Skip to content
All protocols
Ethereum Stablecoin (Managed Single-Asset (yield via off-chain STRC credit exposure)) TVL $88.60M

Saturn Credit

Audited 06/24/2026 · today Tier: Moderate
Deal Breaker Gate
CONDITIONAL
Passed with material caveats
Score
68.4 /100
Grade B
Risk Level
Medium
Aggregate finding
Re-check Cadence
Weekly
Suggested for next assessment
0 deal-breaker FAILs 9 open issues 3 EOA surfaces 10 contracts 3 audits 2 Tier-1

Findings

This is the full scored assessment that the April run never produced — that pass halted at the deal-breaker gate. The three April access-control deal breakers are now resolved by a 5-day TimelockController migration (verified on-chain), and the implementations are byte-identical to April, so no code re-audit was triggered. Saturn is well-engineered — modern OpenZeppelin v5.x, comprehensive reentrancy protection, ERC4626 inflation defense, internal-accounting NAV, and three prior audits — with no Critical/High code vulnerability and no unprivileged drainable path. The score lands at the B band (68.4, a B+ at the bottom of the band) because of structural trust concentration rather than code defects: 92.5% of the $88.6M vault NAV is off-chain STRC credited by a non-timelocked single-key processor that can move the liquid balance within a ±20% tolerance, the 5-day timelock's sole proposer/canceller is still a single EOA, a slow 24h-heartbeat single oracle prices the off-chain NAV, and there is no bug bounty. The team is publicly doxxed.

  • April's 3 access-control deal breakers resolved — upgrade authority now behind a 5-day TimelockController
  • 92.5% of the $88.6M vault NAV is off-chain STRC credited by the processor — not provable on-chain
  • Non-timelocked single-key processor can move the liquid USDat balance within a ±20% tolerance, uncapped
  • The 5-day timelock's sole proposer/canceller is still a single EOA — delay without decentralization
  • Slow single oracle (24h-heartbeat Chainlink STRC feed) prices 92.5% of NAV; no fallback
  • No bug bounty / security contact; team is publicly doxxed (Kevin Li, Ellis Osborn, Seb)

Technical findings only — not financial advice.

Trust Surfaces

Who can move funds, and how fast
USDat / sUSDat / Withdraw / StrcPriceOracle — Upgrade & DEFAULT_ADMIN
Timelock
Controller 0xfD57…8A67 ↗
Min delay 120h
Worst case Upgrade any core contract or change the oracle/params — but only after a public 5-day delay (the canonical exit window)
TimelockController — PROPOSER & CANCELLER
EOA
Controller 0x6101…6820 ↗
Min delay Instant
Worst case Sole proposer and canceller: can queue a 5-day-delayed malicious upgrade, indefinitely cancel remediation, or freeze admin if the key is lost
sUSDat — PROCESSOR_ROLE (convertFromUsdat)
EOA
Controller Processor key (single EOA, non-timelocked)
Min delay Instant
Worst case Move the liquid USDat balance via convertFromUsdat within a ±20% tolerance, uncapped and repeatable; off-chain STRC backing (92.5% of NAV) is not on-chain-provable
USDat — COMPLIANCE_ROLE
EOA
Controller Compliance key (hot key)
Min delay Instant
Worst case Freeze accounts, arbitrary-recipient forceTransfer, manage the whitelist, and both pause and unpause USDat
Mint/Redeem (SwapFacility) — Proxy upgrade
Timelock
Controller 0x23CA…A468 ↗
Min delay 72h
Worst case Mint/Redeem upgrade — 72h public delay before exposure
Chainlink STRC Feed — Owner
Multisig 4/9
Controller 0x21f7…73CA ↗
Min delay Instant
Worst case Replace the underlying Chainlink STRC price-feed implementation

Deal Breaker Matrix

PASS 17 FAIL 0 N/A 5 Inconclusive 1

Access Control & Governance

Item Status Evidence
EOA Upgrade Control PASS Was FAIL in April. Upgrade authority on all 4 core contracts now terminates at a 5-day TimelockController (0xfD57…8A67, minDelay 432000s). UUPS _authorizeUpgrade = onlyRole(DEFAULT_ADMIN_ROLE) = timelock; USDat ProxyAdmin owner = timelock. Old EOA fully revoked.
EOA Fund Control PASS Was FAIL in April. No single EOA can upgrade-to-drain; the upgrade path is 5-day-timelock-gated. The processor's convertFromUsdat is the intended conversion mechanism within ±20% tolerance with an off-chain backing obligation — scored as a Fund Control / economic weakness (§2.2, F-2), not an unrestricted EOA withdrawal.
>60% Governance Centralization N/A No governance token.
Governance Mechanism Bypass N/A No on-chain voting.
Timelock Backdoors PASS Was FAIL in April. Timelock executor = address(0) (open), admin = self; no fastTrack/emergencyExecute. 5d ≫ 48h mainnet minimum. Mint/Redeem under a separate 72h timelock. updateOracle now timelock-gated.
No Emergency Controls PASS Pause via COMPLIANCE_ROLE; unpause via DEFAULT_ADMIN_ROLE (timelock).

Oracle & Price Integrity

Item Status Evidence
Direct Pool Price Oracle PASS Chainlink STRC feed wrapped with staleness + bounds; not a DEX spot price.
Manual Price Control PASS No direct price setter; updateOracle / setPriceBounds are now 5-day-timelock-gated.

Smart Contract Architecture

Item Status Evidence
Known Compiler Bugs PASS Solidity 0.8.20 / 0.8.26, no applicable CVE.
No Reentrancy Protection PASS OZ ReentrancyGuard + CEI; SwapFacility transient-storage lock.
Unlimited Minting PASS USDat mints only by wrapping M 1:1 (onlySwapFacility).
Unsafe Delegatecall / Call PASS No delegatecall or unvalidated .call{} in Saturn contracts.
Uninitialized Implementation PASS All implementations call _disableInitializers().
Unprotected Initializer PASS initializer-gated; already initialized on-chain.

Audit & Verification

Item Status Evidence
No Audit + High TVL PASS 3 audits (Three Sigma + 2× Certora); TVL ~$88.6M, audited.
Unverified Contracts PASS 10/10 in-scope contracts verified on Etherscan (100%).
Critical Unfixed Issues Inconclusive Audit PDFs not re-read this pass (per process).

Economic & Liquidity

Item Status Evidence
Zero Flash Loan Protection PASS Was Inconclusive in April. Internal-accounting NAV + async withdrawal + vesting break same-block manipulation.
Broken Tokenomics PASS Was Inconclusive in April. ~11% real yield from off-chain STRC, well below 100%; not emission-driven.
No Slippage Protection PASS depositWithMinShares, mintWithMaxAssets, requestRedeem(minUsdatReceived).

Cross-Chain & Bridges

Item Status Evidence
Centralized Bridge N/A Single chain (Ethereum only).
No Transfer Limits N/A Not a bridge.
No Token Verification N/A Not a bridge.

Open Issues

P1: 4P2: 5
  • P1 Medium · Access Control Timeline: 1 month
    Timelock's sole PROPOSER + CANCELLER is a single EOA (F-1)
    Impact: Delay without decentralization: key loss freezes admin (incl. unpause); key compromise can propose a malicious upgrade (5-day window) or indefinitely cancel remediation
    Recommendation: Move PROPOSER/CANCELLER to a ≥3/5 multisig with an independent canceller
  • P1 Medium · Access Control Timeline: 1 month
    Non-timelocked single-key processor can move the liquid USDat balance via convertFromUsdat (F-2)
    Impact: The processor can move the entire liquid USDat balance within a ±20% tolerance, uncapped and repeatable; off-chain STRC backing (92.5% of NAV) is not on-chain-provable
    Recommendation: Add on-chain caps/rate limits to convertFromUsdat; reduce reliance on off-chain-credited STRC backing
  • P1 Medium · Economic Timeline: 1 month
    ±20% toleranceBps compounds to a ~33% value-leak ceiling per processor conversion (F-7)
    Impact: toleranceBps bounds strcAmount and purchasePrice independently, compounding to roughly a 33% value-leak ceiling per conversion by the trusted processor
    Recommendation: Narrow toleranceBps to ≤5%
  • P1 Medium · Operations Timeline: 1 month
    No public bug bounty program or security contact
    Impact: No incentive or channel for responsible vulnerability disclosure (counted as a red flag in the assessment)
    Recommendation: Establish an Immunefi program with a $100K+ max bounty and a public security contact
  • P2 Medium · Economic Timeline: 3 months
    Withdrawal settlement allows a ≤20% haircut vs previewRedeem; minUsdatReceived can be 0 (F-8)
    Impact: A per-request minUsdatReceived of 0 still validates, allowing settlement up to 20% below previewRedeem
    Recommendation: Enforce a minimum minUsdatReceived; bound the settlement haircut vs previewRedeem
  • P2 Low · Access Control Timeline: 3 months
    USDat COMPLIANCE hot key holds freeze + forceTransfer + whitelist + pause and unpause (F-3)
    Impact: Broader than the sUSDat/Queue compliance roles: a single key can freeze, force-transfer to an arbitrary recipient, manage the whitelist, and both pause and unpause
    Recommendation: Split the compliance hot key's powers; separate pause from unpause; constrain forceTransfer
  • P2 Low · Smart Contract Timeline: 3 months
    Unbounded user-iterated loops (_claimAllFor over balanceOf) (F-4)
    Impact: Gas-griefing / self-DoS; funds remain escapable via per-NFT claim
    Recommendation: Bound the user-iterated loops or document per-NFT claim as the escape hatch
  • P2 Low · Oracle Timeline: 3 months
    Oracle has no fallback; a stale/out-of-bounds feed reverts all sUSDat accounting (F-5)
    Impact: A feed failure reverts deposit/preview/requestRedeem — a liveness DoS (fails closed)
    Recommendation: Add an oracle fallback / circuit breaker so a feed failure does not DoS vault accounting
  • P2 Low · Oracle Timeline: 3 months
    getPrice omits answeredInRound / round-completeness; loose staleness and static bounds (F-6)
    Impact: 36h staleness ceiling vs a 24h heartbeat, static $20–$150 bounds (~±50%), and no deviation breaker
    Recommendation: Add answeredInRound/round-completeness checks; tighten staleness to the 24h heartbeat; add a deviation breaker

Contract Inventory

USDat (Proxy)
0x23238f20b894f29041f48D88eE91131C395Aaa71 ↗
Verified Proxy
Compiler: 0.8.26
USDat (Impl)
0x17cac25c6d6bbcb592837fea083a5c8eb4d1e52e ↗
Verified
Compiler: 0.8.26
sUSDat (Proxy)
0xD166337499E176bbC38a1FBd113Ab144e5bd2Df7 ↗
Verified Proxy
Compiler: 0.8.20
sUSDat (Impl)
0x2005e0ca201a37694125ff267ae57872bea0a0ce ↗
Verified
Compiler: 0.8.20
Mint/Redeem (Proxy)
0xB6807116b3B1B321a390594e31ECD6e0076f6278 ↗
Verified Proxy
Compiler: 0.8.26
Mint/Redeem (Impl)
0x45bf08d042a8958f01f8e8319b791e4584550da8 ↗
Verified
Compiler: 0.8.26
Withdraw (Proxy)
0x4Bc9FEC04F0F95e9b42a3EF18F3C96fB57923D2e ↗
Verified Proxy
Compiler: 0.8.20
Withdraw (Impl)
0x256fa0ba1b6dfb50ee883955c5a99d3c1b017fd5 ↗
Verified
Compiler: 0.8.20
StrcPriceOracle
0x5f7eCD0D045c393da6cb6c933c671AC305A871BF ↗
Verified
Compiler: 0.8.20
Chainlink STRC Feed
0xf4d2076277fff631EFC4385Ab36b1f7734218d23 ↗
Verified Proxy
Compiler: 0.6.6

Audit History

Tier 2 Three Sigma Unknown Audit #1 — full scope undisclosed Report ↗
Tier 1 Certora Unknown Audit #2 — full scope undisclosed Report ↗
Tier 1 Certora Unknown Audit #3 — full scope undisclosed Report ↗

Protocol

TVL Source: On-chain vault NAV ≈ $88.6M (USDat supply ≈ $116M); not listed on DeFiLlama

Operations

Bug Bounty: None detected
All role assignments (8)
Contract Role Holder Powers
USDat DEFAULT_ADMIN_ROLE Timelock 0xfD57…8A67 Grant/revoke roles, full admin — behind 5-day delay
USDat COMPLIANCE_ROLE Compliance key Freeze, arbitrary-recipient forceTransfer, whitelist, pause + unpause
sUSDat DEFAULT_ADMIN_ROLE Timelock 0xfD57…8A67 UUPS upgrade, vesting, fees, tolerance, params — behind 5-day delay
sUSDat PROCESSOR_ROLE Processor key (single EOA) convertFromUsdat (±20% tolerance), distribute rewards, settle withdrawals
Withdraw DEFAULT_ADMIN_ROLE Timelock 0xfD57…8A67 UUPS upgrade, unpause — behind 5-day delay
StrcPriceOracle DEFAULT_ADMIN_ROLE Timelock 0xfD57…8A67 updateOracle, set staleness, set price bounds — behind 5-day delay
TimelockController PROPOSER_ROLE / CANCELLER_ROLE 0x6101…6820 (single EOA) Queue (5-day-delayed) or cancel privileged operations
TimelockController EXECUTOR_ROLE address(0) (open) Anyone may execute an operation after the 5-day delay

Related notes

All notes →

All reports for Saturn Credit