Logo

New OUSD Convex Yield Strategies for Higher Yield, Audited by OpenZeppelin

November 29, 2022
OUSD V2

Want to read the full report? You can read it on our GitHub.

In line with our commitment to security, Origin Protocol has commissioned OpenZeppelin to review and audit new OUSD Convex strategies. The audit has been successfully completed, with no critical or high severity issues.

Auditing the Ethereum Foundation, Coinbase, Aave, and others, OpenZepellin sets the standard for smart contract auditing. We’re thrilled to announce our latest audit for new strategies coming to OUSD, conducted by OpenZeppelin.

We are excited to integrate the OUSD-3Crv strategy, which will help increase Origin Dollar’s yield to mid-single digits with the same best-in-class OUSD security and convenience.

New Strategies Using Convex

OUSD has developed two new strategies for generating yield, the Convex Generalized Meta Strategy and the Convex OUSD Meta Strategy.

As a refresher, Curve is a decentralized exchange that allows users to trade or provide liquidity to earn fees and rewards. Curve’s 3Pool (3CRV) consists of USDC, USDT and DAI, allowing users to deposit these tokens and traders to trade between them. Our original integration with Convex and Curve two years ago has allowed us to use this strategy. 

The Convex Generalized Meta Strategy allows us to utilize pools that pair 3CRV with other stablecoins, such as OUSD. Pairing 3CRV with OUSD to deposit into the OUSD3CRV pool allows traders to trade between OUSD, USDC, USDT and DAI.   This liquidity position will be deposited into Convex Finance to earn staking rewards in the form of CRV and CVX, and trading fees from the pool.

The difference between the strategies is that the OUSD Minting Strategy is able to mint OUSD to deposit into the OUSD3CRV pool to keep it balanced. The strategy has to burn the minted OUSD when they are withdrawn, so there is no dilution of OUSD. Furthermore, OUSD tokens held by a contract are non-rebasing by default, so the yield generated for holders are not diluted as well.

We see the minting strategy as an exceptional breakthrough, as other yield aggregators are unable to replicate it without their own stablecoin.

Audit Findings

A total of 14 issues have been found, the highest being a medium security issue which has been resolved: 

  • Critical Severity - 0
  • High Severity - 0 
  • Medium Severity - 1 (1 resolved)
  • Low Severity - 9 (5 resolved, 1 partially resolved)
  • Notes and Additional - 4 (3 resolved)

What Was the Medium Severity Issue? 

In several instances where the strategies utilized their token balances, the strategies did not validate if the balances match the expected or specified value. This means it did not account for tokens that can be sent to the contract directly, or assumed the contract has received the expected number of tokens. 

For example, if the minting strategy attempted to burn all its OUSD tokens, it would fail if its balance exceeds the specified range, which could occur if someone sends OUSD directly to the contract. 

This has been fixed in a commit by OUSD developers.

Higher APY, Same Security

At OUSD, we maintain our philosophy of security first to give our users the best risk-adjusted yields in DeFi. Even as we are confident in the ability of our engineers to ship secure code, and rightly so seeing the results of the audit, we patiently wait for audits before deployment of new contracts. 

There are no shortcuts to security, and OUSD embodies this. 

Other new strategies built on top of Curve, Convex, Aave and Compound are being built and can be monitored on our governance page. The same security processes will be followed for these strategies. 

If you do not hold OUSD to earn passive yield right into your crypto wallet, you can acquire OUSD through a decentralized exchange aggregator like matcha.xyz, centralized exchanges such as Kucoin or Gate.io, or use our own app on OUSD.com.
 

Joshua Teo
Joshua Teo
Origin
Stay in touch
Be the first to hear about important product updates. Your email will be kept private.
Originally released by Origin Protocol
Privacy policyTerms of service