Recommendation
LlamaRisk reviewed artMETIS, a Liquid Staking Derivative (LSD) on the Metis L2 chain, and recommends holding off onboarding until i) access control of its upgradeable contracts is transferred to a multi-sig, ii) unstake feature is enabled, and iii) its peg against METIS improves. Most of its contracts, including the artMETIS token ERC20 contract, can be upgraded by a single EOA without a timelock. This critical flaw in its access control could lead to a manipulation of the artMETIS supply, a risk that we deem unacceptable for Aave. The absence of an unstake feature, planned for the near future, has also led to a deteriorating peg against METIS. Based on this review, we advise against onboarding. The full review is provided below for Aaveâs consideration.
Resources
Introduction
artMETIS is an LSD proposed by Artemis on the Metis L2 chain. It represents staked METIS tokens â the native token of the Metis L2 chain â which are staked as collateral by users to get the right to operate sequencers of the Metis L2 chain. Artemis offers to operate sequencers and stake METIS tokens on behalf of their users. It is the third-biggest dApp in terms of TVL on the Metis L2 chain, with $9.2m in assets locked. With a TVL of $5.4m, the Enki Protocol is its only competitor.
I - Asset Fundamentals
Metis L2 chain
Metis is an L2 rollup that settles on Ethereum mainnet. According to L2Beat, it represents 0.97% of the L2 market share. Metis L2 utilizes the Optimistic Virtual Machine (OVM) codebase, an early iteration of the Optimism codebase. The primary challenge with the OVM lies in its partial compatibility with the Ethereum Virtual Machine (EVM), necessitating additional development efforts for teams to deploy their applications on this platform. Subsequently, Optimism developed OVM 2.0, which achieved full EVM compatibility. This updated codebase is currently employed by numerous rollups, including the official Optimism L2 rollup. However, Metis L2 has opted to continue using the initial version of the OVM.
Source: Perpetual Protocol blog post
METIS token statistics (as of the 20th of June 2024):
- Total supply: 10,000,000
- Circulating supply: 5,686,334
- Market cap: $290,915,236
- Staked supply: 335,168 METIS (5.89% of circulating supply)
- Number of sequencers: 6
Metis staking
Contrary to Ethereum L1 (mainnet), where staked ETH provides economic security to ensure the chainâs state is correct, METIS tokens are staked to provide economic security to the decentralized set of sequencers of the Metis L2 chain. In an optimistic L2 chain, transactions are processed off-chain to increase scalability. The backend process responsible for ordering transactions is called a sequencer. The staking of METIS tokens provides economic security to a decentralized set of sequencers by operating a Proof-of-Stake Sequencer Pool. In their beginnings, most L2 chains opted to centralize their sequencers and considered decentralizing them later. Metis L2 is the first rollup to attempt to decentralize its sequencers. Please refer to the official documentation of Artemis for more information.
Metis L2 chain sequencers. Source:
Metis L2 official website
Metis currently boasts 6 sequencers, of which the Metis team operates 3. Although a good first step, especially compared to other L2 chains, this remains a limited degree of decentralization. To get the right to operate a sequencer and secure the Metis L2 network, participants must stake at least 20,000 METIS tokens ($1.02M as of the 20th of June 2024) in an L1 contract called the Sequencer Locking Pool. A sequencerâs stake is limited to 100,000 METIS. If the maximum number of sequencers is reached, candidates enter a FIFO queue and are selected when a new sequencer spot is freed. Underperforming sequencers can be rejected from the pool. On deposit, participants receive a Soul Bound Token (SBT) containing their sequencer ID. This SBT is later destroyed upon their exit from the sequencer pool.
Sequencers in the pool are selected, in turn, according to a weighted random selection algorithm that considers their voting power, which is a linear function of each sequencerâs stake. The probability for a sequencer to be selected, P(A), is calculated as follows:
P(A) = VotingPower(A) / TotalVotingPower
votingPower(A) = lockedAmount(A) / 10^18
Source: Metis L2 chain documentation
A new random selection is made if the active sequencer is down. According to the documentation, apart from being ejected from the sequencer pool and missing out on future rewards, no penalties are inflicted upon underperforming sequencers. Active and well-performing validators are rewarded with a 20% APY reward on their stake, and withdrawals are subject to a 21-day unbonding period.
Artemis protocol
artMETIS is a liquid staking token representing staked METIS in the Sequencer Locking Pool L1 contract. This re-pricing token can be exchanged to increase METIS tokens thanks to the accrued staking rewards. Because of how the Metis L2 staking system works, there is no risk of slashing. Therefore, depegging risks are limited to potential smart contract vulnerabilities and exploits.
Source: Metis L2 documentation
The Artemis architecture spans both layers because the sequencers are tracked on L1. The system works as follows: METIS token holders deposit METIS tokens on the Metis L2 network into the artMETIS Module contract and return the artMETIS token in exchange. The Artemis protocol will automatically deposit user deposits into the L1 bridge and stake them into the Sequencer Locking Pool L1 contract. Artemis currently operates two sequencers:
- ArtemisSuperNode: locked 100,000 METIS tokens since 22nd of March 2024. 100% of blocks signed.
- ArtemisSuperNode2: locked 75,167 METIS tokens since the 13th of April 2024. 96% of blocks signed.
We observe that the ArtemisSuperNode2 sequencer has a 96% block signing rate, the lowest block signing rate of all sequencers. However, this remains a relatively high rate and is not a cause for concern.
Itâs important to note that unstaking functionality is yet to be enabled in the Artemis protocol. The planned unstaking process will involve a 21-day unbonding period once implemented, which is expected to occur shortly.
Incentives
METIS staking currently provides a relatively high reward rate of 20%. Usually, liquid staking provides a staking yield slightly lower than the underlying staking yield because the protocol takes a cut of the staking yield. This differs from artMETIS, which currently proposes a staking yield of 74.08% APY, a boosted staking yield provided by a $50M incentive program funded by Artemis. This indicates that Artemis is well-funded. The artMETIS staking yield is calculated as follows:
artMETIS APY = 20% sequencer APY + (10% x 50M $USD / TVL)
It follows from the calculation that the incentive will gradually decrease as the TVL of the protocol approaches 50M $USD.
II - Market Risk Assessment
Key metrics (as of the 20th of June 2024)
Liquidity
Source: daily volume of the HerculesV3 artMETIS/WMETIS liquidity pool in USD
The primary liquidity venue for artMETIS is the artMETIS/WMETIS liquidity pool on the HerculesV3 exchange, the main swap exchange of Metis L2 chain. The pool currently boasts a $1.6m TVL. It relies on a Channel Multiplier Strategy from SteerProtocol, an LP method that aims to capitalize on market deviation from the theoretical peg.
Liquidity trend in the HerculesV3 artMETIS/WMETIS pool. Source:
SteerProtocol
Volatility
HerculesV3 artMETIS/WMETIS Source:
geckoterminal.com
The secondary market rate between artMETIS and METIS, its underlying asset, has been slowly declining since its inception. This is troubling since the opposite should be observed: a unit of artMETIS should be exchangeable for increasing METIS tokens through time, thanks to the accrued rewards from the Metis L2 sequencer pool. The depeg on secondary markets currently stands at 3.9%, which is relatively large compared to the observed deviation of other liquid staking tokens.
The absence of an unstake feature, currently pending launch by the METIS sequencer node, has contributed to a deteriorating peg of artMETIS against METIS. This depeg is likely exacerbated by a $50m incentive program that has boosted staking yields from 20% to approximately 75%. Some stakers may constantly be withdrawing their rewards and converting them into METIS tokens, creating selling pressure on artMETIS. The team plans to enable unstaking shortly, including a 21-day unbonding period. While this unbonding period might initially limit liquidity, introducing unstaking functionality is anticipated to help recover the peg.
Growth
Looking at the top holders on L1, we can see that 3/4 of the total supply helps in the Metis official bridge, that is, the Metis L2 chain. The second top holder is the SequencerLockingPool contract, in which sequencer operators must lock their METIS tokens. The third top holder is Binance.
Source: Etherscan
Unique holder addresses on L2 have reached a maximum of 800,000 addresses.
Source:
Metis explorer
The TVL reached a maximum of ~$14m at the beginning of June 2024 and has since retraced to a previously observed plateau of ~$10M.
Source: DeFiLlama
III - Technological Risk
3.1 Smart Contract Risk Assessment
Audits
Artemis has been audited by PeckShield on the 26th of January 2024. This audit revealed three findings, including one medium risk and two low risks. Notably, PeckShield classified the extended responsibilities of the ADMIN_ROLE as medium risk for the protocol and recommended transferring this role to a proper DAO-like governance contract. The Artemis team claimed that the issue was mitigated by transferring this role to a multisig, better than an EOA but still far from truly decentralized governance.
Codebase
Artemis contracts are verified on Metis Explorer but are not available on GitHub. No details about off-chain services comprising the Artemis protocol are provided, limiting transparency and independent review.
Upgradeability
All L2 contract implementations use TransparentUpgradeableProxy contracts with a proxyAdmin at 0x479603DE0a8B6D2f4D4eaA1058Eea0d7Ac9E218d, owned by an EOA at 0xc493BD1d8d794357E79dA84613b67533Afc4D337.
This single-EOA control is a critical security flaw. If compromised, an attacker could upgrade contracts to allow infinite minting of artMETIS tokens, risking complete value loss. The lack of a timelock exacerbates this vulnerability by enabling immediate execution of changes. While initially chosen for development ease, this centralized control violates best practices for decentralized protocols. The team plans to transfer ownership to a multisig wallet, which is urgently needed to enhance security and decentralization.
In contrast, the Sequencer Locking Pool L1 contract uses a more secure 4/9 protocol multisig ownership. A similar approach should be swiftly implemented for L2 contracts to address current vulnerabilities.
3.2 Price Feed Considerations
A Chainlink price feed is available on Metis L2 chain for the METIS/USD exchange rate. This could be used with the exchange rate, derived by amtDepositPool.totalDeposits() / artMETIS.totalSupply()
.
3.3 Dependencies
As a liquid staking token representing staked METIS that secures the Metis L2 chain, Artemis directly inherits the risk associated with the Metis L2 chain. With a TVL of only ~$56m, Metis L2 chain is a relatively small L2 chain whose limited economic security budget might prevent its ability to secure itself. Furthermore, the limited number of sequencers it relies upon and the absence of penalties for underperforming sequencers might hinder its ability to maintain high uptime.
IV - Counterparty Risk
4.1 Governance and Regulatory Risk Assessment
Governance model
Artemis plans to distribute the ART token, allowing users to vote on governance proposals. Below is a draft of the planned allocation.
Source: Artemis documentation
For now, the protocol is centralized in the hands of the Artemis team. There is no public forum where protocol upgrades are discussed.
Regulatory risks
Itâs noted that the METIS staking functionality is accessible through https://artemisfinance.io. The website links to a Docs section detailing artMETIS mechanics, fees, deployed contracts, security audits, and related information. However, a significant absence is observedâneither the âDocsâ nor the landing page includes a comprehensive Terms of Service or similar document outlining conditions governing access to and use of the protocolâs front-end interface. Ideally, such terms would cover eligible user profiles, acceptable use policies, restrictions, liability limitations, warranties, and dispute resolution mechanisms.
The lack of specific risk disclaimers or disclosures related to the protocolâs intricacies is also noticeable. While acknowledging the protocolâs inherently non-custodial nature, activities on the front-end layers may be subject to various rules and regulations. Including risk explanations would benefit both the front-end operator, establishing liability boundaries, and users, enabling them to understand better and potentially mitigate risks.
The Artemis team should expand on METIS staking options beyond the centralized https://artemisfinance.io interface. Given its potentially centralized control, users should be informed about alternative ways to interact with the protocol if the front end is no longer supported or undergoes modifications.
4.2 Access Control
The proxyAdmin contract, which is the admin of all contracts on L2, is itself owned by an EOA located at 0xc493BD1d8d794357E79dA84613b67533Afc4D337. The only contract that is not controlled by the proxyAdmin is the priceFeed contract which is owned by a 4/9 multisig.
IV - Aave V3 Specific Parameters
Subject to addressing the critical access control flaw, we align with parameters recommended by @ChaosLabs.
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
Revision 1: change in recommended parameters