Onboard sfrxUSD as Collateral on FiRM

Summary

This post is a preliminary signal of intent to onboard sfrxUSD as a collateral asset on FiRM, pending:

1. a full risk assessment and parameter recommendation by the Risk Working Group (RWG), and
2. market and feed deployments.

The goal here is to align the DAO, core contributors, and the Frax community around the direction of travel, while the risk work is done in the background.

Why now: we’ve been working directly with the Frax team, and we have an understanding that if Inverse onboards sfrxUSD as collateral on FiRM, Frax will help push and support sDOLA being onboarded as collateral into various Morpho curated vaults (with frxUSD as the debt token). This is a strategically valuable distribution for sDOLA, especially in light of the recent Curve Lend / LlamaLend incident, meaning new sDOLA collateral integrations are vital.

Background

sfrxUSD is the yield-bearing (ERC-4626) “savings” version of frxUSD. Users stake frxUSD and receive sfrxUSD, which accrues yield via an increasing redemption rate back into frxUSD.

From FiRM’s perspective, this is a familiar collateral profile: a yield-bearing, USD-denominated asset that borrowers may want to lever while locking in FiRM’s fixed-rate borrow cost.

Motivation / Business Case

1) Direct product benefit for FiRM

Adding sfrxUSD gives FiRM another high-quality “stable yield” collateral option that should be attractive to:

• stablecoin allocators who prefer levered yield with predictable borrow costs; and
• borrowers who already hold frxUSD/sfrxUSD and want fixed-rate leverage without rotating out of their asset.

2) Strategic partnership value: unlock Morpho distribution for sDOLA

The bigger unlock is the partnership flywheel:

• Inverse onboards sfrxUSD collateral on FiRM
  → Frax helps drive sDOLA onboarding into Morpho curated vaults (as collateral, with frxUSD as debt)
  → sDOLA gets new, credible collateral utility in a venue that is actively curated/risk-managed
  → Inverse benefits from increased sDOLA relevance and (by extension) DOLA ecosystem demand.

This is exactly the type of mutually beneficial DeFi partnership that compounds over time.

TBC Risk Parameters

RWG will run the full qualitative + technical risk process and return with recommended values for:

• Market supply ceiling
• Daily borrow limit
• Collateral factor (CF)
• Liquidation factor (LF) and liquidation incentive (LI)
• Minimum debt, oracle staleness threshold, and any additional safeguards RWG deems appropriate

Oracle Approach (High-Level)

Final oracle design is owned by RWG, but the expected “clean” approach is:

• price frxUSD in USD via a robust reference feed (such as Chainlink)
• resolve sfrxUSD to frxUSD via the ERC-4626 exchange rate (utilizing convertToAssets)
• apply appropriate staleness checks / guards consistent with FiRM’s oracle framework

Useful Links

• Token (sfrxUSD): Staked Frax USD (sfrxUSD) | ERC-20 | Address: 0xcf62f905...02fc9c5b6 | Etherscan
• Frax UI (Earn / Stake frxUSD → sfrxUSD): Frax.com
• Docs (Stake & Unstake overview): Stake & Unstake frxUSD Overview | Fraxtal Docs
• Frax addresses (frxUSD + sfrxUSD): Frax Ether Addresses | Fraxtal Docs
• Chainlink frxUSD/USD feed (Ethereum): frxUSD / USD Price Feed | Chainlink

Risk Working Group — Pre-Screening Assessment: frxUSD and sfrxUSD

The RWG has completed a pre-screening assessment of frxUSD and sfrxUSD in response to the onboarding proposal posted to this forum two weeks ago. Sharing the conclusion publicly so the proposal isn’t sitting without a response, and so the broader DAO has visibility into where things stand.

Pre-screening verdict: does not advance to full risk assessment at this time.

Two findings are independently dispositive at the pre-screening stage.

First, on access control and upgrade authority. Upgrade and admin authority across the entire frxUSD stack (the token, all five custodian proxies, ProxyAdmin, and the LayerZero OFT adapter) is concentrated in a 3/5 Gnosis Safe. Pricing and minter authority on sfrxUSD sits in a parallel 3/6 Safe. Both Safes have been verified on-chain to have zero modules and zero guard contracts enabled. There is no delay module, no timelock, no policy check anywhere in the governance chain. A 3/5 (or 3/6) signature set executes an arbitrary upgrade in the same block.

Second, on protocol maturity. The frxUSD and sfrxUSD proxies were deployed in January 2025, but both contracts have undergone material implementation upgrades since. Most consequentially, sfrxUSD was restructured under FIP-430 on September 2, 2025, from a deposit-tracking ERC-4626 vault into an administratively-priced minter-model token. Both contracts then had their authorization modules rewritten on January 26, 2026. The RWG is in the process of formalizing how it weighs root-token implementation upgrades against the Lindy clock for screening purposes, and is consulting with our devs on that question. Regardless of where that internal standard lands, the access-control finding above is sufficient on its own to hold the pre-screening at this stage.

Why this matters for FiRM specifically:

We want to be direct about why these findings carry the weight they do for Inverse, because the same upgradeable-token profile is accepted at much larger lending protocols every day. FiRM is an immutable, permissionless, fixed-rate lending protocol governed entirely on-chain. There are limited emergency triggers at our disposal that can intervene between an adverse upgrade and DOLA solvency. Our defensive response to a bad upgrade on a live market consists of pausing the market of new borrows and submitting an on-chain governance proposal to lower CF, which takes approximately 4.5 days to execute. That response surface is a deliberate design choice that makes FiRM what it is, but it also means the cost of accepting upgradeable collateral is significantly higher for us than it is for protocols with discretionary admin controls. A timelock on the upgrade path of the asset itself is what can close that gap.

This is also why the framing of “Circle and Chainlink are upgradeable but we trust them” doesn’t quite map. Those assets have accumulated a level of operational and capital-base Lindy that lets the broader market absorb the upgrade risk implicitly. Earlier-stage upgradeable assets that haven’t yet earned that posture create asymmetric risk for a protocol like ours that can’t intervene off-chain. The pre-screening framework is set up to recognize that asymmetry rather than ignore it.

Other findings worth surfacing:

• Five implementation upgrades across the two contracts in fifteen months. This cadence, combined with the no-timelock posture, is the binding constraint.
• sfrxUSD’s post-FIP-430 economic semantics: the vault declares frxUSD as asset() but holds zero frxUSD; totalAssets() is computed from totalSupply × pricePerShare where pricePerShare is administratively curated weekly. Standard ERC-4626 oracle paths are no longer trust-minimized for this asset.
• Aggregate Curve exit liquidity around $9M against $118M+ supply (~7% ratio). Any future parameterization would need to size to exit liquidity rather than market cap.
• Custodian-dependent redemption: frxUSD redemptions return whichever reserve asset (BUIDL, USTB, WTGXX, USDC) the chosen custodian holds, several of which are permissioned.

A broader observation, and what happens next:

The pre-screening process has surfaced something the RWG is increasingly thinking about as a structural question rather than an asset-specific one. FiRM v1 is built around a single rigid risk-control surface (collateral factor, supply ceiling, liquidation factor, liquidation incentive, 24-hour rolling debt limit, etc) applied across all markets. That works well for assets that fit cleanly inside conservative parameters, and it works less well for assets that carry meaningfully different risk profiles. Variable risk-premium architectures, where markets can price their own insurance and borrow cost, are something we’ve only just started exploring with jrDOLA and other brewing ideas as tools that would let FiRM accommodate a wider range of collateral types without compromising the immutable, permissionless properties that define it. We’ll share more on that as it develops.

In the immediate term, the RWG has opened direct dialogue with the Frax team. The conversation is constructive and partnership-friendly. The questions we’re starting with focus on whether Frax would consider introducing a timelock on the upgrade path (the central guardrail), and on transparency and audit practice around past and future upgrades. If Frax is open to introducing the structural changes that would close the access-control gap, the path back to a full risk assessment is short. If not, the assessment stays held until our own architecture catches up to the asset profile.

The full pre-screening assessment is available at: Risk-Assessments/frxUSD_sfrxUSD_pre_screening.md at main · InverseFinance/Risk-Assessments · GitHub

Questions and discussion welcome below.