Tier 1 · Cantina · 2025-04-15 · MUSD smart contracts (not deep-read per scope; pre-dates the PCV V2 upgrade)
0 deal-breaker FAILs · 8 open issues · 0 EOA surfaces · 18 contracts · 1 audit · 1 Tier-1
Mezo · CDP / Synthetic Assets (stablecoin) (Liquity-v2-style fork, BTC collateral, per-trove interest) · TVL $29.40M
MUSD (Mezo USD)
Audited 06/08/2026 · 2w ago Tier: Moderate–Complex
Deal Breaker Gate: CONDITIONAL (passed with material caveats)
Score: 60/100 (Grade B)
Risk Level: Medium (aggregate finding)
Re-check Cadence: Weekly (suggested for next assessment)
Findings
MUSD is a faithful Liquity-v2-style BTC-CDP stablecoin with sound core mechanics — verified checks-effects-interactions on every native-BTC payout, symmetric interest accounting, and mint/burn authority correctly scoped to the canonical system contracts. The B grade reflects three governance and operational gaps rather than code defects: an untimelocked 5-of-9 Gnosis Safe holding full upgrade and mint-list authority, a single chain-native BTC/USD oracle with no fallback and no value-sanity bounds on the read path, and deployed bytecode that post-dates the only public audit and is unverified on the Mezo explorer. The deal-breaker gate clears with no failures.
- ▸ MUSD token is clean and minimal — mint/burn gated to canonical Liquity system contracts; no public mint path
- ▸ Untimelocked 5/9 Gnosis Safe owns every ProxyAdmin and the token — single-tx upgrade or mint-list rug vector
- ▸ Single chain-native BTC/USD oracle with no fallback and no price>0/deviation sanity bounds on the read path
- ▸ Deployed bytecode post-dates the only public audit (Cantina 2025-04-15) and is unverified on Blockscout
- ▸ Wormhole NTT bridge runs in locking mode and is not a minter — cannot inflate native MUSD supply
Technical findings only — not financial advice.
Trust Surfaces
Who can move funds, and how fast

| Surface | Controller | Type | Min Delay | Worst Case |
|---|---|---|---|---|
| All ProxyAdmins (core contracts) — Proxy upgrade | 0x98D8899c3030741925BE630C710A98B57F397C7a ↗ | Multisig 5/9 | Instant | Upgrade BorrowerOperations to mint freely or ActivePool to drain BTC collateral — no timelock, single transaction |
| MUSD token — Owner (mint list) | 0x98D8899c3030741925BE630C710A98B57F397C7a ↗ | Multisig 5/9 | Instant | addToMintList an arbitrary address to mint unlimited MUSD |
| PriceFeed — setOracle (onlyOwner) | 0x98D8899c3030741925BE630C710A98B57F397C7a ↗ | Multisig 5/9 | Instant | Repoint the BTC/USD oracle to a malicious feed — mis-price collateral, minting, and liquidations |
| PCV / GovernableVariables — Owner | 0x98D8899c3030741925BE630C710A98B57F397C7a ↗ | Multisig 5/9 | Instant | Adjust PCV/governance parameters; movements are scoped to PCV's own capital and cannot pull user StabilityPool deposits or trove collateral |
Deal Breaker Matrix
PASS 15 FAIL 0 N/A 7 Inconclusive 1
Access Control & Governance
| Item | Status | Evidence |
|---|---|---|
| EOA Upgrade Control | PASS | All ProxyAdmins owned by the 5/9 Gnosis Safe 0x98D8899c3030741925BE630C710A98B57F397C7a (v1.3.0), not an EOA. |
| EOA Fund Control | PASS | No single-EOA fund-withdrawal path; admin powers are multisig-gated. |
| >60% Governance Centralization | N/A | No governance token; control is via the multisig. |
| Governance Mechanism Bypass | N/A | No on-chain token voting. |
| Timelock Backdoors | PASS | No bypass functions, but there is NO timelock at all between the Safe and the ProxyAdmins/token — scored as a risk in §2.2, not a hard breaker. |
| No Emergency Controls | N/A | Liquity-style non-custodial CDP has no pause; an upgrade is the only lever. |
Oracle & Price Integrity
| Item | Status | Evidence |
|---|---|---|
| Direct Pool Price Oracle | PASS | Oracle is the Mezo L1 chain-native BTC/USD precompile, not a DEX spot price. |
| Manual Price Control | PASS | No setPrice; setOracle (onlyOwner/Safe) must point to a feed returning decimals()>0 and a nonzero price. Repointing risk scored in §2.4 (C-04). |
Smart Contract Architecture
| Item | Status | Evidence |
|---|---|---|
| Known Compiler Bugs | PASS | Solidity 0.8.24, no applicable CVE. |
| No Reentrancy Protection | PASS | Strict CEI verified on all native-BTC payout paths; PCV adds nonReentrant. |
| Unlimited Minting | PASS | Mint gated to system contracts; the Safe can add an arbitrary minter (centralization risk in §2.2, not a breaker). |
| Unsafe Delegatecall / Call | PASS | No delegatecall; only SendCollateral raw .call{value} for native-BTC transfer. |
| Uninitialized Implementation | PASS | _disableInitializers() present in all upgradeable impls (one exception: GovernableVariables, D-1 — low impact). |
| Unprotected Initializer | PASS | initializer/reinitializer modifiers present; on-chain initialized=true. |
Audit & Verification
| Item | Status | Evidence |
|---|---|---|
| No Audit + High TVL | PASS | Cantina audit (2025-04-15); TVL ≈ $29M MUSD supply. |
| Unverified Contracts | Inconclusive | Deployed bytecode is UNVERIFIED on Blockscout; reviewed against the official GitHub source. Not a hard breaker (source is public/open). |
| Critical Unfixed Issues | PASS | No public unfixed Critical/High known; the Cantina PDF was not deep-read per scope. |
Economic & Liquidity
| Item | Status | Evidence |
|---|---|---|
| Zero Flash Loan Protection | PASS | Oracle-priced CDP; no same-block DEX reads; core ops atomic and CEI-safe. |
| Broken Tokenomics | N/A | Stablecoin; no APY emissions. |
| No Slippage Protection | PASS | Redemptions/adjustments use hints + max-fee parameters; the signature path carries deadlines. |
Cross-Chain & Bridges
| Item | Status | Evidence |
|---|---|---|
| Centralized Bridge | N/A | The NTT Manager on Mezo runs in locking mode and holds no mint/burn rights on the native token; guardian trust applies only to wrapped MUSD on other chains (out of scope). |
| No Transfer Limits | N/A | Bridge rate limits are an NTT/destination-chain concern; native token supply is unaffected. |
| No Token Verification | N/A | Native token; canonicality enforced by the NTT lock/mint invariant off-chain. |
Open Issues
P1: 2 · P2: 6
- P1 High · Access Control · Timeline: 1 month
  - Issue: Untimelocked 5/9 Safe can mint (via the mint list) or upgrade to drain (A-1/A-2)
  - Impact: Latent total loss if the multisig is compromised or malicious; a single transaction can add a minter or replace an implementation
  - Recommendation: Add a timelock to the ProxyAdmin owner; cap and/or timelock mint-list additions
- P1 High · Code Quality · Timeline: 1 month
  - Issue: Deployed code post-dates the Cantina audit and bytecode is unverified (RF)
  - Impact: Audited code is not provably the deployed code; the PCV V2 delta carries unknown risk
  - Recommendation: Re-audit the V2 delta; verify the deployed bytecode on the Mezo explorer
- P2 Medium · Oracle · Timeline: 3 months
  - Issue: Single chain-native oracle with no fallback and no value-sanity bounds (C-01)
  - Impact: Per-block updates (~3s) keep the 60s staleness window safe, so no normal-operation freeze; the residual risk is a single bad/zero price being trusted directly, or a chain oracle-module stall freezing the system
  - Recommendation: Add a fallback (e.g. the Mezo Pyth feed at 0x2880…7B43) plus deviation/circuit-breaker bounds
- P2 Medium · Oracle · Timeline: 3 months
  - Issue: fetchPrice lacks a price>0 / round-completeness check (C-02)
  - Impact: A zero or negative answer would mis-price collateral or disable liquidations with no guard
  - Recommendation: Add value and round-completeness guards on the read path
- P2 Medium · Economic · Timeline: 3 months
  - Issue: Fixed redemption fee with no dynamic base-rate decay (C-03)
  - Impact: Weaker peg-restoration force under a sustained depeg
  - Recommendation: Restore Liquity's dynamic base-rate spike/decay mechanism
- P2 Low · Dependencies · Timeline: 3 months
  - Issue: MUSD transfer reverts on to==address(this): non-standard ERC20 behavior (D-2)
  - Impact: Integration and composability breakage for naive integrators
  - Recommendation: Document the deviation; assess integrator impact
- P2 Low · Code Quality · Timeline: 3 months
  - Issue: GovernableVariables implementation missing _disableInitializers() (D-1)
  - Impact: The implementation can be initialized (low impact behind a proxy)
  - Recommendation: Add a constructor disable for consistency
- P2 Low · Smart Contract · Timeline: 3 months
  - Issue: PCV withdraw* lack nonReentrant; a malicious feeRecipient can DoS distributeMUSD (B-2/B-3)
  - Impact: Griefing or limited denial-of-service against fee distribution
  - Recommendation: Add reentrancy guards; validate the feeRecipient
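
The read-path guards recommended in C-01 and C-02, sketched as an added example that is not Mezo's PriceFeed code. It assumes both feeds expose a Chainlink-style `latestRoundData()` with the same decimals; the contract name, the `backup` feed wiring, the seed price and the 20% `MAX_DEV_BPS` bound are hypothetical, and only the 60s staleness window comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Assumed Chainlink-style interface; not taken from the MUSD source.
interface IFeed {
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical guarded reader; both feeds are assumed to use the same decimals.
contract GuardedPriceReader {
    uint256 public constant MAX_DELAY = 60;      // staleness window cited in the report
    uint256 public constant MAX_DEV_BPS = 2_000; // assumed 20% deviation bound
    IFeed public immutable primary;
    IFeed public immutable backup;
    uint256 public lastGoodPrice;

    error NoUsablePrice();

    constructor(IFeed primary_, IFeed backup_, uint256 seedPrice) {
        require(seedPrice > 0, "seed price must be nonzero");
        primary = primary_;
        backup = backup_;
        lastGoodPrice = seedPrice;
    }

    function fetchPrice() external returns (uint256 price) {
        (bool okP, uint256 p) = _read(primary);
        (bool okB, uint256 b) = _read(backup);
        if (okP && _near(p, lastGoodPrice)) price = p;      // normal case
        else if (okP && okB && _near(p, b)) price = p;      // large move confirmed by both feeds
        else if (okB && _near(b, lastGoodPrice)) price = b; // primary failed or is an outlier
        else revert NoUsablePrice();                        // circuit breaker: refuse to price
        lastGoodPrice = price;
    }

    // Value, staleness and round-completeness guards (C-02); a reverting feed counts as failed.
    function _read(IFeed feed) private view returns (bool ok, uint256 price) {
        try feed.latestRoundData() returns (uint80 roundId, int256 answer, uint256, uint256 updatedAt, uint80 answeredInRound) {
            ok = answer > 0 && updatedAt != 0 && updatedAt <= block.timestamp
                && block.timestamp - updatedAt <= MAX_DELAY && answeredInRound >= roundId;
            if (ok) price = uint256(answer);
        } catch {}
    }

    // True when a and b differ by at most MAX_DEV_BPS of b.
    function _near(uint256 a, uint256 b) private pure returns (bool) {
        uint256 diff = a > b ? a - b : b - a;
        return diff * 10_000 <= b * MAX_DEV_BPS;
    }
}
```

Reverting when no feed passes trades liveness for safety; returning `lastGoodPrice` instead keeps the system live but lets operations run on a stale price.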
Contract Inventory
MUSD (token)
0xdD468A1DDc392dcdbEf6db6e34E89AA338F9F186 ↗ Unverified
Compiler: 0.8.24
BorrowerOperations
0x44b1bac67dDA612a41a58AAf779143B181dEe031 ↗ Unverified Proxy
Compiler: 0.8.24
TroveManager
0x94AfB503dBca74aC3E4929BACEeDfCe19B93c193 ↗ Unverified Proxy
Compiler: 0.8.24
StabilityPool
0x73245Eff485aB3AAc1158B3c4d8f4b23797B0e32 ↗ Unverified Proxy
Compiler: 0.8.24
ActivePool
0x3012C2fE1240e3754E5C200A0946bb0E07474876 ↗ Unverified Proxy
Compiler: 0.8.24
DefaultPool
0xE4B5913C0c82dB2eFC553b95c0173efb90a07c8B ↗ Unverified Proxy
Compiler: 0.8.24
InterestRateManager
0x4a453700d157717Fe02fB62E7700ED7845048285 ↗ Unverified Proxy
Compiler: 0.8.24
Unverified Proxy
Compiler: 0.8.24
Unverified Proxy
Compiler: 0.8.24
GovernableVariables
0x560AC4Ea44Fb7EB2D4d3c00608CB1CAb2613d389 ↗ Unverified Proxy
Compiler: 0.8.24
CollSurplusPool
0xBF51807ACb3394B8550f0554FB9098856Ef5F491 ↗ Unverified Proxy
Compiler: 0.8.24
SortedTroves
0x8C5DB4C62BF29c1C4564390d10c20a47E0b2749f ↗ Unverified Proxy
Compiler: 0.8.24
Unverified Proxy
Compiler: 0.8.24
HintHelpers
0xD267b3bE2514375A075fd03C3D9CBa6b95317DC3 ↗ Unverified Proxy
Compiler: 0.8.24
BorrowerOperationsSignatures
0xB57ab578BF20b3e318f3EFAA587C51DBccE5df7a ↗ Unverified Proxy
Compiler: 0.8.24
Oracle — Skip precompile (BTC/USD)
0x7b7c000000000000000000000000000000000015 ↗ Unverified
Compiler: n/a
NTT Manager (Mezo)
0x7efb386675d75280D39Aae42964A6776DE0ee0bD ↗ Unverified
Compiler: n/a
Wormhole Transceiver (Mezo)
0x56E27f1A8425515FFD4BD76A254Ac1a5c0B66D71 ↗ Unverified
Compiler: n/a
Audit History
Protocol
Website: https://mezo.org/docs/users/musd/ ↗
TVL Source: On-chain MUSD totalSupply (29,416,412 MUSD); not listed on DeFiLlama
Operations
Bug Bounty: None detected
All role assignments (7)
| Contract | Role | Holder | Powers |
|---|---|---|---|
| MUSD (token) | owner (Ownable) | 0x98D8…7C7a (5/9 Safe) | Manage the mint list and burn list (addToMintList, etc.) |
| All ProxyAdmins | owner | 0x98D8…7C7a (5/9 Safe) | Upgrade every core proxy (BorrowerOperations, TroveManager, ActivePool, PriceFeed, PCV, …) |
| PriceFeed | owner | 0x98D8…7C7a (5/9 Safe) | setOracle — repoint the BTC/USD price source |
| PCV | owner | 0x98D8…7C7a (5/9 Safe) | Governance fund movements scoped to PCV's own capital |
| MUSD (token) | minter | BorrowerOperations, InterestRateManager | Mint MUSD |
| MUSD (token) | burner | BorrowerOperations, TroveManager, StabilityPool | Burn MUSD |
| InterestRateManager | owner | Renounced post-setup | Ownership renounced after configuration |