
In-depth analysis of Ondo Finance, a RWA DeFi protocol that raised $24 million in funding.

2023-06-11 18:00
Original Title: "Asset Risk Assessment: Ondo and Flux Finance (OUSG)"
Original Author: LLAMARISK
Original Translation: Kxp, BlockBeats


Ondo Finance Introduction


Ondo Finance is a blockchain service company that creates and manages institutional-grade financial products, such as US Treasury bonds and money market funds, and builds DeFi protocols around these products. Ondo is committed to developing decentralized and composable protocols and providing customized services to meet the needs of organizations, DAOs, and high net worth individuals. The platform aims to bridge the gap between TradFi and DeFi by introducing real-world assets (RWAs) into DeFi.


Ondo Finance was founded by Nathan Allman in 2021 and has raised $24 million in funding from investors including Pantera Capital, Founders Fund, Coinbase Ventures, and Tiger Global. The team members have rich backgrounds in various institutions and protocols such as Goldman Sachs, Fortress, Bridgewater, and MakerDAO.


Legal Structure 


Link: Ondo Legal Documents


Ondo Finance adopts a standard fund structure, including limited partners and general partners, as well as third-party service providers such as qualified custodians, fund administrators, and treasury auditors.


Here is an overview of Ondo's own legal structure:


· Ondo Finance Inc: Parent Company

· Ondo I GP: General Partner (GP), responsible for managing the fund and guiding service providers.

· Ondo Capital Management LLC: Investment Manager (Ondo IM), collaborates with GPs to manage funds.

· Ondo I LP: A Delaware limited partnership that accepts capital contributions from investors and holds assets with third-party service providers. It is the issuer of OUSG.


Ondo Finance takes extensive security measures and partners with reputable service providers such as Coinbase and Clear Street to ensure the safe and efficient management of funds. Qualified custodians are institutions approved by regulatory authorities that hold client assets in separate accounts under the client's name.


Ondo uses the following third-party fund service providers:


· Clear Street: Securities broker and qualified custodian managing off-exchange assets and trading orders for funds.

· NAV Consulting Inc.: Provides third-party administrative services, including daily calculation of fund net asset value.

· Coinbase Prime: Holds stablecoins, exchanges them for US dollars, and remits them to Clear Street as instructed by the investment manager.


The following chart shows the relationships between these entities (from a MakerDAO forum proposal):



1. Ondo Finance fully owns investment managers and general partners.

2. The investment manager is responsible for buying and selling ETFs.

3. General partners act as general partners of the fund.

4. OUSG investors send stablecoins to the fund's Coinbase account to purchase OUSG. The fund then sends OUSG to OUSG investors.

5. The fund has hired Coinbase to hold stablecoins, exchange them for US dollars, and remit them to Clear Street as directed by the investment manager.

6. The fund has hired Clear Street to provide primary brokerage services and utilizes Clear Street to hold and trade assets.

7. The investment manager instructs Clear Street (CS) to execute trades, settle them, and custody the fund's assets in the fund's CS account.


The fund has established access controls to ensure security, especially for third-party transfers. The Coinbase account is only allowed to send USD wire transfers to the Clear Street account. Clear Street's wire transfers are sent and received through its bank, BMO Harris, while Coinbase's wire transfers are sent and received through its bank, Customers Bank. To approve another account for wire transfers, the fund must first receive a wire transfer from that bank account to the fund's Coinbase account, and then work with Coinbase representatives to configure that bank as a trusted withdrawal destination. In addition, Ondo maintains its own standards for approving new bank accounts as transfer destinations.


Ondo I LP: OUSG Fund 


Link: Ondo I LP Investor Document


The Ondo I LP fund was created in February 2023, and its first product is the Ondo Short-Term US Government Bond (OUSG). The fund's only underlying asset is the iShares Short-Term Bond ETF (SHV), which tracks an index of US Treasuries with maturities of less than one year. As of May 15th, the net assets of the ETF were $23.4 billion, with an average daily trading volume of over $300 million.


The fund automatically reinvests the dividends generated by its holdings. The fund's expenses include the management fee of the underlying ETF (0.15%) and the management fee charged by Ondo (0.15%), with a total expense cap of 0.3%.














1. Use Ondo to complete the KYC/AML process, provide the required documents, and pass the automatic screening.

3. Provide Ethereum wallet address for whitelist processing, for subscription, receipt of fund tokens, and redemption.

4. Send USDC to the fund's smart contract for subscription.

8. Increase the value of the fund by reinvesting through the purchase of more ETF shares.



2. Smart contracts record your redemption request.

3. Once the next daily net asset value is calculated and your redemption request is accepted, Ondo IM will sell enough ETF shares to pay your redemption amount.

4. Clear Street will transfer the corresponding US dollars to Coinbase and convert them into USDC.

5. Ondo IM will complete the redemption request and distribute USDC to the user's wallet.


OUSG Access Control


Ondo authorizes the flow of funds between its fund account service providers (Coinbase Prime for stablecoin and USD exchange, and the Clear Street brokerage account for ETF custody and trading). Ondo, Coinbase, and Clear Street have reached a custody agreement regarding the authorization and approval of fund transfers. Access between the brokerage and bank accounts has been set up to minimize employee access to the fund accounts.


Ondo uses two multisig wallets to manage the on-chain portion of its system. The team claims that each signer is an Ondo employee and is required to sign with a hardware wallet.


Ondo 3-of-6 Cash Management Multisig


· Configure the minimum redemption and subscription amount on the CashManager contract.

· Configure rate limiter parameters on the CashManager contract (i.e. the number of subscriptions and redemptions that can be processed within a day).

· Configure the fee receiver on the CashManager contract (fees are currently disabled).

· Set the exchange rate for OUSG minting.

· Mint OUSG to meet subscription demand.

· Temporarily suspend the functionality of the CashManager contract in emergency situations.

· In emergency situations, destroy OUSG.

· In emergency situations, upgrade the OUSG implementation contract.

· In the event that a user accidentally transfers their Token to the CashManager contract, the multi-functionality will be executed within the CashManager contract.


Ondo 3-of-7 Redeem Multi-Signature


· Send stablecoins to the CashManager contract to meet redemption needs.


Flux Finance Introduction 


Flux Finance is a decentralized lending protocol developed by the Ondo Finance team and governed by the Ondo DAO (ONDO holders). It is a fork of Compound V2 with minor modifications to handle permissioned tokens like OUSG. The protocol offers a variety of tokens for borrowing and lending, such as USDC, DAI, USDT, and FRAX. OUSG is the only collateral asset and cannot be borrowed.


The main goal of Flux is to create utility for OUSG assets and facilitate the process of bringing real-world assets onto the blockchain in a compliant manner. This decentralized finance (DeFi) approach aims to ensure that each token operates within the appropriate framework, promoting a balanced environment of accessibility and compliance.


The following figure shows the interaction between the Ondo and Flux ecosystems:



fTokens 


fTokens are similar to Compound's common cToken standard. Flux Finance allows lenders to earn interest by supplying stablecoins to the platform and minting fTokens. These ERC-20 tokens represent the lender's balance in the protocol and earn interest through the fToken/Token exchange rate. The interest earned by the protocol is not distributed directly to lenders; instead, the fToken exchange rate increases over time, so holders can redeem their fTokens for more of the underlying asset as interest accumulates. Flux Finance's supply and borrowing rates are determined by an algorithm based on supply and demand.


fTokens have additional functionality to support permissioned-token restrictions, so fOUSG can only be transferred between whitelisted addresses. Any interaction with fOUSG, including minting, redeeming, or transferring, is checked against the kycRegistry contract, which stores the whitelisted addresses. Additionally, if a transfer would leave the borrower with negative account liquidity, the transfer fails, protecting the stability and security of the protocol.


The Unitroller contract sets several parameters that affect the OUSG lending market:





· Flux USDC (fUSDC)

· Flux DAI (fDAI)

· Flux USDT (fUSDT)

· Flux FRAX (fFRAX)



· Flux OUSG (fOUSG)




In the permissionless part of the protocol, fUSDC has 420 token holders, fDAI has 160, fUSDT has 76, and fFRAX has only 7. Despite supply (lending) rates that are competitive with larger money market protocols, on-chain adoption appears relatively low.



The chart above shows that the utilization rate of the permissionless fTokens is about 90%, an equilibrium at which the OUSG yield (the yield of the underlying SHV ETF) matches the borrowing cost of the supported stablecoins. Given that the permissionless fToken assets can only be borrowed, while the permissioned token OUSG is used solely as collateral, it can be inferred that a 90% utilization rate marks the maximum capacity borrowers can take on without a negative annual percentage yield (APY) on their debt.


· Loan APY at 90% utilization: 4.41%

· Loan APY at 91% utilization: 4.78%



After accounting for management fees and reducing the underlying collateral's annualized yield accordingly, the current yield for OUSG depositors is 4.3%. By comparison, the average borrowing cost is 4.575%, which is relatively low for borrowers in terms of overall cost.


Given the current utilization of the lending protocol (and the corresponding fTokens), it would be beneficial to add or allocate some external productivity to fTokens to meet the demand for using OUSG as collateral.


Curve fUSDC/fDAI Pool 


Utilization of the Flux Curve pool has been very low so far, although it was deployed only a month before this article was written. The pool was funded with $2 million by a team multisig. There is currently no substantial trading volume.


The pool is deployed as a Curve V2 pool, the type used for assets that are not pegged 1:1, to account for the difference in interest accrual between fUSDC and fDAI. The team wants pool parameters as close to xy=k as possible while still rebalancing liquidity. They chose the minimum values of the A and gamma parameters, which is a very unusual choice, but the team believes it is the most appropriate for the purpose of this pool.


The protocol targets an optimal borrowing rate, and once the rate exceeds this, the borrowing rate increases rapidly. The Curve pool can help arbitrage fTokens near the optimal rate, while additional incentives on Curve may increase demand for Flux lending.



Other types of DeFi integrations 


The Ondo Finance team has begun to focus on the composability of fTokens. In addition to the current Curve proposal, they have also submitted a proposal to MakerDAO. MIP119 proposes to create a reserve of 500 million DAI for Flux Finance's DAI lending pool.


Recently, another proposal with Frax went through a snapshot vote to activate an AMO that can lend up to 2 million FRAX on Flux. The funds for this proposal are still awaiting deployment.


Flux Finance is governed by Ondo DAO. ONDO holders have control over the protocol's economic parameters, smart contract upgrades through on-chain proposals, and the OUSG oracle and lending protocol interest rate model contracts. Although ONDO is currently non-transferable, users can use the token to vote on DAO proposals or delegate their voting power to other accounts.


Ondo DAO's governance follows a standard two-step process:


· Forum discussion

· On-chain voting (managed by Tally)



The maximum total supply of ONDO is set to 10 billion ONDO, and it will be distributed according to the following token allocation and unlocking plan:




At the time of writing, ONDO has 9,770 holders, all of whom have completed KYC in public sales and private placement activities. These token distribution plans were carried out through the Coinlist platform, with 11.31% of the total ONDO supply allocated. The remaining undistributed ONDO accounts for 88.69% of the supply and is stored in a multi-signature wallet in the treasury.



According to the governance configuration file on Boardroom, Ondo DAO has proposed six proposals since its launch, with a total of 762 voters participating in the vote, casting a total of 1,589 votes. When reviewing the delegation situation, the two largest accounts (account 1 and account 2) together hold about 70% of the total voting power of the DAO. Although these accounts have voting restrictions, they can create and submit new proposals.



The two accounts with the highest voting rights hold 202,806,000 ONDO, contributing approximately 70% of the voting weight to the DAO. However, these accounts are subject to voting restrictions, leaving 30% of weighted voting rights available, equivalent to approximately 86,916,850 ONDO. Three delegates collectively hold 65.28% of the total weighted voting rights:


1. glassmarkets.eth - About 240.63 million VP (894 delegates).

2. 0xcd7979e12E2A502a280270827077Fd7f206f9a44 (inactive in previous proposals) - approximately 205,200 VP (193 delegates).

3. vexmachina.eth - 12.164 million VP (33 delegates)


The voting restrictions for the two accounts mentioned above are set by the administrator of the Tally page.


It is evident that the Ondo Finance team has control over all decisions regarding the Flux protocol. Although the two accounts with the highest voting power are declared as non-voting accounts on the Tally page, this rule is not enforced in the Governor smart contract. In this case, the "non-voting" accounts can participate in the voting process at any time.
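One way to monitor the gap described above, where the non-voting restriction exists only on the Tally page: an added Python example (not part of the original report or of Flux's tooling) that scans vote records shaped like Governor Bravo `VoteCast` events and reports each proposal on which a declared non-voting account voted, and whether that vote changed the outcome. The addresses and vote records are constructed placeholders; the quorum is the 1 million ONDO figure given on this page.

```python
from collections import defaultdict

QUORUM_VOTES = 1_000_000  # quorum stated on this page, in whole ONDO

# Placeholder labels for the two accounts declared "non-voting" on Tally
# (assumption: the real addresses would be substituted by the operator).
NON_VOTING = {"0xnonvoting_1", "0xnonvoting_2"}

# Constructed records shaped like Governor Bravo VoteCast events.
# support: 0 = against, 1 = for, 2 = abstain
SAMPLE_VOTES = [
    {"proposal": 7, "voter": "0xDELEGATE_A", "support": 1, "votes": 600_000},
    {"proposal": 7, "voter": "0xDELEGATE_B", "support": 0, "votes": 900_000},
    {"proposal": 7, "voter": "0xNONVOTING_1", "support": 1, "votes": 100_000_000},
    {"proposal": 8, "voter": "0xDELEGATE_A", "support": 1, "votes": 1_500_000},
    {"proposal": 8, "voter": "0xDELEGATE_B", "support": 0, "votes": 200_000},
]


def passes(votes, quorum=QUORUM_VOTES):
    """Governor Bravo rule: for-votes must beat against-votes and reach quorum."""
    for_votes = sum(v["votes"] for v in votes if v["support"] == 1)
    against_votes = sum(v["votes"] for v in votes if v["support"] == 0)
    return for_votes > against_votes and for_votes >= quorum


def audit_proposals(votes, non_voting=NON_VOTING):
    """Return {proposal_id: finding} for proposals where a non-voting account voted."""
    restricted = {a.lower() for a in non_voting}  # addresses compare case-insensitively
    by_proposal = defaultdict(list)
    for vote in votes:
        by_proposal[vote["proposal"]].append(vote)

    findings = {}
    for proposal_id, cast in sorted(by_proposal.items()):
        flagged = [v for v in cast if v["voter"].lower() in restricted]
        if not flagged:
            continue
        clean = [v for v in cast if v["voter"].lower() not in restricted]
        findings[proposal_id] = {
            "voters": sorted({v["voter"].lower() for v in flagged}),
            "weight": sum(v["votes"] for v in flagged),
            # True when the result differs once the restricted votes are removed
            "outcome_changed": passes(cast) != passes(clean),
        }
    return findings


if __name__ == "__main__":
    for proposal_id, finding in audit_proposals(SAMPLE_VOTES).items():
        print(proposal_id, finding)
```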


Flux Finance Multi-Signature Account 


Aside from the two multi-signature accounts used by Ondo to manage OUSG assets, Flux also employs two multi-signature accounts for treasury and operational management. Flux claims that all members are employees of Flux Finance, a company based in the British Virgin Islands. These wallets include:


Flux Protocol Vault Account 3/6 Multisig

· Holds over 88.7% of ONDO's supply


Neptune Foundation (fluxfinance.eth) 3/6 Multisig

· Controlled the interest rate model and oracle contracts of the Flux protocol until the implementation of FIP-04; this authority has since been transferred from the multisig to the DAO.


fluxfinance.eth provides the latest price data for OUSG on a continuous and periodic basis, with a daily price change limit of no more than 100 basis points. This limit is enforced by the address. Integration with Chainlink is currently being tested on the mainnet and is expected to be completed in the near future.


Risk Vector 


Smart Contract Risks 


The smart contracts of Ondo Finance have been audited by Code4rena, which evaluated the security and potential vulnerabilities of the code. The audit assessed 19 smart contracts, 5 abstract contracts, and 6 interfaces, totaling 4,365 lines of Solidity code.


The Ondo team collaborated with C4A to address any major vulnerabilities in smart contracts. C4A auditors discovered 6 unique vulnerabilities, one of which was classified as a high-risk vulnerability, and five were classified as medium-risk vulnerabilities. In addition, the audit included 54 reports that detailed low-risk or non-critical issues, as well as 24 recommended gas optimization reports.


The key high-risk issue is referred to as "loss of user funds when completing cash redemptions," which involves the completeRedemptions function in the CashManager contract. The issue arises when the refunded amount is not updated in the totalBurned storage variable for the given period. If the administrator uses multiple calls to the completeRedemptions function to complete refunds and redemptions at different steps or stages during the given period, any refunded amount will not be considered in subsequent calls to the function. Even if the user redeems the same amount of CASH, this discrepancy may result in the user receiving fewer collateral tokens than expected, leading to a loss of user funds. The Ondo team worked with C4A to address this vulnerability.
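The accounting flaw described above, as an added Python model that is not Ondo's Solidity code or part of the original report. It assumes redeemers are paid pro rata against the epoch's burned total and that, before the fix, refunds are netted out only in a local variable; the class, function names and amounts are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EpochLedger:
    """Simplified model of one redemption epoch in a CashManager-style contract."""
    persist_refunds: bool                        # False = pre-fix, True = fixed
    burned: dict = field(default_factory=dict)   # user -> CASH burned, not yet serviced
    total_burned: int = 0                        # models the totalBurned storage variable
    refunded_cash: dict = field(default_factory=dict)
    collateral_paid: dict = field(default_factory=dict)

    def request_redemption(self, user: str, cash_amount: int) -> None:
        self.burned[user] = self.burned.get(user, 0) + cash_amount
        self.total_burned += cash_amount

    def complete_redemptions(self, redeemers, refundees, collateral_to_dist: int) -> None:
        # Refunds: the burned CASH is handed back instead of being redeemed.
        refunded = 0
        for user in refundees:
            amount = self.burned.pop(user)
            self.refunded_cash[user] = self.refunded_cash.get(user, 0) + amount
            refunded += amount

        # Denominator for the pro-rata split (assumed formula).
        quantity_burned = self.total_burned - refunded
        if self.persist_refunds:
            # The fix: write the reduced total back so later calls see it.
            self.total_burned = quantity_burned

        for user in redeemers:
            amount = self.burned.pop(user)
            due = collateral_to_dist * amount // quantity_burned
            self.collateral_paid[user] = self.collateral_paid.get(user, 0) + due


def run_epoch(persist_refunds: bool, split_calls: bool) -> dict:
    """Three users burn 100 CASH each; carol is refunded, 200 collateral is paid out."""
    ledger = EpochLedger(persist_refunds)
    for user in ("alice", "bob", "carol"):
        ledger.request_redemption(user, 100)
    if split_calls:
        ledger.complete_redemptions([], ["carol"], 0)            # call 1: refund only
        ledger.complete_redemptions(["alice", "bob"], [], 200)   # call 2: redemptions
    else:
        ledger.complete_redemptions(["alice", "bob"], ["carol"], 200)
    return ledger.collateral_paid


def stranded_collateral(persist_refunds: bool, split_calls: bool) -> int:
    """Invariant check: collateral earmarked for the epoch but never paid out."""
    return 200 - sum(run_epoch(persist_refunds, split_calls).values())


if __name__ == "__main__":
    print("single call, pre-fix:", run_epoch(False, False))
    print("split calls, pre-fix:", run_epoch(False, True))
    print("split calls, fixed:  ", run_epoch(True, True))
```

The `stranded_collateral` check is the kind of invariant an operator can assert after every servicing call: apart from rounding dust, the collateral paid out should equal the collateral supplied for the epoch.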


One noteworthy medium-risk issue is the "first deposit vulnerability" found in the Compound v2 smart contracts. This vulnerability allows attackers to seize the funds of the initial depositor of a newly deployed cToken contract. The Ondo team solved this problem by enforcing a minimum deposit: during the first deposit, a small amount of cToken units is minted to the 0x0 (burn) address, where it cannot be withdrawn.



Flux Finance maintains an active bug bounty program for its protocol smart contracts, hosted on Immunefi. The program is divided into four categories based on the severity or impact of the discovered vulnerabilities, offering bounty payouts ranging from $1,000 to $550,000:



Ondo Finance paid a bug bounty to security researcher Ashiq Amien on January 26, 2022. The issue was related to the TrancheToken smart contract, which is part of Ondo Finance's first product, Ondo Vaults. Ondo Vaults is a financial protocol built on top of Uniswap; it predates OUSG and has since been deprecated.


Governance Risk 


Flux Finance adopts a two-stage governance process, including forum discussions and on-chain voting, to ensure community participation and reduce potential risks. Governance proposals are usually posted on the Flux Finance governance forum, where community members and the team can provide feedback. Although this step is not mandatory, it increases the likelihood of proposals achieving good consensus and success.


After discussion on the forum, the final proposal will be submitted for a binding on-chain vote. Flux Finance's DAO is a fork of Compound's Governor Bravo and manages on-chain voting through Tally. Voting power is determined by ONDO ownership, and holders can delegate their voting power to other wallets.


The key DAO parameters include:


· Proposal threshold: You need to have at least 100 million ONDO voting rights to submit a proposal, which helps prevent spam or malicious proposals.

· Voting period: Community members can vote within a 3-day time window.

· Quorum: Proposals must have at least 1 million ONDO voting rights to be approved.

· Time lock: There is a 1-day delay period between the end of the voting period and the successful execution of the proposal.


This governance structure ensures community participation, reduces risk, and promotes transparency in the decision-making process of Flux Finance.


When examining the distribution of voting rights for Ondo DAO on Tally, we observed that the governance appears to be highly centralized. Two governance accounts, "glassmarkets.eth" and "vexmachina.eth", collectively hold approximately 34.91 million ONDO tokens (including delegated tokens). Compared to the proposal with the highest participation rate, these two accounts collectively hold a significant amount of voting power, approximately 73.57%.


In addition, the distribution of voting rights within the platform is relatively centralized, with three wallets holding a total of 65.28% of the voting rights (currently eligible to vote). This centralization of influence may raise concerns about platform governance and decentralization, emphasizing the need for a more balanced distribution of voting rights among participants.


This centralization of voting rights has raised concerns about the influence of these entities on the Ondo DAO governance decision-making process. For example, entities like GlassMarkets only own 57 Ondo, but have 894 addresses delegating voting power to them, making them the largest voter in the DAO.



Custody Risk 


When evaluating centralization risks, it is important to consider the underlying assets and infrastructure that support the Ondo Finance ecosystem. OUSG is not directly backed by US Treasury bonds, but rather by the SHV ETF, which tracks the ICE Short-Term US Treasury Bond Index. SHV is an ETF managed by BlackRock that tracks short-term Treasury bonds, with assets under management of approximately $23 billion.




Collateral Risk/Solvency Risk 


During extreme market volatility, there is a possibility of accumulated bad debts, although this risk can be considered relatively low. Users should be aware of the limitations and vulnerabilities that may lead to payment risks.


Liquidation on Flux works much as it does in Compound V2. When an account's loan-to-value ratio (LTV) no longer meets the requirement, the account is liquidated: third-party liquidators can repay a portion of the borrower's debt and take the corresponding collateral at a discounted price. Unlike Compound, however, Flux's liquidation process complies with OUSG's KYC requirements. To liquidate a position that uses OUSG as collateral, the liquidator must complete KYC and be whitelisted to hold the token. This limited pool of authorized liquidators may increase the chance that liquidations are not completed in a timely manner.


Liquidations are expected to be rare. Flux currently only supports stablecoin markets, which are usually not very volatile. However, in extreme volatility situations, when the LTV increases rapidly and the account cannot be liquidated in time, the net value of the account may become negative, resulting in accumulated bad debts for the protocol and its borrowers. Flux Finance's assets are usually very stable, so it is highly unlikely that bad debts will accumulate. As an additional security mechanism, Flux's stablecoin oracle will never price stablecoins above 1 USDC, reducing the risk of external oracle manipulation.


The Flux team's assessment of the possibility of bad debt is as follows:


Considering that the assets (tokenized bonds) on Flux are typically very stable, it is highly unlikely for bad debts to accumulate on Flux. Since its inception in 2007, the maximum weekly volatility of the SHV Short-Term Bond ETF is less than 0.5%. With liquidation of OUSG loans starting at 92% LTV, this provides a huge safety margin for Flux's borrowers.


In the unlikely event of accumulated bad debts, Flux's market reserves will be used first to cover losses. If the reserves are insufficient, some borrowers may not be able to withdraw their assets.


Oracle Risk 


The tokenized securities protocol uses NAV Consulting's services to provide a daily updated price feed, ensuring accurate valuation of the underlying collateral. This is only a temporary solution, and the Ondo team is developing an on-chain oracle to provide real-time price updates.


NAV Consulting has limited API access to the fund accounts of Coinbase and Clear Street, allowing only for data viewing and not any modifications. NAV Consulting calculates the net asset value (NAV) of each token using a specific method on a daily basis, which can be described in the following three steps:


· Sum the present value of all fund assets (SHV shares, cash, and stablecoins).

· Then subtract the accrued expenses and management fees of the fund.


Using NAV Consulting's calculations, Ondo updates contract prices daily.






· STABLECOIN_HARDCODE_SETTER_ROLE

· TOKENIZED_RWA_SETTER_ROLE

· CHAINLINK_ORACLE_SETTER_ROLE


All roles are set to be controlled by a time-lock contract controlled by Ondo DAO.




Centralization Factor





2. If the team disappears, can the project continue to operate?


As a tangible securities issuer, OUSG relies heavily on the team's ongoing operations to manage the Ondo I LP (fund).



1. Does the feasibility of the project depend on additional incentive measures?



2. If the demand drops to zero tomorrow, will all users be able to receive compensation?


If demand drops to zero tomorrow, OUSG will use SHV ETF as a backing to provide a basis for redemption. In this case, the backing of SHV ETF is designed to ensure that Ondo Finance is able to continue to fulfill redemption requests, provide a certain degree of financial security and protection, and enable all users to be repaid. SHV is highly liquid, with an average daily trading volume of over $300 million, and short-term bonds are less affected by interest rate changes.


The risks of fixed income investments still exist, with interest rate risk and credit risk being the main concerns. Generally, as interest rates rise, bond values tend to decline. Credit risk involves the possibility that the bond issuer may not be able to fulfill its obligations to pay principal and interest. Investors need to understand that an investment in this fund is not insured or guaranteed by the FDIC or any other government agency. These risks are related to the overall US bond market, not to BlackRock or Ondo specifically.


Security Factor


1. Has the audit revealed any concerning signs?


C4A's audit of Ondo Finance's smart contract did indeed uncover several vulnerabilities, including one high-risk issue and five medium-risk issues.


However, the Ondo team has worked closely with C4A to address any critical vulnerabilities in smart contracts. A high-risk discovery titled "User Fund Loss When Completing CASH Redemption" has been resolved in collaboration with the auditing team.


Risk team's recommendations 


After evaluating Ondo Finance and Flux Protocol, we believe that they operate well within acceptable risk parameters. However, we also recognize areas for improvement to enhance the platform's security, decentralization, and transparency:


Addressing the issue of centralization of governance and voting power in Ondo DAO. Implementing mechanisms to reduce the centralization of voting power can promote a more decentralized and democratic governance system. It is important to ensure that the decision-making process is more inclusive and the influence is distributed among more participants.


By addressing the potential risks associated with smart contracts, oracles, and collateral, Ondo Finance aims to enhance its security and stability. Regular audits and updates to the platform's security features will help build a stronger and more reliable ecosystem. It is crucial to ensure that all identified vulnerabilities are addressed and measures are taken to prevent future issues.


By providing more detailed documentation on platform functionality, risks, and mitigation strategies, Ondo Finance aims to increase transparency in its operations. This will enable users to make informed decisions about participating in the platform and increase their understanding of project goals and potential risks.


In our collaboration with the Ondo and Flux teams, we found them to be very professional, taking all reasonable precautions to ensure the security of the system and provide assurances to users. We believe that Flux is an excellent demonstration of introducing regulated real assets into DeFi, and we look forward to further integration with Curve.


Original article link

