Overview
The system design document in our Github repository provides an overview of the smart contracts architecture and details about the protocol implementation.
The Protocol Operations chapter explains how these contracts work together to provide the core functionality of the protocol.
Some monetary units
Reserve Protocol refers to units of financial value in a handful of different ways, and treats them as different dimensions. Some of these distinctions may seem like splitting hairs if you're just thinking about one or two example RTokens, but the differences are crucial to understanding how the protocol works in a wide variety of different settings.
The following are the three main financial units that apply to the protocol:
-
Unit of Account: any particular RToken must have a single Unit of Account. This unit is used internally to compare the values of different assets, as when deciding when there's enough revenue to start an auction, or in which of several surplus assets we hold the largest surplus.
By default, the unit of account for all RTokens is USD. As this financial unit is mostly for internal calculations (such as converting price feeds), there is no reason for an RToken deployer to change it—it is therefore also not an RToken parameter. -
Target unit: each collateral token in an RToken basket is expected to generally be stable or appreciating against some exogenous currency. The exogenous currency is that collateral's target unit. We expect that in many RTokens that people actually want, all of those target units will be the same, and we can speak of the RToken maintaining stability or appreciation against its target unit.
-
Reference unit: when collateral tokens are expected to appreciate, it's generally because some DeFi protocol produces a “receipt token” that is freely redeemable for some base token, the redemption rate of which is expected to monotonically increase over time. That base token is the reference unit for the collateral token.
A couple examples:
- For a Compound collateral token such as cUSDC, the unit of account is USD, the reference unit USDC and target unit USD.
- For an Aave collateral token such as aUSDP, the unit of account is USD, the reference token USDP and target unit USD.
- Let's say we're building a pure-stable USD basket, out of USDC, USDP, and DAI. The unit of account would surely be USD. Each collateral token would also be its own reference unit, and their target units would be USD.
Reserve Protocol expects collateral tokens (e.g. cUSDC) to be in a known, predictable relationship with the reference units (e.g. USDC), and the reference units to be in a known, predictable relationship with the target units (e.g. USD) and will flag the collateral token as defaulting if any of these relationships appear to be broken.
Basket Dynamics
“Baskets” in the Reserve Protocol are arrays of financial values that the protocol references when keeping RTokens fully collateralized at all times. We differentiate between the following three types of baskets:
-
Prime basket: This is the target collateral basket at the onset of an RToken that defines which collateral needs to be deposited for issuances. The prime basket is directly set by governance, and only changes through successful governance proposals. It consists of an array of triples (
<collateral token, target unit, target amount>
) where each portion of the basket has atarget amount
of thetarget unit
that should be represented bycollateral token
.
For example, if the prime basket contains the triple<cUSDC, USD, 0.33>
, that means "The RToken should contain 0.33 USD per basket, as represented by cUSDC". -
Reference basket: When the prime basket is updated by governance or in the case of a collateral default, the protocol will determine a new “Reference Basket” and then take certain actions (described in the Protocol Operations section) to change the collateral makeup until it matches the new basket. This new basket is called the reference basket and, like the prime basket, consists of a set of triples
<collateral token, reference unit, reference amount>
. Each triple means that each basket unit must contain an amount ofcollateral token
currently equivalent toreference amount
of thereference unit
.
For example, if the reference basket contains the triple<aDAI, DAI, 0.33>
, then one basket unit should contain whatever amount of aDAI is redeemable in its protocol for 0.33 DAI. -
Collateral basket: the collateral basket is derived, moment-by-moment and on-demand, from the reference basket. Since DeFi redemption rates can change every transaction, so can the collateral basket. The collateral basket is a set of pairs
<collateral token, token amount>
. Each pair means that each basket unit must containtoken amount
ofcollateral token
.
For example, if the reference basket contains the pair<cUSDC, O.29>
, then one basket unit will contain 0.29 cUSDC.
System states and roles
Reserve Protocol contains five core governance roles that any governance smart contract can easily integrate in order to create new governance systems for RTokens:
OWNER
: the top level decision maker, typically a decentralized governance smart contract, responsible for setting or updating all RToken parameter values, RToken baskets, etc. - The RToken OWNER has the power to:- grant and revoke roles to any Ethereum account
- set governance parameters
- upgrade system contracts
PAUSER
: has the ability to pause and unpause an RToken’s system. The PAUSER role should be assigned to an address that is able to act quickly in response to off-chain events, such as a Chainlink feed failing. It is ok to have multiple pausers. It can be robot-controlled. It can also consist of a 1-of-N multisig for high availability and coverage. It is acceptable for there to be false positives, since redemption remains enabled. See the table below for more information on what exactly a “pause” of an RToken means.SHORT_FREEZER
: has the ability to freeze an RToken’s system for a short period of time. The SHORT_FREEZER role should be assigned to an address that might reasonably be expected to be the first to detect a bug in the code and can act quickly, and with some tolerance for false positives, though less than in pausing. It is acceptable to have multiple short freezers. It can be robot-controlled. It can also consist of a 1-of-N multisig for high availability and coverage. If a bug is detected, a short freeze can be triggered which will automatically expire if it is not renewed by LONG_FREEZER.
When the SHORT_FREEZER call freezeShort(), they relinquish their SHORT_FREEZER role, and can only be re-granted the role by the OWNER (governance). The OWNER may also step in and unfreeze at any time.LONG_FREEZER
: has the ability to freeze an RToken’s system for a long period of time. The LONG_FREEZER role should be assigned to an address that will highly optimize for no false positives. It is much longer than the short freeze. It can act slowly and needs to be trusted. It is probably expected to have only one long-freezer address. It allows only 6x uses per long-freezer. It exists so that in the case of a zero-day exploit, governance can act before the system unfreezes and resumes functioning.
When the LONG_FREEZER calls freezeLong(), they spend a “charge”. A LONG_FREEZER starts with 6 charges, and when they run out of charges they relinquish the LONG_FREEZER role. Only the OWNER can re-grant the role or top up an accounts charges.GUARDIAN
: has the ability to reject proposals even if they pass. Should be assigned to a multisig or EOA that can be trusted to act as a backstop. It is acceptable if it is relatively slow to act. Only one guardian address should be defined.
💡 While Reserve Protocol is a fully open system that allows the integration of any custom governance smart contract for RTokens, the Reserve team has deployed a recommended governance system that will be suggested to RToken deployers. If you’re interested in reading about its details, please refer to the Governor Anastasius.
The roles mentioned above each have the ability to put their RToken’s system in specific non fully functional states in the case of an attack, exploit, or bug. These states are:
-
Issuance Paused: when an RToken’s system is issuance-paused, all interactions are enabled except issuance. It is a narrow control knob that is designed solely to protect against a case where bad debt is being injected into the protocol. An RToken’s system can be issuance-paused by any of the Pauser addresses calling
pauseIssuance()
and resumed by callingunpauseIssuance()
. -
Trading Paused: when an RToken’s system is trading-paused, all interactions besides issuance, redemption, ERC-20 functions, staking of RSR, and rewards payout are disabled. It is designed to prevent against cases where the protocol may trade unnecessarily. An RToken’s system can be trading-paused by any of the Pauser addresses calling
pauseTrading()
and resumed by callingunpauseTrading()
. -
Frozen: when an RToken’s system is frozen, all interactions besides ERC-20 functions and staking of RSR are disabled. An RToken’s system can be short-frozen by any of the SHORT_FREEZER addresses calling
shortfreeze()
. This freeze can be extended by any of the LONG_FREEZER addresses callinglongfreeze()
, or can be resumed by the SHORT_FREEZER or OWNER addresses by callingunfreeze()
.
Action | Trading Paused | Issuance Paused | Frozen |
---|---|---|---|
Issue RToken | Enabled | Disabled | Disabled |
Redeem RToken | Enabled | Enabled | Disabled |
Staking RSR | Enabled | Enabled | Enabled |
Unstaking RSR | Disabled | Enabled | Disabled |
Cancel Unstake RSR | Enabled | Enabled | Disabled |
Withdraw RSR | Disabled | Enabled | Disabled |
RSR Rewards Payout | Enabled | Enabled | Enabled |
Trading | Disabled | Enabled | Disabled |
RToken Melting | Enabled | Enabled | Enabled |
Deployed rtokens
Many Reserve Protocol smart contracts rely on the proxy pattern, whereby users interact with proxy contracts which store data but which do not contain business logic. Rather, all function calls in these proxy contracts are delegated to implementation contracts to execute the desired logic. Implementation contracts and versions of the protocol are provided below.
Anyone can create an RToken
In a similar way as how anyone can create a new trading pair on Uniswap, anyone can permissionlessly create a new Reserve stablecoin (RToken) by interacting with Reserve Protocol’s smart contracts. The protocol applies a system of factory smart contracts that allows anyone to deploy their own smart contract instance.
Creating an RToken can be done either by interacting directly with the Reserve Protocol’s smart contracts or any user interface that gets built on top of it. The first user interface for these smart contracts will be released by ABC Labs the company that's leading protocol development. Besides the creation of RTokens, this user interface will also support exploring usage and stats related to RTokens, RToken minting & redeeming, and RSR staking.
Non-compatible ERC20 assets
The following types of ERC20s are not supported to be used directly in an RToken system. These tokens should be be wrapped into a compatible ERC20 token to be used within the protocol. A concrete example is the use of Static ATokens for Aave V2.
- Rebasing Tokens that return yields by increasing the balances of users
- Tokens that take a "fee" on transfer
- Tokens that do not expose the decimals() in their interface. Decimals should always be between 1 and 18.
- ERC777 tokens which could allow reentrancy attacks
- Tokens with multiple entry points (multiple addresses)
- Tokens with multiple entry points (multiple addresses)
- Tokens that do not adhere to the ERC20 standard in general
Advanced RToken parameters
When deploying an RToken, the deployer has the ability to configure many different advanced parameters. The following list goes into detail about what these parameters do and some of the factors the deployer should keep in mind to set them.
As many of these parameters concern the Protocol Operations, we advise reading through that section of the documentation first—as it will give the deployer the necessary context to fully understand all parameters.
Trading delay(s)
The trading delay defines how many seconds should pass after the basket has been changed before a trade can be opened.
A collateral asset can instantly default if one of the invariants of the underlying DeFi protocol breaks. If that would happen, and we would not apply a trading delay, the protocol would react instantly by opening an auction. This would give only auctionLength seconds for people to bid on the auction, making it very possible for the protocol to lose value due to slippage.
The trading delay parameter may only be needed in the early days - before we get to a point where there is a robust market of MEV searchers. We expect that this parameter can be set to zero later on (once a robust market of MEV searchers is established).