Summary
This proposal authorizes the launch of the Junior Tranche system (jrDOLA) following successful completion of two comprehensive security audits. The proposal sets initial operational parameters and allocates a DBR reward budget to bootstrap liquidity through an initial measured approach. A follow up proposal will set out to enable FiRM market coverage, pending governance approval.
Background
jrDOLA introduces a market-driven insurance layer that addresses a fundamental limitation in Inverse Finance’s current risk model. As FiRM continues to scale, the protocol absorbs all bad debt directly into DOLA backing, creating concentration risk that constrains growth potential. This model works adequately at current scale but becomes increasingly fragile as total debt exposure grows.
jrDOLA solves this by creating a first-loss capital buffer where depositors voluntarily accept bad debt risk in exchange for yield. If and when FiRM positions become insolvent, the slashing mechanism automatically draws from jrDOLA deposits to repay bad debt before it impacts DOLA backing. This achieves several strategic objectives. First, it protects DOLA solvency by establishing a dedicated bad debt absorption layer. Second, it enables protocol scaling with reduced systemic risk exposure. Third, it provides DOLA holders with a new yield-generating product that earns both sDOLA base yield and DBR rewards. Finally, it establishes automated, permissionless bad debt resolution that requires no manual governance action during stress events.
The system is designed for composability and future expansion. While this initial launch intends to cover FiRM markets, the modular architecture allows governance to add coverage for additional markets and protocols such as the PSM or future Fed deployments without requiring contract redeployment or migration.
The jrDOLA codebase has undergone rigorous security scrutiny through a dual-audit process with Sherlock. The first phase consisted of a private audit conducted with specialized security researchers Hash and Osidian, who focused on ERC-4626 vault mechanics, slashing logic, and withdrawal queue edge cases. All identified issues were addressed prior to the second phase, a public audit contest open to Sherlock’s broader security researcher community. The final reports for both are posted for public viewing here. Additionally, Sherlock Shield provides 200,000 USDC in exploit insurance coverage for the first month post-deployment, offering an additional layer of financial protection during the critical early launch period.
Technical Implementation
Deployed Contracts
The jrDOLA system consists of four core contracts deployed to Ethereum mainnet:
JuniorDola (jrDOLA) — 0xf4307a1354c0463812b3ce0f509c227f5cd1ccfd The main ERC-4626 vault representing user deposits. All deposits are in sDOLA to provide a base yield layer. The contract integrates an xy=k auction mechanism that converts DBR rewards into DOLA-denominated yield, allowing depositors to earn returns without directly holding or managing DBR tokens.
WithdrawalEscrow — 0x3912365cc44309c99743597f9d18c6cb946ab5f0 Manages the delayed withdrawal queue. This contract is intentionally immutable to protect user interests. Once a withdrawal is queued, the cooldown duration and exit window parameters are locked and cannot be altered by governance. Users continue earning rewards during cooldown since their funds remain slashable.
LinearInterpolationDelayModel — 0x3b1e443ab423c9a7b1b2ea7b3cb7c0be012a4fbf Calculates withdrawal delays based on queue utilization. Uses linear interpolation between minimum delay (when queue is empty) and maximum delay (at governance-defined threshold). The contract is upgradeable by governance, but active withdrawals continue using the delay parameters from their queue time.
FiRMSlashingModule — 0x6d27dd57a7dbf5b27a3fcabd75c916ac765a346c Implements the permissionless slashing mechanism for FiRM bad debt. Anyone can call the slashing function when a position becomes insolvent. Protective parameters include:
- maxCollateralValue: Prevents slashing positions with significant collateral, forcing liquidators to handle those first
- minDebt: Prevents dust positions from spamming slashing events
- activationDelay: Requires newly added markets to wait before becoming eligible for coverage
A guardian multisig can cancel pending market additions during the delay window.
Helper — 0x93c0610b258e42c43544e74cfc1efec8c1f5459b Implements helper functions for interacting with the DBR auction in the JuniorDola contract.
Initial Parameters
JuniorDola:
- dbrReserve: [1,000,000e18] DBR — virtual reserves for xy=k auction
- dolaReserve: [40,519e18] sDOLA — virtual reserves for xy=k auction
- yearlyRewardBudget: [500,000] DBR — initial annual allocation (operator-controlled)
- maxYearlyRewardBudget: [10,000,000] DBR — governance ceiling
- operator: Treasury Working Group multisig
WithdrawalEscrow:
- withdrawFee: [5] bps — creates friction against cycling behavior; paid to remaining depositors
- exitWindow: [48] hours — time to claim withdrawal after cooldown completes
LinearInterpolationDelayModel:
- minDelay: [1] day — minimum withdrawal delay when queue is empty
- maxDelay: [7] days — applies when queue utilization reaches threshold
- maxDelayThreshold: [10000] bps — e.g., 5,000 bps (50%) means delay scales linearly from min to max as queue fills from 0% to 50%
FiRMSlashingModule:
- maxCollateralValue: [$100] — positions above this must be liquidated normally
- minDebt: [$5] — minimum debt for slashing eligibility
- activationDelay: [7] days — review window for new market additions
- guardian: Policy Committee multisig
Governance Controls
Governance CAN:
- Add or remove FiRM markets for coverage (new markets subject to activation delay)
- Increase the maxYearlyRewardBudget ceiling
- Replace the LinearInterpolationDelayModel contract
- Adjust FiRMSlashingModule parameters
- Change the guardian address
Governance CANNOT:
- Pause withdrawals or interfere with the active withdrawal queue
- Change withdrawal terms for users already in queue
- Access deposited funds except through legitimate slashing
- Bypass market activation delays
Operator (TWG multisig) CAN:
- Adjust yearlyRewardBudget within the governance-set ceiling
Operator CANNOT:
- Exceed the governance-approved ceiling
- Access deposited funds
- Modify withdrawal or slashing parameters
Guardian CAN:
- Remove markets from slashing protection before the activation period has elapsed.
Guardian CANNOT:
- Interfere with operations of actively protected markets.
Operational Mechanics
For Depositors
Depositing into jrDOLA follows standard ERC-4626 vault interactions. Users approve sDOLA to the jrDOLA contract and call either deposit(amount, receiver) or mint(shares, receiver) depending on whether they prefer to specify deposit amount or desired shares. Upon deposit, users receive jrDOLA shares representing their proportional claim on the vault. Additionally, depositors begin earning DBR rewards distributed through the xy=k auction mechanism, which automatically converts DBR into DOLA-denominated yield without requiring direct DBR interaction.
Withdrawing requires a multi-step process designed to provide security during periods of stress while maintaining reasonable user experience during normal operations. Users first call queueWithdrawal(shares) to enter the withdrawal queue. At this moment, the system snapshots their withdrawal parameters including cooldown duration and exit window timing, and applies the withdrawal fee, which is distributed to remaining depositors. Users then wait for the cooldown period, which ranges from the minimum delay to maximum delay based on current queue utilization as calculated by the LinearInterpolationDelayModel. During this cooldown, users continue earning rewards since their funds remain in the vault and continue to provide slashable insurance coverage. After the cooldown completes, users enter their exit window during which they can claim their withdrawal by calling the claim function. Users receive sDOLA representing their original deposit plus all accrued yield, minus any slashing events that occurred while they were deposited, minus the withdrawal fee. Users can also cancel their withdrawal during the cooldown period and return to the active depositor pool.
For the Protocol
Reward distribution operates through an ongoing auction mechanism integrated into the jrDOLA contract. The protocol allocates DBR to the jrDOLA contract according to the yearlyRewardBudget parameter controlled by the operator within governance-set limits. These DBR tokens enter an xy=k constant product market maker with virtual DOLA reserves, creating a permissionless auction where anyone can swap sDOLA for DBR. This increases the vault’s total assets without changing the share supply, causing the sDOLA-per-share exchange rate to increase. Depositors thus earn DOLA-denominated yield without ever directly interacting with DBR tokens. The auction mechanism provides continuous price discovery and automatically adjusts reward distribution based on DBR market dynamics.
The bad debt coverage mechanism operates through a permissionless slashing process. When a FiRM position becomes insolvent such that the debt value exceeds collateral value based on oracle pricing, anyone can call slash(market, borrower) on the FiRMSlashingModule contract. The module first verifies that the position is legitimately insolvent by checking current debt and collateral values. It then applies protective checks, ensuring the position’s collateral value is below maxCollateralValue to prevent slashing positions that should be liquidated through normal mechanisms, and ensuring debt exceeds minDebt to avoid processing economically insignificant positions. If all checks pass, the module calculates the required DOLA amount needed to bring the position’s debt-to-collateral ratio back to parity. It then triggers a pro-rata slash against the jrDOLA vault, where all depositors’ share values decrease proportionally to socialize the loss. The recovered DOLA is used to repay the bad debt in the FiRM market, removing the insolvency. This protects DOLA backing by absorbing bad debt into jrDOLA before it impacts core protocol reserves.
Budget Request
The budget operates within a controlled structure. The maxYearlyRewardBudget parameter of 10,000,000 DBR represents a governance-enforced ceiling that can only be increased through full governance proposals. Within this ceiling, the yearlyRewardBudget parameter of 500,000 DBR represents the initial active budget upon approval of this proposal. This amount is controlled by the operator (Treasury Working Group multisig) and can be adjusted up to the governance ceiling without requiring additional votes, enabling responsive adjustment to market conditions while maintaining ultimate governance control.
The initial budget request was calibrated through analysis of comparable insurance mechanisms in DeFi, modeling of depositor yield requirements given FiRM’s historical bad debt frequency and severity, and assessment of total DBR availability relative to competing uses across the protocol ecosystem.