risk: add Noon sUSN risk assessment (3.5/5.0 Elevated Risk)#67
Open
spalen0 wants to merge 11 commits into
Open
risk: add Noon sUSN risk assessment (3.5/5.0 Elevated Risk)#67spalen0 wants to merge 11 commits into
spalen0 wants to merge 11 commits into
Conversation
Risk assessment for Noon protocol's sUSN (Staked USN) token on Ethereum. Final score: 3.6/5.0 (Elevated Risk). Key findings include no timelock on 3-of-6 multisig, off-chain custodial reserves, 5-day withdrawal lockup, and Stork oracle dependency. Closes #66 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
- Remove multisig signer addresses (per skill.md guidelines) - Add full Risk Tier table with final tier bolded - Verify and annotate collateral wallet types on-chain: Collateral 1 (4-of-5 Safe), Collateral 2 (3-of-4 Safe), Collateral 3 (EOA - flagged as higher risk) - Expand monitoring section: blacklist events, RBAC changes, withdrawal period changes, EOA collateral wallet alerts - Fix placeholder deployment tx links - Fix typo (redeplooys -> redeploys) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update all on-chain metrics: exchange rate 1.1680 (was 1.1659), TVL ~$31M (was ~$28M), chain distribution shifted to Ethereum - Update DEX volume with accurate CoinGecko data (~$33K USN, ~$156 sUSN) - Update Morpho market data, oracle values, Stork/Chainlink feed values - Add USN peg monitoring section (was missing from monitoring) - Update timeline references to ~14 months beta - Verify all contract ownership unchanged (multisig 3-of-6) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add NOON governance token launch on KuCoin (March 5, 2026) with veToken system details — does not change underlying multisig admin - Add US GENIUS Act regulatory risk for BVI stablecoin issuers - Add tBTC Bitcoin Yield Vault product expansion note - Add Serenity Research link (paywalled analysis) - Note NOON token in governance section Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
Author
Review: Noon Team Responses (March 14 Google Sheets)Noon provided responses to our risk assessment findings here: Planned Remediations (commitments, not yet verified on-chain)
New Information to Investigate
Items With No Remediation Offered
Next Steps (updated March 23, 2026)
Additional Findings During Reassessment
|
Reassessment incorporating team data from feedback spreadsheet: Verified improvements: - 48h timelock on proxy upgrades (0xE5e4...5A7F, on-chain verified) - Source code now public (Protocol-Core + Governance-Core, Slither/Mythril CI) - DCLM market maker liquidation backstop (24h execution on >1% depeg) - Ceffu funding rate arb paused 12+ months New findings: - mintAndRebase() allows unbacked USN minting (no supply cap, no cooldown, no daily limit, rebaseLimit adjustable to uint256.max, not behind timelock) - 2 EOAs still hold REBASE_MANAGER_ROLE on sUSN vault - Alpaca/Dinari tokenization NOT verified on-chain - Morpho market at 100% utilization (was 89.6%) - Anonymous signers: no fix planned (commitment after >$100M TVL) Score changes: - Audits: 3.5 → 3.0 (public code, 17mo production) - Centralization: 4.0 → 3.5 (timelock on proxy upgrades) - Operational: 3.5 → 3.0 (public repos, CI) - Final: 3.6 → 3.4 (Elevated → Medium Risk) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
On-chain reverification (block 24,973,944) confirms governance state unchanged: 3-of-6 multisig, 48h timelock on proxy upgrades, both ProxyAdmins owned by timelock, 2 EOAs still hold REBASE_MANAGER_ROLE, Collateral 3 still EOA, MinterHandler params unchanged. Refreshed metrics: - TVL: $30.75M (Mar 23) → $26.91M (Apr 22) → $26.57M (Apr 27, DeFiLlama) - USN supply: 27.70M → 24.10M → 23.76M (-14.2% from Mar 23) - sUSN supply: 18.20M → 17.66M → 17.55M (-3.5% from Mar 23) - sUSN exchange rate: 1.1717 → 1.1822 → 1.1824 - Morpho utilization: 100% → ~90% → 89.6% (~$880K supply headroom) - DEX volume: USN $33K → $626 → $5.7K/day; sUSN $156 → $118 → $1.6/day - USN price: $0.9997 (well-pegged, CoinGecko) - Oracle price: 1.1826 USDC/sUSN Score unchanged at 3.4 (Medium Risk). TVL contraction worth watching against the $15M reassessment trigger but well outside it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
spalen0
commented
Apr 28, 2026
|
|
||
| - **Oracle**: [`0xC415Cc3F04F9074A9562aEEe02591e65D39A94aa`](https://etherscan.io/address/0xC415Cc3F04F9074A9562aEEe02591e65D39A94aa) | ||
| - Monitor oracle price for staleness or deviation from sUSN vault exchange rate | ||
| - **Alert**: If Stork feed deviates >1% from sUSN's on-chain `convertToAssets()` value |
Collaborator
Author
There was a problem hiding this comment.
Current on-chain values make this alert fire permanently if implemented literally: BASE_FEED_1.latestAnswer() is 1e18 (USN/USD), while sUSN.convertToAssets(1e18) is 1.182370407318935270e18 (sUSN/USN). The Stork feed should be monitored against USN/USD peg/market sources or expected 1e18 plus staleness; the full Morpho price() can be compared against convertToAssets * USN/USD / USDC/USD after normalizing decimals.
Collaborator
Author
There was a problem hiding this comment.
Addressed in 66b3a9e:
- Removed the broken
Stork feed deviates from convertToAssets()alert (different units, would always fire) - Oracle now monitored against the expected
convertToAssets × USN/USD ÷ USDC/USDformula - Stork USN/USD feed monitored against
1e18($1.00) and against off-chain market USN/USD price (oracle-vs-market divergence is the actual depeg risk) - Added Chainlink USDC/USD feed monitoring with standard staleness checks
- Documented the non-Unix
updatedAtissue with the Stork adapter and the cadence-based workaround
spalen0
commented
Apr 28, 2026
| - **MinterHandlerV2**: [`0xB91b361ebE4022Bb62dF0651bDD09b21209ac058`](https://etherscan.io/address/0xB91b361ebE4022Bb62dF0651bDD09b21209ac058) | ||
| - Monitor `MintAndRebase(amount)` events — each call mints USN without collateral | ||
| - **Alert**: If `mintAndRebase` called more than once per day or with amount close to `rebaseLimit` | ||
| - Monitor for `setRebaseLimit()`, `setAdmin()` calls — parameter changes with no timelock |
Collaborator
Author
There was a problem hiding this comment.
setAdmin() is on the USN token (0xdA67...1eD), not on the MinterHandlerV2 address listed in this subsection. If the monitor follows this literally and watches only MinterHandler calls, it will miss the critical admin-replacement path. I would split this into setRebaseLimit(uint256) on MinterHandler and setAdmin(address) / selector 0x704b6c02 on USN, or monitor the Safe transactions by target contract.
Collaborator
Author
There was a problem hiding this comment.
Addressed in 66b3a9e:
setAdmin(address)(selector0x704b6c02, verified viacast sig) moved to the USN token monitoring section- MinterHandlerV2 monitoring now lists only
setRebaseLimit(uint256) - Added the alternative suggestion to monitor by Safe transaction target contract (USN vs MinterHandlerV2) rather than event-name parsing
Collaborator
Author
|
Review pass notes (Apr 28, 2026):
I left two inline comments on monitoring details that should be fixed before relying on the report operationally. Also, the PR title/body are stale: they still advertise No TODO/TBD placeholders were left in |
Two inline review issues from spalen0 (Apr 28):
1. setAdmin() is on the USN token, not MinterHandlerV2. Split the
bullets so USN watches setAdmin(address) (selector 0x704b6c02) and
MinterHandlerV2 watches only setRebaseLimit(uint256). Note the
option to monitor by Safe transaction target contract.
2. Stork USN/USD feed (1e18) was being compared to convertToAssets
(1.18e18) — different units, so the alert would fire permanently.
Rewrite to:
- Monitor oracle price() against expected
convertToAssets × USN/USD ÷ USDC/USD formula
- Monitor Stork against $1.00 directly and against off-chain market
USN/USD price (oracle-vs-market divergence is the depeg risk)
- Note Stork's non-Unix updatedAt — wall-clock staleness checks
don't work; use update-cadence checks instead
- Add explicit Chainlink USDC/USD monitoring
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
spalen0
changed the title
Updates all on-chain data, TVL, DEX volumes and prior-period comparisons to block 25,074,135. Key narrative changes from Apr 27: - USN total supply rebounded +16.4% (23.76M -> 27.66M) but did not enter sUSN; staking ratio dropped from 87.4% to ~72% - sUSN total supply down 4.4%; exchange rate up to 1.1870 (from 1.1824) - TVL grew +9.5% to $29.10M, but L2 deployments collapsed (Sophon -79.6%, zkSync Era -76.8%) - Morpho market utilization 89.5% (was 89.6%); supply ~$8.53M, borrow ~$7.63M, ~$890K withdrawable headroom - DEX volumes still negligible: USN ~$1.0K/day, sUSN ~$42/day - Governance state and REBASE_MANAGER_ROLE holders unchanged
Reassess Liquidity Risk from 3.5 to 4.0 to better reflect the use-case-specific exit profile for sUSN as Morpho collateral: - 5-day handler queue with maxRedeem() = 0 (no on-chain instant redeem) - DEX exit effectively absent — ~$42/day sUSN, ~$1.0K/day USN vs $29M TVL - Morpho market 89.5% utilized, only ~$890K withdrawable headroom - DCLM backstop is contractual/off-chain only, not on-chain enforceable These factors collectively meet the score-4 rubric criteria better than score-3 (market-based >$1M exit in 3-7 days). Recomputed final score 3.45 -> 3.5 (rounded), tier change from Medium to Elevated Risk. Tier change reflects use-case liquidity, not protocol deterioration.
spalen0
changed the title
- On-chain snapshot at block 25,123,989 - DeFiLlama TVL $28.59M (down ~1.7% from $29.10M on May 11) - USN supply 27.14M (-1.9%), sUSN supply 16.28M (-3.0%), totalAssets 19.37M (-2.8%) - Exchange rate 1.1897 (+0.22% from 1.1870 on May 11), staking ratio ~71.4% - Morpho market: $8.60M supply / $7.67M borrow / 89.1% utilization / ~$935K headroom - Oracle price() = 1.1900 USDC/sUSN; Stork USN/USD $1.00; Chainlink USDC/USD $0.9997 - CoinGecko: USN $1.001 (24h vol $280K, up notably); sUSN 24h vol $4.9K (still negligible) - Governance and MinterHandler params unchanged - All scores and 3.5/5.0 Elevated Risk final score unchanged Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cast(governance state, MinterHandler params, Morpho oracle architecture)Score Breakdown (current)
Risk Tier: Elevated Risk (lower bound — Limited approval, strict position-size limits recommended)
Score evolution
maxRedeem = 0+ ~$42/day sUSN DEX volume + 89.5% Morpho utilization with ~$890K headroom. The DCLM backstop is helpful but contractual/off-chain onlyKey Findings (current as of May 11)
0xE5e412C212B4FBbF550A94e7BD5e83dB0B315A7FmintAndRebase()— multisig can mint USN with zero collateral (rebaseLimit 50K/call, adjustable without timelock)maxRedeem()returns 0Closes #66
Test plan
0x4ea0…ef50) — multisig, MinterHandlerV2, 2 EOAs all still activesetAdmin()moved to USN token monitoring; Stork/oracle monitoring rewritten with correct semantics🤖 Generated with Claude Code