This is an archive of our post on Aave governance forum. Read the full thread here.

In accordance with the 5-day ARFC timeline, we are submitting our interim report on eBTC. Similarly to our comment for LBTC, and given that eBTC is largely backed by LBTC, we are working to identify a suitable Oracle solution that would enable safe integration, particularly considering the aggressive parameters associated with E-Mode. We’ve also identified some key concerns that warrant further consideration before supporting onboarding.

Summary

eBTC is primarily backed by LBTC through Lombard, with WBTC and cbBTC as additional collateral types that users can deposit to mint eBTC. The pricing mechanism assumes equal price correlation across these collateral assets at a 1:1 minting ratio, creating exposure if any collateral asset depegs or experiences volatility. LBTC lacks a pricing mechanism to reflect potential slashing events in the Babylon Protocol.

The collateral structure consists of over $700M held in the “BoringVault,” managed by Veda and Seven Seas, with more than $500M restaked across Symbiotic and Karak for yield generation. This asset is conceptually similar to weETH. Key considerations include a concentration in liquidity venues and addresses, a developing governance system needing further decentralization, and additional risks from multiple yield generation protocols. Protocol-controlled liquidity forms the vast majority of Curve and Balancer liquidity pools, with the EtherFi team committing to maintain these positions long-term.

The system is also prone to operational risks from EtherFi Foundation multisig management. The absence of timelock protection in eBTC contracts is concerning, though a 24-hour timelock has been promised. The recent unannounced removal of FBTC as accepted minting collateral raises additional governance concerns. While eBTC governance operates independently through Veda, separate from the EtherFi Foundation, the timelock owner shares significant overlap with EtherFi Foundation signatories, raising centralization concerns.

1. Asset Fundamental Characteristics

1.1 Asset

Key Statistics (as of December 16, 2024):

• Circulating Supply: 6,706 eBTC

• Market Cap: $710M

• Current Yield: Point-based distribution

• Launch Date: August 18, 2024

eBTC is an ERC-20 token backed by Lombard Finance’s LBTC that enables dual yield on Bitcoin through staking via Babylon Labs and restaking through Symbiotic and Karak. Yields are currently distributed as points that convert to token airdrops each season.

Users can stake WBTC (0.4% fee), LBTC, or cbBTC to receive eBTC. The WBTC fee covers unwrapping costs to LBTC. A 7-day withdrawal period is an additional safety mechanism implemented by Veda Labs.

On December 4, the admin removed the ability to mint eBTC with FBTC without notice or explanation.

Source: Etherscan, December 16th, 2024

The token utilizes a multi-layered rewards system combining points from Babylon, Lombard, Symbiotic, EtherFi, Veda, Karak, and planned EigenLayer integrations. Points accrue based on deposit amounts and platform-specific multipliers.

Contract: 0x657e8C867D8B37dCC18fA4Caead9C45EB088C642

eBTC has integrated with major DeFi protocols, including Balancer, Curve, and Gearbox, and has established connections to platforms like Avalon, Equilibria, and Sturdy. The ecosystem continues expanding, with planned Uniswap pool integration and network expansion to Base and Arbitrum.

1.2 Architecture

Users can mint eBTC permissionlessly through the EtherFi dApp with a minimum stake of 0.01 BTC. The system uses BoringVault, developed by Seven Seas, which issues receipt tokens (eBTC) for deposited BTC.

BoringVault Architecture.Source: Veda

The BoringVault architecture consists of four main components:

1. BoringVault (0x657e8C867D8B37dCC18fA4Caead9C45EB088C642): Core minimalist contract that delegates functionality to external contracts. Users interact through the Teller, while the Manager handles rebalancing.

2. Teller (0x458797a320e6313c980c2bc7d270466a6288a8bb): Manages deposits/withdrawals with MEV protection through:

   • Share lock periods

   • Atomic Queue for withdrawal processing

   • Multi-asset support

3. Accountant (0x1b293DC39F94157fA0D1D36d7e0090C8B8B8c13F): Handles share pricing with safeguards:

   • Offchain exchange rate calculation

   • Rate/bound limiting

   • Automatic pausing on violations

   • Current 1:1 exchange rate with ±0.5% change limit

4. Lens (0x5232bc0F5999f8dA604c42E1748A13a170F94A1B): Provides read-only access to vault data and status

The vault currently holds $190M in collateral, split between BoringVault and restaking on Symbiotic/Karak platforms.

1.3 Tokenomics

The total supply of eBTC is not fixed as more eBTC can be permissionlessly minted based on the demand from users staking LBTC, wBTC, and cbBTC on EtherFi. eBTC is held by 4,572 unique addresses.

EtherFi’s primary token is ETHFI, whose supply is capped at 1B and is used as the governance token for the protocol.

1.3.1 Token Holder Concentration

eBTC Top 100 Token Holders.Source: Etherscan, December 13th, 2024.

The top 5 holders of eBTC are:

• 0x8bc93498b861fd98277c3b51d240e7E56E48F23c: 35.4% of the total supply and is restaked into Corn eBTC Silo.

• 0x7aCDF2012aAC69D70B86677FE91eb66e08961880: 27.1% of the total supply and is restaked into Pendle’s eBTC pool.

• 0x9d8f9295268674332A108eD7D2f537413FC8b9Ea: 6.1% of the total supply and is held by an EOA.

• 0xb99a2c4C1C4F1fc27150681B740396F6CE1cBcF5: 5.9% of the total supply and is held by an EOA.

• 0xADB34945d76062BA60c12F2a556096f201C55c01: 3.7% of the total supply and is restaked into Hourglass’s eBTC vault.

The top 10 holders control a significant 85.8% of the supply. When considering the top 100 holders, this concentration increases to 97.9%.

2. Market Risk

2.1 Liquidity

eBTC/ETH swap with <7.5% price impact.Source: CoW Swap Router, December 13th, 2024.

Using CoW Swap on Ethereum, a user can swap up to 73 eBTC (approximately $7.33 million) for ETH in a transaction with less than 7.5% price slippage.

2.1.1 Liquidity Venue Concentration

All eBTC liquidity pools on Ethereum.Source: GeckoTerminal, December 13th, 2024.

Curve and Balancer on Ethereum are the only on-chain markets for eBTC. The total liquidity in eBTC pools on the Ethereum Network is $17M, and almost 80% is in Curve liquidity pools, followed by Balancer V2.

2.1.2 DEX LP Concentration

The DEX liquidity concentration for the three eBTC pools:

• Curve Tri BTC-Fi (eBTC/LBTC/WBTC): 99.9% of the liquidity is held by the LBTC BoringVault.

• Curve eBTC/WBTC: 99.9% of the liquidity is held by a 3/7 multisig.

• Balancer V2 (eBTC/WBTC): Balancer Vault holds 100% of the liquidity, entirely supplied by a 2/5 multisig.

The liquidity in the DEX pools is fully concentrated in the hands of a few wallets, which include an LBTC Boring Vault and two multisigs.

The concentration of liquidity on Curve and Balancer is attributed to protocol-supplied liquidity, which the EtherFi team has assured is stable and will not be removed. Additionally, they are actively working on further liquidity incentivization for Curve and Balancer to drive more eBTC/WBTC pool deposits.

2.2 Volatility

eBTC to BTC Chart.Source: Coingecko, December 13th, 2024.

eBTC’s price has frequently deviated from Bitcoin by more than 2%. Over the past month, it has consistently traded at a slight discount, averaging approximately 0.996 BTC per eBTC. This slight deviation, averaging 0.4%, is within acceptable bounds and does not present a significant risk to the holders.

The slight depeg of eBTC can be attributed to low liquidity in the Curve Tri BTC-Fi pool and underdeveloped arbitrage opportunities, primarily due to eBTC’s absence on CEXs, especially following Bitcoin’s rapid price movement after November 10.

2.3 Exchanges

eBTC is exclusively traded on decentralized exchanges and is not currently listed on any centralized exchange.

2.4 Growth

eBTC total supply in USD.Source: Dune, December 13th, 2024.

The total eBTC supply has grown to ~6576 eBTC ($667M) from zero in just 118 days since listing on August 18, 2024. About 4323 eBTC ($434M), 66% of the total supply, is in DeFi protocols, accruing more yield for the holders.

Some recent incentives for staking eBTC:

• “The 12 Days of Hayes,” from December 11 through December 22, 2024, rewards eBTC stakers with ETHFI worth over $3M.

• “The Golden Bull Event,” from November 20 through December 3, 2024, rewarded eBTC stakers with ETHFI worth over $2M plus 4x Lombard Lux points.

These events are a part of EtherFi’s Season 4 incentives. However, users must hold the staked amount in their wallets until the end of Season 4, i.e., January 31, 2025, to be eligible for rewards.

3. Technological Risk

3.1 Smart Contract Risk

Macro and Spearbit (Cantina) have audited the Seven Seas’ BoringVault contract. Seven Seas is a prominent DeFi vault builder, managing a TVL of $2.5 billion across their vaults. Following is an aggregation of the issues found by the Audit team.

• Macro (March 20th, 2024)

• Macro (April 22nd, 2024)

• Spearbit (Cantina) (April 19th, 2024)

The presence of these audits goes some distance in mitigating smart contract risk.

3.2 Bug Bounty Program

EtherFi has a Bug Bounty program with ImmuneFi where anyone can get rewards up to $200,000 depending on the severity of the threat they found. The list of smart contracts included in the scope can be found here.

3.3 Price Feed Risk

eBTC is permissionlessly minted at a 1:1 exchange rate for each collateral (LBTC, WBTC, and cbBTC), assuming equal price correlation across all collateral types. This creates potential risk if any collateral assets experience depegging or significant price fluctuations. Additionally, the Accountant contract (prices BoringVault shares) relies on WBTC as the base asset for pricing, meaning that eBTC’s value is directly correlated 1:1 with WBTC.

3.4 Dependency Risk

The dependency risk is relatively high due to the interconnected reliance on Lombard Finance, Babylon, and the restaking protocols. Any failure in these systems could cascade and impact eBTC’s stability and value.

Veda and Seven Seas Vault
The functioning and security of eBTC are heavily reliant on the technology and infrastructure provided by Veda and Seven Seas. All collateral assets deposited to mint eBTC are stored within the Veda and Seven Seas-powered Boring Vault. This introduces a dependency risk, as any technological failures, vulnerabilities, or operational issues within these systems could jeopardize the safety of the collateral backing eBTC.

Lombard & Babylon Impact
Babylon provides the PoS staking infrastructure. LBTC is a Bitcoin LST, the primary collateral deposited to mint eBTC. If Lombard Finance does not perform its role effectively as a finality provider, it could fail to ensure the security of the staked LBTC within Babylon’s framework. This could lead to vulnerabilities in the staking process, resulting in slashing or other disruptions that would affect the value and stability of LBTC, and these issues could propagate to eBTC.

Collateral Risk
eBTC’s minting is backed by LBTC, wBTC, and cbBTC, which introduces a dependency risk. Negative events such as governance missteps, ecosystem disputes, depegs of WBTC or cbBTC, or slashing risks for LBTC could undermine the collateral backing eBTC, posing significant risks. Additionally, it takes 7 days to withdraw eBTC and reclaim the underlying collateral on the EtherFi dApp, which introduces a liquidity risk. This time delay increases the potential for volatility and risk exposure during market stress or protocol failure periods.

Restaking Protocol Risk
eBTC’s underlying collateral is sent to restaking protocols such as Symbiotic, Karak, and EigenLayer to earn additional yield and points, which enhances the value proposition for eBTC holders. However, this introduces risk as the collateral is exposed to the risks associated with these restaking protocols. Any vulnerabilities or failures within these protocols, such as slashing events, protocol exploits, or mismanagement, could directly affect the staked assets, including the LBTC backing eBTC.

4. Counterparty Risk

4.1 Governance and Regulatory Risk

EtherFi is decentralized under DAO governance. ETHFI is the governance token with a total supply capped at 1B. Regarding the governance of eBTC, EtherFi has clarified that the EtherFi Foundation’s bylaws are separate from the eBTC deployment, which is managed in collaboration with Veda. Therefore, decisions related to eBTC fall outside the scope of EtherFi governance. The Mainnet Vault Controller multisig, which oversees the eBTC deployment, has a 4/6 threshold.

The EtherFi Foundation oversees the governance decisions by implementing two roles:

• Proposers: Submits proposals for protocol changes and initiates community votes. For the EtherFi Foundation, EtherFi SEZC (The Labs Entity) is the current proposer in the first phase of progressive governance. As the DAO matures, additional proposers will be added.

• Multisig Committee: Implements decisions and maintains security by handling emergency action. The Multisig Committee for EtherFi Foundation is a 4/7 Safe multisig.

EtherFi manages delegation through Agora, with Proposers reviewing delegation requests and initially nominating active community members and early adopters. Only delegates can participate in the governance process, limiting the voting supply to just 2.78M ETHFI out of 1B. According to the Governance Roadmap, more community members will gradually join the delegation process as the protocol expands. The voting period lasts 4 days, and the quorum required to pass a proposal is 1M ETHFI.

Concentrated Voting Power
Governance participation is currently restricted to delegates, representing only 2.78M ETHFI from a total supply of 1B. Within this, a single delegator, sassal.eth holds over 50% of the votable supply (1.57M ETHFI) and could pass proposals single-handedly since it’s above the quorum limit of 1M ETHFI. This undermines the principle of decentralized governance and poses a risk of unilateral decision-making even among the trusted chosen group of delegators.

Limited Diversity in Proposals
The governance structure grants Proposers exclusive authority to submit new proposals, limiting the broader community’s ability to initiate governance changes. Proposers need more diversity, as seen on the governance forum, where only two users have submitted proposals. This concentration suggests limited participation in shaping protocol changes and raises concerns about the inclusivity and representativeness of the governance process.

Legal Commentary

The Risk Disclosure Statement is an integral part of ether.fi Terms of Use outlines key risks associated with using ether.fi website and services. Gazde Finance SEZC, a Special Economic Zone Company established under Cayman Islands law, offers these services. While the disclosure highlights several risks, it acknowledges that the information provided is not exhaustive and does not capture every factor users should consider before engaging with the platform.

One significant provision clarifies that the company does not act as a custodian or manager of user assets to generate staking rewards. Instead, the responsibility for generating staking rewards rests solely with the users. The company has no influence or control over the staking rewards determined by the underlying blockchain protocol or network, which remain subject to change at any time without prior notice.

Furthermore, the statement emphasizes that the company does not offer or facilitate financial services or products. This delineation reinforces ether. fi’s position as a facilitator of decentralized interactions rather than a provider of regulated financial services. Finally, the document warns that the level of consumer protection afforded to users may vary significantly based on their jurisdiction.

Additionally, the information received from the EtherFi team clarifies that the pricing plan stipulated by the Terms of Use does not currently apply to eBTC. No fees associated with eBTC accrue to ether.fi or Veda, and holders earn 100% of the points accrued to the asset (including Lombard, Babylon, and any additional Ethereum restaking points). The updated pricing plan will be introduced once eBTC begins accruing restaking yield.

4.2 Access Control Risk

4.2.1 Contract Modification Options

Controlling Wallets

Here are the two main contracts powering eBTC onchain:

• eBTC ERC-20: deployed behind a BoringVault that is owned by the burn address.

• Roles Authority: deployed behind a RolesAuthority that is owned by a 4/6 Safe multisig.

The BoringVault contract which is the same as eBTC ERC-20 has the following components:

• Teller: owned by the burn address and the authority is given to the Roles Authority contract.

• Accountant: owned by the burn address and the authority is given to the Roles Authority contract.

We can see that the core components of the BoringVault/eBTC ERC-20 contract are managed through Roles Authority, controlled by the 4/6 Safe multisig.

The Hook is another important contract that allows the share pausing inside the BoringVault or implement lock periods. In this case, the hook contract is the same as the Teller’s.

Criticial Contract Functions

List of some criticial functions that each contract exposes.

eBTC ERC-20/BoringVault:

• The Hook contract, identified as the Teller contract, can pause or enforce a lock period on shares within the BoringVault. The shareLockPeriod is set to 0, and isPaused is set to False.

• The Accountant contract is responsible for determining the exchange rate (getRate) used to price BoringVault shares, which is used by the Teller contract. Currently, the exchange rate is set to 1, with bounds defined by allowedExchangeRateChangeUpper and allowedExchangeRateChangeLower, permitting a fluctuation of ±0.5%. The accountantState includes critical controls such as isPaused, which can halt the contract, temporarily suspending BoringVault deposits and withdrawals until reactivated by the Roles Authority contract. Additionally, it specifies a 3/5 Safe multisig payout address for collecting management and performance fees, which are currently set to zero.

Roles Authority:

• It manages all components powering eBTC, including BoringVault, Teller/Hook, and Accountant. This contract is referenced in the authority method of each of these contracts. It is owned by the 4/6 Safe multisig.

4.2.2 Timelock Duration and Function

No Timelock is currently present on the contracts powering eBTC. However, the EtherFi team has assured us they’ll implement a 24-hour timelock on the admin contracts powering EtherFi contracts within the next few days.

4.2.3 Multisig Threshold / Signer identity

eBTC’s owner is the burn address. From all the information gathered so far, the eBTC ecosystem is controlled by this 4/6 Safe multisig, with the Roles Authority contract managing the key components of BoringVault.

Multisig Address: 0xCEA8039076E35a825854c5C2f85659430b06ec96

Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.

Aave V3 Specific Parameters

Parameters will be presented jointly with @ChaosLabs, if applicable.

Price feed Recommendation

To be provided.