Paxos USDG (Global Dollar)
Score Breakdown
| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 2.00 |
| Centralization & Control | 30% | 2.80 |
| Funds Management | 30% | 2.75 |
| Liquidity Risk | 15% | 2.00 |
| Operational Risk | 5% | 1.50 |
| Final Score | 2.4 / 5.0 | |
Overview
USDG (Global Dollar) is a fiat-backed USD stablecoin issued by Paxos Digital Singapore Pte. Ltd. (PDS), a Major Payments Institution supervised by the Monetary Authority of Singapore (MAS). USDG maintains a 1:1 peg to the US dollar and is fully redeemable from Paxos on a one-to-one basis (1 USDG = 1 USD).
USDG's differentiating feature is its distribution partner model — ecosystem partners (Kraken, Robinhood, Anchorage Digital, Galaxy Digital, Bullish, BitGo, KuCoin, and others) share in the yield generated by USDG reserves. This incentivizes partners to integrate USDG into their platforms, driving adoption through aligned economics rather than subsidies.
Reserves consist of cash and cash equivalents (primarily short-duration U.S. Treasury Bills) held in segregated accounts at regulated custodians, with monthly attestation reports from independent accounting firms published on the Paxos transparency portal.
USDG is deployed on 4 chains: Ethereum, Solana (52.3% of supply), X Layer (19.5%), and Ink (6.2%). Cross-chain bridging between Ethereum and Solana is handled via LayerZero V2 OFT.
Key metrics (June 26, 2026):
- Total Supply (Ethereum): ~494,698,323 USDG (~$495M) (onchain)
- Total Supply (All Chains): ~$2.89B (DeFiLlama)
- Market Cap: ~$2.89B
- 30-Day Supply Change: +$259M (+9.9%)
- DEX Liquidity (Ethereum): TODO — refresh liquidity snapshot
- CEX Listings: OKX, Kraken, Bullish, KuCoin, Gate.io
- Price: $0.99995 (at peg; DeFiLlama)
Risk Summary
Key Strengths
- Regulated issuer with stablecoin track record: Paxos is supervised by MAS (Singapore) and NYDFS (US). Has operated USDP since 2018 and PYUSD since 2023 with zero incidents across all stablecoins
- Highest-quality reserves: Cash and cash equivalents (primarily U.S. Treasury Bills) in segregated accounts — equivalent to USDC's reserve quality
- Solid audit coverage: 6 audits from 3 reputable firms including Trail of Bits and Zellic. Source code is open (MIT license)
- 24-hour timelock on critical changes: Contract upgrades and admin changes now have a 24-hour delay (improved from 3h), providing a meaningful monitoring window for integrators
- Rate-limited minting: Supply controllers have capacity limits and refill rates, preventing instantaneous unlimited minting
- Significant market adoption: $2.89B total supply with major partners (Kraken, Robinhood, Galaxy Digital, BitGo). Strong growth trajectory
Key Risks
- Governance consolidated into an MPC wallet — the MPC wallet (`0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B`) holds PAUSE_ROLE, ASSET_PROTECTION_ROLE, timelock PROPOSER/EXECUTOR/CANCELLER, and SupplyControl SCM. The MPC structure (likely Fordefi) means the key is sharded across multiple parties, but the internal quorum and policy configuration are not publicly verifiable
- Multisigs removed from governance — the 3-of-7 operational multisig (now 20 owners) and the 7-owner DEFAULT_ADMIN multisig (now 20 owners) no longer hold any onchain roles
- Emergency actions have no onchain multisig — PAUSE and ASSET_PROTECTION are controlled by the MPC wallet with no onchain timelock. Internal MPC policy controls are the sole protection (previous model used a 3-of-7 multisig)
- No formal public bug bounty — no confirmed Immunefi or equivalent program with monetary rewards. A private HackerOne program may exist but could not be verified
- Offchain reserves — reserves are entirely offchain with monthly attestation. No onchain Proof of Reserves mechanism for real-time verification
- Relatively new (21 months) — younger than USDC (2018) or USDT (2014), though longer than many DeFi stablecoins
Critical Risks
- Freeze/wipe capability — `ASSET_PROTECTION_ROLE` (held by MPC wallet) can freeze any address and wipe frozen balances. This is standard for regulated stablecoins. The MPC structure provides internal governance, but from the contract's perspective this is a unilateral capability. For DeFi integrations, a frozen vault/strategy contract would lock all USDG held by that contract
- Upgradeable proxy with facet pattern — the USDG contract can be upgraded via UUPS proxy AND can have functional behavior changed via the facet pattern (`setFacet`). Both controlled through the 24h timelock (MPC wallet as proposer/executor)
Full Report
Contract Addresses
Core Contracts (Ethereum)
| Contract | Address | Type |
|---|---|---|
| USDG Token (Proxy) | `0xe343167631d89B6Ffc58B88d6b7fB0228795491D` | ERC1967 / UUPS Proxy (Solidity 0.8.9) |
| USDG Implementation | `0xFACd5ff359adf87822374275699DD518Aaf9A65f` | USDG (Solidity 0.8.28) |
| Supply Control (Proxy) | `0x9a7164112029b81c07636AB7b59fA813E0883BBF` | ERC1967 / UUPS Proxy |
| Supply Control Implementation | `0x9e12c058a20c5b0eebaa00e44a712ec54b838971` | SupplyControl (Solidity 0.8.17) |
Governance Contracts
| Contract | Address | Type |
|---|---|---|
| Token Admin (TimelockController) | `0x9036566eAa5F83E0b9E1161C6c602b0Adf997654` | OpenZeppelin TimelockController — 24-hour minimum delay |
| DEFAULT_ADMIN Multisig | `0x137Dcd97872dE27a4d3bf36A4643c5e18FA40713` | SimpleMultiSig — 20 owners, threshold 3 |
| Operational Multisig (no current roles) | `0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33` | SimpleMultiSig — 20 owners, threshold 3; no longer holds any onchain roles |
| Operations MPC Wallet (PAUSE / ASSET_PROTECTION / Timelock PROPOSER+EXECUTOR+CANCELLER / SupplyControl SCM) | `0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B` | MPC wallet (likely Fordefi — see governance section for evidence) — holds PAUSE_ROLE, ASSET_PROTECTION_ROLE on token; PROPOSER_ROLE, EXECUTOR_ROLE, CANCELLER_ROLE on timelock; SUPPLY_CONTROLLER_MANAGER on SupplyControl |
Supply Controllers
| # | Address | Type | Mint Limit Capacity | Refill Rate | Allow Any Address |
|---|---|---|---|---|---|
| SC1 | `0xf845a0A05Cbd91Ac15C3E59D126DE5dFbC2aAbb7` | EOA | 500,000,000 USDG | ~138,888 USDG/sec | Yes |
| SC2 | `0x2fb074FA59c9294c71246825C1c9A0c7782d41a4` | EOA | 1,000,000,000 USDG | ~277,778 USDG/sec | Yes |
| SC3 | `0x147BdE4F997f0d4C7544ED0C55eAcf1E5E6bf9c4` | OFTWrapper (LayerZero bridge) | 45,000,000 USDG | ~521 USDG/sec | No (whitelist) |
Multi-Chain Deployments
| Chain | Token Address | Supply (DeFiLlama) | Share |
|---|---|---|---|
| X Layer | `0x4ae46a509F6b1D9056937BA4500cb143933D2dc8` | $1,702.3M | 58.8% |
| Solana | `2u1tszSeqZ3qBWF3uNGPFc8TzMk2tdiwknnRMWGWjGWH` | $697.2M | 24.1% |
| Ethereum | `0xe343167631d89B6Ffc58B88d6b7fB0228795491D` | $455.4M | 15.7% |
| Ink | `0xe343167631d89B6Ffc58B88d6b7fB0228795491D` | $37.7M | 1.3% |
| Hyperliquid L1 | N/A | $1.6M | 0.1% |
| Total | | $2,894.2M | 100% |
Audits and Due Diligence Disclosures
Paxos has conducted 6 security audits from 3 reputable firms (Zellic, Trail of Bits, Halborn) covering the core stablecoin contracts, cross-chain integration, rewards system, and signature validation. All audits are publicly available in the paxos-token-contracts GitHub repository.
Audit History
| Firm | Scope | Report |
|---|---|---|
| Zellic | Core stablecoin contract review | |
| Trail of Bits | Cross-chain integration | |
| Halborn | Token contracts | |
| Halborn | Domain separator functionality | |
| Zellic | EIP-1271 signature validation | |
| Zellic | USDG rewards system | |
Audit firms: Zellic (3 audits) is a top-tier smart contract auditor. Trail of Bits (1 audit) is one of the most reputable security firms in the industry. Halborn (2 audits) is a well-known blockchain security firm.
Contract Complexity
The USDG system is of moderate complexity:
- UUPS upgradeable proxy for both the token and SupplyControl contracts
- AccessControl role-based permissions (DEFAULT_ADMIN, PAUSE, ASSET_PROTECTION, SUPPLY_CONTROLLER_MANAGER)
- Diamond-like facet pattern — the USDG contract uses `setFacet`/`batchSetFacet` to delegate function calls to external contracts (`TokenAdminFacet`, `ClaimableRewardsFacet`), adding upgradeability surface area beyond the proxy
- Rate-limited minting via the SupplyControl contract with per-controller capacity and refill rates
- EIP-2612/EIP-3009 gasless transfer support
- LayerZero V2 OFT bridge wrapper for cross-chain transfers
- Freeze/wipe capability for regulatory compliance
Version History
| Version | Date | Key Changes |
|---|---|---|
| v2.0.0 | Nov 4, 2024 | Major rewrite: consolidated Paxos stablecoins, Solidity 0.8.17, EIP-3009/2612, SupplyControl, Hardhat migration |
| v2.0.1 | Nov 12, 2024 | Bugfix: prevent frozen addresses from cross-chain transfers |
| v2.0.2 | Aug 8, 2025 | Patch: domain separator initialization fix |
| v2.1.0 | Jan 6, 2025 | EIP-1271 smart contract wallet support, dynamic DOMAIN_SEPARATOR for chain fork handling |
| Governance restructure | ~Mar–Jun 2026 | Timelock delay increased 3h→24h; governance consolidated from multisigs to MPC wallet (Fordefi); SupplyControl admin moved from EOA to timelock; both multisigs expanded to 20 owners |
Bug Bounty
- Immunefi: No public Paxos USDG bug bounty program found
- HackerOne: Access denied (403) — a private program may exist but could not be confirmed
- Sherlock/Cantina: No audit contests found
- Safe Harbor: Not listed on the SEAL Safe Harbor registry
The absence of a formal public bug bounty with monetary rewards is a weakness for a $1.67B stablecoin.
Historical Track Record
- Contract deployed: October 7, 2024 (block 20,915,336) — ~21 months in production
- Official launch: November 1, 2024
- Total supply: ~$2.89B across 5 chains ($495M on Ethereum)
- Growth trajectory: From ~$352M (mid-2025) to ~$2.89B (June 2026) — approximately 721% growth
- 30-day change: +$259M (+9.9%)
- Security incidents: None. No exploits, hacks, or depegging events reported
- Peg stability: Price consistently at $0.999-$1.000 across all venues
- Paxos track record: Paxos has operated USDP (Pax Dollar, formerly PAX) since 2018 and operates PYUSD (PayPal USD) on behalf of PayPal. No Paxos-issued stablecoin has suffered a security incident or depeg
Distribution partners: Kraken, Robinhood, Anchorage Digital, Galaxy Digital, Bullish, Nuvei, BitGo, Paysafe, GSR, KuCoin, Virtual Assets Group, Tokenize
Funds Management
Accessibility
- Minting: Available through Paxos distribution partners and direct API integration. Minting requires a Paxos account with KYC/AML verification. Not permissionless
- Redemption: Direct 1:1 redemption through Paxos (requires account). Onchain, USDG can be exchanged via DEXes or CEXes
- No onchain mint/redeem: Unlike USDC's permissionless onchain redemption, USDG minting and burning are controlled by Paxos supply controllers via the SupplyControl contract. End users cannot directly mint or burn
- Fees: No fees for minting or redeeming USDG through Paxos (standard network gas fees apply)
- Geographic restrictions: Available globally except sanctioned jurisdictions. KYC required for direct minting/redemption
Collateralization
- Backing: 100% backed by cash and cash equivalents — primarily short-duration U.S. Treasury Bills and high-quality liquid assets held in segregated accounts at regulated custodians
- Collateral quality: U.S. Treasury Bills are the lowest-risk financial instruments globally — backed by the full faith and credit of the U.S. government
- Segregation: Reserve assets are held in accounts segregated from Paxos's own operating funds, providing protection in a Paxos insolvency scenario
- Regulatory requirement: As a Major Payments Institution supervised by MAS, Paxos is required to maintain 1:1 reserves and hold them in segregated accounts
- Offchain: All reserves are held offchain at regulated banking institutions. Token holders cannot independently verify specific reserve compositions onchain
Provability
- Monthly attestation: Paxos publishes monthly reserve composition reports verified by independent accounting firms. Reports are available on the USDG Transparency page
- Onchain supply: Total USDG supply is verifiable onchain via `totalSupply()` on each chain
- No Chainlink Proof of Reserves: No onchain oracle feed independently verifying reserves
- Offchain verification: Reserves cannot be independently verified onchain by token holders. Must rely on the attestation reports, MAS regulatory oversight, and Paxos's institutional framework
- Regulatory reporting: Paxos is subject to MAS supervisory requirements including regular regulatory reporting
- MiCA compliance: USDG claims compliance with MiCA (Markets in Crypto-Assets) framework for Electronic Money Tokens under European Banking Authority oversight
Liquidity Risk
DEX Liquidity (Ethereum)
| Pool | DEX | Liquidity | 24h Volume |
|---|---|---|---|
| USDG/USDC | Curve | $7.88M | $3.39M |
| USDC/USDG | Uniswap V4 | $1.82M | $1.43M |
| USDG/USDT | Uniswap V4 | $97.4K | $165K |
| USDC/USDG | Uniswap V3 | $1.8K | $71K |
| Ethereum Total | | ~$9.8M | ~$5.1M |
DEX Liquidity (Solana)
| Pool | DEX | Liquidity | 24h Volume |
|---|---|---|---|
| USDG/USDC | Meteora | $37.8M | ~$0 |
| USDG/USDC | Orca | $16.2M | $1.35M |
| USDG/SOL | Orca | $4.76M | $2.49M |
| Various pairs | Multiple | ~$8.7M | ~$1.8M |
| Solana Total | | ~$66.5M | ~$5.6M |
Aggregate Liquidity
| Source | Available | Notes |
|---|---|---|
| DEX (all chains) | ~$78.7M | Active liquidity ~$40.9M (excluding zero-volume pools) |
| CEX | OKX, Kraken, Bullish, KuCoin, Gate.io | ~$24M total 24h volume |
| Direct redemption | Unlimited (via Paxos) | Requires KYC account, processed during business hours |
- Primary exit (permissionless): DEX swap or CEX trade — reasonable liquidity with ~$9.8M on Ethereum DEXes. A $1M swap on Curve USDG/USDC pool would incur <0.5% slippage
- Primary exit (KYC): Direct 1:1 redemption from Paxos — most capital-efficient but requires account setup
- Same-value asset: USD stablecoin — no price divergence risk from the underlying
- No withdrawal queue: DEX/CEX exits are instant. Direct Paxos redemption follows standard processing times
- Ethereum-only concern: The Ethereum DEX liquidity (~$9.8M) is modest relative to the onchain supply ($472M). Large exits of $5M+ would require CEX routing or direct Paxos redemption
Centralization & Control Risks
Governance
Token governance has been restructured from a two-tier multisig model to a model consolidated under an MPC wallet with a 24-hour timelock.
⚠️ Governance restructured since last assessment (March 2026). The 7-owner DEFAULT_ADMIN multisig and 3-of-7 operational multisig have been removed from all onchain roles. All governance power is now concentrated in an MPC wallet (likely Fordefi) with a 24-hour timelock on critical changes.
MPC wallet evidence: The operations address 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B exhibits a classic MPC custody wallet pattern:
- Gas station funding: A dedicated gas station (`0x264bd8291fae1d75db2c5f573b07faa6715997b5`, nonce 5.6M+, balance ~4,986 ETH, funding 62+ distinct EOAs) sends just-in-time ETH (~0.02–0.05 ETH) before each batch of operations. The account never holds large ETH balances independently.
- Rotating gas stations: Multiple funding addresses have serviced this EOA over its lifetime (`0x9195`, `0x4b39`, `0xf492`, `0xca67`, `0x264bd`), consistent with MPC provider infrastructure rotation.
- No single key holder: In MPC wallets, the private key is cryptographically sharded across multiple parties — no individual ever holds the full key. Transactions require internal policy-based approvals within the workspace.
- Provider: The pattern (dedicated gas station with 5.6M+ nonce, just-in-time funding, multi-address servicing) is consistent with institutional MPC custody infrastructure. Paxos's website lists "Fordefi by Paxos" — a comprehensive MPC wallet platform — in its footer navigation, indicating Paxos has a direct relationship with an MPC wallet provider. This strongly suggests Paxos uses Fordefi (or similar) MPC technology for its own operational key management.
Important caveat: The internal MPC quorum/threshold and policy configuration are not publicly verifiable onchain. The security depends on the provider's implementation and Paxos's internal policy controls (e.g., requiring multiple workspace members to approve transactions). While this is significantly stronger than a single EOA held by one person, the exact risk profile depends on the unknown internal parameters.
Documentation is stale: The USDG GitHub README still lists the old multisig addresses as role holders and states "the addresses above utilize multisignature contracts." The live docs site (checked via Playwright rendering) does not document governance structure at all — neither the old multisig model nor the new MPC wallet. No public disclosure of the governance restructure exists.
Tier 1 — Critical operations (upgrades, role management):
- TimelockController (`0x9036566eAa5F83E0b9E1161C6c602b0Adf997654`) with 24-hour minimum delay onchain
- Holds `DEFAULT_ADMIN_ROLE` and `owner()` on the USDG token
- Also holds `DEFAULT_ADMIN_ROLE` on the SupplyControl contract (SupplyControl admin no longer an EOA)
- Controls contract upgrades (UUPS `upgradeTo`), role granting/revoking, and facet changes
- PROPOSER_ROLE, EXECUTOR_ROLE, and CANCELLER_ROLE on the timelock are all held by the MPC wallet (`0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B`) — any action scheduled through the timelock can be proposed, executed, and cancelled by this same address. However, MPC policy controls mean multiple internal approvals are typically required to initiate transactions
- The DEFAULT_ADMIN_ROLE on the timelock is held by the timelock itself (self-administered) — the timelock can grant/revoke roles on itself
Tier 2 — Operational / emergency (pause, freeze, supply management):
- MPC wallet (`0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B`) holds `PAUSE_ROLE` and `ASSET_PROTECTION_ROLE` directly on the token (no onchain timelock — but internal MPC policy likely requires multiple approvals) (verified onchain)
- The MPC wallet also holds `SUPPLY_CONTROLLER_MANAGER_ROLE` on the SupplyControl contract
- The former operational multisig (`0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33`) no longer holds any roles on the token, timelock, or SupplyControl
- The `SUPPLY_CONTROLLER_MANAGER_ROLE` on the token appears unassigned — no holder found among known governance addresses
Multisig status (neither holds active governance roles):
- DEFAULT_ADMIN Multisig (`0x137Dcd97872dE27a4d3bf36A4643c5e18FA40713`): 20 owners, threshold 3, 43 transactions — no governance roles
- Operational Multisig (`0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33`): 20 owners, threshold 3, 855 transactions — no governance roles
SupplyControl governance:
- `DEFAULT_ADMIN_ROLE` on SupplyControl is now held by the Token Admin Timelock (24h delay) — this is an improvement from the previous EOA admin
- `SUPPLY_CONTROLLER_MANAGER_ROLE` on SupplyControl is held by the MPC wallet `0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B`
- Two EOA supply controllers (SC1, SC2) have very large mint capacities ($500M and $1B respectively)
Key governance concerns:
- All governance consolidated into an MPC wallet — the MPC wallet (`0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B`) holds PAUSE_ROLE, ASSET_PROTECTION_ROLE, timelock PROPOSER+EXECUTOR+CANCELLER, and SupplyControl SCM. However, as an MPC wallet (likely Fordefi), the private key is sharded across multiple parties — no single individual can unilaterally sign transactions. The risk is comparable to a multisig with an unknown internal quorum, not a standard single-key EOA
- 24-hour timelock is a strong improvement — the 3h delay increased to 24h, providing a meaningful monitoring window for contract upgrades. Combined with MPC policy controls, this creates defense-in-depth for critical changes
- Emergency actions have no onchain timelock but benefit from MPC controls — PAUSE_ROLE and ASSET_PROTECTION_ROLE can be exercised immediately onchain, but the MPC wallet's internal policy layer typically requires multiple approvals
- SupplyControl admin improvement — moving DEFAULT_ADMIN on SupplyControl from an EOA to the 24h timelock prevents unilateral addition of supply controllers
- Freeze/wipe capability — `ASSET_PROTECTION_ROLE` can freeze individual addresses and wipe frozen balances. This is standard for regulated stablecoins (USDC, USDT have equivalent capabilities). The MPC wallet structure provides internal governance but the onchain capability remains unilateral from the contract's perspective
- Internal MPC quorum unknown — while MPC is inherently multi-party, the exact number of key shards, approval threshold, and policy rules are not publicly verifiable. This is a transparency gap
Programmability
- Token: Standard ERC-20 with EIP-2612/EIP-3009 gasless support. Transfers are fully programmatic onchain
- Minting/burning: Through SupplyControl contract with rate-limited supply controllers. Onchain but Paxos-controlled (not permissionless)
- Exchange rate: Fixed 1:1 USD peg — no oracle needed for the token itself
- Reserves: Entirely offchain. Reserve management, yield generation, and reporting are handled by Paxos and its custodians with no onchain visibility into specific holdings
- Pause mechanism: `PAUSE_ROLE` can freeze all transfers/approvals; minting/burning remain operational during pause
- Operations split: Token operations (transfers, approvals) are onchain and programmatic. Reserve operations (investment, custody, yield distribution) are entirely offchain and centralized
External Dependencies
- No DeFi protocol dependencies — USDG is a standalone stablecoin, not dependent on any external DeFi protocols
- Banking infrastructure — reserves held at regulated custodians (inherent to fiat-backed stablecoins)
- LayerZero V2 — cross-chain bridging to Solana via OFTWrapper. Non-critical for Ethereum-only usage. 45M USDG capacity
- Curve/Uniswap — DEX liquidity for secondary market exits (not a protocol dependency, but relevant for exit liquidity)
Operational Risk
- Team: Paxos was founded in 2012 by Charles Cascarilla (CEO) and Rich Teo (co-founder). Paxos is a well-established, regulated fintech company with 200+ employees
- Track record: Operates multiple stablecoins: USDP (since 2018), PYUSD (PayPal USD, since 2023), USDG (since 2024). No security incidents across any Paxos stablecoin
- Regulation: Paxos Digital Singapore is a Major Payments Institution supervised by MAS. Paxos Trust Company (US entity) is a New York State-chartered limited purpose trust company regulated by NYDFS. USDG also claims MiCA compliance
- Documentation: Comprehensive documentation at docs.paxos.com covering integration guides, API reference, and contract addresses. Source code is MIT-licensed and publicly available on GitHub
- Legal structure: Paxos Digital Singapore Pte. Ltd. (Singapore entity for USDG), with Paxos Trust Company LLC (US entity for USDP) and Paxos Issuance SARL (EU entity) as sister companies
- Incident response: No public incident response playbook, but regulatory oversight provides accountability. Emergency pause capability via 3-of-7 multisig
Monitoring
Key Contracts to Monitor
| Contract | Address | Monitor |
|---|---|---|
| USDG Token | `0xe343167631d89B6Ffc58B88d6b7fB0228795491D` | totalSupply(), paused(), Transfer events, Mint/Burn events |
| SupplyControl | `0x9a7164112029b81c07636AB7b59fA813E0883BBF` | Supply controller additions/removals, rate limit changes |
| TimelockController | `0x9036566eAa5F83E0b9E1161C6c602b0Adf997654` | CallScheduled, CallExecuted events (3h delay — gives monitoring window) |
| Operational Multisig | `0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33` | Submitted/executed transactions (pause, freeze, supply management) |
| Operations MPC Wallet (all governance) | `0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B` | Any transactions — controls pause, freeze, timelock scheduling, supply controllers. MPC wallet (likely Fordefi) — key sharded across multiple parties. Monitor for unexpected transactions |
| Gas Station | `0x264bd8291fae1d75db2c5f573b07faa6715997b5` | Funds MPC wallet before transactions — unusual ETH outflows could indicate MPC key migration or provider change |
Critical Events to Monitor
- Pause events — `Paused`/`Unpaused` on the token — all transfers stop when paused (MPC wallet can trigger immediately, but internal policy likely requires multiple approvals)
- Freeze events — individual address freezes via `ASSET_PROTECTION_ROLE` — could affect DeFi integrations (MPC wallet, no onchain timelock)
- Supply changes — large mints/burns (>5% of supply in 24h) could indicate operational issues
- Contract upgrades — `Upgraded` events via UUPS proxy — 24h timelock provides advance notice via `CallScheduled`
- Supply controller changes — additions/removals via SupplyControl — SCM role held by MPC wallet, admin role under 24h timelock
- Rate limit changes — modifications to per-controller mint capacities
- Timelock events — `CallScheduled` gives 24h advance notice of all critical admin changes
- Facet changes — `setFacet`/`batchSetFacet` events indicate functional changes to the token contract
- MPC wallet transactions — any transaction from `0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B` — controls all governance actions. MPC structure provides multi-party security, but the address remains the single onchain governance point
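Several of the rules in the list above (pause, upgrade, timelock, role and supply events) can be written as one triage function over decoded event logs. This is an added example, not tooling from Paxos or from this report; the record shape, severity labels and sample events are constructed, argument names follow OpenZeppelin's TimelockController, AccessControl and proxy events, and mints/burns are assumed to appear as ERC-20 transfers from/to the zero address.

```python
from collections import deque

ZERO = "0x" + "0" * 40
# Addresses from the report's "Key Contracts to Monitor" table, lowercased.
TOKEN = "0xe343167631d89b6ffc58b88d6b7fb0228795491d"
SUPPLY_CONTROL = "0x9a7164112029b81c07636ab7b59fa813e0883bbf"
TIMELOCK = "0x9036566eaa5f83e0b9e1161c6c602b0adf997654"
MIN_DELAY = 24 * 3600    # timelock delay stated in the report
WINDOW = 24 * 3600       # look-back for the supply rule
SUPPLY_ALERT = 0.05      # ">5% of supply in 24h" from the report
# 4-byte selectors of upgradeTo(address) and upgradeToAndCall(address,bytes).
UPGRADE_SELECTORS = ("0x3659cfe6", "0x4f1ef286")


def triage(events, supply_at_start):
    """Apply the monitoring rules to decoded events sorted by time.

    Returns a list of (time, severity, message) tuples.
    """
    alerts = []
    ready_at = {}        # upgrade target -> earliest time a scheduled upgrade may execute
    window = deque()     # (time, signed supply delta) inside the look-back window
    supply = supply_at_start

    for ev in events:
        t, src, name, args = ev["time"], ev["emitter"].lower(), ev["event"], ev["args"]

        if src == TIMELOCK and name == "CallScheduled":
            target, ready = args["target"].lower(), t + args["delay"]
            if args["data"][:10].lower() in UPGRADE_SELECTORS:
                ready_at[target] = min(ready, ready_at.get(target, ready))
            sev = "critical" if args["delay"] < MIN_DELAY else "notice"
            alerts.append((t, sev, f"call to {target} scheduled, executable at {ready}"))

        elif src == TIMELOCK and name == "MinDelayChange":
            sev = "critical" if args["newDuration"] < MIN_DELAY else "notice"
            alerts.append((t, sev, f"timelock delay set to {args['newDuration']}s"))

        elif name == "Upgraded" and src in (TOKEN, SUPPLY_CONTROL):
            # An upgrade should follow a scheduled upgrade call whose delay has elapsed.
            ready = ready_at.pop(src, None)
            if ready is None or t < ready:
                alerts.append((t, "critical", f"upgrade of {src} without elapsed timelock notice"))
            else:
                alerts.append((t, "notice", f"announced upgrade of {src} executed"))

        elif name in ("RoleGranted", "RoleRevoked") and src in (TOKEN, SUPPLY_CONTROL, TIMELOCK):
            alerts.append((t, "high", f"{name} on {src}: account {args['account']}"))

        elif src == TOKEN and name in ("Paused", "Unpaused"):
            alerts.append((t, "high", f"token {name.lower()}"))

        elif src == TOKEN and name == "Transfer" and ZERO in (args["from"], args["to"]):
            # Assumption: mints and burns show up as transfers from/to the zero address.
            delta = args["value"] if args["from"] == ZERO else -args["value"]
            supply += delta
            window.append((t, delta))
            while window[0][0] <= t - WINDOW:
                window.popleft()
            net = sum(d for _, d in window)
            # Compare the net move with the supply at the start of the window.
            if abs(net) > SUPPLY_ALERT * (supply - net):
                alerts.append((t, "warn", f"supply moved {net:+,} in 24h"))

    return alerts


# Constructed sample events (not real chain data); values are whole USDG.
T0 = 1_750_000_000
MINT_TO = "0x" + "11" * 20
SAMPLE_EVENTS = [
    {"time": T0, "emitter": TIMELOCK, "event": "CallScheduled",
     "args": {"target": TOKEN, "delay": 86_400,
              "data": "0x3659cfe6" + "00" * 12 + "22" * 20}},
    {"time": T0 + 600, "emitter": TOKEN, "event": "Transfer",
     "args": {"from": ZERO, "to": MINT_TO, "value": 10_000_000}},
    {"time": T0 + 3_600, "emitter": TOKEN, "event": "Paused", "args": {}},
    {"time": T0 + 7_200, "emitter": TOKEN, "event": "Transfer",
     "args": {"from": ZERO, "to": MINT_TO, "value": 20_000_000}},
    {"time": T0 + 86_460, "emitter": TOKEN, "event": "Upgraded", "args": {}},
    {"time": T0 + 90_000, "emitter": SUPPLY_CONTROL, "event": "Upgraded", "args": {}},
    {"time": T0 + 90_060, "emitter": TIMELOCK, "event": "RoleGranted",
     "args": {"account": "0x" + "33" * 20}},
]

if __name__ == "__main__":
    for when, severity, message in triage(SAMPLE_EVENTS, 495_000_000):
        print(when - T0, severity, message)
```

The upgrade rule correlates by target contract and upgrade selector only; a production monitor would also match the scheduled operation id against `CallExecuted`.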
Monitoring Functions
| Function | Contract | Purpose | Frequency |
|---|---|---|---|
| `totalSupply()` | Token | Supply tracking | Every 6 hours |
| `paused()` | Token | Operational status | Hourly |
| `isFrozen(address)` | Token | Address freeze status | On integration |
| `getSupplyController(address)` | SupplyControl | Controller status/limits | Daily |
| `getMinDelay()` | TimelockController | Timelock delay changes (currently 24h) | Weekly |
| Role events | TimelockController | Monitor RoleGranted/RoleRevoked events — contract uses plain AccessControl, cannot enumerate | On change |
Reassessment Triggers
- Time-based: Reassess in 6 months (December 2026)
- TVL-based: Reassess if total supply changes by more than ±50% from current $2.89B
- Incident-based: Reassess after any exploit, freeze affecting DeFi protocols, depegging event, or adverse regulatory action
- Governance-based (IMPORTANT): Reassess if governance transitions from MPC wallet back to multisig (score improvement), or if MPC wallet shows signs of compromise. Any change in role holders, timelock delay, or MPC provider/gas station infrastructure warrants reassessment
- MPC transparency: Reassess if Paxos discloses MPC provider, quorum, and policy configuration (potential score improvement from reduced uncertainty)
- Governance-based: Reassess if SupplyControl admin or SCM transitions, or if multisig composition/threshold changes
- Regulatory-based: Reassess if MAS takes enforcement action, if Paxos loses its MPI license, or if regulatory status changes
- Bug bounty: Reassess if Paxos launches a public bug bounty (score improvement)
- Proof of Reserves: Reassess if onchain reserve verification (e.g., Chainlink PoR) is deployed (score improvement)
Appendix A — USDG Risk as a Held Asset in yvUSD
Context: yvUSD is a USDC-denominated Yearn V3 vault that deploys USDC into multiple yield strategies. This appendix assesses the risk of including USDG as an asset held within yvUSD strategies — e.g., lending USDC against USDG collateral in Morpho markets, or holding USDG positions as part of yield strategies.
Risk Assessment for yvUSD Exposure
Depeg Risk: LOW
- USDG is backed 1:1 by cash and U.S. Treasury Bills at regulated custodians under MAS supervision
- Paxos has a 7+ year stablecoin track record with zero depegging incidents across USDP, PYUSD, and USDG
- Strong peg stability observed: price consistently at $0.999-$1.000
- Risk is comparable to holding USDC — both are regulated fiat-backed stablecoins
Smart Contract Risk: LOW-MEDIUM
- 6 audits from reputable firms, source code is open and verified
- UUPS upgradeable proxy with 24h timelock + MPC wallet governance
- Diamond-like facet pattern adds upgradeability surface area
- Contract complexity is moderate (standard ERC-20 + AccessControl + rate-limited supply)
Freeze Risk: MEDIUM
- Paxos can freeze any address and wipe frozen balances via `ASSET_PROTECTION_ROLE` (held by MPC wallet)
- If a Yearn vault or strategy contract holding USDG gets frozen, those funds become inaccessible until unfreezing
- This is the same risk profile as USDC (Circle can freeze addresses) — it has never been used against DeFi protocols but the capability exists
- Mitigation: Ensure the vault/strategy addresses are known to Paxos and not on any sanctions list
Liquidity Risk for yvUSD: LOW-MEDIUM
- Ethereum DEX liquidity (~$9.8M) supports moderate position sizes
- A yvUSD strategy holding <$2M in USDG-related positions could exit via DEX with <0.5% slippage
- Larger positions would require CEX routing or Paxos redemption
- Given yvUSD's current TVL (~$3M), USDG liquidity is adequate for current scale
Overall Assessment for yvUSD: USDG is a suitable stablecoin asset for yvUSD strategies at current scale. Risk is comparable to other regulated stablecoins. Recommend limiting USDG exposure to <20% of vault TVL until DEX liquidity deepens further.
| Risk Factor | Level | Notes |
|---|---|---|
| Depeg | Low | Regulated, T-Bill backed, 7+ year Paxos track record |
| Smart Contract | Low-Medium | 6 audits, but upgradeable with 3h timelock |
| Freeze | Medium | Standard for regulated stablecoins, never used vs DeFi |
| Liquidity | Low-Medium | $9.8M DEX adequate for current yvUSD scale |
| Overall | Low-Medium | Suitable with position size limits |
Appendix B — USDG Risk as Collateral for yvUSDC-1 Lending
Context: yvUSDC-1 is a USDC-denominated Yearn V3 vault that deploys USDC into lending strategies. This appendix assesses the risk of lending USDC against USDG as collateral — e.g., in Morpho markets where borrowers post USDG to borrow USDC.
Risk Assessment for Lending Against USDG
Collateral Quality: HIGH
- USDG is 1:1 backed by U.S. Treasury Bills — same quality as USDC collateral
- Regulatory framework (MAS supervision) provides strong assurances on reserve integrity
- No history of depegging or reserve shortfalls
- Appropriate for same-value lending (USDG collateral for USDC borrows)
Liquidation Risk: MEDIUM
- DEX liquidation path: Curve USDG/USDC pool ($7.88M liquidity) is the primary liquidation venue on Ethereum. A $1M liquidation would execute with <0.5% slippage. However, a $5M+ simultaneous liquidation could move the market
- Liquidation depth vs exposure: Current Ethereum DEX liquidity (~$9.8M) supports liquidation of positions up to ~$3-5M without excessive slippage. Larger positions require multi-block liquidation or CEX routing
- Same-value asset: Since USDG and USDC are both USD stablecoins, liquidation is essentially a stablecoin-to-stablecoin swap — much lower risk than volatile collateral liquidations
Freeze Risk for Lending: MEDIUM-HIGH
- If USDG collateral in a Morpho vault gets frozen by Paxos, the lending protocol cannot liquidate that collateral
- This creates bad debt risk: the borrower defaults, but the collateral is frozen and cannot be seized/sold
- This is the most significant risk for lending against USDG — the freeze capability creates a scenario where collateral becomes illiquid and unliquidatable
- Mitigation: This risk exists for all regulated stablecoins (USDC, USDT) used as collateral and has never been triggered against DeFi protocols. MAS supervision provides accountability
Counterparty Risk: LOW
- Paxos is well-regulated with zero incidents — very low probability of voluntary freeze of legitimate DeFi contracts
- Involuntary freezes (law enforcement, sanctions) would target specific addresses, not the broad DeFi ecosystem
- Regulatory clarity is improving, reducing the probability of blanket DeFi restrictions
Overall Assessment for yvUSDC-1: USDG is acceptable as lending collateral with appropriate risk parameters. The primary concern is the theoretical freeze risk on collateral, which is standard for all regulated stablecoins. Recommend conservative LTV ratios and position limits.
| Risk Factor | Level | Notes |
|---|---|---|
| Collateral Quality | High | T-Bill backed, MAS-supervised, 1:1 with USD |
| Liquidation | Medium | $9.8M DEX liquidity, <0.5% slippage up to $1M |
| Freeze (Collateral) | Medium-High | Frozen collateral = unliquidatable = bad debt risk |
| Counterparty | Low | Paxos well-regulated, zero incident history |
| Overall | Medium | Acceptable with conservative LTV and position limits |
Recommended parameters for lending against USDG:
- Max LTV: 90% (same-value stablecoin, but freeze risk warrants buffer below 95%)
- Liquidation threshold: 95%
- Max exposure: min($5M, 50% of Ethereum USDG DEX liquidity, 10% of total vault TVL)
- Monitor: Paxos freeze events, DEX liquidity depth, USDG peg