A detailed explanation of Ondo Finance, the RWA DeFi protocol that raised $24 million
Introduction to Ondo Finance
Ondo Finance is a blockchain-as-a-service company that creates and manages institutional-grade financial products, such as U.S. Treasury bonds and money market funds, and builds DeFi protocols around these products. Ondo is committed to developing decentralized, composable protocols and providing tailored services to meet the needs of organizations, DAOs and high net worth individuals. The platform aims to bridge the gap between TradFi and DeFi by bringing real world assets (RWAs) into DeFi.
Ondo Finance, founded by Nathan Allman in 2021, has raised $24 million to date from investors including Pantera Capital, Founders Fund, Coinbase Ventures and Tiger Global. Team members have extensive backgrounds in various institutions and protocols including Goldman Sachs, Fortress, Bridgewater, and MakerDAO.
Legal Structure
Link: Ondo Legal Documents
Ondo Finance employs a standard fund structure, including limited partners and general partners, as well as third-party service providers such as qualified custodians, fund administrators and treasury auditors.
Here is an overview of Ondo's own legal structure:
· Ondo Finance Inc: parent company
· Ondo I GP: General Partner (GP) who manages the fund and guides the service providers.
· Ondo Capital Management LLC: Investment Manager (Ondo IM), cooperating with GP to manage funds.
· Ondo I LP: A Delaware limited partnership that receives capital contributions from investors and holds assets with third-party service providers. It is the issuer of the OUSG.
Ondo Finance employs extensive security measures, partnering with reputable service providers such as Coinbase and Clear Street to ensure funds are managed safely and efficiently. Qualified custodians are those approved by regulators to hold client assets separately in segregated accounts in the client's name.
Ondo uses the following third-party fund service providers:
· Clear Street: securities broker and qualified custodian; manages the fund's off-exchange assets and trading orders.
· NAV Consulting Inc.: Provides third-party administrative services, including daily calculation of the fund's net asset value.
· Coinbase Prime: Holds stablecoins, converts stablecoins to USD, and sends money to Clear Street as directed by the investment manager.
The following diagram shows the relationship between these entities (from the MakerDAO forum proposal):
Ondo Finance fully owns the investment manager and general partner
Investment managers are responsible for buying and selling ETFs
The general partner acts as the general partner of the fund
OUSG investors send stablecoins to the fund’s Coinbase account, buy OUSG, and the fund sends OUSG to OUSG investors
The fund hired Coinbase to hold the stablecoin, convert the stablecoin to USD, and send money to Clear Street as directed by the investment manager
Funds engage Clear Street to provide prime brokerage services and use Clear Street to hold and trade assets
The investment manager instructs Clear Street (CS) to execute the transaction, settle and custody the fund's assets in the fund's CS account
The fund has established access controls to ensure security, especially for third-party transfers. Coinbase accounts are only allowed to send USD wires to Clear Street accounts. Clear Street's account wires are sent and received through its bank, BMO Harris, while Coinbase's wires are sent and received through its bank, Customer's Bank. To approve another account for a wire transfer, the fund must first receive a wire transfer from that bank account, send it to the fund's Coinbase account, and then work with a Coinbase representative to configure the bank as a trusted withdrawal destination. In addition, Ondo also maintains the criteria for approving new bank accounts as transfer destinations.
Ondo I LP: OUSG Fund
Link: Ondo I LP Investor Documentation
The Ondo I LP Fund was created in February 2023 with the first product being Ondo Short-Term US Government Bonds (OUSG). The iShares Short-Term Bond ETF (SHV), the fund's sole underlying asset, is an index of U.S. Treasury bonds with maturities of less than one year. As of May 15, the ETF had net assets of $23.4 billion and an average daily trading volume of more than $300 million.
The fund automatically reinvests dividends from positions held. The fund's fees include the ETF's management fee for the underlying asset (0.15%) and the management fee charged by Ondo (0.15%), with the total fee capped at 0.3%.
NAV Consulting issues daily certificates of account balances and balance sheets. Based on this calculation, Ondo updates the contract price of OUSG daily. OUSG investors will also receive regular monthly updates from NAV Consulting on the fund's net asset value and the fund will undergo an annual audit.
The chart below shows recent attestation documents from the Fund Administrator disclosing the Portfolio Asset Account ("Long Portfolio Value") and various cash accounts for the Fund's liabilities.
This proof can be compared to the outstanding supply of OUSG and the last on-chain share price update (lastSetMintExchangeRate() in the CashManager contract). The current value on-chain is $118.4 million, which matches the NAV proof in the image above.
By examining Ondo Finance's documents, including trial balances, account statements, and balance sheets, and comparing them with on-chain data, we found no material differences between NAV Consulting's reports and on-chain data.
In terms of off-market protection, OUSG holders have SIPC insurance coverage on Clear Street up to $500,000 because Ondo Finance has an account with Clear Street, which is a member brokerage of SIPC. However, the amount covered by SIPC insurance is immaterial compared to the value of the Ondo I LP fund assets. It is also worth mentioning that the "Ondo I LP" account is a "cash account" (not a "margin account"), so Clear Street cannot re-pledge account securities.
The legal documents involved in the Fund are available on this Dropbox, including a detailed disclosure of the risk factors associated with the Fund in the Private Placement Memorandum.
Investment process
OUSG shares are issued as Tokens on the Ethereum blockchain and can be minted/redeemed on US business days. These operations are handled by the Ondo Ops team and the fund administrator (NAV Consulting) provides accounting services. When the redemption demand is large, the fund may not have enough liquidity in hand, and Ondo expects that the redemption request may take 2-3 days to process.
OUSG can be minted with USDC or DAI, with a minimum of $100,000. It is available to both US and non-US investors, although access to minting, redeeming and transferring OUSG is restricted. Ondo uses smart contracts to enforce these transfer restrictions. Investors must undergo KYC/AML/CFT screening, and must be both "qualified investors" and "qualified buyers". Whitelisted users can only transfer their Tokens to other whitelisted addresses on-chain. Whitelisted addresses are stored in the KYC registry contract, which is managed by an Ondo multi-signature wallet.
The following workflow outlines the subscription and redemption process for investors investing in stablecoins:
Subscription (issue) process:
Complete the KYC/AML process using Ondo, providing the required documents and passing the automated screening.
Review and sign the fund documents.
Provide the Ethereum wallet address for whitelist processing to subscribe, receive fund Token and redeem it.
Send USDC to the smart contract of the fund for subscription.
The smart contract records your subscription request and immediately transfers USDC to Coinbase Custody's fund account.
After calculating the next daily NAV and accepting your subscription request, you will receive OUSG representing your share in the fund.
Ondo IM buys ETFs using Clear Street dollars.
Increase the value of the fund by purchasing more ETF shares and reinvesting.
Redemption process:
Submit a redemption request by sending OUSG to the cash manager's smart contract.
The smart contract records your redemption request.
Once the next daily NAV is calculated and your redemption request is accepted, Ondo IM will sell enough ETF shares to cover your redemption amount.
Clear Street will remit the corresponding USD to Coinbase and convert it to USDC.
Ondo IM will complete the redemption request and distribute USDC to the user's wallet.
OUSG Access Control
Ondo empowers the movement of funds between the blockchain and its fund account service providers (Coinbase Prime for stablecoin-to-USD conversions, and Clear Street brokerage accounts for custody and trading of ETFs). An escrow agreement has been entered into between Ondo, Coinbase and Clear Street for the authority and approval of funds transfers. Measures have been taken to securely structure access between brokerage and bank accounts to minimize staff access to fund accounts.
Ondo uses two multi-signatures to manage the on-chain portion of its system. The team claims that each member is an employee of Ondo and needs to sign with a hardware wallet.
Ondo 3-of-6 Cash Management Multisig
· Configure the minimum redemption and subscription amount on the CashManager contract.
· Configure the rate limiter parameter (i.e. the number of subscriptions and redemptions that can be processed in a day) on the CashManager contract.
· Configure fee receivers on the CashManager contract (fees are currently turned off).
· Set the exchange rate for OUSG minting.
· Minting OUSG to meet subscription needs.
· Suspend the functionality of the CashManager contract in case of emergency.
· In case of emergency, destroy OUSG.
· In case of emergency, upgrade the OUSG implementation contract.
· Execute the all-in-one function in the CashManager contract in case the user accidentally transfers Token to the CashManager contract.
Ondo 3-of-7 Redeem Multisig
· Can send the stablecoins it holds through the CashManager contract to meet redemption demand.
Introduction to Flux Finance
Flux Finance is a decentralized lending protocol developed by the Ondo Finance team and governed by Ondo DAO (ONDO holders). It is a fork of Compound V2, with minor modifications to handle permissioned tokens such as OUSG. The protocol offers several tokens for lending, such as USDC, DAI, USDT and FRAX. OUSG is the only collateral asset and cannot be borrowed.
The main goal of Flux is to create utility for OUSG assets and facilitate the process of bringing real-world assets into the blockchain in a regulatory-compliant manner. This approach to decentralized finance (DeFi) aims to ensure that each token operates within the appropriate framework, promoting an environment that balances accessibility and compliance.
The diagram below shows how the Ondo and Flux ecosystems interact:
fTokens
fTokens are similar to Compound's common cToken standard. Flux Finance allows lenders to earn interest by supplying stablecoins to the platform and minting fTokens. These ERC-20 Tokens represent the lender's balance in the protocol and earn interest through the fToken/Token exchange rate. The interest earned by the protocol is not distributed directly to lenders; instead, the fToken exchange rate increases over time, so each fToken can be exchanged for more of the underlying asset as interest accumulates. Flux Finance's supply and borrowing rates are determined algorithmically based on supply and demand.
fTokens have additional features to support permissioned token restrictions, so fOUSG can only be transferred between whitelisted addresses. Any interaction with fOUSG, including minting, redeeming, or transferring, is checked against the kycRegistry contract, which stores whitelisted addresses. In addition, if a transfer would leave the borrower's account with negative liquidity, the transfer fails, ensuring the stability and security of the protocol.
Several parameters affecting the OUSG lending market are set in the Unitroller contract:
· Collateralization Factor: A value between 0 and 98% representing the value that can be borrowed relative to the value offered.
· Closing Factor: A value between 5% and 90% representing the amount of liquidated account borrowing that can be repaid in a single liquidation transaction.
· Liquidation Premium: An additional percentage share of the liquidation value sent to liquidators as compensation.
Currently, the OUSG collateral factor is set to 92%, the closing factor is set to 50%, and the liquidation premium is set to 5%.
The tokens that can be supplied and borrowed on Flux are as follows (with fToken contract):
· Flux USDC (fUSDC)
· Flux DAI (fDAI)
· Flux USDT(fUSDT)
· Flux FRAX(fFRAX)
Tokens that can be used as collateral on Flux are as follows (with fToken contract):
· Flux OUSG (fOUSG)
According to the TVL calculation method used by DeFi Llama, which covers the borrowed amount, the total locked value of the Flux protocol is 57.95 million US dollars as of the beginning of May 2023, of which 60% is OUSG. USDC is the asset with the most supply (borrowable), followed by DAI.
OUSG/fToken Market Dynamics
Currently, there are 33 OUSG holders. The largest holder is Flux Finance (fOUSG), accounting for approximately 31.05% of the total supply. Considering that OUSG is currently only generating capital gains as collateral on the Flux protocol, the relationship between fOUSG supply and overall OUSG supply can be used as an indicator to measure the relationship between utilization and potential (maximum) OUSG capacity.
Regarding the permissionless part of the protocol, fUSDC has 420 Token holders, fDAI has 160, fUSDT has 76, and fFRAX has only 7 holders. While supply (borrowing) rates are competitive with larger money market protocols, on-chain adoption appears to be relatively low.
From the figure above, the utilization rate of the permissionless fTokens is about 90%, an equilibrium at which OUSG income (from the underlying asset, the SHV ETF) matches the borrowing cost of the supported stablecoins. Given that the permissionless fTokens can only be borrowed, and the permissioned Token OUSG is used exclusively as collateral, it can be inferred that the 90% utilization rate marks the maximum borrowing APY capacity at which borrowers can borrow without incurring a liability.
· Borrowing APY at 90% utilization: 4.41%
· Borrowing APY at 91% utilization: 4.78%
By calculating management costs and reducing the annualized rate of return of the underlying collateral accordingly, the current rate of return for OUSG depositors is 4.3%. In comparison, the average cost of borrowing is 4.575%, an overall small cost to the borrower.
Given the current utilization of lending protocols (and correspondingly fTokens), it would be beneficial to add/allocate some external production to fTokens to meet the need to use OUSG as collateral.
Curve fUSDC/fDAI pool
The Flux Curve pool has seen very low usage so far, even though it was only deployed a month before this article was written. The pool is funded with $2 million invested by the team multisig. There hasn't been any substantial trading volume yet.
The pool is deployed as a V2 pool, the type used for assets that do not maintain a 1:1 peg. This accounts for differences in interest accrual between fUSDC and fDAI. The team wanted pool parameters that behave as close as possible to xy=k while still rebalancing liquidity. They chose the minimum values for the A and gamma parameters, a very unusual choice that the team felt was most appropriate for the pool's purposes.
The protocol is designed to achieve an optimal borrowing rate, beyond which the borrowing rate increases rapidly. Curve pools can help fToken arbitrage near optimal rates, and additional incentives on Curve may increase demand for Flux lending.
Other types of DeFi integrations
The Ondo Finance team has already started working on fToken composability. In addition to the current Curve proposal, they also have a proposal to MakerDAO. MIP119 proposes the creation of a 500 million DAI reserve for Flux Finance's DAI lending pool.
Recently, another proposal with Frax went through a snapshot vote to activate an AMO that lends up to 2 million FRAX on Flux. Funding for the proposal is still pending deployment.
Flux Finance Governance
Flux Finance is governed by Ondo DAO. Through on-chain proposals, ONDO holders control the protocol's economic parameters, smart contract upgrades, the OUSG oracle and the lending protocol's interest rate model contracts. Although ONDO is currently non-transferable, users can use the Token to vote on DAO proposals or delegate voting rights to other accounts.
Governance of Ondo DAO follows a standard two-step process:
· Forum discussion
· On-chain voting (managed by Tally)
The maximum total supply of ONDO is set at 10 billion ONDO, which will be distributed according to the following Token distribution and unlocking plan:
As of this writing, ONDO has 9,770 holders, all of whom have completed KYC in public sales and private sales. The distribution of these tokens is planned through the Coinlist platform, where 11.31% of the total ONDO supply is allocated. The remaining unallocated ONDO, representing 88.69% of the supply, is held in vault multisig wallets.
According to the Ondo DAO governance profile on Boardroom, the platform has put forward six proposals since its launch, with 762 participating voters casting a total of 1,589 votes. When reviewing delegation, the two largest accounts (Account 1 and Account 2) together accounted for approximately 70% of the DAO's total voting power. Although these accounts have voting restrictions, they can create and submit new proposals.
The two accounts with the highest voting power in the DAO own 202,806,000 ONDO, contributing about 70% of the voting weight of the DAO. However, these accounts are subject to voting restrictions, so the remaining 30% of weighted voting power is what is available, equivalent to approximately 86,916,850 ONDO. Three delegates together account for 65.28% of the total weighted voting power:
1. glassmarkets.eth - about 240.63 million VPs (894 delegators)
2. 0xcd7979e12E2A502a280270827077Fd7f206f9a44 (inactive in previous proposal) - ~205,200 VPs (193 delegators)
3. vexmachina.eth - 12.164 million VPs (33 delegators)
Voting limits for the above two accounts are set by the administrator of the Tally page.
It can be clearly seen that the Ondo Finance team has control over all decisions of the Flux protocol. While it is stated on the Tally page that the two accounts with the highest voting power are non-voting accounts, this provision is not enforced (restricted) in the Governor smart contract. In this case, "non-voting" accounts can participate in the voting process at any time.
Flux Finance multi-signature account
In addition to the two multi-signature accounts that Ondo uses to manage OUSG assets, Flux also uses two multi-signature accounts for treasury and operational management. Flux claims that all members are employees of Flux Finance, a company based in the British Virgin Islands. These wallets include:
**Flux Protocol Vault Account** 3/6 multi-signature
· Hold more than 88.7% of ONDO supply
**Neptune Foundation (fluxfinance.eth)** 3/6 multi-signature
· Control the Flux protocol's interest rate model and oracle contracts until FIP-04 is implemented. The authority of multi-signature has been transferred to DAO.
fluxfinance.eth continues to provide the latest price data for OUSG on a regular basis, but limits daily price changes to no more than 100 basis points. The restriction is enforced by the address. The integration with Chainlink is being tested on mainnet and is expected to be completed in the near future.
Risk vector
Smart Contract Risk
Ondo Finance's smart contracts have been audited by code4rena, which evaluates the code for security and potential vulnerabilities. The audit evaluated 19 smart contracts, 5 abstract contracts, and 6 interfaces, totaling 4,365 lines of Solidity code.
The Ondo team works with C4A to address any critical vulnerabilities in the smart contracts. C4A auditors found six unique vulnerabilities, one classified as high severity and five classified as medium severity. In addition, the audit included 54 reports detailing low-risk or non-critical issues, and 24 recommended gas optimization reports.
The key high-severity issue, "Loss of user funds when completing cash redemption", involves the completeRedemptions function in the CashManager contract. The problem is that the refunded amount for a given period is not written back to that period's totalBurned storage variable. If an administrator completes refunds and redemptions for the period using multiple calls to completeRedemptions, refunded amounts from earlier calls are not taken into account in subsequent calls. Even if users redeem the same amount of CASH, this difference may cause them to receive fewer collateral Tokens than expected, resulting in a loss of user funds. The Ondo team worked with C4A to resolve this vulnerability.
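A small Python model of the accounting described above, added here as an illustration and not taken from Ondo's Solidity code. Class and method names are hypothetical and the amounts are constructed; only `totalBurned` and `completeRedemptions` correspond to names on this page.

```python
from dataclasses import dataclass, field


@dataclass
class EpochInfo:
    total_burned: int = 0                          # models the totalBurned storage variable
    burned_by: dict = field(default_factory=dict)  # CASH burned per pending redeemer


class CashManagerModel:
    """Single-period toy model; persist_refund=False reproduces the reported behaviour."""

    def __init__(self, persist_refund: bool):
        self.persist_refund = persist_refund
        self.epoch = EpochInfo()
        self.refunded_cash = {}    # CASH handed back to refundees
        self.paid_collateral = {}  # collateral (e.g. USDC) paid to redeemers

    def request_redemption(self, user: str, cash: int) -> None:
        self.epoch.burned_by[user] = self.epoch.burned_by.get(user, 0) + cash
        self.epoch.total_burned += cash

    def complete_redemptions(self, redeemers, refundees, collateral_to_dist: int) -> None:
        refunded = 0
        for user in refundees:
            amount = self.epoch.burned_by.pop(user)
            self.refunded_cash[user] = amount
            refunded += amount
        # Denominator for the pro-rata payout: CASH burned minus CASH refunded.
        quantity_burned = self.epoch.total_burned - refunded
        if self.persist_refund:
            # Corrected variant: write the reduced total back so later calls see it.
            self.epoch.total_burned = quantity_burned
        for user in redeemers:
            amount = self.epoch.burned_by.pop(user)
            self.paid_collateral[user] = collateral_to_dist * amount // quantity_burned


def run_epoch(persist_refund: bool, split_calls: bool) -> dict:
    """Constructed scenario: carol is refunded, alice and bob are paid 200 in collateral."""
    model = CashManagerModel(persist_refund)
    for user, cash in (("alice", 100), ("bob", 100), ("carol", 200)):
        model.request_redemption(user, cash)
    if split_calls:
        model.complete_redemptions([], ["carol"], 0)            # refunds first
        model.complete_redemptions(["alice", "bob"], [], 200)   # payouts later
    else:
        model.complete_redemptions(["alice", "bob"], ["carol"], 200)
    return model.paid_collateral


def undistributed(paid: dict, collateral: int = 200) -> int:
    """Invariant to monitor: collateral set aside for the period minus what was paid out."""
    return collateral - sum(paid.values())


if __name__ == "__main__":
    for persist, split in ((False, False), (False, True), (True, True)):
        paid = run_epoch(persist, split)
        print(f"persist_refund={persist} split_calls={split} "
              f"paid={paid} undistributed={undistributed(paid)}")
```

A non-zero `undistributed` value after a period has been fully serviced is the signal that the denominator still included refunded CASH.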
Among the medium-risk issues, it is worth noting the "first deposit bug" found in the Compound v2 smart contract. This vulnerability allows an attacker to expropriate the funds of the initial depositors of a newly deployed cToken contract. The Ondo team solved this problem by enforcing a minimum deposit: on the first deposit, a small number of cToken units are minted to the 0x0 (burn) address and cannot be withdrawn.
Flux Finance maintains an active bug bounty program on its protocol smart contracts, hosted on ImmuneFi. The program offers bounty payouts ranging from $1,000 to $550,000 in four categories based on the severity or impact of the discovered vulnerabilities:
Ondo Finance paid out a bug bounty to security researcher Ashiq Amien on January 26, 2022. The issue was related to the TrancheToken smart contract, which is part of the first Ondo Finance product, Ondo Vaults. Ondo Vaults is a financial protocol built on top of Uniswap, which predates OUSG and has been discontinued.
Governance Risk
Flux Finance employs a two-stage governance process, including forum discussions and on-chain voting, to ensure community engagement and mitigate potential risks. Governance proposals are typically published on the Flux Finance Governance Forum, where community members and teams can provide feedback. While this step is not mandatory, it increases the likelihood of good agreement and success for the proposal.
Following discussion in the forum, final proposals will be submitted for binding on-chain voting. Flux Finance's DAO is a fork of Compound's Governor Bravo, managing on-chain voting through Tally. Voting rights are determined by ONDO holdings, and holders can delegate their voting rights to other wallets.
Key DAO parameters include:
· Proposal Threshold: A minimum of 100 million ONDO voting power is required to submit a proposal, which helps prevent spam or malicious proposals.
· Voting period: Community members can vote within a 3-day window.
· Quorum: Proposals need to have at least 1 million ONDO voting rights to pass.
· Timelock: There is a 1-day delay after the end of the voting period until successful proposals are executed.
This governance structure ensures community participation, reduces risk, and promotes transparency in Flux Finance's decision-making process.
When reviewing Ondo DAO's distribution of voting power on Tally, we observed that governance appears to be highly centralized. The two governance accounts "glassmarkets.eth" and "vexmachina.eth" hold a total of about 34.91 million ONDO (including delegated Token). Compared to the proposal with the highest participation rate, these two accounts together have a considerable voting power, about 73.57%.
In addition, the distribution of voting rights within the platform is relatively centralized, and the three wallets hold 65.28% of the total voting rights (currently eligible to vote). This concentration of influence could raise concerns about platform governance and decentralization, emphasizing the need for a more balanced distribution of voting power among participants.
This centralization of voting power raises concerns about the influence of these entities on the Ondo DAO governance decision-making process. For example, an entity like GlassMarkets owns only 57 ONDO, but has 894 addresses delegating voting power to it, making it the largest voter in the DAO.
Escrow risk
When assessing centralization risk, it is important to consider the underlying assets and infrastructure that support the Ondo Finance ecosystem. OUSG is not backed directly by US Treasuries, but by an SHV ETF that tracks the ICE Short-Term US Treasury Security Index. SHV is an iShares Short-Term Treasury Bond ETF managed by Blackrock with approximately $23 billion in assets.
Another centralization risk aspect within the Ondo Finance platform is its reliance on centralized exchanges such as Coinbase and Clear Street brokerage platform. Reliance on centralized service providers may expose platforms to additional counterparty risks and regulatory uncertainties from these institutions.
To address concerns about token support and transparency, Ondo Finance utilizes third-party service providers such as NAV Consulting, a fund management company responsible for verifying fund assets directly from banks and custody accounts. In addition, the Fund undergoes independent annual audits. While Ondo Finance manages tokenization through its smart contracts, fund administrators are responsible for maintaining off-chain records and providing monthly reports to investors. This process ensures daily reconciliation of Token records and off-chain records.
Collateral Risk / Solvency Risk
During periods of extreme market volatility, there is a possibility that bad debts will accumulate, although this risk can be considered fairly low. Users should be aware of limitations and vulnerabilities that may lead to solvency risks.
Liquidation on Flux is similar to Compound V2: when an account's loan-to-value ratio (LTV) exceeds the allowed limit, the account can be liquidated. At this point, a third-party liquidator can repay a portion of the borrower's debt and seize the corresponding collateral at a discounted price. However, unlike Compound, Flux's liquidation complies with OUSG's KYC requirements. **To liquidate with OUSG as collateral, the liquidator must complete KYC and be whitelisted to hold the Token.** A limited pool of authorized liquidators may increase the likelihood that liquidations will not be completed in a timely manner.
Liquidations are expected to be rare. Flux currently only supports stablecoin markets, which are generally less volatile. However, in cases of extreme volatility, when the LTV rapidly increases to the point where timely liquidation is not possible, the equity of the account may become negative, causing the protocol and its borrowers to accumulate bad debts. The assets of Flux Finance are usually very stable, so it is extremely unlikely that bad debts will accumulate. As an additional security mechanism, Flux's stablecoin oracles will never price stablecoins above 1 USDC, reducing the risk of external oracle manipulation.
The Flux team’s assessment of the likelihood of bad debts is as follows:
Considering that Flux's assets (tokenized bonds) are usually very stable, the accumulation of bad debts on Flux should be extremely unlikely. Since its inception in 2007, the SHV Short-Term Bond ETF has seen a maximum weekly move of less than 0.5%. Considering that loan liquidation against OUSG starts at an LTV of 92%, this provides a huge margin of safety for Flux's borrowers.
In the unlikely event that bad debts accumulate, Flux's market reserves will be used first to cover losses. Some borrowers may not be able to withdraw their assets if reserves are insufficient.
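The liquidation rules in this section, worked through in Python with the parameter values the page gives for OUSG (92% collateral factor, 50% closing factor, 5% liquidation premium). This is an added example, not Flux's contract code: the function names, account figures and registry entry are constructed, and amounts are whole US dollars.

```python
from dataclasses import dataclass

BPS = 10_000
COLLATERAL_FACTOR_BPS = 9_200       # page: OUSG collateral factor 92%
CLOSE_FACTOR_BPS = 5_000            # page: closing factor 50%
LIQUIDATION_INCENTIVE_BPS = 10_500  # page: 5% liquidation premium


class LiquidationRejected(Exception):
    pass


@dataclass
class Account:
    collateral_value: int  # OUSG collateral at the oracle price, in USD
    debt: int              # stablecoins borrowed, in USD


def shortfall(acct: Account) -> int:
    """Debt in excess of what the collateral factor allows; 0 means healthy."""
    borrow_limit = acct.collateral_value * COLLATERAL_FACTOR_BPS // BPS
    return max(0, acct.debt - borrow_limit)


def liquidate(acct: Account, liquidator: str, repay: int, kyc_registry: set) -> int:
    """Repay part of the debt and return the collateral value seized."""
    # The liquidator receives OUSG collateral, so it must be whitelisted first.
    if liquidator not in kyc_registry:
        raise LiquidationRejected("liquidator is not whitelisted to hold OUSG")
    if shortfall(acct) == 0:
        raise LiquidationRejected("account is not in shortfall")
    if repay <= 0 or repay > acct.debt * CLOSE_FACTOR_BPS // BPS:
        raise LiquidationRejected("repay amount outside the closing factor")
    seized = repay * LIQUIDATION_INCENTIVE_BPS // BPS
    if seized > acct.collateral_value:
        raise LiquidationRejected("not enough collateral to seize")
    acct.debt -= repay
    acct.collateral_value -= seized
    return seized


def bad_debt_buffer_bps() -> int:
    """Collateral price drop, from the liquidation LTV, after which the collateral
    no longer covers the full debt plus the liquidation premium."""
    return BPS - COLLATERAL_FACTOR_BPS * LIQUIDATION_INCENTIVE_BPS // BPS


if __name__ == "__main__":
    registry = {"0xKycLiquidator"}          # constructed whitelist entry
    acct = Account(collateral_value=1_000_000, debt=925_000)
    print("shortfall:", shortfall(acct))
    try:
        liquidate(acct, "0xAnonymous", 100_000, registry)
    except LiquidationRejected as exc:
        print("rejected:", exc)
    print("seized:", liquidate(acct, "0xKycLiquidator", 462_500, registry))
    print("after:", acct, "shortfall:", shortfall(acct))
    print("buffer before bad debt (bps):", bad_debt_buffer_bps())
```

The 340 bps buffer is the figure to set against the maximum weekly SHV move of less than 0.5% quoted above, and the whitelist check is why the number of KYC-approved liquidators matters for timely liquidation.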
Oracle risk
The tokenized securities protocol uses NAV Consulting's service to provide a daily updated price feed, ensuring accurate valuation of the underlying collateral. This is only a temporary solution; the Ondo team is working on an on-chain oracle to provide real-time price updates.
NAV Consulting has limited API access to the fund's Coinbase and Clear Street accounts, allowing it to view data without making any changes. NAV Consulting calculates the net asset value (NAV) of each Token every day in three steps:
· Summing the present value of all fund assets (SHV shares, cash, and stablecoins)
· Then subtract the fund’s accruals and management fees
· Finally divide the result by the total number of Tokens
Using NAV Consulting's calculations, Ondo updates the contract price daily.
Flux Finance recently implemented a governance proposal to increase the transparency of price feeds and reduce reliance on the team. One of the key components of the proposal is the deployment of a new oracle controlled by the Ondo DAO. This oracle will serve as the primary mechanism for the Flux Finance protocol to retrieve the price of the underlying asset. The proposal also implements a 100 basis point limit on OUSG daily price fluctuations, effectively reducing the risks associated with price fluctuations.
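The three-step NAV calculation and the 100 basis point limit can be modelled together as follows. This is an added Python example, not the FluxOracle or RWAOracleRateCheck source: the names and sample figures are constructed, and the minimum interval between updates is an assumption of this example (the page states only the daily 100 bps limit).

```python
BPS = 10_000
MAX_CHANGE_BPS = 100             # page: OUSG price may move at most 100 bps per day
MIN_UPDATE_INTERVAL = 24 * 3600  # assumption of this example, in seconds
SCALE = 10**6                    # amounts are integers in millionths (USD or tokens)
DAY = 24 * 3600


class PriceRejected(Exception):
    pass


def nav_per_token(shv_value, cash, stablecoins, accruals, mgmt_fees, token_supply):
    """Sum the assets, subtract accruals and fees, divide by the token count."""
    if token_supply <= 0:
        raise ValueError("token supply must be positive")
    net_assets = shv_value + cash + stablecoins - accruals - mgmt_fees
    if net_assets <= 0:
        raise ValueError("net assets must be positive")
    return net_assets * SCALE // token_supply


class RateCheckedOracle:
    """Accepts a new price only if it is within 100 bps of the last accepted one."""

    def __init__(self, price: int, now: int):
        self.price = price
        self.updated_at = now

    def set_price(self, new_price: int, now: int) -> None:
        if new_price <= 0:
            raise PriceRejected("price must be positive")
        # Without this, several in-limit updates on one day would add up past 100 bps.
        if now - self.updated_at < MIN_UPDATE_INTERVAL:
            raise PriceRejected("update too soon after the previous one")
        # Cross-multiplied comparison avoids rounding from integer division.
        if abs(new_price - self.price) * BPS > MAX_CHANGE_BPS * self.price:
            raise PriceRejected("change exceeds 100 bps")
        self.price, self.updated_at = new_price, now


def replay(oracle: RateCheckedOracle, updates) -> list:
    """Apply (timestamp, price) updates in order and record each outcome."""
    outcomes = []
    for now, price in updates:
        try:
            oracle.set_price(price, now)
            outcomes.append("accepted")
        except PriceRejected as exc:
            outcomes.append(f"rejected: {exc}")
    return outcomes


def demo():
    """Constructed fund figures and price updates, not real attestation data."""
    start = nav_per_token(1_000_000 * SCALE, 5_000 * SCALE, 0,
                          1_000 * SCALE, 500 * SCALE, 10_000 * SCALE)
    oracle = RateCheckedOracle(start, now=0)
    updates = [
        (DAY, 100_360_000),             # normal daily accrual
        (2 * DAY, 102_500_000),         # roughly 2% jump, e.g. a mistyped NAV
        (2 * DAY + 3600, 101_300_000),  # within 100 bps of the last accepted price
        (2 * DAY + 7200, 102_300_000),  # second update within the same day
    ]
    return start, replay(oracle, updates), oracle.price


if __name__ == "__main__":
    print(demo())
```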
A newly implemented price oracle, FluxOracle, is used to manage the market. The contract implements the hard-coded price of the underlying asset of the stablecoin fToken (Oracle Type-1), and uses RWAOracleRateCheck to check the "authorized" fToken, currently only the underlying asset price of fOUSG (Oracle Type-2). Additionally, the contract provides the option to configure a Chainlink oracle (oracle type-3).
The FluxOracle contract also implements role-based access control, where DEFAULT_ADMIN_ROLE can set roles for arbitrary addresses of each oracle type:
· STABLECOIN_HARDCODE_SETTER_ROLE
· TOKENIZED_RWA_SETTER_ROLE
· CHAINLINK_ORACLE_SETTER_ROLE
All roles are set to timelock contracts controlled by Ondo DAO.
Flux has been testing Chainlink price feeds for SHV/USD. The price feed has already been deployed and they are testing a contract on mainnet that limits price updates based on SHV/USD feeds. In the near future, this contract will be used by the official Flux oracle.
Llama Risk Assessment Criteria
Centralization Factors
**1. Is it possible for a single entity to deceive users?**
While it is possible for a single entity to exploit the protocol for manipulation, several safeguards have been put in place to minimize this risk. Ondo Finance uses three multi-signature wallets (Ondo Management Multi-Signature, OUSG Redemption Multi-Signature, and ONDO Holder Multi-Signature), each of which requires at least three signatures to perform.
While this setup theoretically allows three multi-signature signers to coordinate the operation of the system, the multi-signature requirement adds an additional layer of security. This structure helps mitigate the risk of a single entity breaking the protocol and ensures that decision-making power is distributed among multiple parties.
**2. Can the project continue to run if the team disappears?**
As a physical securities issuer, OUSG has full reliance on the continuous operation of the team for the management of Ondo I LP (fund).
The Flux protocol currently requires manual price updates from the team, although a transition to Chainlink price feeds may be possible in the near future. At that point, Flux can continue to operate in full autonomy (although since the Flux team is also the Ondo team, the project still depends on Ondo's continued operations).
Economic factors
**1. Does the viability of the project depend on additional incentives?**
The continued viability of Ondo Finance does not depend on additional incentives. The project has been developed with a focus on its basic financial services, suggesting that its sustainability does not depend on external incentives. However, it is critical to monitor future developments or any changes in the structure of the project that may affect its risk profile.
**2. If demand drops to zero tomorrow, will all users be reimbursed?**
OUSG is backed by an SHV ETF designed to provide a basis for redemptions should demand drop to zero tomorrow. In this case, the SHV ETF's backstop is designed to ensure that Ondo Finance has the ability to continue to fulfill redemption requests, to have all users repaid, and to provide a level of financial safety and security. SHV is very liquid, with an average daily trading volume of over $300 million, while short-dated bonds are less affected by interest rate changes.
Usually fixed income risks still exist, of which interest rate risk and credit risk are the main concerns. Generally speaking, as interest rates rise, bond values tend to fall. Credit risk involves the possibility that the bond issuer may not meet its obligations regarding principal and interest payments. Investors need to expressly understand that investments in this fund are not insured or guaranteed by the FDIC or any other government agency. These risks relate to the US Treasury market in general and not to Blackrock/Ondo.
Safety factors
**1. Did the audit reveal any signs of concern?**
C4A’s audit of Ondo Finance’s smart contracts did uncover several vulnerabilities, including one high-risk issue and five medium-risk issues.
However, the Ondo team worked closely with C4A to address any critical vulnerabilities in the smart contracts. A high-risk finding titled "Loss of user funds when completing a CASH cashout" was addressed in collaboration with the audit team.
Advice from the Risk Team
After evaluating Ondo Finance and Flux Protocol, we believe they work well within acceptable risk parameters, but we also realize that there are areas for improvement to enhance the security, decentralization and transparency of the platform:
· Solve the problem of centralization of governance and voting power in Ondo DAO. Implementing mechanisms to reduce the centralization of voting power can promote a more decentralized and democratized governance system. It is important to ensure that the decision-making process is more inclusive and that influence is distributed among more participants.
· Improve the security and stability of Ondo Finance by addressing the potential risks of smart contracts, oracles, and collateral. Conducting regular audits and updating the security features of the platform will help build a stronger and more reliable ecosystem. It is critical to ensure that all identified vulnerabilities are addressed and steps are taken to prevent future issues.
· Improve the transparency of Ondo Finance's operations by providing more detailed documentation on platform functionality, risks, and mitigation strategies. This will enable users to make informed decisions about participating in the platform and increase understanding of project goals and potential risks.
In our work with the Ondo and Flux teams, we have found them to be very professional, taking every reasonable precaution to keep the system secure and provide assurance to users. We think Flux is an excellent demonstration of bringing real assets that meet regulatory requirements into DeFi, and look forward to further integration with Curve.