QiDAO Protocol Assessment

PaperImperium
GFX Labs
20 min read · Jun 1, 2024

Disclaimers
This report has been prepared by GFX Labs at the request of the QiDAO protocol’s original developers. The purpose of this report is to provide a high-level review of the economic and financial design of the QiDAO protocol and its associated stablecoin, MAI. The analysis and conclusions presented herein are based on the information available to GFX Labs at the time of writing and are intended solely for informational purposes.

Important Notices:

  • Scope of Report. This report does not cover technical, legal, regulatory, security, or other risks associated with the QiDAO protocol and its associated stablecoin, MAI. It is solely focused on the economic and financial aspects of the protocol and MAI.
  • No Legal or Investment Advice. The information provided in this report does not constitute legal, regulatory, investment, or financial advice. GFX Labs recommends that readers seek appropriate professional advice tailored to their individual circumstances.
  • Forward-Looking Statements. Any forward-looking statements in this report are based on assumptions and estimations that are subject to uncertainties and risks. Actual outcomes may differ materially from those projected.
  • No Liability. GFX Labs disclaims any liability for any direct, indirect, incidental, or consequential damages arising out of or in connection with the use of this report or the information contained herein.
  • Third-Party Information. This report may contain information derived from third-party sources. GFX Labs has not independently verified such information and makes no representations or warranties as to the accuracy, completeness, or reliability of such third-party information.
  • Review by Developers/Contributors. QiDAO protocol developers did not have control over the content of this report. However, they were allowed to review it prior to publication to assist with fact-checking.

By using this report, you acknowledge and agree to all of the above.

Protocol Overview
QiDAO is a stablecoin-generating protocol, which focuses on a core product called MAI. Users may permissionlessly utilize the QiDAO software protocol to generate MAI by locking supported digital assets in a specialized smart contract.

Economic Design
At the top level, the economic design for QiDAO and MAI is not dissimilar from the familiar collateralized debt position (CDP) model. The core product is MAI, which is intended to trade on the secondary market in a band of $0.99 to $1.01. To achieve this, QiDAO attempts to use two main methods of MAI generation and burning to target that price band: a Peg Stability Module (PSM) and user vaults, which are explained in more detail below.

An added challenge to this model is the cross-chain nature of MAI. MAI can be generated on 14 chains, and also exists on Fantom, which is currently frozen.

Source: app.mai.finance; retrieved May 11, 2024

This opens the possibility of MAI trading outside its intended band on local secondary markets. This is of special concern because there is not a PSM available on every chain where MAI is deployed.

Peg Stability Module
The QiDAO Peg Stability Module accepts stable-value digital assets, such as sDAI or USDC, and allows users to mint MAI on a 1:1 price basis. A user on Fraxtal with sFRAX, for example, can surrender $1 par value of sFRAX to mint 1 MAI token. Alternatively, a user can do the reverse, where they burn 1 MAI to receive $1 par value of sFRAX. This allows an arbitrage opportunity when MAI and the accepted stable assets trade outside the targeted fixed exchange rate, which is a $0.99 to $1.01 secondary market price for MAI.

PSMs have become popular mechanisms to stabilize an asset’s price in close to real time, as they do not experience the variable lag times and imprecise outcomes typical of interest rate or other CDP parameter changes. The best-known PSM is utilized by MakerDAO, where users can swap between USDC & DAI on a 1:1 basis.

QiDAO’s PSM strategy is considerably more complex than Maker’s. It has to support market intervention in markets where there is not a MAI PSM locally available, and QiDAO has adopted a multi-reserve PSM system with multiple accepted assets. MakerDAO’s PSM, by contrast, is responsible for DAI prices on Ethereum only and has moved away from being multi-reserve.

For QiDAO, the use of PSMs is relatively recent, with initial approval occurring in early January 2024. Several additional PSMs have been approved, with assets such as cUSDC, USDM, sDAI, and sFRAX. Rollout of these modules is still ongoing and should be considered a work in progress. As PSMs become operational and liquidity deepens on more chains, the risk of local market deviations in MAI price will fall, but the operational complexity of shifting PSM reserves could become more burdensome. PSM reserves are considered to be owned by the protocol, and are available for rehypothecation, though currently, most accepted assets are already yield-bearing versions of other stablecoins.

The risk assumptions of this mechanism will be covered in the Risk Factors section.

Overcollateralized Lending
The other method for users to generate MAI is through overcollateralized borrowing. A user can lock supported digital assets in a specialized smart contract within the QiDAO protocol, and then generate MAI against those assets, thereby “borrowing” MAI. The user’s assets stay within the smart contract and are not relent or rehypothecated on behalf of QiDAO governance or the protocol. In practice, this is a sort of self-lending, as the MAI is not provided by QiDAO governance or another entity, but comes into existence when the user chooses to borrow in this manner against their supported assets.

This can be counterintuitive to new users of this sort of protocol, and an (imperfect) analogy is if a user owned a physical safe with an ATM attached to it. By depositing valuables inside, the user is able to withdraw cash from the ATM. The safe will not unlock, however, until the cash has been repaid (plus any accrued fees). In this way, the user retains both ownership and control over their assets, but manages to still utilize a credit line against those assets.

QiDAO’s use of overcollateralized lending is sound in principle and is the industry standard for permissionless lending in decentralized finance. The risk assumptions around execution will be covered in the Risk Factors section.

Liquidation Procedure
Supported assets are often volatile in price. To prevent MAI that is not fully backed by collateral assets from circulating, liquidations occur when the value of a user’s locked assets falls below a predetermined liquidation threshold. For the QiDAO protocol, liquidations consist of a keeper or liquidator assuming 50% of the user’s debt in exchange for 50% of the assets. To avoid their own liquidation and be compliant with liquidation thresholds, this requires at least a partial repayment of the liquidated user’s MAI debt.

For example, consider a hypothetical user with $100 of collateral and 80 MAI debt. Their collateral depreciates to $90, falling below an 80% LTV/125% collateralization threshold. A liquidator can repay 50% of the user’s debt (40 MAI) in exchange for some of the collateral (including a bonus).

This is a relatively novel approach to liquidations. Most other borrow-lend protocols utilize a small set fee and either liquidate the entire balance of the user or, more commonly, just enough to allow the user’s vault to become appropriately collateralized again. The latter is widely used by familiar protocols such as Aave. The other liquidation procedure in use at major protocols is the use of Dutch auctions, but this is largely limited to MakerDAO.

QiDAO developers chose their 50% liquidation approach to address an edge case weakness in the predominant approach utilized by Aave and others. That weakness appears when a collateral’s price experiences a prolonged downward movement, a phenomenon the QiDAO developers refer to as the “death spiral” for the collateralization of a user’s vault. They point out that in extreme cases, this can result in bad debt accruing to the protocol as overcollateralization falls to the point it can no longer guarantee a liquidator their bonus.

Source: docs.mai.finance/liquidation

We generally think the risk of this is low, though it does open up a potential vector for griefing attacks by someone unconcerned with paying transaction costs in a low-gas environment like many chains where QiDAO operates. The 50% liquidation solution seems to strike a balance between addressing this edge case and fairness to users.
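The arithmetic behind the worked liquidation example and the “death spiral” case, as an added example (not QiDAO’s contract code or the report’s own). The 10% liquidator bonus and the second vault are assumed values, since the report does not state a bonus, and the names Vault, liquidate, half_liquidation, just_enough_repay and shortfall are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

BONUS = 0.10       # assumed liquidator bonus; the report does not state one
THRESHOLD = 1.25   # 125% collateralization, from the report's example


@dataclass(frozen=True)
class Vault:
    collateral_usd: float   # market value of the locked collateral
    debt_mai: float         # outstanding MAI, valued at $1 each

    @property
    def ratio(self) -> float:
        if self.debt_mai == 0:
            return float("inf")
        return self.collateral_usd / self.debt_mai


def liquidate(v: Vault, repay_mai: float, bonus: float = BONUS) -> Vault:
    """Liquidator repays `repay_mai` and seizes that value plus the bonus."""
    repay = min(repay_mai, v.debt_mai)
    seized = min(v.collateral_usd, repay * (1 + bonus))
    return Vault(v.collateral_usd - seized, v.debt_mai - repay)


def half_liquidation(v: Vault, bonus: float = BONUS) -> Vault:
    """Fixed 50%-of-debt liquidation, as the report describes for QiDAO."""
    return liquidate(v, 0.5 * v.debt_mai, bonus)


def just_enough_repay(v: Vault, target: float = THRESHOLD,
                      bonus: float = BONUS) -> Optional[float]:
    """Repayment that restores `target`, or None when no such amount exists.

    Solves (C - r(1+b)) / (D - r) = T for r. A solution within the vault's
    debt exists only while C/D >= 1 + b; below that, every liquidation
    lowers the ratio further, which is the "death spiral" case.
    """
    if v.ratio >= target:
        return 0.0
    if target <= 1 + bonus or v.ratio < 1 + bonus:
        return None
    return (target * v.debt_mai - v.collateral_usd) / (target - (1 + bonus))


def shortfall(v: Vault, bonus: float = BONUS) -> float:
    """MAI left unpaid if the whole vault is seized with the bonus honoured."""
    return max(0.0, v.debt_mai - v.collateral_usd / (1 + bonus))


if __name__ == "__main__":
    samples = {
        "report example ($90 / 80 MAI)": Vault(90.0, 80.0),
        "constructed spiral ($84 / 80 MAI)": Vault(84.0, 80.0),
    }
    for name, v in samples.items():
        after = half_liquidation(v)
        print(name)
        print(f"  ratio before            {v.ratio:.3f}")
        print(f"  ratio after 50% repay   {after.ratio:.3f}")
        print(f"  just-enough repayment   {just_enough_repay(v)}")
        print(f"  bad debt if fully seized {shortfall(v):.2f} MAI")
```
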

Risk assumptions of this approach are addressed in the Risk Factors section.

Governance Design
Changes in QiDAO governance structure are currently underway while this report is being drafted in May 2024, and readers should be sure to research any updates since the time of writing.

At present, QI tokenholders do not directly have the ability to execute code. QiDAO utilizes Snapshot votes to achieve consensus, with more than 230 proposals voted upon to date.

Operational tasks and upgrades are mainly handled by the QiDAO Guardians, which is a 4-of-6 multisig with publicly doxxed members. The Guardians are a mixture of QiDAO developers, community members, and partner organizations. The only organization with more than a single signer is the core developers, who have two of the six signers.

In line with industry best practices, QiDAO has been following a gradual decentralization path that is frequently advocated for by a16z (their term is “progressive decentralization”). In our experience, it is relatively rare to see a process of increasing decentralization of control that is both sustained and slow over many years. Many protocols tend to lose focus on decentralizing.

QiDAO began in 2021 with a variety of areas of responsibility for their governance token holders, and that has gradually expanded in the years since.

In June of 2023, technical control powers were vested into the current QiDAO Guardian multisig. This means tokenholders still do not directly control the technical aspects of the protocol, but it does provide some sanity checks.

The next milestone on QiDAO’s decentralization roadmap is to ungate proposal posting on the QiDAO snapshot. This would allow governance participants to present their own proposals (subject to a process with some documentation and compliance requirements).

More consideration of the risk assumptions is in the Risk Factors section.

Risk Factors & Possible Mitigations

Overcollateralized Lending and Bad Debt Risk
All borrow-lend protocols are exposed to the risk assumptions of the collateral assets. There are three main ways in which bad debt can accrue: oracle failure, asset issuer failure, and liquidation failure. These are each covered in their own subsection below.

Oracle Risk
QiDAO, like the majority of borrow-lend software protocols, utilizes oracles to inform the protocol on the value of user collateral for MAI loans. If an oracle returns an inaccurate price or goes offline, this can affect the protocol by either allowing debt to avoid liquidation or simply interfering with protocol operations, like allowing the issuance of new MAI debt.

QiDAO currently utilizes Chainlink and API3 oracles in order to find price feeds for its expansive list of supported collateral assets, some of which can be exotic or in exotic local markets. While Chainlink appears to be the preferred oracle partner, Pyth, API3, Redstone, and custom oracles have all been approved in the past. Because QiDAO’s competitive advantage is often offering overcollateralized lending on chains or using assets competitors don’t, it’s unlikely that QiDAO can restrict itself to using only the most battle-tested oracles.

We recommend, where a second oracle source is available, that lending utilize two oracles: a primary oracle and an anchor oracle. When the price reported by the primary oracle deviates from that of the anchor by some predetermined margin, lending can be automatically disabled. The use of two oracles is gradually becoming more common across the industry, and the use of a primary and anchor oracle reduces the risk associated with using newer or less battle-tested oracle solutions.

It is also important to note that oracles, when possible, should reflect local market prices where liquidations are likely to occur.
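One way to express the primary/anchor check recommended above, as an added example that is not QiDAO’s or the report’s code. The 2% margin, the one-hour staleness limit, the fail-closed handling of a missing feed, and the names Reading, Decision and evaluate are all assumptions; the sample readings are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for illustration; the report gives no figures.
MAX_DEVIATION_BPS = 200.0   # pause when primary is more than 2% from anchor
MAX_AGE_SECONDS = 3600      # a reading older than this is treated as offline


@dataclass(frozen=True)
class Reading:
    price: float       # USD price reported by the feed
    updated_at: int    # unix time of the feed's last update


@dataclass(frozen=True)
class Decision:
    borrowing_enabled: bool
    reason: str
    price: Optional[float]   # price to use for new debt, None when paused


def deviation_bps(primary: float, anchor: float) -> float:
    """Absolute deviation of the primary price from the anchor, in bps."""
    return abs(primary - anchor) / anchor * 10_000


def _usable(r: Optional[Reading], now: int, max_age: int) -> bool:
    # Reject missing feeds, NaN/inf/non-positive prices, stale readings and
    # timestamps from the future.
    return (
        r is not None
        and math.isfinite(r.price)
        and r.price > 0
        and 0 <= now - r.updated_at <= max_age
    )


def evaluate(primary: Optional[Reading], anchor: Optional[Reading], now: int,
             max_dev_bps: float = MAX_DEVIATION_BPS,
             max_age: int = MAX_AGE_SECONDS) -> Decision:
    """Gate new borrowing only; liquidation policy is out of scope here."""
    if not _usable(primary, now, max_age):
        return Decision(False, "primary feed missing, stale or invalid", None)
    if not _usable(anchor, now, max_age):
        # Fail closed: without an anchor the primary cannot be cross-checked.
        return Decision(False, "anchor feed missing, stale or invalid", None)
    dev = deviation_bps(primary.price, anchor.price)
    if dev > max_dev_bps:
        return Decision(
            False, f"deviation {dev:.0f} bps exceeds {max_dev_bps:.0f} bps", None
        )
    return Decision(True, "feeds agree", primary.price)


NOW = 1_700_000_000   # constructed timestamp

# Constructed readings: (label, primary, anchor)
SAMPLES = [
    ("agreeing", Reading(3000.0, NOW - 60), Reading(3030.0, NOW - 120)),
    ("diverged", Reading(3000.0, NOW - 60), Reading(2800.0, NOW - 120)),
    ("stale anchor", Reading(3000.0, NOW - 60), Reading(3030.0, NOW - 7200)),
    ("primary offline", None, Reading(3030.0, NOW - 120)),
]


def run_samples() -> dict:
    return {label: evaluate(p, a, NOW) for label, p, a in SAMPLES}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        state = "enabled" if decision.borrowing_enabled else "PAUSED"
        print(f"{label:16s} {state:8s} {decision.reason}")
```
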

Asset Issuer/Collateral Risk
All borrow-lend software protocols are exposed to the risk of their supported collateral assets. This risk can manifest as technical risk (a bug in the token contract or its associated smart contracts), governance risk (also known as rug risk in some circles), or solvency or financial risk (the token is dependent upon the proper functioning of some economic underpinning at another protocol or company).

QiDAO’s onboarding procedure currently reviews each of these risks prior to asset approval. The core developers typically present QiDAO voters with a condensed version with their assessment of each, which is scored according to a standardized rubric:

There is always the possibility that a key vulnerability is overlooked, particularly with complex assets that are built on top of other protocols, such as LP tokens for a DEX or farming strategy. But that possibility is always nonzero, and a standardized checklist of questions and rubric to score the asset are industry standard and have generally served protocols well, particularly when administered by the protocol’s own core team, which is aware of edge cases within their own protocol where some assets may pose unexpected risks.

Similar to MakerDAO, Aave, and other lending protocols, QiDAO imposes a maximum limit on how much MAI can be minted from any single asset, whether that is from overcollateralized debt or one of the PSMs. Such maximum limits are typically 1,000,000 MAI, and offer a ceiling on worst-case losses in the event a supported collateral asset loses 100% of its value instantly.

Because there is already a standardized risk assessment built into the collateral onboarding process, and caps on exposure to each asset, we do not recommend any further mitigations for standard onboarding.

Bad Liquidations Risk
Liquidations rely on a liquidator or keeper willing and able to use the buyRisky function, allowing the user to assume debt and collateral. This requires repayment of at least a portion of the outstanding debt in the form of MAI.

While the design is different from the prevailing standard at other protocols, the major risk is the same: that no liquidator shows up or that they are unable to successfully liquidate due to constraints like congested networks or lack of repayment asset.

The main risk is that it becomes impractical to liquidate due to high network fees or inability to source MAI to recapitalize the newly acquired debt.

QiDAO mitigates the risk of liquidation cost exceeding the benefit by enforcing a minimum debt. On Ethereum, this is currently 10,000 MAI, and for a variety of accepted collaterals on other chains this ranges from 0 to 10 MAI. Congestion is typically a problem restricted to Ethereum, so the minimum debt size ensures that there is enough debt to liquidate profitably even in times of high gas fees. This minimum debt threshold is an approach also utilized by MakerDAO vaults, and typically works well as a mitigant against small amounts of bad debt, but at the expense of preventing small users from accessing the protocol.

Availability of MAI is typically not a constraint, particularly at the scale needed on most chains. This is subject to change, and could in theory experience a liquidity crunch if bridges and sources of MAI generation cannot be relied upon quickly. This is theoretical only at the time of writing, with circulating MAI able to service liquidations on all active chains. This risk is also likely mitigated by capital controls QiDAO institutes to limit the flow of debt and assets between chains as part of its chain risk mitigation strategy.

Finally, QiDAO’s V2 includes caps on any individual vault size, intended to prevent any single position from becoming too big to liquidate, which is an issue that has presented at other protocols like Aave and Solend.

We do not recommend any additional mitigations, as QiDAO currently follows industry standards, keeping risks low and within acceptable bounds.

Governance Risk
Governance risk is the danger that malicious or incompetent governance could endanger the protocol. Conventionally, these are considered a trade-off, with a centralized, competent core team capable of a rug pull on one end of the spectrum and completely decentralized governance that may lack technical or financial sophistication on the other.

QiDAO sits close to the center, slightly on the centralized end of the spectrum, where core developers and contributors with specialized knowledge of the protocol and DeFi markets ultimately have admin control over the protocol’s governable parameters. This limits the ability for governance to approve low-quality collateral or irresponsible lending parameters. The QiDAO Guardians can simply decline to implement any proposal they feel is a danger to the protocol.

This does leave room for core contributors to cause mischief, but QiDAO mitigates this by having contributors that are publicly known (“doxxed”) and of relatively long tenure. The protocol itself has been in existence since 2021, and the general assumption is that both technical and governance risk diminish over time, if only because the opportunity to exploit the project would have been seized by now.

We recommend QiDAO continue with its commitment to decentralize over time, with particular emphasis on letting the governance token exercise direct administrative control over the protocol’s smart contracts. We also recommend implementing a timelock delay for governance actions. This can still be combined with the QiDAO Guardians multisig. While it may be a major technical and governance task to decentralize direct control, one milestone that would work well with QiDAO’s gradual approach is to let the governance tokenholders directly change membership of the QiDAO Guardians multisig (with a timelock to allow users to migrate in the event of a malicious or improperly configured upgrade).

Key Man Risk
Several aspects of QiDAO governance and operations are reliant upon specific individuals.

For governance functions, the QiDAO Guardians have administrative powers over a variety of smart contracts, and require a consensus of at least four signers to execute changes. In the event three of the signers become unavailable for any reason, the protocol would face significant challenges. This is especially important given the cross-chain interoperability of QiDAO deployments and lending parameters, which requires fine-tuning on a regular basis.

This is currently mitigated by having a well-balanced group of signers who are geographically dispersed and unlikely to suffer illness, accident, or life events in tandem. As a temporary measure, this is sufficient, but we recommend creating a mechanism for governance tokenholders to replace or reconstitute this multisig in the event that becomes necessary.

QiDAO operations and development appear to be highly dependent upon a small team of core developers. This team is composed of individuals who may become unavailable or impaired in tandem. The extent of this risk, and what possible mitigations are in place, is unclear. Publicly available documentation and GitHub are available, but likely insufficient for outside developers to quickly and safely continue work on the protocol.

We recommend quarterly or bi-annual reviews of all user-facing and technical documentation to ensure they are up to date.

We also recommend onboarding at least one technical contributor outside the core team. This would ensure there is someone familiar with the code base and able to continue work on QiDAO, either permanently or in a caretaker role until new developer contributors were in place. This is the approach being taken by larger open-source projects like Optimism, where outside technical contributors are given tasks that are not mission critical and do not present a danger to users or assets, allowing those contributors to begin familiarizing themselves with the code base.

Chain + Bridge Risk
Because QiDAO is deployed across many chains, the protocol is exposed to the possibility of losses in the event any chain suffers a catastrophic failure. The protocol is also exposed to bridge risk through any collateral that is not native to the chain it is accepted upon.

Unfortunately, QiDAO already experienced a black swan event around bridge/chain risk when the Multichain Bridge to Fantom was exploited or seized. This resulted in approximately 8,000,000 MAI bad debt. Because not all MAI minted on Fantom remained there, this allowed unbacked MAI to propagate throughout the MAI ecosystem, effectively exporting bad debt. QiDAO has worked to assume the bad debt over time, with the recent recapitalization on Polygon occurring in February.

Currently, QiDAO has disabled MAI fungibility across chains and also institutes capital controls to limit the amount of foreign-minted MAI on a chain.

If and when MAI bridging between chains resumes, there will always be the risk that MAI legitimately minted on a chain bridges to another chain and then becomes unbacked due to realized chain or bridge risk. Given that QiDAO is already widely exposed to a long list of chain/bridge counterparties, and its growth strategy demands making that list longer, it may not be practical to tightly curate the parties that guarantee the security of collateral assets (asset issuer, chain where the MAI is minted, bridge if the asset is not native to that chain).

The current capital controls are likely sufficient for the time being. The ability to limit the amount of foreign MAI in any local market sets a ceiling on the amount of unbacked MAI, similar to how debt ceilings limit the amount of bad debt that could accrue from a single collateral asset. This has the potential to degrade user experience in the long run, however. Given that QiDAO doesn’t have the option of starting from a blank slate to find ways to limit the number of chains/bridge partners it is exposed to, alternative methods of capital control may be worth exploring. The current ceiling on foreign MAI could become only one tool in a more expansive toolbox, with other possible mitigations being higher treasury reserves to assume bad debt, a tax upon migration to chains that are at or above their desired limit of foreign-minted MAI, or higher LTVs/fees on chains that experience large, consistent outflows of MAI to other chains.

Current chain risk policies enable restrictions on both inflow and outflow of MAI from a chain. This is important, because one can imagine a scenario where 100% of the MAI minted on BadChain is exported to a variety of QiDAO’s other supported chains. By having a parameter that limits the export of MAI, governance has a tool to prevent this from occurring.

We recommend QiDAO relax restrictions on the import of MAI to chains, and rely upon restrictions on the export of MAI as the primary manager of chain risk. Longer term, development of additional tools, such as a tax to bridge into a chain, would allow more flexibility for MAI users than simple quotas.

Because the risk of unbacked MAI is concentrated at the minting source, limits on export will continue to make a lot of sense to maintain. The benefit of restricting inflows of MAI to a given chain, however, is less obvious. The cost is potentially a bad user experience, particularly if a MAI user wishes to bridge but is prevented from doing so without understanding why.

Political Risk
Underappreciated by many projects, political risk manifests as action taken against a protocol, its developers, or its users by a government.

QiDAO’s structure is a software protocol and associated core contributors. The protocol itself cannot be seized by a government without accessing a quorum of individuals with administrative power, and the QiDAO Guardians appear to be geographically dispersed across different jurisdictions.

Indirectly, however, QiDAO was previously exposed to significant political risk. An example of this is the Multichain exploit or seizure in the summer of 2023. It has been widely assumed that the Multichain team ran afoul of local authorities in China. Likewise, any asset issuer, chain, or bridge that QiDAO is exposed to potentially carries some political risk. Unfortunately, it is not always obvious where a team, legal entity, or funds are located, and many will not disclose that information for a simple collateral integration.

Given the expansive list of collateral assets supported by QiDAO, the difficulty of identifying the amount of political risk each carries, and the low probability of catastrophic outcome, we do not recommend any additional mitigation measures.

PSM Liquidity Risk
Peg Stability Modules accept approved assets at a fixed exchange rate with MAI. To date, these are mainly yield-bearing, stable-value assets, such as USDM or sDAI. This helps to enforce the fixed exchange rate band of $0.99 to $1.01 on the secondary market for MAI.

A PSM can, in principle, perfectly prevent deviations above the targeted exchange rate by allowing an infinite amount of approved assets to be swapped for MAI. As a risk management policy, QiDAO governance does institute limits on how much MAI can be generated via PSM for a collateral asset, just as it does for vault debt. There are no signs that PSM capacity is a constraint, meaning it is very unlikely MAI would ever trade above its targeted price band for very long. Governance also has the option of increasing these limits at any time, because there are no liquidity constraints to supply more MAI.

The reverse, however, is not true. The amount of MAI that can be swapped back to an approved reserve asset is limited by how much of that asset is in a PSM. This means that, below the targeted exchange rate, there is a risk of the PSM running out of liquidity and being unable to continue supporting the fixed exchange rate on the open market.

At the microeconomic scale, this is akin to a bank run, where the bank eventually runs out of cash for people who are redeeming their bank deposits. At the macro level, it is akin to a small central bank with a fixed exchange rate running out of foreign reserves.

The main protection against PSMs running out of liquidity is properly pricing fees on borrowing. All lenders are ultimately price takers, not price makers, and must bend to the realities of market forces. If a stablecoin lender like QiDAO prices its borrowing fees too low, users may borrow MAI, swap to one of the PSM assets, then use that asset elsewhere. If this is done too many times, then the PSM empties, and a liquidity crisis occurs.

This was narrowly avoided earlier this year at MakerDAO, when rates needed to be dramatically raised to halt outflows resulting from unsustainably low borrowing rates.

Source: vote.makerdao.com/executive/template-executive-vote-out-of-schedule-executive-vote-increase-edsr-increase-stability-fees-decrease-gsm-delay-usdc-psm-throughput-change-trigger-spark-proxy-spell-march-8–2024

Because MAI is present in so many local markets, PSM management will become increasingly complex for QiDAO governance over time. The first line of defense will always be the rates charged and other parameters, but the possibility of an enduring, local market environment that results in draining a PSM cannot be dismissed.

We recommend establishing and testing a process that can be used to migrate reserves from one PSM to another in the event a local market cannot reduce outflows through standard parameter changes.

Summary of Findings

In most ways, QiDAO is exposed to the expected risks of a borrow-lend stablecoin protocol. Overall, the project either adopts industry best practices, is actively moving towards them, or could implement them.

While modest improvements in oracle risk mitigation can be made to address reliance on a variety of oracle providers, the first major risk that users and tokenholders should be aware of is the significant chain risk and bridge risk. There are few protocols exposed to so many infrastructure counterparties. See the attached appendix for a list of identified chain, bridge, and oracle counterparties.

Unfortunately, it is difficult for QiDAO to robustly mitigate many of these risks. Bearing counterparty risk from an extensive list of chains, bridges, and asset issuers is an important part of QiDAO’s competitive advantage. The biggest improvement that can be made easily is that the export of MAI from a chain be limited, but only rarely the import of MAI, as we mentioned in the Chain + Bridge Risk subsection. Loosening this restriction can allow MAI to flow between safer chains more freely and efficiently, while the risk of bad debt contagion is managed through export restrictions on riskier chains.

The second major risk is the current concentration of administrative powers in the QiDAO Guardians. A 4-of-6 multisig represents a step towards decentralization from QiDAO’s historical administrative power structure, but is not sufficiently decentralized to prevent abuse. Introducing checks on this multisig — such as a timelock on its decisions and veto power by governance tokenholders — should be prioritized in the medium term. More robust checks and/or wider distribution of administrative access to the core protocol should continue to be the longer term focus.

Otherwise, we generally encourage QiDAO to continue with its progress towards decentralization, with a goal of moving faster towards decentralization over time. This is an important mitigation to some risks in and of itself, but also a core ethos of the decentralized finance industry.

Our main recommendations are that the QiDAO protocol can improve its risk profile through continued decentralization, and can loosen some of the capital controls put in place in the wake of the Multichain Bridge exploit. This is based on the assumption that QiDAO will either continue or improve its current risk management practices.

Appendix: Infrastructure Exposure
Below is a list of protocols that QiDAO is exposed to and are not primarily asset token issuers. It is recommended that QiDAO make an annual review of each to confirm their trust assumptions, security track record, and continued support for chains/bridge routes/price feeds QiDAO utilizes.

*Treasury balance excluding QI at time of writing; exposure equal to assets secured by oracles, bridged by bridge, and treasury assets + the greater of debt issued or MAI present on a chain.

**Ethereum is treated as securing its L2s as well.

It should be noted that while very few individual infrastructure providers have the ability to create an insolvent QiDAO, this is in part due to the diversified treasury of the protocol, and its distribution across many chains. Several assets making up >5% of the treasury, such as AERO, ARB, WBTC, VELO, OP, and BIFI, are volatile in price. Changes in the market prices of those tokens largely determine whether QiDAO has existential exposure to any counterparties.
