Risk Assessment: Frax Governance
This report was funded by veFunder to assess the risk posed to the Curve protocol. This report was also published to Crypto Risk Assessments.
The Curve protocol has become integral to DeFi, ranking first in DEX TVL and second in DEX volume. It was recently highlighted that Frax, a protocol deeply involved with Curve, uses multisigs operated by the core team to control protocol funds and governance operations. A December 2021 Trail of Bits audit graded the decentralization of the protocol as "weak" and stated, "Contract owners have near complete control over the system. While the concept of governance exists, its role is unclear."
Given the level of integration between Curve and Frax, the risk posed by the core team multisig to the Curve protocol must be assessed.
Frax is a fractional-algorithmic stablecoin protocol that aims to improve the scalability of decentralized stablecoins without sacrificing stability. The protocol features two stablecoins: FRAX pegged to the US dollar and FPI pegged to US inflation. Frax is governed by its token holders using a similar vote escrow model to Curve, in which FXS is locked for veFXS and governance rights.
Frax's stability mechanism allows users to mint and redeem FRAX for $1 of value, but the $1 is derived from external collateral and burning FXS. With traditional collateralized debt position stablecoins, like DAI, users must deposit more than $1 of value to mint $1 of the stablecoin, and the $1 must be entirely derived from external assets. The fractional-algorithmic system deployed by Frax increases the capital efficiency of each dollar, improving scalability.
The price stability of FRAX has been proven over time, with the only significant deviation from $1.00 occurring during the UST collapse. FRAX briefly fell to $0.975 in the FRAX/USDC/USDT/DAI Curve pool before returning to its $1 peg.
More recently, FRAX has traded between $0.9995 and $1.0020 in the FRAX/USDC Curve pool. Yet this spread can further tighten if the pool's transaction fees are reduced to 1bp, matching the 3pool.
Frax leverages the Curve protocol to create deep liquidity for its assets. There are currently $1.1B of FRAX, $63M of FPI, and $56M of FXS deposited in various Curve pools, totalling 21.5% of all Curve TVL. At $1.1B, FRAX enjoys very deep liquidity on Curve, followed by $780M of USDC and $764M of stETH. While Curve TVL has significant exposure to Frax assets, it also attracts a deep supply of other prominent assets (such as stETH, tricrypto, etc.) that attract traders to the protocol.
Convex is a yield aggregator that simplifies the LP process and maximizes returns for its users. Since launch, it has accumulated a material influence in the Curve DAO and Frax, holding 53% and 29% of governance power, respectively. Convex has a vested interest in the success of both protocols, and its voters have historically signalled to improve the synergies between them. Convex acts as a gravitational force that keeps the interests of Frax and the Curve DAO aligned.
During the Terra collapse, Curve volumes reached all-time highs, driving significant fee revenue to the protocol. If Frax experienced a similar fate, we would expect a transient surge in volume, but the loss of Frax asset pools would likely reduce Curve volume over the long run. In this scenario, the Curve DAO should remove gauges from Frax asset pools to halt the flow of inefficient CRV emissions. The Curve protocol would continue to operate as designed with minimal intervention from the Curve DAO. While the success of Frax would benefit Curve, its implosion does not lead to the demise of Curve.
The FRAX/USDC pair (FraxBP) was launched just three months ago and has quickly become the third largest Curve pool with $830M TVL. The FraxBP attracts LPs with its strong yield, driven by Frax bribing CVX voters for veCRV votes. Since FraxBP is a base pool, other tokens can be paired alongside the FraxBP LP token to form new pools called metapools. There are currently 14 FraxBP metapools totalling $112M in TVL, further entrenching FRAX into the Curve protocol.
Curve pools are permissionless, so the protocol is agnostic to the assets that find liquidity on its platform. Gauges, however, are governance approved and determine which pools receive valuable CRV emissions. Pools containing FRAX or FXS currently hold 32% of the total gauge weight vote, meaning the Frax protocol is farming approximately one-third of daily CRV emissions. Frax is regularly responsible for 50% of the total amount bribed to CVX lockers, paying greatly to accumulate its gauge weight.
CRV emissions attract LPs that create deep liquidity for traders, generating revenue for the protocol through transaction fees. If pools receive CRV emissions without returning transaction revenue to the protocol, the pool's LPs are farming CRV to the detriment of the protocol and current CRV holders/lockers. At the time of writing, FraxBP and the Frax3crv pools have generated the fifth and sixth most revenue, respectively.
Historically, the biggest issue with FRAX has been its lack of velocity or the rate of turnover in the money supply. Historically, the primary use case of FRAX was to store value and farm rewards. The recent launch of Fraxlend may increase FRAX velocity as it denominates loans in FRAX. Like loans denominated in DAI, borrowers swap out of the debt token and into an asset of their choosing. Borrowers must repurchase the debt token to repay the loan and close out their position. Given the deep liquidity, these trades will likely occur on Curve, driving further transaction fees back to the protocol.
Fraxlend launched in the first week of September, initially offering loans against WBTC and ETH collateral. Less than one month since launch, the lending platform accrued $1.05M in deposits and lent $809K FRAX to borrowers. Increased adoption of Fraxlend may drive transaction revenue to Curve, increasing the efficiency of CRV emissions flowing to FRAX pools.
Frax proposals have a minimum three-day discussion period before moving to a five-day off-chain voting period on Snapshot. A simple majority with weighted voting decides vote outcomes, meaning users can spread their votes across multiple options, which is beneficial for gauge weight voting.
Frax has deployed a governance contract forked from Compound's governor alpha that uses FXS as the voting token. This contract, designed to be the protocol's decentralized, on-chain voting engine, is not yet in operation; no transactions have been executed since December 2020 (contract deployment date) beyond setting the timelock address. Note that there were failed attempts to update the admin of the contract in early September.
Additionally, the veFXS-controlled timelock of the governor alpha is a standard two-day delay. Still, the admin of the timelock is the Frax comptroller multisig (core team multisig) instead of the governor alpha contract: this gives the core team multisig complete control over the governance contract.
Therefore, there is an implicit trust assumption in Frax governance: veFXS voters must trust the core team to adhere to outcomes determined on Snapshot.
In addition to governance, the core team multisig has complete control over the protocol's assets. This multisig currently manages $762M of Frax assets and holds admin rights over other Frax contracts, such as a wallet that holds $534M of Frax assets on Curve. In other words, over $1.2B is managed by a 3 of 5 multisig with four core team members and one timelock contract. Since the admin of the timelock is the core team multisig, this is effectively a 3 of 4 multisig held by only the core team.
The team members on the multisig are Sam Kazemian, Travis Moore, Jason Juan, and Justin Moore, who are all doxed and entirely known. While this lowers the likelihood of collusion, it potentially introduces geographic censorship risk. If three core team members reside in a country that suddenly deems fractional-algorithmic stablecoins illegal, the multisig signers could be forced to terminate the protocol. Additionally, there are $450M of external assets managed by this multisig, making an exploit particularly lucrative. The inherent trust assumption of Frax is that the multisig signers act in the best interest of the protocol.
Frax developers deployed on-chain governance infrastructure but elected only to use a multisig to govern and manage the protocol. The decision to rely on multisigs reflects the core team's prioritization of speed over decentralization. The team can quickly respond to crises but must be trusted to act on behalf of the token holders and safely store private keys. If a majority of the multisig addresses were compromised, the hacker would gain complete control of the protocol and over $1B of its assets. The speed of a multisig can be beneficial as Frax has saved millions of dollars from the team's quick withdrawal of protocol-owned liquidity from compromised contracts. The team's response to the recent Fuse and Nomad exploits is evidence of this. While a multisig structure has become a standard practice in the early stages of a protocol, a mature DeFi protocol must sufficiently decentralize.
In short, Frax currently relies on multisig execution of Snapshot votes and core team management of protocol funds. For the protocol to be considered decentralized, it must seek an alternative structure.
Frax Founder Sam Kazemian has stated the team understands the current structure is unsustainable and plans to implement a more decentralized governance model. The new governance module is an optimistic implementation of Compound's Governor Bravo that will eliminate the need to trust the core team. Governance will be entirely on-chain and managed by a 6 of 11 multisig. Six of the signers are "smart contract signers" that work as one group permanently controlled by veFXS voters, while the other five signers will be human (initially the core team). Because the new structure requires a minimum of 6 signers, the core team cannot unilaterally execute transactions. Thus, the human signers cannot be compromised, coerced by any entity, or maliciously controlled without explicit approval or abstention of FXS holders.
The six smart contract signers optimistically assume the five human signers are not malicious and will autonomously sign pending transactions after a timelock period expires. The timelock is initially set for two days but is an adjustable parameter. During the timelock period, a simple majority of veFXS voters can veto any transaction deemed malicious. The new structure balances the tradeoffs between speed and decentralization.
The updated governance module removes the trust requirements from the core team by swinging the default majority to FXS holders. If veFXS voters feel the core team multisig is acting maliciously, the group can vote to veto all incoming transactions, vote to replace them, and vote to change other parameters in the system. The six smart contract signers cannot be voted out, meaning veFXS voters will always have majority control over the system. Sam also stated the governance overhaul will be live before year-end and will replace the old governance contracts.
The proposed implementation is an untested governance mechanism: the first implementation of its kind in DeFi. While introducing a system that has not been battle-tested may create unseen vulnerabilities, removing the core team's ability to transfer Frax funds without input from veFXS voters is an objective improvement on the current system.
The current use of a multisig in the governance and management of Frax does pose a risk to Curve, given the value of Frax assets in Curve pools. If Frax were to become compromised, 21.5% of assets on Curve would be at risk, and 32% of CRV emissions would be ineffectively distributed. However, the Frax team is aware the current structure is unsustainable and is implementing a secure and decentralized model that shifts majority control of the protocol to FXS voters. The successful implementation of this new governance model would remove the current risks posed by multisig wallets. A Crypto Risk Assessment completed in December 2021 stated the core team was planning to remove the multisig "in 3-6 months so that it is purely governance on-chain." Since this has yet to happen, the core team is currently 3-6 months behind their previous timeline.
Given the information described in this report, we believe that the Curve DAO should actively monitor the implementation of the optimistic governance model but take no action now. Suppose the new model is not implemented by December 31, 2022. In that case, the Curve DAO should consider funding a report to investigate why and push the Frax core team to provide an updated timeline on deprecating the multisig. If the implementation is successful, the Curve DAO should consider funding a report to assess the decentralization and security of the new governance model.