Origin ARM
Score Breakdown
| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 1.50 |
| Centralization & Control | 30% | 1.33 |
| Funds Management | 30% | 1.25 |
| Liquidity Risk | 15% | 2.50 |
| Operational Risk | 5% | 1.00 |
| Final Score | 1.5 / 5.0 | |
Overview
Origin's stETH ARM (Automated Redemption Manager) is a yield-generating ETH vault (ERC4626) that earns returns primarily by arbitraging stETH against its redemption value via Lido's withdrawal queue. Users deposit WETH and receive ARM-WETH-stETH LP tokens. The protocol buys discounted stETH, redeems it 1:1 through Lido, and captures the spread as yield. The contract also supports deploying idle capital to Morpho lending markets, currently using the WETH ARM Morpho vault curated by Yearn.
- Launch Date: October 25, 2024
- Performance Fee: 20% (2,000 bps) - mutable by owner (Timelock)
- Backing: Lido Ecosystem Foundation provides liquidity support
Risk Summary
Key Strengths
- Onchain xOGN governance with ~5-day total cycle, self-administered Timelock, no admin backdoor
- Cross-price protected by 48h timelock — limits operator manipulation
- 3 independent audits (2x OpenZeppelin + yAudit) + $1M Immunefi bounty
- Simple strategy (stETH arbitrage), with lending to low risk ARM Morpho Vault curated by Yearn
- 16 months clean ARM track record, same-value assets (ETH/stETH)
Key Risks
- Operator is single EOA (not multisig) — can set prices without timelock
- Extreme TVL volatility ($782K–$28M) — whale concentration
- Upgradeable proxy (protected by ~5-day governance cycle)
- Critical Lido dependency
Critical Risks
- None identified. All critical gates pass.
Full Report
Contract Addresses
| Contract | Address |
|---|---|
| ARM Proxy | 0x85B78AcA6Deae198fBF201c82DAF6Ca21942acc6 |
| ARM Implementation | 0xC0297a0E39031F09406F0987C9D9D41c5dfbc3df |
| Timelock Controller | 0x35918cDE7233F2dD33fA41ae3Cb6aE0e42E0e69F |
| Origin DeFi Governance | 0x1D3fBD4d129Ddd2372EA85c5Fa00b2682081c9EC |
| GOV Multisig (5/8, cancel-only) | 0xbe2AB3d3d8F6a32b96414ebbd865dBD276d3d899 |
| Operator (EOA) | 0x39878253374355DBcc15C86458F084fb6f2d6DE7 |
| Fee Collector | 0xBB077E716A5f1F1B63ed5244eBFf5214E50fec8c |
| xOGN Governance Token | 0x63898b3b6Ef3d39332082178656E9862bee45C57 |
| Lido Withdrawal Queue | 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1 |
| MorphoMarket Wrapper (Proxy) | 0xB7CeFE4CB483Be80C2963D3D9Edb991e69ff39cf |
| Morpho Vault (WETH ARM, Yearn curated) | 0x3Dfe70B05657949A5dB340754aD664810ac63b21 |
| Harvester (Morpho rewards) | 0x4FF1b9D9ba8558F5EAfCec096318eA0d8b541971 |
Audits and Due Diligence Disclosures
ARM has been audited by OpenZeppelin (twice) and yAudit:
| # | Date | Firm | Scope | Report |
|---|---|---|---|---|
| 1 | Nov 2024 | OpenZeppelin | ARM contracts | Report |
| 2 | Jun 2025 | OpenZeppelin | ARM contracts | Report |
| 3 | Dec 2025 | yAudit | ARM contracts | Report |
Note: The Certora formal verification report (December 2024) covers OUSD only, not ARM.
Origin Protocol has 30+ audit reports across all products (OpenZeppelin, Trail of Bits, Solidified, Nethermind, Sigma Prime, Narya, Perimeter) in their security repository.
Smart Contract Complexity: Moderate - Upgradeable proxy (EIP-1967), AbstractARM base contract, Lido withdrawal queue integration, operator-controlled pricing with cross-price timelock protection.
Bug Bounty
- Platform: Immunefi
- Maximum Payout: $1,000,000
- Scope: ARM (stETH/WETH) contract explicitly in-scope
- Link: https://immunefi.com/bug-bounty/originprotocol/scope/
Historical Track Record
- Launched: October 25, 2024 (~16 months in production)
- ARM-specific incidents: None ✓
- Origin Protocol incident: November 17, 2020 - OUSD Flash Loan Reentrancy Attack ($8M loss). Different product (OUSD) with different contracts. ARM codebase built later with lessons learned. Source: DeFiLlama Hacks DB, rekt.news
- TVL volatility: Extreme range from $782K to $28M peak, suggesting whale concentration risk
- Team: Origin Protocol since 2017. Founded by Josh Fraser & Matthew Liu. CEO: Rafael Ugolini. Backed by Pantera Capital, Founders Fund. Previously launched OETH and OUSD. Active development - expanding to EtherFi, Ethena ARM variants.
Funds Management
Strategy: Buy discounted stETH → redeem 1:1 via Lido withdrawal queue → capture spread. Currently ~99% of assets sit in Lido withdrawal queue with a small WETH buffer.
Morpho Integration: The contract supports deploying idle capital to the WETH ARM Morpho vault (0x3Dfe70B05657949A5dB340754aD664810ac63b21) curated by Yearn. This is considered a safer option compared to the previous MEV Capital wETH vault, as Yearn's curation provides stronger risk management and oversight.
Accessibility
- Deposits: Permissionless, atomic. Deposit WETH, receive ARM-WETH-stETH LP tokens. Cap manager currently disabled (address(0)).
- Withdrawals: Two-step Request → Claim. PPS locked at request time, shares burned immediately. 10-minute minimum delay. Liquidity-dependent - exits exceeding WETH buffer require waiting for Lido withdrawal queue processing (1-3 days typical). No yield during queue.
Collateralization
- 100% onchain collateral: WETH + stETH (same-value ETH-denominated assets)
- No debt, leverage, or liquidation mechanics
- Operator sets buy/sell prices manually, bounded by cross-price (which requires timelock to change)
Provability
- All reserves verifiable onchain via view functions: totalAssets(), totalSupply(), convertToAssets()
- PPS calculated programmatically onchain: totalAssets() / totalSupply()
- Lido withdrawal queue state verifiable: withdrawsQueued(), withdrawsClaimed(), claimable()
- 100% onchain reserves, no offchain components
Liquidity Risk
- Exit Mechanism: Direct vault redemption with 10-minute delay. PPS locked at request time (no slippage on redemption value). Limited secondary DEX liquidity via Curve pool (OETH/ARM-WETH-stETH, 0x95753095f15870acc0cb0ed224478ea61aeb0b8e, ~$222K TVL).
- Immediate exits limited to WETH buffer (variable, typically small % of TVL)
- Larger exits require Lido withdrawal queue processing (1-3 days)
- No priority mechanism - first-come-first-served
- Same-value assets (ETH/stETH) mitigate price impact risk during wait
Centralization & Control Risks
Governance
Governance Structure: See Appendix: Contract Architecture for full diagram.
Timelock Roles (verified via hasRole()):
| Role | Origin DeFi Governance | GOV Multisig (5/8) | address(0) |
|---|---|---|---|
| PROPOSER | ✓ | ✗ | - |
| EXECUTOR | ✓ | ✗ | ✗ (not open) |
| CANCELLER | ✓ | ✓ | - |
- Timelock is self-administered (TIMELOCK_ADMIN_ROLE held by itself)
- Total time from proposal to execution: ~5 days minimum (24h voting delay + 48h voting + 48h timelock)
- No backdoor - only Origin DeFi Governance can propose/execute
GOV Multisig Signers (5-of-8):
0x530d3F8C, 0xce96ae6D, 0x336C02D3, 0x6AC8d65D, 0x617a3582, 0x17aBc3F0, 0x39772922, 0xa96bD9c5
Privileged Roles:
| Role | Who | Timelock? | Powers |
|---|---|---|---|
| Admin (owner) | Timelock → xOGN governance | ~5 days | Upgrade proxy, set cross price, change lending markets, grant/revoke operator, set fee |
| Operator | EOA 0x39878...DE7 | None | Set buy/sell prices (traderate0/1), trigger allocate/rebalance |
| Cap Manager | address(0) (disabled) | - | Could restrict deposits if enabled |
Key Risk: Operator is a single EOA (not a multisig). Can adjust buy/sell prices without timelock. Cross-price timelock limits exploitation.
Programmability
- PPS calculated programmatically onchain (totalAssets() / totalSupply())
- allocate() function is permissionless
- Operator sets buy/sell prices manually (no timelock), bounded by cross-price (admin-set, 48h timelock)
- If operator inactive, pricing could become stale (no automated price discovery)
External Dependencies
- Lido (Critical) - Core value proposition depends on Lido's stETH and withdrawal queue. Failure would halt all operations.
- Morpho (High) - Idle capital is deposited into WETH ARM Morpho vault curated by Yearn. Yearn curation reduces curator risk compared to previous MEV Capital setup.
- DEX Aggregators (Non-critical) - 1inch, CoWSwap for stETH acquisition. Not required for core functionality.
No cross-chain dependencies.
Operational Risk
- Team: Origin Protocol since 2017, public team, known leadership, VC-backed (Pantera, Founders Fund)
- Documentation: Good. Public GitHub actively maintained, comprehensive security repo
- Legal: Company structure (Origin Protocol), established entity
- Incident Response: $1M bug bounty on Immunefi, learned from 2020 OUSD incident
Monitoring
- Governance: Monitor Timelock events (CallScheduled, CallExecuted, Cancelled) and Origin DeFi Governance proposals. Monitor EIP-1967 implementation slot for proxy upgrades.
- Operator: Monitor traderate0(), traderate1(), crossPrice() for changes. Alert on >5% market deviation or operator role changes.
- PPS & Liquidity: Track totalAssets() / totalSupply(), alert on >1% sudden PPS drops. Monitor WETH buffer and Lido withdrawal queue state. Track large movements (>20% TVL change in 24h).
- Lending: Monitor Morpho WETH ARM vault allocation and Yearn curator changes.
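The PPS, TVL and privileged-parameter checks from the monitoring list above, written out as an added example (not Origin's code and not part of the original report). Snapshot field names, the `snap` helper and all sample values are constructed; the >5% market-deviation check is left out because it needs an external price reference.

```python
# Added example: threshold checks over constructed vault snapshots.
# Snapshot field names are hypothetical; an off-chain poller would fill them
# from the view functions named above and from the EIP-1967 implementation slot
# 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc.
PPS_DROP_LIMIT = 0.01  # alert on >1% sudden PPS drop
TVL_MOVE_LIMIT = 0.20  # alert on >20% TVL change in 24h
DAY = 24 * 3600
WATCHED = ("traderate0", "traderate1", "crossPrice", "operator", "implementation")


def pps(s):
    """Price per share = totalAssets() / totalSupply()."""
    return s["totalAssets"] / s["totalSupply"]


def check(history, cur):
    """Compare cur with earlier snapshots (oldest first); return alert strings."""
    alerts = []
    if not history:
        return alerts
    prev = history[-1]
    for key in WATCHED:
        if cur[key] != prev[key]:
            alerts.append(f"{key} changed: {prev[key]} -> {cur[key]}")
    drop = 1 - pps(cur) / pps(prev)
    if drop > PPS_DROP_LIMIT:
        alerts.append(f"PPS dropped {drop:.2%}")
    # Baseline for TVL is the oldest snapshot still inside the 24h window.
    window = [s for s in history if cur["ts"] - s["ts"] <= DAY]
    if window:
        base = window[0]["totalAssets"]
        move = abs(cur["totalAssets"] - base) / base
        if move > TVL_MOVE_LIMIT:
            alerts.append(f"TVL moved {move:.2%} in 24h")
    return alerts


def snap(ts, assets, supply, **over):
    """Build a constructed snapshot (sample data, not real chain state)."""
    s = {"ts": ts, "totalAssets": assets, "totalSupply": supply,
         "traderate0": 10**36, "traderate1": 10**36, "crossPrice": 10**36,
         "operator": "0xOPERATOR", "implementation": "0xIMPL_OLD"}
    s.update(over)
    return s


HISTORY = [snap(0, 1000, 1000), snap(3600, 1010, 1000)]
QUIET = snap(7200, 1012, 1000)
NOISY = snap(7200, 700, 720, crossPrice=999 * 10**33, implementation="0xIMPL_NEW")
```

`check(HISTORY, NOISY)` returns four alerts (crossPrice change, implementation change, PPS drop, TVL move), while `check(HISTORY, QUIET)` returns none.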
Reassessment Triggers
- Time-based: Quarterly (next: May 2026)
- Incident-based: Any security incident, pricing anomaly, or withdrawal issues
- Change-based: Changes by the Morpho vault curator (Yearn), especially adding new markets; contract upgrade; Lido WQ issues or stETH depeg
Appendix: Contract Architecture
┌─────────────────────────────────────────────────────────────────────┐
│ GOVERNANCE │
│ │
│ xOGN Token Holders (Staked OGN) │
│ (100K xOGN to propose, ~133.7M xOGN quorum) │
│ │ │
│ ▼ │
│ Origin DeFi Governance (0x1D3f...) │
│ [PROPOSER + EXECUTOR + CANCELLER] │
│ (7,200 blocks voting delay + 14,416 blocks voting period) │
│ │ │
│ ▼ │
│ Timelock Controller (0x3591...) GOV Multisig 5/8 │
│ [48h delay, self-administered] ◄────── (0xbe2A...) │
│ │ [CANCELLER only] │
│ │ owner │
│ ├──────────────────────────────────────┐ │
│ ▼ ▼ │
│ ARM Proxy (0x85B7...) MorphoMarket Wrapper (0xB7Ce..)│
│ [EIP-1967, impl: 0xC029...] [EIP-1967, also owned by TL] │
│ │
│ ⚠ Proxy upgrade = single-step setOwner (no 2-step transfer) │
│ │
└─────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ ARM VAULT (LidoARM) │
│ 0x85B7...cc6 │
│ │
│ Immutables: Storage: │
│ ├── stETH (0xae7a) ├── traderate0/1 (36-dec pricing) │
│ ├── WETH (0xC02a) ├── crossPrice (operator bound, timelocked) │
│ └── lidoWQ(0x889e) ├── fee: 2000 (20%) │
│ ├── armBuffer: 0.1 ETH │
│ ├── claimDelay: 600s (10 min) │
│ └── activeMarket: 0xB7Ce... (MorphoMarket) │
│ │
│ Roles: │
│ ├── owner: Timelock (0x3591...) │
│ │ setCrossPrice, setFee, setOperator, addMarkets, upgradeTo │
│ ├── operator: EOA (0x3987...) │
│ │ setPrices, requestLidoWithdrawals, setActiveMarket │
│ ├── feeCollector: Safe 1/3 (0xBB07...) │
│ └── capManager: address(0) [disabled] │
│ │
│ Permissionless: deposit, requestRedeem, claimRedeem, allocate, │
│ claimLidoWithdrawals, collectFees, swap stETH↔WETH │
│ │
└──────────┬──────────────┬──────────────┬────────────────────────────┘
│ │ │
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────────────────────────┐
│ stETH │ │ Lido WQ │ │ MorphoMarket Wrapper │
│ (0xae7a...) │ │ (0x889e...) │ │ (0xB7Ce...) │
│ │ │ │ │ [Abstract4626MarketWrapper] │
│ transfer, │ │ request, │ │ owner: Timelock │
│ approve │ │ claim │ │ │ │
│ │ │ │ │ ▼ │
└──────────────┘ └──────────────┘ │ Morpho Vault (0x3Dfe...) │
│ [MetaMorpho v1.1, Yearn curated]│
│ │ │
│ ▼ │
│ Harvester Safe (0x4FF1...) │
│ [receives MORPHO rewards] │
└──────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ SECONDARY LIQUIDITY │
│ │
│ Curve Pool: OETH / ARM-WETH-stETH (factory-stable-ng-641) │
│ (0x9575...) ~$222K TVL │
│ Gauge: 0xfcad... (active, no CRV weight) │
│ │
└─────────────────────────────────────────────────────────────────────┘
Data flows:
Deposit: User WETH → ARM → mint LP shares
Redeem: requestRedeem (burns shares, locks PPS) → claimRedeem (after 10m + liquidity)
Yield: ARM buys discounted stETH → requestLidoWithdrawals → claimLidoWithdrawals → WETH
Lending: allocate() → excess WETH → MorphoMarket wrapper → Morpho Vault (Yearn curated)
Swap: User stETH↔WETH at operator-set traderates (bounded by crossPrice)