Paxos USDG (Global Dollar)

2.4
USDG (Global Dollar) / Ethereum / March 20, 2026 (reassessed June 26, 2026)

Score Breakdown

| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 2.00 |
| Centralization & Control | 30% | 2.80 |
| Funds Management | 30% | 2.75 |
| Liquidity Risk | 15% | 2.00 |
| Operational Risk | 5% | 1.50 |
| Final Score | | 2.4 / 5.0 |

Low Risk

Overview

USDG (Global Dollar) is a fiat-backed USD stablecoin issued by Paxos Digital Singapore Pte. Ltd. (PDS), a Major Payments Institution supervised by the Monetary Authority of Singapore (MAS). USDG maintains a 1:1 peg to the US dollar and is fully redeemable from Paxos on a one-to-one basis (1 USDG = 1 USD).

USDG's differentiating feature is its distribution partner model — ecosystem partners (Kraken, Robinhood, Anchorage Digital, Galaxy Digital, Bullish, BitGo, KuCoin, and others) share in the yield generated by USDG reserves. This incentivizes partners to integrate USDG into their platforms, driving adoption through aligned economics rather than subsidies.

Reserves consist of cash and cash equivalents (primarily short-duration U.S. Treasury Bills) held in segregated accounts at regulated custodians, with monthly attestation reports from independent accounting firms published on the Paxos transparency portal.

USDG is deployed on 4 chains: Ethereum, Solana (52.3% of supply), X Layer (19.5%), and Ink (6.2%). Cross-chain bridging between Ethereum and Solana is handled via LayerZero V2 OFT.

Key metrics (June 26, 2026):

  • Total Supply (Ethereum): ~494,698,323 USDG (~$495M) (source: onchain)
  • Total Supply (All Chains): ~$2.89B (source: DeFiLlama)
  • Market Cap: ~$2.89B
  • 30-Day Supply Change: +$259M (+9.9%)
  • DEX Liquidity (Ethereum): TODO — refresh liquidity snapshot
  • CEX Listings: OKX, Kraken, Bullish, KuCoin, Gate.io
  • Price: $0.99995 (at peg) (source: DeFiLlama)

Risk Summary

Key Strengths

  • Regulated issuer with stablecoin track record: Paxos is supervised by MAS (Singapore) and NYDFS (US). Has operated USDP since 2018 and PYUSD since 2023 with zero incidents across all stablecoins
  • Highest-quality reserves: Cash and cash equivalents (primarily U.S. Treasury Bills) in segregated accounts — equivalent to USDC's reserve quality
  • Solid audit coverage: 6 audits from 3 reputable firms including Trail of Bits and Zellic. Source code is open (MIT license)
  • 24-hour timelock on critical changes: Contract upgrades and admin changes now have a 24-hour delay (improved from 3h), providing meaningful monitoring window for integrators
  • Rate-limited minting: Supply controllers have capacity limits and refill rates, preventing instantaneous unlimited minting
  • Significant market adoption: $2.89B total supply with major partners (Kraken, Robinhood, Galaxy Digital, BitGo). Strong growth trajectory

Key Risks

  • Governance consolidated into an MPC wallet — the MPC wallet (0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B) holds PAUSE_ROLE, ASSET_PROTECTION_ROLE, timelock PROPOSER/EXECUTOR/CANCELLER, and SupplyControl SCM. The MPC structure (likely Fordefi) means the key is sharded across multiple parties, but the internal quorum and policy configuration are not publicly verifiable
  • Multisigs removed from governance — the 3-of-7 operational multisig (now 20 owners) and the 7-owner DEFAULT_ADMIN multisig (now 20 owners) no longer hold any onchain roles
  • Emergency actions have no onchain multisig — PAUSE and ASSET_PROTECTION are controlled by the MPC wallet with no onchain timelock. Internal MPC policy controls are the sole protection (previous model used a 3-of-7 multisig)
  • No formal public bug bounty — no confirmed Immunefi or equivalent program with monetary rewards. A private HackerOne program may exist but could not be verified
  • Offchain reserves — reserves are entirely offchain with monthly attestation. No onchain Proof of Reserves mechanism for real-time verification
  • Relatively new (21 months) — younger than USDC (2018) or USDT (2014), though longer than many DeFi stablecoins

Critical Risks

  • Freeze/wipe capability: ASSET_PROTECTION_ROLE (held by MPC wallet) can freeze any address and wipe frozen balances. This is standard for regulated stablecoins. The MPC structure provides internal governance, but from the contract's perspective this is a unilateral capability. For DeFi integrations, a frozen vault/strategy contract would lock all USDG held by that contract
  • Upgradeable proxy with facet pattern — the USDG contract can be upgraded via UUPS proxy AND can have functional behavior changed via the facet pattern (setFacet). Both controlled through the 24h timelock (MPC wallet as proposer/executor)

Full Report

Contract Addresses

Core Contracts (Ethereum)

| Contract | Address | Type |
|---|---|---|
| USDG Token (Proxy) | 0xe343167631d89B6Ffc58B88d6b7fB0228795491D | ERC1967 / UUPS Proxy (Solidity 0.8.9) |
| USDG Implementation | 0xFACd5ff359adf87822374275699DD518Aaf9A65f | USDG (Solidity 0.8.28) |
| Supply Control (Proxy) | 0x9a7164112029b81c07636AB7b59fA813E0883BBF | ERC1967 / UUPS Proxy |
| Supply Control Implementation | 0x9e12c058a20c5b0eebaa00e44a712ec54b838971 | SupplyControl (Solidity 0.8.17) |

Governance Contracts

| Contract | Address | Type |
|---|---|---|
| Token Admin (TimelockController) | 0x9036566eAa5F83E0b9E1161C6c602b0Adf997654 | OpenZeppelin TimelockController — 24-hour minimum delay |
| DEFAULT_ADMIN Multisig | 0x137Dcd97872dE27a4d3bf36A4643c5e18FA40713 | SimpleMultiSig — 20 owners, threshold 3 |
| Operational Multisig (no current roles) | 0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33 | SimpleMultiSig — 20 owners, threshold 3; no longer holds any onchain roles |
| Operations MPC Wallet (PAUSE / ASSET_PROTECTION / Timelock PROPOSER+EXECUTOR+CANCELLER / SupplyControl SCM) | 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B | MPC wallet (likely Fordefi — see governance section for evidence) — holds PAUSE_ROLE, ASSET_PROTECTION_ROLE on token; PROPOSER_ROLE, EXECUTOR_ROLE, CANCELLER_ROLE on timelock; SUPPLY_CONTROLLER_MANAGER on SupplyControl |

Supply Controllers

| # | Address | Type | Mint Limit Capacity | Refill Rate | Allow Any Address |
|---|---|---|---|---|---|
| SC1 | 0xf845a0A05Cbd91Ac15C3E59D126DE5dFbC2aAbb7 | EOA | 500,000,000 USDG | ~138,888 USDG/sec | Yes |
| SC2 | 0x2fb074FA59c9294c71246825C1c9A0c7782d41a4 | EOA | 1,000,000,000 USDG | ~277,778 USDG/sec | Yes |
| SC3 | 0x147BdE4F997f0d4C7544ED0C55eAcf1E5E6bf9c4 | OFTWrapper (LayerZero bridge) | 45,000,000 USDG | ~521 USDG/sec | No (whitelist) |
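
Added example (not Paxos code and not part of the original report): a token-bucket model of the capacity and refill figures in the table above, showing how long each controller takes to refill and the upper bound on what it can mint in a 24-hour window. It assumes linear refill capped at capacity, which is an assumption about SupplyControl's semantics; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class SupplyController:
    name: str
    capacity: int          # "Mint Limit Capacity" column, whole USDG
    refill_per_sec: int    # "Refill Rate" column, whole USDG per second
    remaining: int = -1    # -1 means "start with a full bucket"
    last_ts: int = 0

    def __post_init__(self):
        if self.remaining < 0:
            self.remaining = self.capacity

    def _refill(self, now):
        # Assumed semantics: linear refill since the last update, capped at capacity.
        elapsed = max(0, now - self.last_ts)
        self.remaining = min(self.capacity, self.remaining + elapsed * self.refill_per_sec)
        self.last_ts = now

    def mint(self, amount, now):
        """Consume allowance and return True if the mint fits, else return False."""
        self._refill(now)
        if amount > self.remaining:
            return False
        self.remaining -= amount
        return True

    def seconds_to_full(self):
        """Time for an empty bucket to refill completely (ceiling division)."""
        return -(-self.capacity // self.refill_per_sec)

    def max_mint_in_window(self, window_s):
        """Upper bound on total mints in a window that starts with a full bucket."""
        return self.capacity + self.refill_per_sec * window_s


def controllers():
    # Figures from the Supply Controllers table; the table marks refill rates as approximate.
    return [
        SupplyController("SC1", 500_000_000, 138_888),
        SupplyController("SC2", 1_000_000_000, 277_778),
        SupplyController("SC3", 45_000_000, 521),
    ]


def exposure_report(window_s=86_400):
    """Per-controller refill time and worst-case mint bound for the window."""
    return [
        {"name": sc.name, "refill_s": sc.seconds_to_full(),
         "bound_24h": sc.max_mint_in_window(window_s)}
        for sc in controllers()
    ]


def demo_sequence():
    """Constructed mint sequence against the bridge controller (SC3)."""
    sc = controllers()[2]
    return [
        sc.mint(45_000_000, now=1_000),        # drains the full bucket
        sc.mint(40_000, now=1_060),            # only 60 s * 521 = 31,260 refilled
        sc.mint(31_260, now=1_060),            # exactly the refilled amount
        sc.mint(45_000_000, now=1_060 + 86_373),  # full again after about 24 h
    ]


if __name__ == "__main__":
    for row in exposure_report():
        print(row)
    print(demo_sequence())
```

Under this model the two EOA controllers refill in about an hour while the bridge controller refills in about a day, so the capacity column alone understates what a controller can mint over a monitoring window.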

Multi-Chain Deployments

| Chain | Token Address | Supply (DeFiLlama) | Share |
|---|---|---|---|
| X Layer | 0x4ae46a509F6b1D9056937BA4500cb143933D2dc8 | $1,702.3M | 58.8% |
| Solana | 2u1tszSeqZ3qBWF3uNGPFc8TzMk2tdiwknnRMWGWjGWH | $697.2M | 24.1% |
| Ethereum | 0xe343167631d89B6Ffc58B88d6b7fB0228795491D | $455.4M | 15.7% |
| Ink | 0xe343167631d89B6Ffc58B88d6b7fB0228795491D | $37.7M | 1.3% |
| Hyperliquid L1 | N/A | $1.6M | 0.1% |
| Total | | $2,894.2M | 100% |

Audits and Due Diligence Disclosures

Paxos has conducted 6 security audits from 3 reputable firms (Zellic, Trail of Bits, Halborn) covering the core stablecoin contracts, cross-chain integration, rewards system, and signature validation. All audits are publicly available in the paxos-token-contracts GitHub repository.

Audit History

| Firm | Scope | Report |
|---|---|---|
| Zellic | Core stablecoin contract review | PDF |
| Trail of Bits | Cross-chain integration | PDF |
| Halborn | Token contracts | PDF |
| Halborn | Domain separator functionality | PDF |
| Zellic | EIP-1271 signature validation | PDF |
| Zellic | USDG rewards system | PDF |

Audit firms: Zellic (3 audits) is a top-tier smart contract auditor. Trail of Bits (1 audit) is one of the most reputable security firms in the industry. Halborn (2 audits) is a well-known blockchain security firm.

Contract Complexity

The USDG system is of moderate complexity:

  • UUPS upgradeable proxy for both the token and SupplyControl contracts
  • AccessControl role-based permissions (DEFAULT_ADMIN, PAUSE, ASSET_PROTECTION, SUPPLY_CONTROLLER_MANAGER)
  • Diamond-like facet pattern — the USDG contract uses setFacet/batchSetFacet to delegate function calls to external contracts (TokenAdminFacet, ClaimableRewardsFacet), adding upgradeability surface area beyond the proxy
  • Rate-limited minting via the SupplyControl contract with per-controller capacity and refill rates
  • EIP-2612/EIP-3009 gasless transfer support
  • LayerZero V2 OFT bridge wrapper for cross-chain transfers
  • Freeze/wipe capability for regulatory compliance

Version History

| Version | Date | Key Changes |
|---|---|---|
| v2.0.0 | Nov 4, 2024 | Major rewrite: consolidated Paxos stablecoins, Solidity 0.8.17, EIP-3009/2612, SupplyControl, Hardhat migration |
| v2.0.1 | Nov 12, 2024 | Bugfix: prevent frozen addresses from cross-chain transfers |
| v2.0.2 | Aug 8, 2025 | Patch: domain separator initialization fix |
| v2.1.0 | Jan 6, 2025 | EIP-1271 smart contract wallet support, dynamic DOMAIN_SEPARATOR for chain fork handling |
| Governance restructure | ~Mar–Jun 2026 | Timelock delay increased 3h→24h; governance consolidated from multisigs to MPC wallet (Fordefi); SupplyControl admin moved from EOA to timelock; both multisigs expanded to 20 owners |

Bug Bounty

  • Immunefi: No public Paxos USDG bug bounty program found
  • HackerOne: Access denied (403) — a private program may exist but could not be confirmed
  • Sherlock/Cantina: No audit contests found
  • Safe Harbor: Not listed on the SEAL Safe Harbor registry

The absence of a formal public bug bounty with monetary rewards is a weakness for a $1.67B stablecoin.

Historical Track Record

  • Contract deployed: October 7, 2024 (block 20,915,336) — ~21 months in production
  • Official launch: November 1, 2024
  • Total supply: ~$2.89B across 5 chains ($495M on Ethereum)
  • Growth trajectory: From ~$352M (mid-2025) to ~$2.89B (June 2026) — approximately 721% growth
  • 30-day change: +$259M (+9.9%)
  • Security incidents: None. No exploits, hacks, or depegging events reported
  • Peg stability: Price consistently at $0.999-$1.000 across all venues
  • Paxos track record: Paxos has operated USDP (Pax Dollar, formerly PAX) since 2018 and operates PYUSD (PayPal USD) on behalf of PayPal. No Paxos-issued stablecoin has suffered a security incident or depeg

Distribution partners: Kraken, Robinhood, Anchorage Digital, Galaxy Digital, Bullish, Nuvei, BitGo, Paysafe, GSR, KuCoin, Virtual Assets Group, Tokenize

Funds Management

Accessibility

  • Minting: Available through Paxos distribution partners and direct API integration. Minting requires a Paxos account with KYC/AML verification. Not permissionless
  • Redemption: Direct 1:1 redemption through Paxos (requires account). Onchain, USDG can be exchanged via DEXes or CEXes
  • No onchain mint/redeem: Unlike USDC's permissionless onchain redemption, USDG minting and burning are controlled by Paxos supply controllers via the SupplyControl contract. End users cannot directly mint or burn
  • Fees: No fees for minting or redeeming USDG through Paxos (standard network gas fees apply)
  • Geographic restrictions: Available globally except sanctioned jurisdictions. KYC required for direct minting/redemption

Collateralization

  • Backing: 100% backed by cash and cash equivalents — primarily short-duration U.S. Treasury Bills and high-quality liquid assets held in segregated accounts at regulated custodians
  • Collateral quality: U.S. Treasury Bills are the lowest-risk financial instruments globally — backed by the full faith and credit of the U.S. government
  • Segregation: Reserve assets are held in accounts segregated from Paxos's own operating funds, providing protection in a Paxos insolvency scenario
  • Regulatory requirement: As a Major Payments Institution supervised by MAS, Paxos is required to maintain 1:1 reserves and hold them in segregated accounts
  • Offchain: All reserves are held offchain at regulated banking institutions. Token holders cannot independently verify specific reserve compositions onchain

Provability

  • Monthly attestation: Paxos publishes monthly reserve composition reports verified by independent accounting firms. Reports are available on the USDG Transparency page
  • Onchain supply: Total USDG supply is verifiable onchain via totalSupply() on each chain
  • No Chainlink Proof of Reserves: No onchain oracle feed independently verifying reserves
  • Offchain verification: Reserves cannot be independently verified onchain by token holders. Must rely on the attestation reports, MAS regulatory oversight, and Paxos's institutional framework
  • Regulatory reporting: Paxos is subject to MAS supervisory requirements including regular regulatory reporting
  • MiCA compliance: USDG claims compliance with MiCA (Markets in Crypto-Assets) framework for Electronic Money Tokens under European Banking Authority oversight

Liquidity Risk

DEX Liquidity (Ethereum)

| Pool | DEX | Liquidity | 24h Volume |
|---|---|---|---|
| USDG/USDC | Curve | $7.88M | $3.39M |
| USDC/USDG | Uniswap V4 | $1.82M | $1.43M |
| USDG/USDT | Uniswap V4 | $97.4K | $165K |
| USDC/USDG | Uniswap V3 | $1.8K | $71K |
| Ethereum Total | | ~$9.8M | ~$5.1M |

DEX Liquidity (Solana)

| Pool | DEX | Liquidity | 24h Volume |
|---|---|---|---|
| USDG/USDC | Meteora | $37.8M | ~$0 |
| USDG/USDC | Orca | $16.2M | $1.35M |
| USDG/SOL | Orca | $4.76M | $2.49M |
| Various pairs | Multiple | ~$8.7M | ~$1.8M |
| Solana Total | | ~$66.5M | ~$5.6M |

Aggregate Liquidity

| Source | Available | Notes |
|---|---|---|
| DEX (all chains) | ~$78.7M | Active liquidity ~$40.9M (excluding zero-volume pools) |
| CEX | OKX, Kraken, Bullish, KuCoin, Gate.io | ~$24M total 24h volume |
| Direct redemption | Unlimited (via Paxos) | Requires KYC account, processed during business hours |

  • Primary exit (permissionless): DEX swap or CEX trade — reasonable liquidity with ~$9.8M on Ethereum DEXes. A $1M swap on Curve USDG/USDC pool would incur <0.5% slippage
  • Primary exit (KYC): Direct 1:1 redemption from Paxos — most capital-efficient but requires account setup
  • Same-value asset: USD stablecoin — no price divergence risk from the underlying
  • No withdrawal queue: DEX/CEX exits are instant. Direct Paxos redemption follows standard processing times
  • Ethereum-only concern: The Ethereum DEX liquidity (~$9.8M) is modest relative to the onchain supply ($472M). Large exits exceeding $5M+ would require CEX routing or direct Paxos redemption

Centralization & Control Risks

Governance

Token governance has been restructured from a two-tier multisig model to a model consolidated under an MPC wallet with a 24-hour timelock.

⚠️ Governance restructured since last assessment (March 2026). The 7-owner DEFAULT_ADMIN multisig and 3-of-7 operational multisig have been removed from all onchain roles. All governance power is now concentrated in an MPC wallet (likely Fordefi) with a 24-hour timelock on critical changes.

MPC wallet evidence: The operations address 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B exhibits a classic MPC custody wallet pattern:

  • Gas station funding: A dedicated gas station (0x264bd8291fae1d75db2c5f573b07faa6715997b5, nonce 5.6M+, balance ~4,986 ETH, funding 62+ distinct EOAs) sends just-in-time ETH (~0.02–0.05 ETH) before each batch of operations. The account never holds large ETH balances independently.
  • Rotating gas stations: Multiple funding addresses have serviced this EOA over its lifetime (0x9195, 0x4b39, 0xf492, 0xca67, 0x264bd), consistent with MPC provider infrastructure rotation.
  • No single key holder: In MPC wallets, the private key is cryptographically sharded across multiple parties — no individual ever holds the full key. Transactions require internal policy-based approvals within the workspace.
  • Provider: The pattern (dedicated gas station with 5.6M+ nonce, just-in-time funding, multi-address servicing) is consistent with institutional MPC custody infrastructure. Paxos's website lists "Fordefi by Paxos" — a comprehensive MPC wallet platform — in its footer navigation, indicating Paxos has a direct relationship with an MPC wallet provider. This strongly suggests Paxos uses Fordefi (or similar) MPC technology for its own operational key management.

Important caveat: The internal MPC quorum/threshold and policy configuration are not publicly verifiable onchain. The security depends on the provider's implementation and Paxos's internal policy controls (e.g., requiring multiple workspace members to approve transactions). While this is significantly stronger than a single-EOA held by one person, the exact risk profile depends on the unknown internal parameters.

Documentation is stale: The USDG GitHub README still lists the old multisig addresses as role holders and states "the addresses above utilize multisignature contracts." The live docs site (checked via Playwright rendering) does not document governance structure at all — neither the old multisig model nor the new MPC wallet. No public disclosure of the governance restructure exists.

Tier 1 — Critical operations (upgrades, role management):

  • TimelockController (0x9036566eAa5F83E0b9E1161C6c602b0Adf997654) with 24-hour minimum delay (source: onchain)
  • Holds DEFAULT_ADMIN_ROLE and owner() on the USDG token
  • Also holds DEFAULT_ADMIN_ROLE on the SupplyControl contract (SupplyControl admin no longer an EOA)
  • Controls contract upgrades (UUPS upgradeTo), role granting/revoking, and facet changes
  • PROPOSER_ROLE, EXECUTOR_ROLE, and CANCELLER_ROLE on the timelock are all held by the MPC wallet (0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B) — any action scheduled through the timelock can be proposed, executed, and cancelled by this same address. However, MPC policy controls mean multiple internal approvals are typically required to initiate transactions
  • The DEFAULT_ADMIN_ROLE on the timelock is held by the timelock itself (self-administered) — the timelock can grant/revoke roles on itself

Tier 2 — Operational / emergency (pause, freeze, supply management):

  • MPC wallet (0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B) holds PAUSE_ROLE and ASSET_PROTECTION_ROLE directly on the token (no onchain timelock — but internal MPC policy likely requires multiple approvals) (verified onchain)
  • The MPC wallet also holds SUPPLY_CONTROLLER_MANAGER_ROLE on the SupplyControl contract
  • The former operational multisig (0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33) no longer holds any roles on the token, timelock, or SupplyControl
  • The SUPPLY_CONTROLLER_MANAGER_ROLE on the token appears unassigned — no holder found among known governance addresses

Multisig status (neither holds active governance roles):

SupplyControl governance:

  • DEFAULT_ADMIN_ROLE on SupplyControl is now held by the Token Admin Timelock (24h delay) — this is an improvement from the previous EOA admin
  • SUPPLY_CONTROLLER_MANAGER_ROLE on SupplyControl is held by the MPC wallet 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B
  • Two EOA supply controllers (SC1, SC2) have very large mint capacities ($500M and $1B respectively)

Key governance concerns:

  1. All governance consolidated into an MPC wallet — the MPC wallet (0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B) holds PAUSE_ROLE, ASSET_PROTECTION_ROLE, timelock PROPOSER+EXECUTOR+CANCELLER, and SupplyControl SCM. However, as an MPC wallet (likely Fordefi), the private key is sharded across multiple parties — no single individual can unilaterally sign transactions. The risk is comparable to a multisig with an unknown internal quorum, not a standard single-key EOA
  2. 24-hour timelock is a strong improvement — the 3h delay increased to 24h, providing a meaningful monitoring window for contract upgrades. Combined with MPC policy controls, this creates defense-in-depth for critical changes
  3. Emergency actions have no onchain timelock but benefit from MPC controls — PAUSE_ROLE and ASSET_PROTECTION_ROLE can be exercised immediately onchain, but the MPC wallet's internal policy layer typically requires multiple approvals
  4. SupplyControl admin improvement — moving DEFAULT_ADMIN on SupplyControl from an EOA to the 24h timelock prevents unilateral addition of supply controllers
  5. Freeze/wipe capability: ASSET_PROTECTION_ROLE can freeze individual addresses and wipe frozen balances. This is standard for regulated stablecoins (USDC, USDT have equivalent capabilities). The MPC wallet structure provides internal governance but the onchain capability remains unilateral from the contract's perspective
  6. Internal MPC quorum unknown — while MPC is inherently multi-party, the exact number of key shards, approval threshold, and policy rules are not publicly verifiable. This is a transparency gap

Programmability

  • Token: Standard ERC-20 with EIP-2612/EIP-3009 gasless support. Transfers are fully programmatic onchain
  • Minting/burning: Through SupplyControl contract with rate-limited supply controllers. Onchain but Paxos-controlled (not permissionless)
  • Exchange rate: Fixed 1:1 USD peg — no oracle needed for the token itself
  • Reserves: Entirely offchain. Reserve management, yield generation, and reporting are handled by Paxos and its custodians with no onchain visibility into specific holdings
  • Pause mechanism: PAUSE_ROLE can freeze all transfers/approvals; minting/burning remain operational during pause
  • Operations split: Token operations (transfers, approvals) are onchain and programmatic. Reserve operations (investment, custody, yield distribution) are entirely offchain and centralized

External Dependencies

  • No DeFi protocol dependencies — USDG is a standalone stablecoin, not dependent on any external DeFi protocols
  • Banking infrastructure — reserves held at regulated custodians (inherent to fiat-backed stablecoins)
  • LayerZero V2 — cross-chain bridging to Solana via OFTWrapper. Non-critical for Ethereum-only usage. 45M USDG capacity
  • Curve/Uniswap — DEX liquidity for secondary market exits (not a protocol dependency, but relevant for exit liquidity)

Operational Risk

  • Team: Paxos was founded in 2012 by Charles Cascarilla (CEO) and Rich Teo (co-founder). Paxos is a well-established, regulated fintech company with 200+ employees
  • Track record: Operates multiple stablecoins: USDP (since 2018), PYUSD (PayPal USD, since 2023), USDG (since 2024). No security incidents across any Paxos stablecoin
  • Regulation: Paxos Digital Singapore is a Major Payments Institution supervised by MAS. Paxos Trust Company (US entity) is a New York State-chartered limited purpose trust company regulated by NYDFS. USDG also claims MiCA compliance
  • Documentation: Comprehensive documentation at docs.paxos.com covering integration guides, API reference, and contract addresses. Source code is MIT-licensed and publicly available on GitHub
  • Legal structure: Paxos Digital Singapore Pte. Ltd. (Singapore entity for USDG), with Paxos Trust Company LLC (US entity for USDP) and Paxos Issuance SARL (EU entity) as sister companies
  • Incident response: No public incident response playbook, but regulatory oversight provides accountability. Emergency pause capability via 3-of-7 multisig

Monitoring

Key Contracts to Monitor

| Contract | Address | Monitor |
|---|---|---|
| USDG Token | 0xe343167631d89B6Ffc58B88d6b7fB0228795491D | totalSupply(), paused(), Transfer events, Mint/Burn events |
| SupplyControl | 0x9a7164112029b81c07636AB7b59fA813E0883BBF | Supply controller additions/removals, rate limit changes |
| TimelockController | 0x9036566eAa5F83E0b9E1161C6c602b0Adf997654 | CallScheduled, CallExecuted events (3h delay — gives monitoring window) |
| Operational Multisig | 0x0644Bd0248d5F89e4F6E845a91D15c23591e5D33 | Submitted/executed transactions (pause, freeze, supply management) |
| Operations MPC Wallet (all governance) | 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B | Any transactions — controls pause, freeze, timelock scheduling, supply controllers. MPC wallet (likely Fordefi) — key sharded across multiple parties. Monitor for unexpected transactions |
| Gas Station | 0x264bd8291fae1d75db2c5f573b07faa6715997b5 | Funds MPC wallet before transactions — unusual ETH outflows could indicate MPC key migration or provider change |

Critical Events to Monitor

  • Pause events: Paused/Unpaused on the token — all transfers stop when paused (MPC wallet can trigger immediately, but internal policy likely requires multiple approvals)
  • Freeze events — individual address freezes via ASSET_PROTECTION_ROLE — could affect DeFi integrations (MPC wallet, no onchain timelock)
  • Supply changes — large mints/burns (>5% of supply in 24h) could indicate operational issues
  • Contract upgrades: Upgraded events via UUPS proxy — 24h timelock provides advance notice via CallScheduled
  • Supply controller changes — additions/removals via SupplyControl — SCM role held by MPC wallet, admin role under 24h timelock
  • Rate limit changes — modifications to per-controller mint capacities
  • Timelock events: CallScheduled gives 24h advance notice of all critical admin changes
  • Facet changes: setFacet/batchSetFacet events indicate functional changes to the token contract
  • MPC wallet transactions — any transaction from 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B — controls all governance actions. MPC structure provides multi-party security, but the address remains the single onchain governance point

Monitoring Functions

| Function | Contract | Purpose | Frequency |
|---|---|---|---|
| totalSupply() | Token | Supply tracking | Every 6 hours |
| paused() | Token | Operational status | Hourly |
| isFrozen(address) | Token | Address freeze status | On integration |
| getSupplyController(address) | SupplyControl | Controller status/limits | Daily |
| getMinDelay() | TimelockController | Timelock delay changes (currently 24h) | Weekly |
| Role events | TimelockController | Monitor RoleGranted/RoleRevoked events — contract uses plain AccessControl, cannot enumerate | On change |
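
Added example (not Paxos or Yearn code and not part of the original report): alert rules for the critical events listed above, run over already-decoded event records. The record shape, the freeze event names `FreezeAddress` and `FrozenAddressWiped`, the `VAULT` address and the sample events are assumptions constructed for illustration; confirm event names against the verified ABI before use.

```python
from collections import deque
from dataclasses import dataclass

# Addresses from this report's tables, lower-cased for comparison.
TOKEN = "0xe343167631d89b6ffc58b88d6b7fb0228795491d"
TIMELOCK = "0x9036566eaa5f83e0b9e1161c6c602b0adf997654"
MPC_WALLET = "0x3af3e85f4f97de7ad0f000b724fb77fe5ffc024b"
ZERO = "0x" + "00" * 20
MIN_DELAY_S = 24 * 3600       # timelock delay stated in the report
WINDOW_S = 24 * 3600          # window for the supply rule
SUPPLY_FRACTION = 0.05        # ">5% of supply in 24h"
# Assumed freeze event names; confirm against the verified token ABI.
FREEZE_EVENTS = {"FreezeAddress", "FrozenAddressWiped"}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    detail: str


class UsdgMonitor:
    def __init__(self, total_supply, watched):
        self.total_supply = total_supply             # whole USDG
        self.watched = {a.lower() for a in watched}  # integrator contracts
        self.moves = deque()                         # (ts, amount) of mints/burns
        self.pending = []                            # (eta, target) from CallScheduled

    def _supply_rule(self, ts, args):
        src, dst, amount = args["from"].lower(), args["to"].lower(), args["value"]
        if ZERO not in (src, dst):
            return []                                # ordinary transfer
        base = self.total_supply                     # supply before this event
        self.total_supply += amount if src == ZERO else -amount
        self.moves.append((ts, amount))
        while self.moves and self.moves[0][0] <= ts - WINDOW_S:
            self.moves.popleft()
        moved = sum(a for _, a in self.moves)
        if moved > SUPPLY_FRACTION * base:
            return [Alert("high", "supply-change", f"{moved} USDG minted/burned in 24h")]
        return []

    def process(self, ev):
        emitter, name, args = ev["address"].lower(), ev["event"], ev["args"]
        alerts = []
        if emitter == TOKEN and name in ("Paused", "Unpaused"):
            alerts.append(Alert("critical", "pause", f"token {name.lower()}"))
        elif emitter == TOKEN and name in FREEZE_EVENTS:
            hit = args["addr"].lower() in self.watched
            alerts.append(Alert("critical" if hit else "info", "freeze",
                                f"{name} {args['addr']}"))
        elif emitter == TOKEN and name == "Upgraded":
            # Heuristic: an upgrade is "announced" if a matured timelock call targets the token.
            announced = any(t == TOKEN and eta <= ev["ts"] for eta, t in self.pending)
            alerts.append(Alert("high" if announced else "critical", "upgrade",
                                f"implementation {args['implementation']}"))
        elif emitter == TOKEN and name == "Transfer":
            alerts += self._supply_rule(ev["ts"], args)
        elif emitter == TIMELOCK and name == "CallScheduled":
            eta = ev["ts"] + args["delay"]
            self.pending.append((eta, args["target"].lower()))
            short = args["delay"] < MIN_DELAY_S
            alerts.append(Alert("critical" if short else "high", "timelock-scheduled",
                                f"target {args['target']} executable at {eta}"))
        elif emitter in (TOKEN, TIMELOCK) and name in ("RoleGranted", "RoleRevoked"):
            alerts.append(Alert("high", "role-change", f"{name} {args['account']}"))
        if not alerts and ev["tx_from"].lower() == MPC_WALLET:
            alerts.append(Alert("info", "mpc-activity", f"{name} on {emitter}"))
        return alerts


def run(events, total_supply, watched):
    mon = UsdgMonitor(total_supply, watched)
    return [a for ev in sorted(events, key=lambda e: e["ts"]) for a in mon.process(ev)]


# Constructed sample events (not real chain data); timestamps are Unix seconds.
T0 = 1_780_000_000
VAULT = "0x" + "ab" * 20      # hypothetical integrator vault address
SAMPLE = [
    {"ts": T0, "address": TIMELOCK, "tx_from": MPC_WALLET, "event": "CallScheduled",
     "args": {"target": TOKEN, "delay": 86_400}},
    {"ts": T0 + 600, "address": TOKEN, "tx_from": "0x" + "11" * 20, "event": "Transfer",
     "args": {"from": ZERO, "to": "0x" + "22" * 20, "value": 30_000_000}},
    {"ts": T0 + 3_600, "address": TOKEN, "tx_from": MPC_WALLET, "event": "FreezeAddress",
     "args": {"addr": VAULT}},
    {"ts": T0 + 86_400, "address": TOKEN, "tx_from": MPC_WALLET, "event": "Upgraded",
     "args": {"implementation": "0x" + "cd" * 20}},
]

if __name__ == "__main__":
    for alert in run(SAMPLE, 494_698_323, [VAULT]):
        print(alert)
```

An `Upgraded` event with no matured `CallScheduled` behind it is rated critical, because it means the 24h notice window the report relies on was not observed by this monitor.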

Reassessment Triggers

  • Time-based: Reassess in 6 months (December 2026)
  • TVL-based: Reassess if total supply changes by more than ±50% from current $2.89B
  • Incident-based: Reassess after any exploit, freeze affecting DeFi protocols, depegging event, or adverse regulatory action
  • Governance-based (IMPORTANT): Reassess if governance transitions from MPC wallet back to multisig (score improvement), or if MPC wallet shows signs of compromise. Any change in role holders, timelock delay, or MPC provider/gas station infrastructure warrants reassessment
  • MPC transparency: Reassess if Paxos discloses MPC provider, quorum, and policy configuration (potential score improvement from reduced uncertainty)
  • Governance-based: Reassess if SupplyControl admin or SCM transitions, or if multisig composition/threshold changes
  • Regulatory-based: Reassess if MAS takes enforcement action, if Paxos loses its MPI license, or if regulatory status changes
  • Bug bounty: Reassess if Paxos launches a public bug bounty (score improvement)
  • Proof of Reserves: Reassess if onchain reserve verification (e.g., Chainlink PoR) is deployed (score improvement)

Appendix A — USDG Risk as a Held Asset in yvUSD

Context: yvUSD is a USDC-denominated Yearn V3 vault that deploys USDC into multiple yield strategies. This appendix assesses the risk of including USDG as an asset held within yvUSD strategies — e.g., lending USDC against USDG collateral in Morpho markets, or holding USDG positions as part of yield strategies.

Risk Assessment for yvUSD Exposure

Depeg Risk: LOW

  • USDG is backed 1:1 by cash and U.S. Treasury Bills at regulated custodians under MAS supervision
  • Paxos has a 7+ year stablecoin track record with zero depegging incidents across USDP, PYUSD, and USDG
  • Strong peg stability observed: price consistently at $0.999-$1.000
  • Risk is comparable to holding USDC — both are regulated fiat-backed stablecoins

Smart Contract Risk: LOW-MEDIUM

  • 6 audits from reputable firms, source code is open and verified
  • UUPS upgradeable proxy with 24h timelock + MPC wallet governance
  • Diamond-like facet pattern adds upgradeability surface area
  • Contract complexity is moderate (standard ERC-20 + AccessControl + rate-limited supply)

Freeze Risk: MEDIUM

  • Paxos can freeze any address and wipe frozen balances via ASSET_PROTECTION_ROLE (held by MPC wallet)
  • If a Yearn vault or strategy contract holding USDG gets frozen, those funds become inaccessible until unfreezing
  • This is the same risk profile as USDC (Circle can freeze addresses) — it has never been used against DeFi protocols but the capability exists
  • Mitigation: Ensure the vault/strategy addresses are known to Paxos and not on any sanctions list

Liquidity Risk for yvUSD: LOW-MEDIUM

  • Ethereum DEX liquidity (~$9.8M) supports moderate position sizes
  • A yvUSD strategy holding <$2M in USDG-related positions could exit via DEX with <0.5% slippage
  • Larger positions would require CEX routing or Paxos redemption
  • Given yvUSD's current TVL (~$3M), USDG liquidity is adequate for current scale

Overall Assessment for yvUSD: USDG is a suitable stablecoin asset for yvUSD strategies at current scale. Risk is comparable to other regulated stablecoins. Recommend limiting USDG exposure to <20% of vault TVL until DEX liquidity deepens further.

| Risk Factor | Level | Notes |
|---|---|---|
| Depeg | Low | Regulated, T-Bill backed, 7+ year Paxos track record |
| Smart Contract | Low-Medium | 6 audits, but upgradeable with 3h timelock |
| Freeze | Medium | Standard for regulated stablecoins, never used vs DeFi |
| Liquidity | Low-Medium | $9.8M DEX adequate for current yvUSD scale |
| Overall | Low-Medium | Suitable with position size limits |

Appendix B — USDG Risk as Collateral for yvUSDC-1 Lending

Context: yvUSDC-1 is a USDC-denominated Yearn V3 vault that deploys USDC into lending strategies. This appendix assesses the risk of lending USDC against USDG as collateral — e.g., in Morpho markets where borrowers post USDG to borrow USDC.

Risk Assessment for Lending Against USDG

Collateral Quality: HIGH

  • USDG is 1:1 backed by U.S. Treasury Bills — same quality as USDC collateral
  • Regulatory framework (MAS supervision) provides strong assurances on reserve integrity
  • No history of depegging or reserve shortfalls
  • Appropriate for same-value lending (USDG collateral for USDC borrows)

Liquidation Risk: MEDIUM

  • DEX liquidation path: Curve USDG/USDC pool ($7.88M liquidity) is the primary liquidation venue on Ethereum. A $1M liquidation would execute with <0.5% slippage. However, a $5M+ simultaneous liquidation could move the market
  • Liquidation depth vs exposure: Current Ethereum DEX liquidity (~$9.8M) supports liquidation of positions up to ~$3-5M without excessive slippage. Larger positions require multi-block liquidation or CEX routing
  • Same-value asset: Since USDG and USDC are both USD stablecoins, liquidation is essentially a stablecoin-to-stablecoin swap — much lower risk than volatile collateral liquidations

Freeze Risk for Lending: MEDIUM-HIGH

  • If USDG collateral in a Morpho vault gets frozen by Paxos, the lending protocol cannot liquidate that collateral
  • This creates bad debt risk: the borrower defaults, but the collateral is frozen and cannot be seized/sold
  • This is the most significant risk for lending against USDG — the freeze capability creates a scenario where collateral becomes illiquid and unliquidatable
  • Mitigation: This risk exists for all regulated stablecoins (USDC, USDT) used as collateral and has never been triggered against DeFi protocols. MAS supervision provides accountability

Counterparty Risk: LOW

  • Paxos is well-regulated with zero incidents — very low probability of voluntary freeze of legitimate DeFi contracts
  • Involuntary freezes (law enforcement, sanctions) would target specific addresses, not the broad DeFi ecosystem
  • Regulatory clarity is improving, reducing the probability of blanket DeFi restrictions

Overall Assessment for yvUSDC-1: USDG is acceptable as lending collateral with appropriate risk parameters. The primary concern is the theoretical freeze risk on collateral, which is standard for all regulated stablecoins. Recommend conservative LTV ratios and position limits.

| Risk Factor | Level | Notes |
|---|---|---|
| Collateral Quality | High | T-Bill backed, MAS-supervised, 1:1 with USD |
| Liquidation | Medium | $9.8M DEX liquidity, <0.5% slippage up to $1M |
| Freeze (Collateral) | Medium-High | Frozen collateral = unliquidatable = bad debt risk |
| Counterparty | Low | Paxos well-regulated, zero incident history |
| Overall | Medium | Acceptable with conservative LTV and position limits |

Recommended parameters for lending against USDG:

  • Max LTV: 90% (same-value stablecoin, but freeze risk warrants buffer below 95%)
  • Liquidation threshold: 95%
  • Max exposure: min($5M, 50% of Ethereum USDG DEX liquidity, 10% of total vault TVL)
  • Monitor: Paxos freeze events, DEX liquidity depth, USDG peg