Proposal updated to reflect Chaos Labs recommendations

Title: ARFC - Onboard osETH to Aave v3 on Ethereum

Author: ACI ( Aave Chan Initiative)

Date: 2024-03-11

Summary

This is a ARFC proposal for adding borrow/lend support for StakeWise’s new over-collateralized staked ETH token, osETH, on AAVE V3 Ethereum.

Motivation

Liquid staking tokens (LSTs) have proven to be popular collateral assets on Aave, with Lido’s stETH the largest Reserve across all Aave deployments and rETH quickly reaching its supply caps. As productive assets, LSTs are high quality collateral to borrow against. Given their high correlation to ETH, LSTs are commonly used as collateral to borrow ETH and engage in yield leveraged staking, with several communities having built products that automate such strategies on top of Aave. The introduction of eMode only made such strategies more popular.

osETH in particular is overcollateralized by design, providing in-built slashing protection and consequently an increased level of protection for the Aave protocol…

As StakeWise V3 provides solo stakers to ability to mint osETH against their own nodes, on-boarding osETH will benefit Aave, StakeWise, and the Ethereum ecosystem as a whole, and be an important step in the pursuit to diversify Ethereum staking and encourage staking from home.

The onboarding of osETH will consequently create increased osETH demand and increased revenues for both Aave and StakeWise protocols, whilst also bolstering the liquidity and peg stability of osETH.

Chain to be deployed/listed

Ethereum mainnet

Specification:

osETH contract address:

0xf1C9acDc66974dFB6dEcB12aA385b9cD01190E38

Useful Links

Temp Check in Forum: [TEMP CHECK] onboard osETH to Aave v3 on Ethereum pool

Snapshot: Snapshot

Website

V3 Litepaper

V3 Docs

What is osETH?

Audits - Sigma Prime and Halborn

Github Page

Communities: Discord / Twitter / Forum

Disclaimer

The Aave-chan Initiative is not presenting this ARFC on behalf of any third party and is not compensated by Stakewise for creating this proposal.

Next Steps

1. Collect community & service providers feedback before escalating proposal to ARFC snapshot stage
2. If consensus is reached on this ARFC escalate this proposal to the Snapshot stage.
3. If the Snapshot outcome is YAE, this proposal will be escalated to AIP stage
4. If the ARFC snapshot outcome is YAE, publish an AIP vote for final confirmation and enforcement of the proposal

Copyright

Copyright and related rights waived under CC0.

@ACI What oracle would this market use?

The current proposal has been escalated to ARFC Snapshot.

Vote will start tomorrow, we encourage everyone to participate.

See here Pete Update on correlated-price asset onboarding

Following Snapshot monitoring, the current ARFC Snapshot has just ended, reaching both Quorum and YAE as winning option, with 489K votes.

Next step will be the publication of an AIP for final voting.

Whats the criteria for being included in emode? Did osETH not meet the criteria?

Summary

This is a technical analysis of all the smart contracts of the asset and main dependencies.

Disclosure: This is not an exhaustive security review of the asset like the ones done by the StakeWise team, but an analysis from an Aave technical service provider on different aspects we consider critical to review. Consequently, like with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we don’t see significant problems with its integration with Aave, apart from different trust points.

Analysis

osETH is an overcollateralized token that represents ETH staked in so-called Vaults (isolated staking pools) and earns ETH rewards that accrue from their validators. osETH can be minted against staked ETH on any Ethereum node and has in-built slashing protection.

For the context of this analysis, our focus has been on the following aspects, critical for the correct and secure integration with Aave:

• Mechanism to update the exchange rate of the asset for the underlying ETH.
• Access control (ownerships, admin roles) and nature of the entities involved.
• Any miscellaneous aspect of the code we can consider of importance.

General points

• The owner role of the main contracts is given to the StakeWise DAO address, which is a Gnosis Safe controlled by a SafeSnap plugin. All transactions executed must pass a Snapshot vote and the Reality.eth escalation game with SWISE. The 4-of-7 committee acts as a safeguard and is responsible for rejecting malicious transactions. Just one of the seven signers is from the StakeWise team.
• The main contracts are non-upgradable, except for the Vaults created by VaultFactory, which are proxies and can be updated if the DAO proposes and the VaultAdmin accepts.

How osETH overcollateralized system works?

The maximum LTV for any StakeWise Vault V3 is 90%, meaning you can mint osETH up to 90% of your staked ETH to make it liquid. The limit is set to ensure that any penalties or slashing from the Vault validator do not affect the osETH holders and preserve the peg stability.

The user’s osETH position is considered healthy if it does not exceed the 90% limit. This limit can be exceeded if the Vault APY differs from the osETH APY. Depending on the level above the limit, the user position is subject to the so-called redemption or liquidation mechanisms.

At a 91.5 % limit, the user position is considered risky and subject to the redemption mechanism. This means anyone can redeem osETH acquired from exchanges for ETH locked in the Vault. The limit amount of osETH that can be redeemed for ETH is defined by the amount needed to bring the user position back to a healthy level (the formula is defined below). Redemptions don’t incur any fees, so the stakers in the Vault don’t actually lose capital. To redeem osETH, the function redeemOsToken() must be called on the Vault where the staker has a risky position level.

The redeem-amount formula:

Amount of osETH to be redeemed = 10 * amount of osETH currently minted - 9 * amount of ETH staked / osETH exchange rate

At a 92% limit, the user position is considered unhealthy and subject to the liquidation mechanism. This means that anyone can liquidate the entire osETH position of the staker previously minted for ETH + 1% reward on the value of ETH redeemed taken from the user’s stake. The oracles will exit enough validators in the Vault, so the liquidators can liquidate a position as soon as there is the so-called unbonded ETH (amounts less than 32 ETH accumulated from new deposits or exit from validators) in the Vault. If a slashing event triggers the liquidation, it will take 36 days from the initial violation to exit the slashed validators, and the liquidators can do the liquidation. To liquidate a staker position, the function liquidateOsToken() must be called on the Vault where the staker has an unhealthy position level.

The LTV, redemption, and liquidation limits are defined in a contract called OsTokenConfig and can be fetched by the getConfig() function.

List of contracts

The following is a non-exhaustive overview of the main smart contracts involved with osETH.

osETH

• The so-called overcollateralized staked ETH token is a non-upgradable contract that accrues staking rewards.
• The osETH token is a repricing token that continually increases the exchange rate as more staking rewards are earned.
• The OsTokenVaultController contract controls the minting of new osETH tokens by calling the mint function.
• The StakeWise DAO multi-sig can add more controllers to mint new osETH tokens by calling the setController function.
• The exchange rate is queried from the OsTokenVaultController Contract.

OsTokenVaultController

• It’s a non-upgradable contract that controls the emission/burn of osETH tokens.
• The mint/burn functionalities are called by Vaults duly registered in the VaultRegistry Contract.
• The Keeper Contract updates the new average rewards per second by calling the setAvgRewardPerSecond() function.
• The StakeWise DAO multi-sig can set up a new Keeper Contract.

OsTokenConfig

• It’s a non-upgradable contract that provides the configuration for minting and liquidating osETH tokens.
• This contract defines the configuration of minting and liquidating osETH stakers positions by setting the LTV and Liquidation Threshold percentages. Vaults query these values when Staker’s mint tokens or liquidators liquidate unhealthy Staker positions. The percentages can be fetched by calling the getConfig() function.
• The StakeWise DAO multi-sig can set up new LTV and Liquidation Threshold percentages by ca.

Vaults

• Vaults are created permissionless through the VaultFactory Contract.
• It’s an OZ ERC1967Proxy Contract with a UUPS pattern. The implementation can be found here.
• The Vaults are independent and cannot be unilaterally upgraded by the StakeWise DAO. However, if the StakeWise DAO implements changes to the Vault Contract, the Vaults can choose to upgrade to the new version.
• Once oracles submit a new Merkle tree root to the Keeper contract, every Vault can pull these updates by calling the updateState() function.
• Stakers can mint osETH tokens through Vaults, which calculate and validate the LTV using the OsTokenConfig Contract and then call the OsTokenVaultController Contract to mint new osETH tokens.
• Vault Admin cannot change the Vault’s core parameters (vault type and fee) once deployed.

Oracle

• Oracles fetches the reward data from the Beacon Chain validators and triggers validator registration and exit processes. The new reward data is submitted to the Keeper Contract by the updateRewards() function, which sets an average reward per second to accrue in the OsTokenVaultController.
• The updateRewards() function checks if the new average reward per second value exceeds the maximum average reward per second limit (around 22.14% APR) set in the Keeper contract constructor. The maxAvgRewardPerSecond defines the hard limit on the maximum exchange rate possible.
• To update the rewards, there is a voting mechanism that the Oracles periodically participate in every 12 hours set in the Keeper contract constructor.
• The Oracles use validator balances in the Beacon Chain and execution rewards/penalties for all the Vaults connected to the smoothing pool (a staking rewards pool) to calculate the consensus rewards/penalties for each Vault. These calculations are used to create a Merkle tree, which is then uploaded to IPFS. The vote is saved to a database and can be accessed through public Oracles endpoints.
• Anyone can call the updateRewards() function by fetching votes from Oracles endpoints, concatenating them, and sending them to the Keeper Contract.
• The Oracle network has 11 participants, and 6 out of 11 votes are needed to update the rewards and process validator registration/exits.
• The Keeper Contract is a non-upgradable contract controlled by the StakeWise DAO multi-sig.
• The StakeWise DAO multi-sig can update the number of participants, the threshold to update the rewards, and the threshold to approve new validator registration/exists.
• Currently, the Oracle Network consists of 11 commercial operators all acting under SLA agreements: StakeWise Labs, P2P, Gnosis, DSRV, Chorus one, Bitfly, Finoa, T-Systems, Gateway.fm, Stake.Fish, and Senseinode.

Miscellaneous

• The system has multiple audits by Halborn and Sigma Prime. Given its layered nature, we still recommend adding some extra.
• The team has put effort into both security and decentralization, making the control of the major contracts by the DAO, building a robust Oracle network, and not allowing Vault Admins to make changes in the core logic.
• Given the nature of osETH to be overcollateralized and for providing in-built slashing protection, we believe that peg stability can be reinforced with its listing on AAVE V3.

Conclusion

We think osETH doesn’t have any problem in terms of integration with Aave, and there is no major blocker for listing.

Overview

Chaos Labs supports listing osETH on Aave V3 Ethereum as part of the community’s strategy to increase the offering of Aave protocol with more LST assets. Following is our analysis and risk parameter recommendations for the initial listing.

Note: The following analysis is conducted solely from a market risk viewpoint, excluding centralization and third-party risk considerations. If the community aims to reduce exposure to osETH, adopting more conservative supply and borrow caps should be considered.

Liquidity and Market Cap

osETH is an ETH liquid staking token offered by StakeWise. The token represents ETH staked in Vaults, which earn ETH rewards from validators. Similar to wstETH, its accrued rewards are reflected in the asset’s price relative to ETH. It is minted using an overcollateralized position, meaning stakers receive relatively less osETH than the ETH used to stake. This is intended to protect from slashing events. Redemption of osETH for ETH is always set to the underlying exchange rate, determined by StakeWise oracles based on the performance of Vaults.

The current supply is 33.26K osETH, representing a market cap of roughly $100M. Its liquidity is concentrated on Curve, Balancer V2, and Uniswap V3.

osETH / ETH Volatility

Liquidation Threshold

Considering the volatility and the correlation of osETH to ETH, we recommend setting the LT to 75%, mirroring similar assets on Ethereum V3.

Supply Cap, Borrow Cap, and Liquidation Bonus

Chaos Labs’ approach to initial supply caps is generally proposed by setting the supply cap at 2x the liquidity available under the liquidation penalty price impact, which would lead to a recommendation of 28,000 osETH.

However, we recommend first a more conservative cap of 10,000 osETH to observe user behavior as anticipated before enabling more aggressive caps via risk steward.

Based on our observations, the utilization rate for LRTs and LSTs has been low due to additional borrowing costs. Therefore, we have taken a conservative approach and recommend a borrow cap of 1000 osETH. However, if there is a significant increase in demand and utilization, perhaps due to external incentives, we will reassess the caps according to the utilization pattern.

IR Curve Parameters

We recommend aligning the interest rate parameters with those of weETH on Ethereum to ensure consistency across similar assets on Aave v3.

E-mode

Given the asset’s overall liquidity and risk profile, we recommend including osETH in the ETH-correlated E-mode category.

CAPO recommendations:

Considering the stable nature of osETH yield and the relatively low staking rates since its launch, along with the granular and streamlined reward approach, we suggest initializing osETH CAPO parameters similar to wstETH.

Specification

Following the above analysis, we recommend listing osETH with the following parameter settings:

Summary

We recently published a comprehensive review of StakeWise Staked ETH (osETH) and present here a summary of our findings, with specific considerations regarding its current listing on Aave V3.

Our assessment of osETH is predominantly favorable. The primary area for improvement remains liquidity, with a significant portion of the supply currently held in EigenLayer. We also recommend that StakeWise implement more advanced access control capabilities and enhance protocol security measures for adverse conditions, particularly through refined pausing mechanisms.

A weakness noted in our comprehensive assessment regarding the absence of a Chainlink feed is not applicable in this context. Aave utilizes a combination of Chainlink’s ETH/USD feed, StakeWise v3’s exchange rate mechanism (updated via keepers), and the Correlated-assets price oracle (CAPO) adapter. This is generally sound, although it presents certain tradeoffs compared to using market price. We intend to explore these tradeoffs in future research.

In conclusion, we consider osETH a well-developed liquid staking token that has reached sufficient maturity for listing on Aave. The current parameters, including ETH-correlated e-mode and caps, appear appropriate given the present liquidity and market conditions.

II - Market Risk Assessment

Liquidity

51.71% of osETH tokens are deposited in EigenLayer, making liquidity heavily dependent on EigenLayer’s operational status and execution of its roadmap. This concentration could impact the osETH peg on secondary markets despite active liquidity incentives. StakeWise’s efforts to distribute liquidity and maintain a stable profile enhance confidence in its market resilience.

image2210×1248 194 KB

Volatility

Initial volatility stabilized with a positive depeg, indicating a high demand for osETH. On the 15th of May, we observed an outlier with a positive depeg of +2.8%, which quickly resolved in the following days. StakeWise uses a system that automatically chooses between protocol withdrawals and market swaps to maximize withdrawal output. The 10% overcollateralized ETH buffer protects against validator issues, maintaining the osETH peg without liquidations so far. However, the long-term efficacy of the redemption and liquidation mechanisms remains unproven under more adverse conditions.

Source: OsTokenVaultController contract and CoinGecko - from April 1st to June 28th, 2024

III - Technological Risk

3.1 Smart Contract Risk Assessment

Audits

Three audits on the V3 codebase and previous audits have provided valuable insights. The public, well-documented, modular codebase includes a bug bounty on Immunefi. No security breaches or successful Immunefi claims have occurred.

• Halborn (2023-05): 5 findings including one high risk.
• Halborn (2023-08): 3 findings including one medium.
• SigmaPrime (2023-08): 21 findings including two critical risks, five high risks, and one medium risk.

3.2 Price Feed Considerations

Aave’s integration of StakeWise v3’s osETH utilizes StakeWise’s osETH/ETH exchange rate, Chainlink’s ETH/USD feed, and Aave’s Correlated-assets price oracle (CAPO) adapter.

StakeWise v3’s exchange rate mechanism provides the base osETH/ETH rate. Every 12 hours, off-chain oracles update this rate through the Keeper contract. The update process requires a 6/11 majority consensus among oracles and caps rate changes at approximately 22% APR. This mechanism captures accrued staking rewards and maintains the osETH/ETH relationship.

Aave combines this rate with Chainlink’s ETH/USD feed to calculate the osETH/USD value. The CAPO adapter then applies range price protection to the resulting rate. This layered approach addresses the nature of osETH as an asset correlated with ETH but is subject to divergence due to staking rewards or market conditions. The system enables Aave to use osETH as collateral while addressing risks specific to liquid staking derivatives. It provides the price accuracy required for Aave’s collateralization and liquidation processes.

A osETH/USD RedStone pricefeed also exists, although we deem it suitable for isolated lending markets only as we consider it less secure than Chainlink.

3.3 Dependencies

StakeWise V3 relies on two off-chain services, the Operator and the Oracle. The decentralized, but not open-source, Oracle reduces centralization concerns. Smart contract checks and a role-based access control system prevent balance and reward manipulation. Operator off-chain services are operated by each vault admin, along with the infrastructure needed to operate their validators.

IV - Counterparty Risk

4.1 Governance and Regulatory Risk Assessment

Regulatory risks

Incorporated in a UAE-free zone, StakeWise enjoys business flexibility but often has opaque ownership structures. The UAE’s VARA still needs to regulate non-custodial staking, offering regulatory latitude. User interaction terms emphasize limiting liability and disclaiming warranties concerning osETH and protocol use.

4.2 Access Control

StakeWise V3 is decentralized and permissionless, with limited team control over deployed contracts. A 4/7 multisig with known public entities as signers control most contracts, except for the staking vaults which vault admins control. Known entities also operate Offchain Oracles, but the private Oracle code and unknown execution client diversity pose risks.

IV - Aave V3 Specific Parameters

Here are the current parameters for osETH:

The current parameters appear to remain optimal for an LSD such as osETH, based on the available data and established methodologies.

Analysis of osETH liquidity reveals that the primary pool is BalancerV2 osETH/ETH, containing 10,500 ETH, constituting 55% of the pool’s total assets. Alternative pools offer insignificant liquidity. The current supply cap of 10,000 aligns closely with the recommendation derived from the recommended methodology, which proposes setting the supply cap at twice the liquidity within the liquidation bonus, expressed as a percentage of price impact.

The E-mode parameters for osETH against ETH are consistent with those of comparable Liquid Staking Derivatives (LSDs) such as stETH and rETH. Considering the observed stability of the osETH/ETH peg, these parameters are deemed appropriate. The absence of a debt ceiling is justified by the StakeWise protocol’s maturity and degree of decentralization.

Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.