ethena.fi
Summary
Ethena is a ~$5B synthetic-dollar protocol issuing USDe (delta-neutral, CEX-hedged) and sUSDe (yield-bearing stake), plus treasury-backed USDtb and the ENA governance token across 14+ chains. Core USDe minting and staking contracts are verified, heavily audited, and controlled by a 5-of-10 multisig—but documentation claims 7 signatures and 7-day timelocks that do not exist on-chain. The largest on-chain red flag is USDtb: its upgradeable proxy is controlled by a single EOA, not a multisig. USDe backing depends on off-chain CEX hedging and custodians that smart-contract audits cannot fully cover; the Feb 2025 Bybit incident briefly depegged USDe and triggered ~$22M in Aave liquidations despite no reported backing loss. Overall risk is moderate (5.7/10).
Trust Assumptions
Users must trust that a 5-of-10 Dev Multisig (not the documented 7-of-7) will not abuse immediate admin powers over USDe minting, sUSDe staking, ENA inflation (up to 10% annually), and blacklist/redistribution controls. USDe's $1 peg requires centralized exchanges to remain solvent and operational, whitelisted custodians (e.g., Copper ClearLoop) to hold collateral safely, and Ethena's off-chain hedge book to stay delta-neutral—none of which is enforceable in smart contracts. Cross-chain USDe on 14+ chains depends on LayerZero bridge integrity and per-chain multisigs that can reconfigure peers without timelock. USDtb holders additionally trust a single EOA admin and ~90% BlackRock BUIDL treasury concentration. ENA holders rely on discretionary airdrop campaigns and an approved-but-unimplemented fee switch, not contractual revenue share.
What Could Go Wrong
A CEX counterparty failure or hedge mismatch could impair USDe backing—the Bybit hack already stressed ~20% of CEX collateral, depegging USDe to ~$0.96–$0.994 and causing ~$22M Aave liquidations before Ethena settled PnL in 90 minutes. The USDtb EOA admin could upgrade the token implementation instantly to mint, pause, or blacklist without multisig delay—a structurally different and more centralized risk profile than core USDe. Compromise of the 5-of-10 Dev Multisig or GATEKEEPER EOAs could halt mint/redeem, seize sUSDe via blacklist redistribution, or misconfigure LayerZero bridge peers to mint unbacked tokens on L2s. Heavy insider ENA vesting (~40M tokens/month through 2028), yield-compressed sUSDe (~3–4% APY vs ~18% in 2024), and points-driven mercenary capital create secondary-market depeg and TVL flight risk, as seen in the Oct 2025 flash crash ($0.97) and repeated web2 incidents (Discord Sep 2024, domain drainer Sep 2024).
Recommendation
USDe/sUSDe exposure is defensible for risk-tolerant allocators given strong audit coverage (14+ reviews, $3M Immunefi bounty), zero core contract exploits, and demonstrated crisis response on Bybit—but size positions assuming off-chain hedge and custodian dependencies, not just on-chain code quality. Treat USDtb as a separate, higher-centralization product until its EOA admin is replaced with a multisig and timelock. Avoid using Ethena tokens as collateral in leveraged DeFi loops given composability losses (~$12.9M Balancer BEX tripool, Nov 2025). Monitor CEX hedge concentration, USDe peg deviation, insider ENA unlocks, fee-switch implementation, and any changes to multisig signers or bridge peer configuration. Reduce exposure if documentation continues to overstate on-chain protections relative to verified contract reality.
Analysis Sections
Ethena's core USDe stack is controlled by a 5-of-10 Gnosis Safe (Dev Multisig) with no on-chain timelock. Documentation claims 7-of-7 signatures and 7-day timelocks that are not enforced in verified contracts. USDtb uses separate governance: minting is controlled by a distinct 5-of-11 Safe, but the USDtb token proxy and ProxyAdmin are owned by a single EOA. ENA "governance" is primarily off-chain committees; on-chain ENA inflation is controlled by the Dev Multisig.
Findings (11)
USDtb (0xC139190F447e929f090Edeb554D95AbB8b18aC1C) is a TransparentUpgradeableProxy whose ProxyAdmin (0x3c405f68d5c6ece868e5646cac926679839acd68) is owned by EOA 0xd93826bb299765c87d13aeba2a7e5d9b27a03956. The implementation owner()/DEFAULT_ADMIN is the same EOA. This key can upgrade the token implementation, pause/unpause, and grant mint/burn/blacklist roles without multisig or timelock.
Ethena documentation states the protocol multisig requires 7 signatures from distributed stakeholders. On-chain, the primary Dev Multisig is configured as 5-of-10. This mismatch reduces transparency for users relying on published trust assumptions.
Verified Ethena contracts implement SingleAdminAccessControl and Ownable2Step but contain no TimelockController, delay parameters, or schedule/execute patterns. Documentation asserts 7-day timelocks on core admin and GATEKEEPER changes; this protection is not verifiable on-chain and may only exist as off-chain operational policy.
On-chain verification shows the Dev Multisig (0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862) holds DEFAULT_ADMIN_ROLE or owner() on USDe, EthenaMinting V2, StakedUSDeV2, ENA, Ethereum LayerZero OFT adapters, and StakingRewardsDistributor. The Safe requires 5 of 10 signatures. No timelock contract or delay modifier exists in verified source code; admin actions including transferAdmin(), setMinter(), collateral changes, and bridge peer configuration can execute immediately once a Safe transaction passes.
USDtbMinting (0xa3DDBf92077b850E29C4805Df0a2459Ae048416a) DEFAULT_ADMIN is a separate 5-of-11 Gnosis Safe (0xe897d8620d5eba2c8ecaaf0ada191a23230ab8ec), not the Dev Multisig. This reflects the BlackRock/Anchorage partnership structure but creates a split governance surface: USDe and USDtb products have different admin keys and signer sets.
EthenaMinting V2 defines a GATEKEEPER_ROLE that can disableMintRedeem() and revoke MINTER/REDEEMER/COLLATERAL_MANAGER roles without re-enable authority. Documentation assigns this to EOAs at Ethena Labs and external security firms for rapid response. This is an intentional circuit breaker but concentrates emergency power outside the multisig admin path.
StakedUSDeV2 grants DEFAULT_ADMIN (Dev Multisig) and blacklist managers the ability to restrict addresses and call redistributeLockedAmount() to move locked sUSDe from restricted wallets to arbitrary unrestricted addresses. Admin can also rescueTokens(). These are powerful compliance controls but create custodial risk if admin keys are compromised.
Despite ENA being marketed as a governance token with committee-based off-chain governance (Snapshot, Risk Committee), on-chain ENA mint() is onlyOwner and owner is the Dev Multisig. Owner can mint up to 10% of total supply once per year. Tokenholder votes do not gate this inflation path.
Ethereum USDeOFTAdapter owner is the Dev Multisig, but Arbitrum and Base USDeOFT owners are separate chain-local 5-of-10 Safes (0xc9647361742Eb964965B461C44Bdf5c4Bc3c406d on Arbitrum, 0xbC89D10EB486b6591583F218acB9545087dBF293 on Base). Signer sets largely overlap with the Dev Multisig (10/10 shared signers on Arbitrum), but distinct Safe contracts mean bridge peer misconfiguration on L2 requires a separate multisig transaction.
StakingRewardsDistributor (0xf2fa332bd83149c66b09b45670bce64746c6b439) and Arbitrum ENAOFT (0x58538e6A46E07434d7E7375Bc268D3cb839C0133) lack verified source on Etherscan. StakingRewardsDistributor owner is the Dev Multisig on-chain, but bytecode cannot be independently audited from this repo.
Ethena documentation and StakedUSDeV2 comments reference Ethena DAO governance for yield allocation, but on-chain control of core contracts remains multisig-based. Ethena Foundation operates Risk and other committees via Snapshot elections. Users should not assume ENA token voting directly controls minting, collateral, or upgrade parameters.
Key Admin Entities
On-Chain Ownership (Ethereum)
| Contract | Admin / Owner | Admin Type |
|---|---|---|
| USDe | 0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862 | Gnosis Safe 5/10 |
| EthenaMinting V2 | 0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862 | Gnosis Safe 5/10 (DEFAULT_ADMIN) |
| StakedUSDeV2 | 0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862 | Gnosis Safe 5/10 (DEFAULT_ADMIN) |
| ENA | 0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862 | Gnosis Safe 5/10 |
| USDe minter | 0xe3490297a08d6fc8da46edb7b6142e4f461b62d3 | EthenaMinting V2 contract |
| USDtb (proxy) | 0xd93826bb299765c87d13aeba2a7e5d9b27a03956 | EOA |
| USDtb ProxyAdmin | 0xd93826bb299765c87d13aeba2a7e5d9b27a03956 | EOA |
| USDtbMinting | 0xe897d8620d5eba2c8ecaaf0ada191a23230ab8ec | Gnosis Safe 5/11 |
| USDeOFTAdapter (ETH) | 0x3b0aaf6e6fcd4a7ceef8c92c32dfea9e64dc1862 | Gnosis Safe 5/10 |
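
The admin types in this table can be re-derived from raw JSON-RPC results. The sketch below is an added example, not code from Ethena or from this report: it decodes constructed `eth_getCode`, `eth_getStorageAt` (EIP-1967 admin slot) and Safe `getThreshold()`/`getOwners()` responses, classifies each admin, and flags any case weaker than a documented signer count. All addresses and responses are placeholders, and the function names are hypothetical.

```python
# Added example. All RPC responses below are CONSTRUCTED; addresses are placeholders.
EIP1967_ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"

def word(data, i=0):
    """i-th 32-byte ABI word of a 0x-prefixed hex result, as an int."""
    raw = bytes.fromhex(data[2:])
    if len(raw) < 32 * (i + 1):
        raise ValueError("truncated ABI data")
    return int.from_bytes(raw[32 * i:32 * (i + 1)], "big")

def address(data, i=0):
    """Decode an address word; reject values wider than 160 bits."""
    v = word(data, i)
    if v >> 160:
        raise ValueError("not an address word")
    return "0x" + format(v, "040x")

def owners(data):
    """Decode getOwners(): head offset, array length, then one word per owner."""
    base = word(data, 0) // 32
    return [address(data, base + 1 + k) for k in range(word(data, base))]

def classify(code, threshold_ret=None, owners_ret=None):
    """Classify an admin from eth_getCode plus optional Safe getter results."""
    body = code[2:].lower()
    # No code, or a 23-byte EIP-7702 delegation designator: still a single key.
    if body == "" or (body.startswith("ef0100") and len(body) == 46):
        return ("EOA", 1, 1)
    if threshold_ret and owners_ret:
        return ("Safe", word(threshold_ret), len(owners(owners_ret)))
    return ("contract", None, None)

def audit(name, admin, documented_signers=None):
    """Return findings where on-chain state is weaker than the documented claim."""
    kind, m, n = admin
    if kind == "EOA":
        return [f"{name}: admin is a single EOA"]
    if kind == "Safe" and documented_signers and m < documented_signers:
        return [f"{name}: docs claim {documented_signers} signatures, Safe is {m}-of-{n}"]
    return []

pad = lambda v: format(v, "064x")
SAFE_THRESHOLD = "0x" + pad(5)       # constructed getThreshold() result
SAFE_OWNERS = "0x" + pad(32) + pad(10) + "".join(pad(0x1000 + k) for k in range(10))
ADMIN_SLOT_VALUE = "0x" + pad(0xAA)  # constructed eth_getStorageAt(proxy, EIP1967_ADMIN_SLOT)
PROXYADMIN_OWNER = "0x" + pad(0xBB)  # constructed owner() result from the ProxyAdmin

if __name__ == "__main__":
    print("ProxyAdmin:", address(ADMIN_SLOT_VALUE), "owner:", address(PROXYADMIN_OWNER))
    print(audit("core admin", classify("0x6080", SAFE_THRESHOLD, SAFE_OWNERS), 7))
    print(audit("proxy owner", classify("0x")))
```

Run against live data, the same functions take the hex strings returned by an archive or full node; a timelock check would additionally need the admin contract's source or ABI, which this sketch does not cover.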