing.
For USDT0 pricing, we recommend using the Capo stable adapter with the USDT/USD Chainlink price feed. For XAUt0, we recommend using the XAU/USD Chainlink price feed, consistent with how the asset is handled in other Aave instances.
| Upgradable | Access Control | Minter and Burner | Locked funds on mainnet | Upgradable Locked funds | Locked funds access Control |
|---|---|---|---|---|---|
| USDT0: Proxy Admin → Safe 3-of-5 | Ownable: Safe 3-of-5 | OFT Contract | OFTAdapterUpgradable | Proxy Admin → Safe 3-of-5 | Ownable: Safe 3-of-5 |
| XAUt0: Proxy Admin → Safe 3-of-5 | Ownable: Safe 3-of-5 | OFT Contract | OFTAdapterUpgradable | Proxy Admin → Safe 3-of-5 | Ownable: Safe 3-of-5 |
Miscellaneous
-
The listed assets are the official contracts on the Plasma network. Among them, WETH is bridged through Stargate, the primary Plasma bridge partner. For the other assets in this analysis, the responsible teams selected the LayerZero bridge, implementing the OFT standard to avoid liquidity fragmentation.
-
These bridged assets use the widely adopted OFT standard implementation with little to no changes, which does not affect their overall usability or security. When tokens are sent cross-chain via LayerZero, they are locked in an OFT Adapter contract. The messages are transmitted to the destination chain through the LZ endpoint, where the OApp (OFT adapter or the token itself) receives the message and mints the token. The tokens can be sent back by burning them (via OFT adapter or the token itself), which triggers a message on the LZ endpoint to release the tokens from their respective OFT adapters on the mainnet.
-
The assets on mainnet are secured and locked in an OFT Adapter extension contract, which implements the OFT mechanisms, locking and releasing the tokens as they are bridged through LayerZero. The WETH adapter on mainnet uses the Stargate Pool Native adapter, which inherits the OFT Adapter mechanism while handling native ETH transfers.
-
The OFT and OApp audits can be found in the LayerZero audits GitHub repository here.
-
We still recommend time-locking the upgradable admins of the upgradable assets and the ownership of general asset configurations that can add new token minters, which enhances the overall security of the assets and provides extra time to validate any changes made to the current configuration.
Conclusion
Already implicit in the activation proposal, we believe the initial assets have no problems with integration into Aave, and aside from requested improvements to the asset issuers, we don’t see any blocker for listing.