
Superstate USTB

2.3
USTB / Ethereum / April 7, 2026

Score Breakdown

| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 1.25 |
| Centralization & Control | 30% | 3.00 |
| Funds Management | 30% | 2.25 |
| Liquidity Risk | 15% | 3.00 |
| Operational Risk | 5% | 1.00 |
| Final Score | | 2.3 / 5.0 |

Rating: Low Risk

Overview

USTB is a tokenized investment fund issued by Superstate Inc. that provides exposure to short-duration U.S. Treasury Bills and Agency securities. The fund's investment objective is to seek current income consistent with liquidity and stability of principal, targeting returns in line with the federal funds rate.

USTB uses a price appreciation model (non-rebasing) — each USTB token represents one share in the fund, and the NAV per share increases daily as interest income from Treasury Bills accrues. The token price has grown from ~$10.00 at inception (February 2024) to ~$11.05 as of April 2026.

Investors undergo KYC/AML onboarding, get their wallet addresses whitelisted on the AllowList smart contract, and can then subscribe (mint) or redeem (burn) USTB tokens via USDC or USD. Onchain atomic subscription and redemption is available through the Protocol Mint and Redeem system, with a USDC instant redemption facility (currently ~$1.7M, capacity varies as it is refilled regularly).

The fund is structured as a series of Superstate Asset Trust, a Delaware Statutory Trust, providing bankruptcy remoteness from Superstate Inc. The sub-advisor is Federated Hermes, the custodian is UMB Bank (OCC-regulated), and the auditor is Ernst & Young.

  • Current NAV/Share: ~$11.045 (SuperstateOracle: $11.045231, Chainlink: $11.044354 — verified onchain April 2026)
  • Onchain Supply (Ethereum): ~56.59M USTB (~$625M onchain)
  • Total AUM: ~$650M+ (including Solana and book-entry shares)
  • Onchain Holders (Ethereum): ~70
  • Current APY: ~2.58% (30-day), tracking the federal funds rate
  • Management Fee: 0.15% annually (waived until AUM exceeds $200M — now exceeded)


Risk Summary

Key Strengths

  1. Safest underlying asset class — 95%+ invested in U.S. Treasury Bills, the lowest-risk financial instrument globally, backed by the full faith and credit of the U.S. government
  2. Great audit coverage — 11 audits from 3 firms (0xMacro, ChainSecurity, Offside Labs) plus Certora formal verification, with ongoing audit relationship as code evolves
  3. Institutional-grade service providers — UMB Bank (OCC-regulated custodian), Federated Hermes (sub-advisor, $800B+ AUM), Ernst & Young (auditor), NAV Consulting (independent NAV)
  4. Strong team and backing — Compound Finance founders, $100.5M raised from Bain Capital Crypto, Distributed Global, Brevan Howard, Galaxy Digital, Haun Ventures
  5. Bankruptcy-remote legal structure — Delaware Statutory Trust with inter-series liability protection, SEC-regulated framework
  6. Large AUM — $650M+ with strong institutional adoption (Spark $300M, Aave Horizon, M^0)

Key Risks

  1. EOA-controlled admin — 4 distinct EOAs control token minting, forced burning, pausing, oracle changes, and proxy upgrades. No multisig, no timelock on any. The separation across 4 keys reduces single-key blast radius but none have multisig protection.
  2. Offchain assets — Underlying Treasury portfolio held offchain at UMB Bank. Token holders cannot independently verify holdings onchain. Must rely on NAV agent, auditor, and regulatory framework.
  3. No DEX liquidity — Exit exclusively through Superstate's mint/redeem system. No secondary market. Transfer restricted to allowlisted addresses only.
  4. No formal bug bounty rewards — Researchers explicitly told not to expect compensation for vulnerability discoveries.
  5. Permissioned access — Only Qualified Purchasers ($5M+) who pass KYC can hold or transfer USTB. Limits DeFi composability.

Critical Risks

  • AllowList freeze risk — If Superstate removes an address from the AllowList, the holder's tokens are completely frozen with zero exit paths. No transfers, no redemption, no DEX fallback. For DeFi protocols integrating USTB, this means Superstate has unilateral power to freeze an entire protocol's USTB position.
  • Private key compromise — 4 separate EOAs control different parts of the system. Compromise of 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 alone could upgrade the USTB token to malicious code, mint unlimited tokens, or burn tokens from any address, all with no delay. Other EOAs control AllowList (freeze addresses), RedemptionIdle (withdraw USDC, pause redemptions), and Oracle (manipulate pricing). Mitigated by Turnkey secure enclaves but each remains a single point of failure.
  • Admin burn capability — The adminBurn() function can confiscate tokens from any holder. While documented as a regulatory compliance tool, this gives Superstate unilateral power over user funds.
  • No upgrade delay — All 3 proxy contracts (USTB Token, AllowList, RedemptionIdle) can be upgraded immediately with no timelock for users or protocols (like Aave, Morpho, Spark) to react.

Full Report

Contract Addresses

All addresses verified onchain April 2026.

| Contract | Address |
|---|---|
| USTB Token (Proxy) | 0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e |
| USTB Implementation (SuperstateTokenV5_1, VERSION "5") | 0x1f50a1ee0ec8275d0c83b7bb08896b4b47d6e8c4 |
| USTB ProxyAdmin | 0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146 |
| AllowList V3.1 (Proxy) | 0x02f1fa8b196d21c7b733eb2700b825611d8a38e5 |
| AllowList Implementation (Allowlist, VERSION "3.1") | 0x2f67d98bd20d9580f52efa5ff70edaed9f2f316d |
| AllowList ProxyAdmin | 0xb819692a58db9dd4d3b403a875439b6ca155c610 |
| Superstate Continuous Price Oracle (not a proxy) | 0xe4fa682f94610ccd170680cc3b045d77d9e528a8 |
| Chainlink USTB NAV/Share Oracle | 0x289B5036cd942e619E1Ee48670F98d214E745AAC |
| RedemptionIdle (Proxy) | 0x4c21b7577c8fe8b0b0669165ee7c8f67fa1454cf |
| RedemptionIdle Implementation | 0x8efba8af37af48d2e0a04b0aae60f0e9bc8de007 |
| RedemptionIdle ProxyAdmin | 0xcaba8c12873fffed13431d98bf6b836dff08e869 |
| USDC Sweep Destination (EOA) | 0x774AE279c21B6a17a6E2BD5ab5398FF98F398807 |

Owner Addresses

The system is controlled by 4 distinct EOAs (all code size 0, no multisig):

| Role | Address |
|---|---|
| USTB Token Owner + USTB ProxyAdmin Owner | 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 |
| AllowList Owner + AllowList ProxyAdmin Owner | 0x7747940adbc7191f877a9b90596e0da4f8deb2fe |
| RedemptionIdle Owner + RedemptionIdle ProxyAdmin Owner | 0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765 |
| Oracle Owner | 0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395 |
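The "verified onchain" claims above (EIP-1967 proxy, ProxyAdmin, owner with code size 0) can be re-checked by anyone before integrating. The script below is an added example, not Superstate's code: it reads the two EIP-1967 slots of the USTB proxy, asks the ProxyAdmin for its owner() (assuming the standard OpenZeppelin Ownable getter, selector 0x8da5cb5b) and reports whether that owner has bytecode. The JSON-RPC transport is injected, so the built-in run uses a constructed fake state that mirrors the April 2026 observations; pass a callable that forwards to a real node to check mainnet. The "0x6080" bytecode values in the fake are placeholders, not real code.

```python
"""Offline-testable governance check for the USTB proxy stack (added example)."""
from typing import Callable, Dict, List

# EIP-1967 storage slots (standard constants, not page-specific).
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
OWNER_SELECTOR = "0x8da5cb5b"  # keccak256("owner()")[:4], standard Ownable getter

# Addresses as listed in the report (Ethereum mainnet), lower-cased for comparison.
USTB_PROXY = "0x43415eb6ff9db7e26a15b704e7a3edce97d31c4e"
USTB_IMPL = "0x1f50a1ee0ec8275d0c83b7bb08896b4b47d6e8c4"
USTB_PROXY_ADMIN = "0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146"
USTB_OWNER = "0xad309bb6f13074128b4f23ef9ea2fe8552afca83"

Rpc = Callable[[str, list], str]  # rpc(method, params) -> hex string result


def _as_address(word: str) -> str:
    """Right-most 20 bytes of a 32-byte hex word, as a lower-case address."""
    return "0x" + word[2:].rjust(64, "0")[-40:].lower()


def _as_word(addr: str) -> str:
    """Left-pad an address to a 32-byte hex word (ABI / storage layout)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def storage_address(rpc: Rpc, contract: str, slot: str) -> str:
    return _as_address(rpc("eth_getStorageAt", [contract, slot, "latest"]))


def has_code(rpc: Rpc, address: str) -> bool:
    return rpc("eth_getCode", [address, "latest"]) not in ("", "0x")


def owner_of(rpc: Rpc, contract: str) -> str:
    call = {"to": contract, "data": OWNER_SELECTOR}
    return _as_address(rpc("eth_call", [call, "latest"]))


def check_proxy_stack(rpc: Rpc, proxy: str, expected_impl: str,
                      expected_admin: str, expected_owner: str) -> Dict[str, object]:
    """Compare live proxy wiring with the values recorded in the report."""
    impl = storage_address(rpc, proxy, IMPL_SLOT)
    admin = storage_address(rpc, proxy, ADMIN_SLOT)
    owner = owner_of(rpc, admin)
    findings: List[str] = []
    if impl != expected_impl.lower():
        findings.append(f"implementation changed: {impl}")
    if admin != expected_admin.lower():
        findings.append(f"proxy admin changed: {admin}")
    if owner != expected_owner.lower():
        findings.append(f"proxy admin owner changed: {owner}")
    if not has_code(rpc, owner):
        findings.append("upgrade authority is an EOA: single key, no multisig or timelock")
    return {"implementation": impl, "admin": admin, "owner": owner, "findings": findings}


def fake_mainnet_rpc() -> Rpc:
    """Constructed chain state mirroring the report's April 2026 observations."""
    storage = {(USTB_PROXY, IMPL_SLOT): _as_word(USTB_IMPL),
               (USTB_PROXY, ADMIN_SLOT): _as_word(USTB_PROXY_ADMIN)}
    code = {USTB_PROXY: "0x6080", USTB_IMPL: "0x6080", USTB_PROXY_ADMIN: "0x6080"}
    owners = {USTB_PROXY_ADMIN: _as_word(USTB_OWNER)}  # owner EOA has no code entry

    def rpc(method: str, params: list) -> str:
        if method == "eth_getStorageAt":
            return storage.get((params[0].lower(), params[1]), _as_word("0x0"))
        if method == "eth_getCode":
            return code.get(params[0].lower(), "0x")
        if method == "eth_call" and params[0]["data"] == OWNER_SELECTOR:
            return owners[params[0]["to"].lower()]
        raise ValueError(f"unexpected call {method}")
    return rpc


def audit_ustb(rpc: Rpc = None) -> Dict[str, object]:
    """Run the check against a real transport, or the fake state when none is given."""
    return check_proxy_stack(rpc or fake_mainnet_rpc(), USTB_PROXY, USTB_IMPL,
                             USTB_PROXY_ADMIN, USTB_OWNER)


if __name__ == "__main__":
    for line in audit_ustb()["findings"]:
        print(line)
```

Against the fake state the only finding is the EOA one, which is exactly the centralization point the report scores. Run on a schedule, a non-empty "changed" finding is the cheapest possible detector for a silent proxy upgrade or ownership change.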

Audits and Due Diligence Disclosures

Superstate has undergone 11 security audits from 3 firms (0xMacro, ChainSecurity, Offside Labs) plus formal verification by Certora, making this one of the most extensively audited RWA tokenization protocols.

Audit History

| # | Firm | Date | Scope | Key Findings |
|---|---|---|---|---|
| A-1 | 0xMacro | Jul 2024 | Redemption contract | 2M (1 fixed, 1 won't do — USDC peg assumption) |
| A-2 | 0xMacro | Jul 2024 | USTB/USCC Token + AllowList | 1M (fixed — EIP-2612 non-compliance), 8 code quality |
| A-3 | 0xMacro | Nov 2024 | Liquidation, Oracle, Token V2 | 3M (all fixed — oracle underflow, SafeERC20, deploy scripts) |
| A-4 | 0xMacro | Nov 2024 | Token + Redemption V2 | 2H (fixed — redemption fee bypass, subscribe allowlist bypass), 1M (fixed) |
| A-5 | 0xMacro | Jan 2025 | Token V3 + Redemption | No H/M/L issues — cleanest EVM audit |
| A-6 | 0xMacro | Apr 2025 | Token + Redemption updates | No H/M/L issues |
| A-7 | 0xMacro | May 2025 | Solana Allowlist Program | 2C (fixed — ownership validation bypass), 1H (fixed — PDA frontrunning DOS) |
| A-8 | 0xMacro | May 2025 | Equity Token (new product) | 1H (fixed — incorrect event source) |
| A-9 | 0xMacro | Jul 2025 | AllowlistV3 (EVM) | No issues found — cleanest audit |
| -- | ChainSecurity | 2023 | Compound SUPTB (original token) | 2 Critical (fixed — encumbrance transferability, transferFrom permission bypass) |
| -- | Offside Labs | May 2025 | Solana Allowlist | Separate program audit |
| -- | Certora | -- | Formal verification | Mathematical verification of contract properties |

Total findings across all audits: 2 Critical (Solana), 4 High, 7 Medium — all fixed or acknowledged with rationale.

Smart Contract Complexity: Moderate — Upgradeable EIP-1967 proxy, ERC-20 with ERC-7246 (deprecated in V4), AllowList-gated transfers, onchain subscription via Chainlink oracle, multi-chain bridging. Clean OpenZeppelin patterns with proper storage gaps.

Bug Bounty

  • Platform: Self-hosted (security@superstate.co)
  • Formal Rewards: None — "Superstate does not have a formal reward policy. Researchers should not expect compensation for discovering vulnerabilities."
  • Safe Harbor: CFAA and DMCA safe harbor language for good-faith researchers
  • Note: The lack of formal monetary rewards is a weakness compared to Immunefi-style programs

Safe Harbor

Superstate is not listed on the SEAL Safe Harbor registry. This is typical for regulated RWA issuers.

Historical Track Record

  • Fund Launch: February 2024 on Ethereum (~26 months in production)
  • Contract Deployment: December 6, 2023 (block 18,725,909)
  • Contract Upgrades: Token has been upgraded through 5 versions (V1→V5_1, VERSION "5"), AllowList through 3 versions (V1→V3.1, VERSION "3.1"). Each upgrade was audited prior to deployment.
  • Smart Contract Exploits: None. No security incidents, hacks, or exploits reported.
  • Price History: NAV/Share has increased monotonically from ~$10.00 (inception) to ~$11.05 (April 2026), consistent with steady Treasury yield accrual. ATL: $10.29 (Feb 2025), ATH: ~$11.05 (current).
  • AUM Growth:
    • Feb 2024: Launch
    • Oct 2024: ~$114M (per LlamaRisk report)
    • Mar 2025: ~$300M allocated by Spark alone
    • Mar 2026: ~$650M+ total AUM, ~$572M onchain TVL (DeFiLlama)
    • Apr 2026: ~$625M onchain (56.59M USTB × $11.045 NAV, verified onchain)
  • Holder Distribution: ~70 onchain holders on Ethereum. Top 10 holders hold ~83.5% of supply. This concentration is expected for an institutional-grade permissioned fund. Top holders include EOAs (institutional investors) and smart contracts (DeFi integrations).
  • Incidents: None. No hacks, exploits, or adverse events involving Superstate or USTB.

Funds Management

Yield Sources

  1. U.S. Treasury Bills — Primary holding. At least 95% of the fund invested in short-duration (< 1 year maturity) U.S. Treasury Bills and Agency securities.
  2. Cash — Up to 5% held in cash for liquidity facilitation.

The fund uses a laddered approach with holdings spread across various near-term maturities for liquidity and interest rate management.

Accessibility

  • KYC Required: Yes — investors must be Qualified Purchasers ($5M+ in investments for individuals, $25M for institutions) AND Accredited Investors. Full KYC/AML screening required.
  • Subscriptions (Minting):
    • Onchain atomic: subscribe() function atomically transfers USDC and mints USTB at the Continuous NAV/S price. Available 24/7.
    • Offchain: USD wire transfer, processed on Market Days (NYSE/Federal Reserve open days).
    • Max subscription fee: 0.1% (10 bps), configurable per stablecoin.
  • Redemptions (Burning):
    • Onchain atomic: Via RedemptionIdle contract, burns USTB and sends USDC at Continuous NAV/S price. USDC instant redemption facility with variable capacity (currently ~$1.7M as of April 2026, verified onchain via balanceOf()). Superstate announced "$10M USDC instant redemption facility, refilled twice daily" on the Aave governance forum (Jan 2025), but docs only state: "USDC liquidity will be replenished in this contract regularly" — the actual onchain balance varies significantly.
    • Offchain: Transfer tokens to contract address or call offchainRedeem(). Proceeds in USDC or USD wire. T+0 if before 9:00 AM EST on Market Days, otherwise T+1.
    • No redemption fees for standard redemptions.
  • Geographic Restrictions: Available to qualified purchasers in the U.S. and select offshore jurisdictions (Cayman Islands, BVI, Bermuda). Not available to sanctioned countries.
  • Management Fee: 0.15% annually (waived until AUM exceeds $200M — now exceeded).

Collateralization

  • Backing Model: Offchain — USTB tokens represent shares in a fund that holds U.S. Treasury Bills and Agency securities at UMB Bank (OCC-regulated qualified custodian).
  • Collateral Quality: U.S. Treasury Bills are considered the lowest-risk financial instrument globally — backed by the full faith and credit of the U.S. government.
  • Sub-Advisor: Federated Hermes — a major institutional asset manager managing $800B+ AUM — handles daily portfolio management.
  • Bankruptcy Remoteness: The fund is a separate legal entity (series within a Delaware Statutory Trust) with inter-series liability protection, bankruptcy-remote from Superstate Inc.
  • Verification: Ernst & Young conducts annual audits. NAV Consulting / NAV Fund Services provides independent NAV calculation.

Provability

  • NAV/Price Updates: The Superstate Continuous Price Oracle (0xe4fa682f94610ccd170680cc3b045d77d9e528a8) extrapolates real-time prices using linear interpolation between NAV/S checkpoints. Updates every second, 24/7/365. Compatible with Chainlink AggregatorV3Interface. Checkpoint expiration: 5 days — if the Oracle Owner does not post a new checkpoint within 5 days, latestRoundData() reverts with StaleCheckpoint(), which causes both subscribe() and redeem() to revert, freezing all onchain USTB operations. The 5-day window covers weekends and U.S. holidays. Note: Since prices are linearly interpolated between checkpoints, the onchain price is an estimate that may diverge from the actual NAV between checkpoint updates — the price catches up only when the next checkpoint is posted by Superstate.
  • Chainlink NAV Feed: Chainlink provides an independent NAV/Share data feed (0x289B5036cd942e619E1Ee48670F98d214E745AAC).
  • Onchain Supply: Total USTB supply is verifiable onchain via totalSupply().
  • Offchain Assets: The underlying Treasury portfolio is held offchain at UMB Bank. Token holders cannot independently verify the specific Treasury holdings onchain. However:
    • Independent NAV calculation by NAV Consulting/NAV Fund Services
    • Annual audit by Ernst & Young
    • Chainlink Proof of Reserves was in development (per LlamaRisk, Oct 2024)
    • Redundant record-keeping across fund calculation agent, internal records, and onchain records
  • Reserve Transparency: USTB publishes headline NAV, AUM, and yield data publicly on superstate.com/assets/ustb. However, granular portfolio holdings (specific T-Bill CUSIPs, maturities, allocations) are only accessible through the authenticated investor portal (requires Qualified Purchaser onboarding and 2FA). The fund is structured under SEC exemptions with regulatory reporting requirements.
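To make the two oracle failure modes above concrete (price drifting between checkpoints, and the hard freeze once the newest checkpoint is older than 5 days), here is an added model of the described behaviour. It is not Superstate's oracle code: it derives the price from the line through the two most recent checkpoints, which matches the "linear interpolation between checkpoints" description and extends the same slope forward after the last one, and it raises once the 5-day expiry is exceeded. The exact boundary (strictly greater than 5 days) and the checkpoint values used are assumptions; prices use 6 decimals like the $11.045231 figure quoted above.

```python
"""Model of the Continuous Price Oracle behaviour described in the report (added example)."""
from dataclasses import dataclass
from typing import List, Optional

DAY = 86_400
CHECKPOINT_EXPIRY = 5 * DAY  # StaleCheckpoint threshold per the report (boundary assumed: > 5 days)
DECIMALS = 6                 # $11.045231 is represented as 11_045_231


class StaleCheckpoint(Exception):
    """Stands in for the oracle's StaleCheckpoint() revert."""


@dataclass(frozen=True)
class Checkpoint:
    effective_at: int  # unix seconds at which this NAV/S took effect
    price: int         # NAV/S with 6 decimals


def continuous_price(checkpoints: List[Checkpoint], now: int) -> int:
    """Price at `now` on the straight line through the two latest checkpoints.

    Between the two checkpoints this is interpolation; after the latest one the
    same slope is carried forward, so the value is an estimate until the
    Oracle Owner posts the next checkpoint. Reverts once the latest checkpoint
    has expired, which is what freezes subscribe()/redeem().
    """
    if len(checkpoints) < 2:
        raise ValueError("need at least two checkpoints")
    prev, last = checkpoints[-2], checkpoints[-1]
    age = now - last.effective_at
    if age > CHECKPOINT_EXPIRY:
        raise StaleCheckpoint(f"latest checkpoint is {age / DAY:.1f} days old")
    slope_num = last.price - prev.price
    slope_den = last.effective_at - prev.effective_at
    # Integer math, floor division: (slope_num * age) is negative before `last`.
    return last.price + slope_num * age // slope_den


def price_or_none(checkpoints: List[Checkpoint], now: int) -> Optional[int]:
    """What an integrator sees: a price, or None when the oracle would revert."""
    try:
        return continuous_price(checkpoints, now)
    except StaleCheckpoint:
        return None


def seconds_until_stale(checkpoints: List[Checkpoint], now: int) -> int:
    """Time left before the freeze; 0 once the oracle already reverts."""
    return max(0, checkpoints[-1].effective_at + CHECKPOINT_EXPIRY - now)


def divergence_bps(oracle_price: int, actual_nav: int) -> int:
    """Gap between the extrapolated onchain price and the NAV the fund reports offchain."""
    return (oracle_price - actual_nav) * 10_000 // actual_nav


# Constructed checkpoints: $11.040000 at t=0 and $11.041000 one day later.
SAMPLE_CHECKPOINTS = [Checkpoint(0, 11_040_000), Checkpoint(DAY, 11_041_000)]

if __name__ == "__main__":
    for day in (0.5, 2, 5, 6.5):
        t = int(day * DAY)
        print(f"t={day:>4} d  price={price_or_none(SAMPLE_CHECKPOINTS, t)}"
              f"  stale_in={seconds_until_stale(SAMPLE_CHECKPOINTS, t) // DAY} d")
```

With the sample checkpoints the slope is $0.001 per day: half a day in, the price is $11.0405; two days in (one day past the last checkpoint) it reads $11.042 even though no new NAV has been posted; six and a half days in, price_or_none returns None, the point at which every onchain subscription and redemption would revert.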

Liquidity Risk

  • Primary Exit: Onchain atomic redemption via RedemptionIdle contract at Continuous NAV/S price. USDC instant redemption capacity varies (~$1.7M as of April 2026, regularly refilled).
  • Secondary Exit: Offchain redemption via wire transfer or USDC. T+0 if before 9:00 AM EST on Market Days, otherwise T+1. No withdrawals during weekends/U.S. holidays.
  • DEX Liquidity: None. USTB has $0 24h trading volume on DEXs. Not listed on any exchanges. This is by design — the token is a regulated fund product, not a freely tradeable token.
  • Transfer Restrictions: All transfers require both sender and receiver to be on the AllowList. Removing an address from the AllowList effectively freezes their tokens.
  • DeFi Integrations (Liquidity Venues):
    • Spark Protocol (MakerDAO): $300M allocated to USTB as yield-generating reserve
    • Aave Horizon: USTB accepted as collateral to borrow USDC, GHO, RLUSD. ~$19.9M supplied (March 2026), 8.33x max leverage. Uses LlamaGuard NAV Oracle (risk-adjusted, built with Chainlink).
    • Morpho / Pareto / Gauntlet: USTB-adjacent via Pareto Credit Vault CV tokens as Morpho collateral; Gauntlet levered RWA strategy (~13% APY, ~$51M collateral)
    • M^0 Protocol: USTB designated as first eligible collateral for all M^0 network stablecoins (MetaMask mUSD, Noble USDN)
    • FalconX: USTB used as prime brokerage trading collateral
    • BitGo: Tri-party derivative collateral
  • Stress Scenario: In a scenario requiring large-scale redemption, liquidity depends on Superstate's ability to sell the underlying Treasury portfolio (highly liquid) and process USDC conversions via Circle. T-Bills are among the most liquid financial instruments globally, mitigating this risk.

AllowList Freeze Risk (Critical for DeFi Integrations)

If an address is removed from the AllowList, the USTB tokens held by that address are completely frozen with zero exit paths:

  1. transfer() reverts — AllowList checks sender AND receiver
  2. transferFrom() reverts — same AllowList check
  3. Onchain redemption via RedemptionIdle reverts — requires AllowList status
  4. offchainRedeem() reverts — requires AllowList status
  5. DEX swap impossible — $0 liquidity AND DEX contracts would also need AllowList permission

There is no fallback exit mechanism. The only recovery path is to contact Superstate to be re-whitelisted, or have Superstate perform an adminBurn() and process a manual offchain redemption.

Implications for Yearn: Yearn's vault/strategy contract must be whitelisted by Superstate via protocol address permissions. If Superstate removes this permission (regulatory action, policy change, sanctions, dispute, or operational error), Yearn's entire USTB position becomes frozen and unredeemable. This is a fundamentally different risk profile from permissionless DeFi tokens where DEX liquidity provides a fallback exit.

Onchain verification (April 2026): Confirmed that DeFi protocols integrating USTB (e.g., Midas RedemptionVault at 0x569d7dccbf6923350521ecbc28a555a500c4f0ec, Frax FrxUSDCustodian at 0x5fbaa3a3b489199338fbd85f7e3d444dc0504f33) are individually whitelisted on the AllowList with assigned entity IDs. Maple Finance's protocol contracts are NOT whitelisted — Maple's USTB collateral is held by borrowers in their own wallets as offchain collateral arrangements, not locked in Maple smart contracts.

Centralization & Control Risks

Governance

Governance Model: Fully centralized — Superstate Inc. controls all administrative functions. No onchain governance, no DAO, no community voting.

Key Privileged Roles (verified onchain, April 2026):

| Role | Address | Type | Powers |
|---|---|---|---|
| USTB Token Owner + USTB ProxyAdmin Owner | 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 | EOA | mint, bulkMint, adminBurn, pause/unpause, accountingPause/accountingUnpause, setOracle, setStablecoinConfig, setRedemptionContract, setChainIdSupport, setMaximumOracleDelay. Can upgrade() / upgradeAndCall() USTB token implementation via ProxyAdmin. |
| AllowList Owner + AllowList ProxyAdmin Owner | 0x7747940adbc7191f877a9b90596e0da4f8deb2fe | EOA | setEntityIdForAddress, setEntityAllowedForPublicInstrument, setEntityAllowedForPrivateInstrument, setProtocolAddressPermission. Can upgrade() AllowList implementation via ProxyAdmin. |
| RedemptionIdle Owner + RedemptionIdle ProxyAdmin Owner | 0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765 | EOA | pause/unpause, setRedemptionFee, setSweepDestination, setMaximumOracleDelay, withdraw (extract USDC). Can upgrade() RedemptionIdle implementation via ProxyAdmin. |
| Oracle Owner | 0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395 | EOA | addCheckpoint / addCheckpoints (set NAV price), setMaximumAcceptablePriceDelta. Oracle is not a proxy — cannot be upgraded. |

Critical centralization concerns:

  1. EOA-controlled administration — The system is controlled by 4 distinct EOAs, each with no multisig, no timelock, and no governance delay. The USTB Token Owner (0xad309bb6f13074128b4f23ef9ea2fe8552afca83) controls minting, burning from any address, pausing all operations, changing the oracle, and upgrading the USTB contract implementation. Separate EOAs control the AllowList, RedemptionIdle, and Oracle — splitting control across more keys reduces single-key blast radius but none have multisig protection.
  2. Admin burn capability — The owner can call adminBurn(address, uint256) to forcibly burn tokens from any holder's address. This is documented as being for "exogenous legal circumstances" (regulatory compliance).
  3. No timelock on any operation — Contract upgrades, parameter changes, and critical admin functions execute immediately with no delay period for users to react.
  4. AllowList control — Removing an address from the AllowList effectively freezes their tokens (they cannot transfer or redeem). This is a compliance feature but also a centralization vector.
  5. Oracle pricing control — The Oracle Owner (0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395) controls NAV checkpoints via addCheckpoint(). While the oracle uses programmatic linear interpolation between checkpoints, the checkpoint values themselves are set by this EOA. A malicious or compromised oracle owner could post incorrect NAV values affecting subscription/redemption pricing.

Mitigations:

  • Turnkey secure enclaves — Private key operations are performed inside hardware-enforced Trusted Execution Environments (TEEs). Keys are never exposed to Superstate or the application.
  • Two-step ownership transfer — Ownable2StepUpgradeable requires propose + accept for ownership changes, preventing accidental transfer.
  • renounceOwnership disabled — Cannot accidentally or maliciously renounce ownership.
  • Regulatory accountability — Superstate Inc. is a U.S. corporation operating under SEC exemptions, with registered transfer agent status. Malicious admin actions would have direct legal consequences.
  • Institutional-grade service providers — UMB Bank (custodian), Ernst & Young (auditor), and Federated Hermes (sub-advisor) provide independent oversight of the underlying fund.

Programmability

  • NAV/Price: The Continuous Price Oracle computes real-time NAV/S onchain using linear extrapolation between NAV checkpoints set by Superstate. Chainlink provides an independent feed. NAV checkpoints are set by the admin, but the extrapolation is programmatic.
  • Subscriptions: Atomic onchain subscription at oracle price is programmatic (anyone allowlisted can call subscribe()).
  • Redemptions: Atomic onchain redemption is programmatic (via RedemptionIdle contract).
  • Transfers: Programmatic AllowList enforcement on every transfer (onchain check).
  • Minting/Burning: Admin-only. Minting reflects offchain subscriptions. Admin burning is for regulatory compliance.
  • Accounting: Dual pause mechanism (transfers vs. mint/burn) is admin-controlled.

External Dependencies

  1. U.S. Treasury Market (Critical) — Fund holds U.S. Treasury Bills and Agency securities. An unprecedented U.S. government default would directly impact the fund. Extremely low probability.
  2. UMB Bank (Critical) — Qualified custodian for the underlying assets. UMB is an OCC-regulated national bank.
  3. Federated Hermes (Critical) — Sub-advisor handling daily portfolio management. Major institutional asset manager with $800B+ AUM.
  4. Circle (High) — USDC subscriptions and redemptions route through Circle. A USDC depeg would not affect USTB NAV (backed by Treasuries) but would affect the USDC redemption path.
  5. Chainlink (Medium) — NAV/Share oracle feed. Superstate also runs their own Continuous Price Oracle as primary source.
  6. Turnkey (Medium) — Non-custodial key management via secure enclaves. Failure could delay admin operations.
  7. Ernst & Young (Low) — Annual audit of the fund. Provides independent verification.
  8. NAV Consulting (Low) — Independent NAV calculation agent.

Operational Risk

  • Team: Robert Leshner (Co-Founder & CEO, previously co-founded Compound Finance, CFA, UPenn Economics), Reid Cuming (Co-Founder & COO, ex-Square, Stripe, Chime), Jim Hiltner (Co-Founder & Head of BD, ex-Compound Sales), Dean Swennumson (Co-Founder & Head of Ops, ex-Compound Operations). Team also includes alumni from Goldman Sachs, Coinbase, SEC, Frax Finance. ~23 employees.
  • Funding: ~$100.5M raised across 3 rounds:
    • Seed: $4M (June 2023) — ParaFi, Cumberland, 1kx
    • Series A: $14M (November 2023) — Distributed Global, CoinFund, Breyer Capital, Galaxy, Hack VC
    • Series B: $82.5M (January 2026) — Bain Capital Crypto, Distributed Global, Brevan Howard Digital, Galaxy Digital, Haun Ventures
  • Documentation: Comprehensive docs at docs.superstate.com covering fund mechanics, legal structure, smart contracts, security. Actively maintained.
  • Legal Structure:
    • Superstate Inc. (Delaware corporation) — parent company and investment adviser
    • Superstate Asset Trust (Delaware Statutory Trust, organized June 15, 2023) — bankruptcy-remote fund entity
    • Superstate Advisers LLC — Exempt Reporting Adviser (SEC)
    • Superstate Services LLC — SEC-registered transfer agent (March 2025)
    • Fund operates under Section 3(c)(7) of the Investment Company Act; offered pursuant to Rule 506(c) of Regulation D
    • Restricted to Qualified Purchasers and Accredited Investors
  • Incident Response: Turnkey secure enclaves for key management. Admin can pause transfers and/or accounting independently. Can force-burn and re-mint to new addresses for compromised investor wallets. No publicly documented formal incident response playbook.
  • License: BUSL 1.1 (Business Source License)
  • Industry Participation: Superstate Industry Council (50+ institutional members). Active engagement with SEC Crypto Task Force (formal submission June 2025).

Monitoring

Key Contracts to Monitor

| Contract | Address | Purpose | Key Events/Functions |
|---|---|---|---|
| USTB Token | 0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e | Token state | Mint, AdminBurn, OffchainRedeem, Bridge, SubscribeV2, Paused/Unpaused, AccountingPaused/AccountingUnpaused, SetOracle, SetRedemptionContract, SetStablecoinConfig, SetMaximumOracleDelay, OwnershipTransferStarted, totalSupply() |
| Continuous Price Oracle | 0xe4fa682f94610ccd170680cc3b045d77d9e528a8 | NAV pricing (not a proxy) | NewCheckpoint, SetMaximumAcceptablePriceDelta, OwnershipTransferStarted, latestRoundData() |
| AllowList V3.1 | 0x02f1fa8b196d21c7b733eb2700b825611d8a38e5 | Permission changes | EntityIdSet, ProtocolAddressPermissionSet, PublicInstrumentPermissionSet, PrivateInstrumentPermissionSet, OwnershipTransferStarted |
| RedemptionIdle | 0x4c21b7577c8fe8b0b0669165ee7c8f67fa1454cf | Redemption liquidity | RedeemV2, Withdraw, SetRedemptionFee, SetSweepDestination, Paused/Unpaused, OwnershipTransferStarted, USDC balanceOf() |
| USTB ProxyAdmin | 0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146 | USTB proxy upgrades | Upgraded event on USTB proxy, OwnershipTransferred |
| AllowList ProxyAdmin | 0xb819692a58db9dd4d3b403a875439b6ca155c610 | AllowList proxy upgrades | Upgraded event on AllowList proxy, OwnershipTransferred |
| RedemptionIdle ProxyAdmin | 0xcaba8c12873fffed13431d98bf6b836dff08e869 | RedemptionIdle proxy upgrades | Upgraded event on RedemptionIdle proxy, OwnershipTransferred |

Admin EOAs to Monitor

| EOA | Role | Key Actions |
|---|---|---|
| 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 | USTB Token + ProxyAdmin Owner | Mint, adminBurn, pause, upgrade USTB impl, set oracle/redemption/stablecoin config |
| 0x7747940adbc7191f877a9b90596e0da4f8deb2fe | AllowList + ProxyAdmin Owner | Add/remove addresses, set permissions, upgrade AllowList impl |
| 0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765 | RedemptionIdle + ProxyAdmin Owner | Pause redemptions, withdraw USDC, set fees, upgrade RedemptionIdle impl |
| 0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395 | Oracle Owner | Set NAV checkpoints (pricing), set price delta |

Critical Monitoring Points

  • NAV/Share: Track Continuous Price Oracle (latestRoundData()) and Chainlink feed — should increase monotonically. Alert on any decrease (would indicate fund losses). Current: ~$11.045. Staleness check: read checkpoints(latestRoundData().roundId).effectiveAt, compute block.timestamp - effectiveAt; alert if > 4 days (345600s) — oracle reverts StaleCheckpoint() at 5 days (432000s), freezing subscribe/redeem.
  • Admin Burns: Monitor AdminBurn events — forced burns from holder addresses are a critical event.
  • Pause Events: Monitor Paused/Unpaused and AccountingPaused/AccountingUnpaused on USTB Token AND RedemptionIdle.
  • Contract Upgrades: Monitor all 3 ProxyAdmins for Upgraded events — USTB ProxyAdmin (0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146), AllowList ProxyAdmin (0xb819692a58db9dd4d3b403a875439b6ca155c610), and RedemptionIdle ProxyAdmin (0xcaba8c12873fffed13431d98bf6b836dff08e869). Any proxy upgrade executes immediately with no timelock.
  • Oracle Changes: Monitor SetOracle events on USTB Token and NewCheckpoint events on the Oracle. Monitor SetMaximumAcceptablePriceDelta on Oracle (current: $1.00).
  • AllowList Changes: Monitor ProtocolAddressPermissionSet and EntityIdSet events, especially protocol address permissions (DeFi integrations).
  • Redemption Capacity: Monitor USDC balanceOf() on RedemptionIdle — current ~$1.7M. Also monitor Withdraw events (owner can extract USDC) and SetRedemptionFee (currently 0).
  • Ownership Transfers: Monitor OwnershipTransferStarted on all 4 contracts (USTB, AllowList, RedemptionIdle, Oracle) and OwnershipTransferred on all 3 ProxyAdmins.
  • Large Supply Changes: Alert on mints/burns >5% of total supply in 24h. Current supply: ~56.59M USTB.
  • Recommended Frequency: Hourly for NAV/pause/admin events. Daily for AllowList and redemption capacity.
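The monitoring points above translate into a small rule set. The block below is an added example, not Superstate's or any vendor's code: it assumes events have already been fetched and decoded (for example from eth_getLogs against the contracts in the tables above) into plain records, and takes one state snapshot (oracle answers, checkpoint age, totalSupply(), USDC balanceOf() on RedemptionIdle). The sample events and snapshot are constructed. The 4-day staleness warning, the >5%-of-supply-in-24h rule and the event severities follow the list above; the $500k USDC floor is an assumed threshold.

```python
"""Alert rules for the USTB critical monitoring points (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DAY = 86_400
STALE_ALERT = 4 * DAY            # warn a day before the 5-day StaleCheckpoint revert
SUPPLY_MOVE_BPS = 500            # >5% of supply minted/burned within 24h
USDC_FLOOR = 500_000 * 10**6     # assumed threshold; USDC has 6 decimals

# (contract label, event name) -> severity, from the "Critical Monitoring Points" list.
# Labels: USTB, ALLOWLIST, REDEMPTION, ORACLE for the proxies/oracle, *_PA for ProxyAdmins.
EVENT_SEVERITY: Dict[Tuple[str, str], str] = {
    ("USTB", "Upgraded"): "critical", ("ALLOWLIST", "Upgraded"): "critical",
    ("REDEMPTION", "Upgraded"): "critical",
    ("USTB", "AdminBurn"): "critical", ("USTB", "SetOracle"): "critical",
    ("USTB", "Paused"): "high", ("USTB", "AccountingPaused"): "high",
    ("REDEMPTION", "Paused"): "high", ("REDEMPTION", "Withdraw"): "high",
    ("REDEMPTION", "SetRedemptionFee"): "medium",
    ("ORACLE", "SetMaximumAcceptablePriceDelta"): "medium",
    ("ALLOWLIST", "ProtocolAddressPermissionSet"): "high",
    ("ALLOWLIST", "EntityIdSet"): "medium",
}
for _c in ("USTB", "ALLOWLIST", "REDEMPTION", "ORACLE"):
    EVENT_SEVERITY[(_c, "OwnershipTransferStarted")] = "high"
for _c in ("USTB_PA", "ALLOWLIST_PA", "REDEMPTION_PA"):
    EVENT_SEVERITY[(_c, "OwnershipTransferred")] = "high"


@dataclass
class Event:
    contract: str          # label as above
    name: str              # decoded event name
    timestamp: int         # block timestamp
    args: Dict[str, int]   # decoded arguments (amounts in 6 decimals)


@dataclass
class Snapshot:
    now: int
    nav_prev: int                # previous oracle answer, 6 decimals
    nav_now: int                 # current latestRoundData() answer
    checkpoint_effective_at: int # effectiveAt of the latest checkpoint
    total_supply: int            # USTB totalSupply(), 6 decimals
    usdc_in_redemption: int      # USDC balanceOf(RedemptionIdle), 6 decimals


def evaluate(snap: Snapshot, events: List[Event]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []

    def alert(rule: str, severity: str, detail: str) -> None:
        alerts.append({"rule": rule, "severity": severity, "detail": detail})

    # 1. Discrete admin events, scored by the table above.
    for ev in events:
        sev = EVENT_SEVERITY.get((ev.contract, ev.name))
        if sev:
            alert(f"event:{ev.contract}.{ev.name}", sev, str(ev.args))

    # 2. NAV/Share should only ever increase.
    if snap.nav_now < snap.nav_prev:
        alert("nav_decrease", "critical", f"{snap.nav_prev} -> {snap.nav_now}")

    # 3. Checkpoint age: the oracle reverts at 5 days, freezing subscribe/redeem.
    age = snap.now - snap.checkpoint_effective_at
    if age > STALE_ALERT:
        alert("checkpoint_stale", "high", f"checkpoint is {age / DAY:.1f} days old")

    # 4. Supply moved by Mint/AdminBurn in the trailing 24h, in basis points of supply.
    moved = sum(ev.args.get("amount", 0) for ev in events
                if ev.contract == "USTB" and ev.name in ("Mint", "AdminBurn")
                and 0 <= snap.now - ev.timestamp <= DAY)
    if snap.total_supply and moved * 10_000 // snap.total_supply > SUPPLY_MOVE_BPS:
        alert("supply_move", "high", f"{moved / 10**6:,.0f} USTB minted/burned in 24h")

    # 5. Instant-redemption capacity.
    if snap.usdc_in_redemption < USDC_FLOOR:
        alert("redemption_capacity", "medium", f"{snap.usdc_in_redemption / 10**6:,.0f} USDC")
    return alerts


# Constructed sample: a bad hour with several of the rules firing at once.
NOW = 1_775_000_000
SAMPLE_SNAPSHOT = Snapshot(now=NOW, nav_prev=11_045_231, nav_now=11_045_200,
                           checkpoint_effective_at=NOW - int(4.5 * DAY),
                           total_supply=56_590_000 * 10**6,
                           usdc_in_redemption=1_700_000 * 10**6)
SAMPLE_EVENTS = [
    Event("USTB", "Mint", NOW - 3_600, {"amount": 500_000 * 10**6}),
    Event("USTB", "AdminBurn", NOW - 7_200, {"amount": 3_000_000 * 10**6}),
    Event("REDEMPTION", "Withdraw", NOW - 600, {"amount": 1_000_000 * 10**6}),
    Event("USTB", "Upgraded", NOW - 300, {}),
    Event("USTB", "Transfer", NOW - 60, {"amount": 10 * 10**6}),  # routine, no rule
]


def sample_alerts() -> List[Dict[str, str]]:
    return evaluate(SAMPLE_SNAPSHOT, SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"[{a['severity']:8}] {a['rule']}: {a['detail']}")
```

On the sample, the routine Transfer and the Mint on its own raise nothing; the Mint plus AdminBurn together move 3.5M of 56.59M USTB (about 618 bps) and trip the supply rule, while the AdminBurn and the Upgraded event are critical in their own right. The rules are deliberately stateless so they can be run hourly for NAV/pause/admin events and daily for AllowList and redemption capacity, as recommended above.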

Reassessment Triggers

  • Time-based: Reassess in 6 months (October 2026) — longer interval given the stability of the underlying asset and regulatory framework
  • TVL-based: Reassess if AUM changes by more than 50%
  • Incident-based: Reassess after any exploit, admin key compromise, contract upgrade, governance change, or regulatory action
  • Governance-based: Reassess if Superstate adopts multisig, timelock, or other governance improvements (potential score improvement)
  • Regulatory-based: Reassess if SEC takes enforcement action or Superstate's regulatory status changes (transfer agent, ERA)

Appendix A — Audit Reports

0xMacro Audits

| # | Date | Scope | Link |
|---|---|---|---|
| A-1 | Jul 2024 | Redemption contract | Report |
| A-2 | Jul 2024 | USTB/USCC Token + AllowList | Report |
| A-3 | Nov 2024 | Liquidation, Oracle, Token V2 | Report |
| A-4 | Nov 2024 | Token + Redemption V2 | Report |
| A-5 | Jan 2025 | Token V3 + Redemption | Report |
| A-6 | Apr 2025 | Token + Redemption updates | Report |
| A-7 | May 2025 | Solana Allowlist Program | Report |
| A-8 | May 2025 | Equity Token | Report |
| A-9 | Jul 2025 | AllowlistV3 (EVM) | Report |

Other Audits

| Firm | Date | Scope | Link |
|---|---|---|---|
| ChainSecurity | 2023 | Compound SUPTB (original token) | Report |
| Offside Labs | May 2025 | Solana Allowlist | Superstate Docs |
| Certora | -- | Formal Verification | Superstate Docs |

Appendix B — Contract Architecture

Verified onchain April 7, 2026. All owners are EOAs (code size 0). No multisig, no timelock on any contract.

GOVERNANCE LAYER (4 EOAs — all code size 0, no multisig)
═══════════════════════════════════════════════════════════

  [EOA-1] USTB Token owner + USTB ProxyAdmin owner
  [EOA-2] AllowList owner + AllowList ProxyAdmin owner
  [EOA-3] RedemptionIdle owner + RedemptionIdle ProxyAdmin owner
  [EOA-4] Oracle owner (addCheckpoint, setMaxAcceptablePriceDelta)
          │               │                │               │
          ▼               ▼                ▼               │
PROXY ADMIN LAYER                                          │
═════════════════                                          │
                                                           │
  [PA-1] upgrade(USTB)       ← owned by [EOA-1]           │
  [PA-2] upgrade(AllowList)  ← owned by [EOA-2]           │
  [PA-3] upgrade(Redemption) ← owned by [EOA-3]           │
          │               │                │               │
          ▼               ▼                ▼               │
TOKEN LAYER                                                │
═══════════                                                │
                                                           │
  [USTB] USTB Token (Proxy)                                │
  impl: SuperstateTokenV5_1 (VERSION "5")                  │
                                                           │
  Admin (owner [EOA-1] only):                              │
  ├── mint() / bulkMint()  ← no backing check onchain    │
  ├── adminBurn(address, amount)                           │
  ├── pause() / unpause()                                  │
  ├── accountingPause() / accountingUnpause()              │
  ├── setOracle(newOracle)                                 │
  ├── setRedemptionContract(newContract)                   │
  ├── setStablecoinConfig(stablecoin, dest, fee)           │
  ├── setChainIdSupport(chainId, supported)                │
  └── setMaximumOracleDelay(delay)                         │
                                                           │
  User functions (AllowList-gated):                        │
  ├── subscribe(to, amount, stablecoin)                    │
  ├── offchainRedeem(amount)                               │
  ├── bridge(amount, dest, chainId)                        │
  └── transfer / transferFrom                              │
          │               │                │               │
     reads│          reads│           reads│               │
          ▼               ▼                ▼               ▼
PROTOCOL LAYER
══════════════

  [AL] AllowList V3.1 (Proxy)    [ORC] SuperstateOracle      [RI] RedemptionIdle (Proxy)
  owner: [EOA-2]                  (NOT a proxy)                owner: [EOA-3]
                                  owner: [EOA-4]
  Admin:                                                       Admin:
  ├ setEntityIdForAddress()       Admin:                       ├ pause/unpause()
  ├ setEntityAllowedFor           ├ addCheckpoint()            ├ setRedemptionFee()
  │ PublicInstrument()            ├ addCheckpoints()           ├ setSweepDestination()
  ├ setEntityAllowedFor           ├ setMaxAcceptable           ├ setMaximumOracleDelay()
  │ PrivateInstrument()           │ PriceDelta()               ├ withdraw()
  ├ setProtocolAddress            └ transferOwnership()        └ transferOwnership()
  │ Permission()
  └ transferOwnership()           Exposes:                     User:
                                  latestRoundData()            └ redeem(amount)
  Gating:                         (Chainlink-compat)
  isAddressAllowedForFund()                                    USDC bal: ~$1.7M
  hasAnyProtocolPermissions()     NAV: $11.045/share           Oracle delay: 1h
                                  Expiry: 5 days               Fee: 0

EXTERNAL / UNDERLYING LAYER
════════════════════════════

  [USDC] USDC                 [CL] Chainlink NAV Feed       Offchain
  Used for subscribe/redeem   Independent NAV source         ├── UMB Bank (custodian)
                                                             ├── Federated Hermes (sub-adv)
  [SWEEP] Sweep destination                                  ├── Ernst & Young (auditor)
  (subscription + redemption USDC)                           ├── NAV Consulting (NAV agent)
                                                             └── U.S. Treasury Bills (~95%)

Address Legend:

| Label | Address |
|---|---|
| [EOA-1] | 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 |
| [EOA-2] | 0x7747940adbc7191f877a9b90596e0da4f8deb2fe |
| [EOA-3] | 0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765 |
| [EOA-4] | 0x4B1df64357a5D484563c9b7c16a80eD8B8fB1395 |
| [PA-1] USTB ProxyAdmin | 0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146 |
| [PA-2] AllowList ProxyAdmin | 0xb819692a58db9dd4d3b403a875439b6ca155c610 |
| [PA-3] RedemptionIdle ProxyAdmin | 0xcaba8c12873fffed13431d98bf6b836dff08e869 |
| [USTB] USTB Token (Proxy) | 0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e |
| [AL] AllowList V3.1 (Proxy) | 0x02f1fa8b196d21c7b733eb2700b825611d8a38e5 |
| [ORC] SuperstateOracle | 0xe4fa682f94610ccd170680cc3b045d77d9e528a8 |
| [RI] RedemptionIdle (Proxy) | 0x4c21b7577c8fe8b0b0669165ee7c8f67fa1454cf |
| [CL] Chainlink NAV Feed | 0x289B5036cd942e619E1Ee48670F98d214E745AAC |
| [USDC] USDC | 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 |
| [SWEEP] Sweep Destination (EOA) | 0x774AE279c21B6a17a6E2BD5ab5398FF98F398807 |

Proxy Upgrade Paths

Each proxy can be upgraded immediately (no timelock) by its ProxyAdmin owner:

| Proxy | ProxyAdmin | Owner (EOA) | Functions |
|---|---|---|---|
| USTB Token (0x43415eB6ff9DB7E26A15b704e7A3eDCe97d31C4e) | 0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146 | 0xad309bb6f13074128b4f23ef9ea2fe8552afca83 | upgrade(), upgradeAndCall(), changeProxyAdmin() |
| AllowList (0x02f1fa8b196d21c7b733eb2700b825611d8a38e5) | 0xb819692a58db9dd4d3b403a875439b6ca155c610 | 0x7747940adbc7191f877a9b90596e0da4f8deb2fe | upgrade(), upgradeAndCall(), changeProxyAdmin() |
| RedemptionIdle (0x4c21b7577c8fe8b0b0669165ee7c8f67fa1454cf) | 0xcaba8c12873fffed13431d98bf6b836dff08e869 | 0x8cf40e96e7d7fd8A7A9bEf70d3882fbBC4D40765 | upgrade(), upgradeAndCall(), changeProxyAdmin() |

The Oracle (0xe4fa682f94610ccd170680cc3b045d77d9e528a8) is not a proxy and cannot be upgraded. However, the USTB Token owner can replace it entirely via setOracle(newAddress).
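The "code size 0" check in Appendix B and the upgrade-path table above can be reproduced with a short audit script. The one below is an added example, not part of the report or of Superstate's code: it walks proxy → ProxyAdmin → owner using EIP-1967 storage slots and plain JSON-RPC-style calls, and runs here against a constructed offline stand-in for the node that mirrors the report's USTB and Oracle addresses (the implementation address is a placeholder). Swap `fake_rpc` for a real JSON-RPC client to run it against mainnet.

```python
from typing import Callable, Dict

# EIP-1967 slots and the owner() selector are standard constants, not page-specific.
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
OWNER_SEL = "0x8da5cb5b"  # keccak("owner()")[:4]

Rpc = Callable[[str, list], str]  # (method, params) -> hex result, like a JSON-RPC client

def word_to_addr(word: str) -> str:
    """Take the low 20 bytes of a 32-byte hex word as a lowercase address."""
    return "0x" + word[2:].rjust(64, "0")[-40:].lower()

def audit_upgrade_path(rpc: Rpc, proxy: str) -> Dict[str, object]:
    """Walk proxy -> ProxyAdmin -> owner and report whether a bare key can upgrade."""
    impl = word_to_addr(rpc("eth_getStorageAt", [proxy, IMPL_SLOT, "latest"]))
    if int(impl, 16) == 0:  # implementation slot unset: not an EIP-1967 proxy
        return {"proxy": proxy, "is_proxy": False}
    admin = word_to_addr(rpc("eth_getStorageAt", [proxy, ADMIN_SLOT, "latest"]))
    owner = word_to_addr(rpc("eth_call", [{"to": admin, "data": OWNER_SEL}, "latest"]))
    code = rpc("eth_getCode", [owner, "latest"])
    owner_is_eoa = code in ("0x", "")  # a Safe or timelock would have bytecode here
    return {"proxy": proxy, "is_proxy": True, "impl": impl, "admin": admin,
            "owner": owner, "owner_is_eoa": owner_is_eoa,
            "finding": "single EOA key can upgrade with no delay" if owner_is_eoa
                       else "owner is a contract; inspect it for multisig/timelock"}

# Constructed offline state mirroring the report's USTB path and the non-proxy Oracle.
USTB = "0x43415eb6ff9db7e26a15b704e7a3edce97d31c4e"
PA_1 = "0xb9d285dcad879513dc9c1a3b2e0cccb21c3c2146"
EOA_1 = "0xad309bb6f13074128b4f23ef9ea2fe8552afca83"
ORACLE = "0xe4fa682f94610ccd170680cc3b045d77d9e528a8"
FAKE_IMPL = "0x" + "11" * 20  # placeholder implementation address (constructed)

def as_word(addr: str) -> str:
    """Left-pad an address to a 32-byte storage/return word."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def fake_rpc(method: str, params: list) -> str:
    """Stand-in for a JSON-RPC node; answers only the calls the audit makes."""
    if method == "eth_getStorageAt":
        state = {(USTB, IMPL_SLOT): FAKE_IMPL, (USTB, ADMIN_SLOT): PA_1}
        return as_word(state.get((params[0].lower(), params[1]), "0x0"))
    if method == "eth_call" and params[0]["to"] == PA_1:
        return as_word(EOA_1)  # ProxyAdmin.owner()
    if method == "eth_getCode":
        return "0x" if params[0].lower() == EOA_1 else "0x6080"  # EOA has no code
    raise ValueError(f"unexpected call {method}")

if __name__ == "__main__":
    for target in (USTB, ORACLE):
        print(audit_upgrade_path(fake_rpc, target))
```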