Saturn (USDat)

Audits and Due Diligence Disclosures

• Per Saturn's due-diligence materials, USDat/sUSDat were audited by Three Sigma (USDat received a Three Sigma audit; Three Sigma also did the NAV-tracking and leakage modelling) and Certora (formal verification, engaged from mid-January 2026), with a third audit planned before mainnet. The Saturn docs Transparency & Audits page links four audit report files. TODO: download each of the four reports to confirm firm, date, exact scope, and unresolved findings (the firm list above is from Saturn's DD docs, not yet cross-checked against the published PDFs).
• The bulk of USDat's logic is the M0 m-extensions library (JMIExtension, MYieldToOne, Freezable, ForcedTransferable, Pausable). This M0 codebase has been independently audited multiple times as part of the M0 protocol. Saturn's own additions are a thin USDat.sol wrapper (whitelist gating + forced-transfer wiring), which lowers bespoke-code risk. Saturn states USDat smart-contract risk is "relatively low as the contract is a simple ERC20 token using OpenZeppelin standards … modified to support a blacklist and the ability to rescue tokens."
• Smart-contract architecture complexity: moderate. USDat is a TransparentUpgradeableProxy over a well-structured M0 extension. The novel surface is small; the main risk is upgradeability and admin powers, not contract complexity.
• Unresolved audit findings: TODO (pending audit report review).

Bug Bounty [If Applicable]

• No bug bounty program — confirmed absent from the docs (via the GitBook docs Q&A endpoint) and not found on Immunefi.
• Safe Harbor (SEAL) adoption: TODO — not confirmed.

Historical Track Record

• Time in production: ~2.5 months (USDat deployed 2026-03-10). This is very young.
• TVL: ~$126M, reached quickly after launch. High TVL in a <3-month-old protocol is itself a concentration consideration rather than a maturity signal.
• Past security incidents: none known (none expected given age).
• Peg history: USDat trades near $1; the Curve USDC/USDat pool is roughly balanced (see Liquidity). No depeg events observed. TODO: pull historical peg/price series for a fuller picture.
• Concentration risk from large depositors / holder distribution: TODO (holder list requires Etherscan Pro). A large fraction of supply is staked into sUSDat (sUSDat supply ≈ 106.5M shares).
• Funding: seed round (Jan 2026) led by YZi Labs and Sora Ventures plus angels. Reported amount conflicts across sources ($800K vs $2M) — TODO: confirm.
• STRC stability history (sUSDat-layer context, from Saturn's risk analysis): STRC's annualized realized volatility fell from ~15.25% to ~2.14% after a $2.25B reserve was implemented (~Feb 2026); max observed intraday drawdown ~6.03% (2025-11-20). STRC has traded below par 10 times since inception, with the last five recoveries each under 10 days.

Funds Management

USDat is an M0 extension. The fund flow is:

USDC  ──(Saturn app, onboarded user)──▶  M0 Swap Facility  ──swap──▶  $M  ──wrap──▶  USDat (1:1)
                                                                                       │
                                              M0 Treasury yield ───────────────────────┘──▶ yieldRecipient (Saturn)

• The protocol delegates backing entirely to M0 (the $M token). There is no other delegation for USDat itself. The collateral asset is held as $M on the USDat contract.
• Monitoring delegation changes: the ASSET_CAP_MANAGER_ROLE can authorize additional backing assets (the M0 "JMI / Just Mint It" model supports collateral assets beyond $M). Today totalAssets() ≈ 0 (backing is effectively all $M), but this is a parameter to watch — see Monitoring.

Accessibility [If Applicable]

• Who can mint/redeem: only whitelisted ("onboarded") addresses. The whitelist is enforced on wrap (mint) and unwrap (redeem) via _revertIfNotWhitelisted (verified in source). isWhitelistEnabled() = true on-chain.
• Regular transfers are NOT whitelist-gated — verified: the whitelist hooks fire only on _beforeWrap/_beforeUnwrap, not on transfer/transferFrom. This is why the Curve pool (not whitelisted) trades freely. Implication for Yearn: a non-onboarded holder can hold and transfer USDat but cannot mint or redeem directly — its only exit is the secondary market (Curve/Pancake) unless Yearn is whitelisted.
• Atomicity: the on-chain wrap (M → USDat) and unwrap (USDat → M) are atomic. The USDC↔M leg runs through the M0 Swap Facility in the same user flow. USDat→USDC redemption for onboarded users is effectively 1:1 and prompt (Treasury-backed, no queue). The sUSDat layer has a withdrawal queue (STRC liquidation); USDat itself does not.
• Redemption path (verified against Saturn DD docs): an onboarded user redeems in two on-chain legs — (1) swap/swapWithPermit on the M0 Swap Facility to turn USDat into wM (0x437cc33344a0B27A429f795ff6B469C72698B291), then (2) swap wM → USDC via the Uniswap wM/USDC pool (1 bps fee on that leg). Non-KYC'd users cannot redeem and must exit via the Curve pool.
• Fees / cooldowns on USDat: mint is 1:1 with USDC and effectively fee-free aside from the 1 bps Uniswap leg on the wM→USDC redemption path; no cooldown or queue on USDat itself. (The 10 bps fee in Saturn's docs and the withdrawal queue apply to the sUSDat staking layer, not USDat.)

Token Mint Authority

Mint mechanism: Closed mint — USDat can only be minted by the M0 Swap Facility calling wrap(...), which is gated onlySwapFacility. There is no MINTER_ROLE that can issue USDat directly. Minting requires depositing backing ($M or an allowed asset) in the same transaction, and the caller must be whitelisted.

Mint requires backing: Yes — wrap pulls in $M (or an allowed asset, 1:1) before minting USDat. No role can mint unbacked USDat under the current implementation. Caveat: the contract is an upgradeable proxy; the Admin (ProxyAdmin owner) could upgrade the implementation to alter this. See Centralization.

Per-address mint authority (verified on-chain May 27, 2026, from token contract 0x23238f20b894f29041f48D88eE91131C395Aaa71):

Address	Can Mint	Can Burn	Role / Mechanism	Notes
0xB6807116b3B1B321a390594e31ECD6e0076f6278	✓	✓	onlySwapFacility (wrap/unwrap)	M0 Swap Facility ("Mint and Redeem Contract"). Sole mint/burn path; mint pulls $M 1:1 first. Caller must be whitelisted.
0x10D59F776db12b4B271b2609CB8b7Ddd0A82703B	—	(seize)	FORCED_TRANSFER_MANAGER_ROLE	Compliance (Fireblocks 2/3 MPC). Cannot mint; can forceTransfer tokens out of frozen accounts. Also holds FREEZE_MANAGER_ROLE, PAUSER_ROLE, WHITELIST_MANAGER_ROLE.
0x610182581C93687Ca03F4a8E7f124f8cEC616820	(via upgrade)	(via upgrade)	DEFAULT_ADMIN_ROLE + ProxyAdmin owner	Admin (Fireblocks 2/3 MPC). Cannot mint directly, but owns the ProxyAdmin and can upgrade the implementation to introduce a mint path.

Rate limits / supply caps: No global USDat supply cap. Per-asset caps exist for non-$M backing assets (setAssetCap, ASSET_CAP_MANAGER_ROLE); none are material today.

Backing check at mint time: Atomic — the Swap Facility/wrap path requires the backing asset to be received before USDat is minted.

No mints (privileged unbacked-supply) edge exists for USDat: supply creation is collateral-gated through the Swap Facility, not a privileged minter. The only way to subvert this is a proxy upgrade by the Admin MPC.

Collateralization

• Backing: 100% on-chain in $M. Verified: M.balanceOf(USDat) = 126,010,142.17 vs totalSupply = 125,957,146.79 → fully backed with a small excess (undistributed yield, yield() ≈ $52,992).
• Collateral quality: $M is M0's tokenized short-term U.S. Treasuries product — high quality. However, USDat's backing is one protocol layer removed: USDat's solvency depends on $M holding its peg and on M0's own (off-chain, attested) Treasury reserves. USDat holds ~$126M of $M out of $M's ~$342M total supply (~37%) — a large share of a single underlying.
• Over-collateralization / liquidations: USDat is a 1:1 wrapper, not a CDP — no liquidations, no maintenance ratio. Peg stability rests on (a) $M redeemability and (b) the Curve/Pancake arbitrage pools.
• Custodial / privileged actions on funds: The compliance MPC can freeze any account and forceTransfer (seize) tokens from frozen accounts, and can pause all transfers. These are disclosed as compliance controls. The Admin MPC can upgrade the contract.
• Risk curation: asset caps for additional backing assets are managed by ASSET_CAP_MANAGER_ROLE (Processor MPC).

Provability

• USDat's $M backing is fully on-chain verifiable in real time (M.balanceOf(USDat) vs totalSupply()), and the exchange rate (currentIndex()) is read programmatically from M0 — anyone can compute it.
• The next layer down (M0's Treasury reserves backing $M) is off-chain and relies on M0's own attestation/governance.
• Saturn uses Accountable for real-time proof-of-reserves of the off-chain assets, and Chainlink publishes a NAV oracle from the Accountable feed; per the DD docs the NAV oracle updates every 24 hours or on a 50 bps move, and the STRC price feed updates every 24 hours or on a 10 bps move. These primarily serve sUSDat NAV (STRC is off-chain, custodied at Clear Street). For USDat, the $M backing is held in the token contract and is directly verifiable on-chain without relying on these feeds. TODO: confirm the Accountable PoR feed is live and record its address; confirm the Chainlink NAV oracle address. A Saturn STRC Price Feed (0x5f7eCD0D045c393da6cb6c933c671AC305A871BF) and a Chainlink STRC Price Feed (0xf4d2076277fff631EFC4385Ab36b1f7734218d23) exist on-chain.

Liquidity Risk

• Primary exit for onboarded users: direct 1:1 redemption USDat → $M/USDC via the Swap Facility (Treasury-backed, prompt, no queue).
• Exit for non-whitelisted holders (e.g., a Yearn vault that is not onboarded): secondary market only.
  • Curve USDC/USDat pool 0xf4d0cf32908b2c7f1021339c43df0f77f06896d7: ~$9.72M USDC + ~$9.66M USDat ≈ $19.4M, balanced (verified on-chain).
  • Curve USDC/sUSDat pool 0x6206ca315c2fcdd2a857b47efb285aa12c529a7a (sUSDat layer).
  • PancakeSwap USDT/USDat pool on BSC 0xF80Ab3Cc041d8Ccc1c51AcC295AFdba26AD70Aa9.
• For a ~$126M token, ~$19M of on-chain USDat liquidity is moderate. Small-to-mid exits clear with low slippage; a large exit ($5M+) by a non-whitelisted holder would move the Curve pool meaningfully. Slippage curve per size: TODO (quote on-chain).
• The cleanest mitigation for Yearn is to be whitelisted so it can redeem 1:1 directly, removing dependence on pool depth.
• USDat itself has no withdrawal queue. (The queue applies to sUSDat / STRC liquidation.)
• Behavior under stress / historical drawdown liquidity: TODO (insufficient history — <3 months).

Centralization & Control Risks

Governance

• Upgradeable: USDat is a TransparentUpgradeableProxy. Implementation: 0x17cac25c6d6bbcb592837fea083a5c8eb4d1e52e. ProxyAdmin: 0xcf1072DA5f0D127AEf99136489BAd08bFa3D1A7D, owned by the Admin address 0x6101…6820.
• No on-chain timelock and no Gnosis Safe — all privileged addresses are Fireblocks 2-of-3 MPC wallets (per docs). A 2/3 MPC is functionally a low-threshold, no-timelock controller.
• Privileged roles (verified on-chain via hasRole):

Role	Holder	Type	Power
DEFAULT_ADMIN_ROLE + ProxyAdmin owner	0x6101…6820 (Admin)	Fireblocks 2/3 MPC	Grant/revoke roles; upgrade the implementation
FREEZE_MANAGER_ROLE	0x10D5…703B (Compliance)	Fireblocks 2/3 MPC	Freeze/unfreeze any account
FORCED_TRANSFER_MANAGER_ROLE	0x10D5…703B (Compliance)	Fireblocks 2/3 MPC	Seize tokens from frozen accounts
PAUSER_ROLE	0x10D5…703B (Compliance)	Fireblocks 2/3 MPC	Pause all transfers
WHITELIST_MANAGER_ROLE	0x10D5…703B (Compliance)	Fireblocks 2/3 MPC	Manage mint/redeem whitelist
YIELD_RECIPIENT_MANAGER_ROLE	0x09D6…729f (Processor)	Fireblocks 2/3 MPC	Change the yield recipient
ASSET_CAP_MANAGER_ROLE	0xA18f…A3Ad (Processor 2)	Fireblocks 2/3 MPC	Authorize/cap additional backing assets

• Can governance pause, freeze, or seize user funds? Yes — freeze + forced transfer + pause are all live and held by the Compliance MPC. These are standard regulated-stablecoin compliance controls (cf. USDG, USDC) but represent real holder risk and a notable centralization signal.
• Documentation discrepancy (resolved in favour of on-chain): Saturn's internal Ops/Risk doc describes an earlier design in which "funds that back USDat are held in a Copper custodial multisig wallet" (not in the contract) and the admin is a "3-of-5 multisig." The live, on-chain design supersedes this: USDat is an M0 extension, the $M backing sits in the token contract (verified: M.balanceOf(USDat) = $126M), and the roles are held by Fireblocks 2/3 MPC addresses (per the key-addresses page). Treat on-chain state as authoritative; the "off-chain custody / 3-of-5" framing is stale. The exact MPC signer threshold cannot be verified on-chain (MPC is off-chain) — taken from docs.

Programmability

• Core mint/redeem and accounting are programmatic and on-chain: USDat is 1:1 non-rebasing; the index/exchange rate is read from M0 (currentIndex()); backing is verifiable on-chain.
• Off-chain dependencies: user onboarding/KYC (whitelist), the USDC↔$M swap routing in Saturn's app, and the sUSDat STRC management (off-chain). For USDat-as-collateral the critical accounting is on-chain.

External Dependencies

• M0 is a single critical dependency. USDat is 100% backed by $M; if M0 depegs, is paused, or its Treasury backing is impaired, USDat is directly affected. M0 is a permissioned stablecoin protocol with its own governance and minter set. TODO: assess M0's own risk posture (minter collateralization, governance, audits) — it is the de-facto floor on USDat's risk.
• M0 Swap Facility (0xB680…6278) — the sole mint/redeem contract; an M0/Saturn-controlled component. TODO: confirm who controls/can-upgrade the Swap Facility and which assets it accepts.
• Fireblocks MPC infrastructure underpins all admin keys.
• Oracles: STRC price feeds (Saturn + Chainlink) are relevant to sUSDat NAV, not USDat's 1:1 peg.

Operational Risk

• Team: Backed by reputable investors (YZi Labs, Sora Ventures). Founder/team identities and track record: TODO (not fully verified this session).
• Documentation: GitBook plus a detailed private DD pack (FAQ, contract spec, ops/risk, STRC analysis). Reasonably thorough, but contains internal inconsistencies — see the Governance note on the stale "Copper custodial / 3-of-5" description. Quality: good for a young protocol, with version drift.
• Legal structure / jurisdiction (from DD docs): A Cayman foundation owns a BVI token issuer ("Saturn Capital") that receives user stablecoins and issues USDat. When USDat is staked, Saturn Capital invests via a regulated BVI fund ("Saturn Fund") that holds the STRC; the smart-contract layer is launched under Panama jurisdiction. Off-chain service providers: Galaxy (execution broker / on-off-ramp), Clear Street (STRC custody, Galaxy's partner), Securitize (fund administrator/transfer agent), Fireblocks (key management). Note: per the DD docs, "ownership claims cannot be enforced in court for the capital backing the protocol" — relevant mainly to the sUSDat/STRC layer (USDat's $M backing is on-chain).
• Incident response: Documented compliance levers (pause, blacklist + fund recall via forced transfer) exist; a formal tested incident-response plan is TODO.

Monitoring

Key contracts and signals:

What	Contract / Call	Threshold / Watch
Backing ratio	M.balanceOf(0x2323…aa71) vs USDat.totalSupply()	Alert if backing/supply < 1.00 (any shortfall)
Peg	Curve pool 0xf4d0…96d7 price; off-chain USDat/USD	Alert on >0.5% deviation from $1
Implementation upgrade	ProxyAdmin 0xcf10…1A7D Upgraded events; EIP-1967 impl slot of 0x2323…aa71	Alert on any upgrade
Admin/role changes	RoleGranted/RoleRevoked on USDat; ProxyAdmin OwnershipTransferred	Alert on any change to the role table above
Freeze / forced transfer / pause	Freeze/ForcedTransfer/Paused events on USDat	Alert on any event
New backing assets	AssetCapSet events; totalAssets()	Alert if non-$M backing becomes material
Yield recipient change	setYieldRecipient / yield-recipient events	Alert on change
Liquidity depth	Curve 0xf4d0…96d7 / 0x6206…9a7a balances	Alert if USDat-side depth drops sharply
M0 health	$M peg, M0 total supply / pause status (0x866A…be1b)	Track underlying-protocol risk

Recommended frequency: backing ratio and peg hourly; governance/upgrade/freeze events real-time (event-driven); liquidity and M0 health daily.

Appendix: Contract Architecture

GOVERNANCE (Fireblocks 2/3 MPC — no timelock)
  ┌─────────────────────────────────────────────────────────────────────┐
  │ Admin 0x6101…6820   → DEFAULT_ADMIN_ROLE + owns ProxyAdmin (upgrade)  │
  │ Compliance 0x10D5…703B → FREEZE / FORCED_TRANSFER / PAUSER / WHITELIST│
  │ Processor 0x09D6…729f  → YIELD_RECIPIENT_MANAGER                      │
  │ Processor2 0xA18f…A3Ad → ASSET_CAP_MANAGER                            │
  └───────────────┬──────────────────────────────┬────────────────────────┘
                  │ owns                          │ roles
        ┌─────────▼─────────┐                     │
        │ ProxyAdmin        │                     │
        │ 0xcf10…1A7D       │                     │
        └─────────┬─────────┘                     │
                  │ upgrades                       │
TOKEN LAYER       ▼                                ▼
        ┌─────────────────────────────────────────────────────┐
        │ USDat (TransparentUpgradeableProxy) 0x2323…aa71       │
        │   impl 0x17ca…e52e  (M0 JMIExtension + ForcedTransfer)│
        │   1:1 non-rebasing wrapper · whitelist on wrap/unwrap │
        └───────▲───────────────────────────────┬─────────────┘
                │ wrap/unwrap (onlySwapFacility) │ holds backing
        ┌───────┴────────────┐          ┌────────▼─────────────┐
        │ M0 Swap Facility   │◀──USDC──▶│ $M (M0 token)        │
        │ 0xB680…6278        │  swap    │ 0x866A…be1b          │
        └────────────────────┘          └────────┬─────────────┘
                                                  │ backed by
PROTOCOL / UNDERLYING                             ▼
        ┌─────────────────────────────────────────────────────┐
        │ M0 protocol — tokenized U.S. Treasuries (off-chain   │
        │ reserves, M0 governance & minters)                   │
        └─────────────────────────────────────────────────────┘

YIELD LAYER (context only — not USDat backing)
        sUSDat 0xD166…2Df7 (ERC-4626 on USDat) → STRC (Strategy BTC-backed
        preferred equity) → queued redemptions, STRC price feeds

---

Reassessment Triggers [If Applicable]

• Time-based: Reassess in 3 months (protocol is <3 months old; track maturity and audit confirmation).
• TVL-based: Reassess if USDat supply changes by more than ±30%, or if backing/supply ratio drops below 1.00.
• Dependency-based: Reassess on any $M/M0 depeg, pause, or governance/minter change.
• Governance-based: Reassess on any USDat implementation upgrade, role change, or a freeze/forced-transfer/pause event.
• Backing-mix-based: Reassess if non-$M backing assets become material (AssetCapSet).
• Incident-based: Reassess after any exploit or peg deviation.

---

Pending TODOs (for follow-up)

1. Cross-check the 4 published audit PDFs (firms identified as Three Sigma + Certora) against the docs — record exact dates, scope, and unresolved findings.
2. Confirm Safe Harbor (SEAL) status (bug bounty confirmed none — not in docs, not on Immunefi).
3. Confirm the Accountable PoR feed is live and record its address; record the Chainlink NAV oracle address (cadence known: 24h / 50 bps).
4. Assess M0's own risk (minter collateralization, governance, audits) as the floor on USDat risk; confirm who controls/can-upgrade the M0 Swap Facility and accepted assets.
5. Pull holder distribution and historical peg/price series (Etherscan Pro / Dune).
6. Confirm team identities and seed amount ($800K vs $2M); record the two GitHub repo URLs (USDat / sUSDat).
7. Quote on-chain slippage for USDat exit sizes ($1M / $5M / $10M) on the Curve pool.
8. Optional: generate the contract dependency graph YAML at reports/graph/saturn-usdat.yaml.

Sources consulted this session

GitBook docs + key addresses; on-chain verification via cast/Etherscan; DefiLlama TVL; and the issue's deeper sources rendered via Notion's public page API and a Google Docs text export (Saturn DD FAQ, Product Operations & Risk, STRC Risk Analysis, STRC Product intro, and the contract-spec doc). The Lucidchart flow-of-funds and the X post were not ingested.