Blend v3 Proposal -- Zenith #57
Replies: 2 comments 4 replies
-
|
Thanks to @NotIshanSingh for putting a detailed proposal on the table. We agree on more than the framing might suggest, so we want to be precise about where we align and where we think the proposal preserves the two things that have most clearly failed Blend to date. In short: the proposal keeps an under-capitalized, wrong-way backstop, keeps a deposit base that is overwhelmingly XLM and stablecoins, and defers the actual RWA work to "around Blend" without naming who builds it, who funds it, or who is accountable for keeping it secure. We'll take it section by section. Where we agreeWe want to state this up front, because what follows is a disagreement on architecture:
We'd note one thing about this list, though: none of these improvements depends on retaining the backstop, the token, or the current pool composition. They are risk hygiene. They are necessary, but they are not a v3 thesis, and they should not be presented as a reason to leave the harder questions untouched. Where we disagree1. Backstop philosophyThis is where we most firmly disagree The proposal's central claim is that the backstop should be preserved largely as-is, that "ditching the backstop is effectively ditching the BLND token," and that the backstop "worked." We can't let the last point stand, because it is testable, and the test already ran. The empirical record (YieldBlox, Feb 2026). The USTRY oracle manipulation opened a hole of roughly $9–11M in the pool. The backstop, worth approximately $2M at the time, was auctioned off first and it covered under a quarter of the shortfall. The residual bad debt was then socialized across all suppliers: the bXLM exchange rate fell from 1.0 to roughly 0.45, marking XLM suppliers down by about 55%, with USDC suppliers taking a further haircut. Depositors were ultimately made whole only because the Stellar Foundation voluntarily compensated them off-protocol. That is not the backstop working as intended. That is the team backstopping the backstop. Any honest post-mortem has to start there. The structural reason it failed, and will fail again. The backstop LP is 80% BLND / 20% USDC. BLND is correlated to exactly the downside the backstop is meant to insure. When a pool takes losses or the market is under stress, BLND falls, so the dollar value of first-loss capital evaporates at the precise moment claims against it spike. This is textbook wrong-way risk. The whitepaper's "backstop size correlates to TVL" mechanism does not address it; correlating size to TVL in calm markets says nothing about denomination risk in a crisis, and the crisis is the only time the backstop matters. "Ditching the backstop is ditching the token": addressed on its own terms. Blend is ungoverned; BLND carries no voting power. Per Blend's own documentation, the token's sole utility is the backstop. So the argument reduces to: we must preserve a mechanism because removing it would strip the token of its only function. That is circular. The token is not the thing being protected here; lender solvency is. If the mechanism underperforms at its one job, "preserving the token's identity" preserves a fig leaf, not a safety net. The market has already priced this. BLND's fully-diluted valuation is roughly $3M (CoinGecko, current). Against a protocol TVL in the ~$140M range, that is a TVL/FDV ratio north of 40×. Comparable lending-protocol tokens sit in the single digits to low teens: Aave ~11×, Compound ~10×, Kamino ~6×, Morpho ~4×. Blend is a 4–10× outlier on the exact metric that asks "does the token credibly capitalize the risk it secures?" You cannot insure $140M of deposits with a $3M token, and the market is telling you it doesn't believe you can either. Leaving the token unchanged does not lead to sustainable growth; serious reform here is the minimum bar, not an optional Phase 3. Institutions cannot hold the token, and their risk teams will not approve it. Set aside whether the backstop is large enough, participating in it at all requires holding an 80/20 BLND:USDC LP, i.e. a mandated long position in a sub-$3M-FDV token that trades a few thousand dollars a day. For an institutional risk or treasury desk that is a non-starter, and not as a matter of taste. A token this illiquid fails standard eligible-asset, market-cap, and liquidity screens; it cannot be hedged (no liquid spot market, no derivatives) or exited at size; and it lands as a hard-to-mark, Level-3-style line that auditors will impair heavily. The proposal wants Blend to be institution-friendly and RWA-friendly while keeping a first-loss mechanism that obligates every backstopper to underwrite the protocol's own micro-cap token risk. Those two goals are mutually exclusive. An allocator that comes to lend stablecoins or tokenized treasuries will not, and under most mandates cannot, accept BLND exposure as the price of providing insurance. The institutions this proposal is courting are therefore structurally excluded from the very mechanism it insists on preserving. The "configurable take rate so pool operators can skim it" idea makes this worse. Letting operators divert a cut of the backstop take rate thins the first-loss buffer that already proved insufficient, and routes that value to the operator rather than to the lenders bearing the risk. That is the opposite of the direction the evidence points. 2. RWA "around Blend, not inside it"Blend today is, by deposit value, >99.9% XLM, USDC, and EURC. That single fact is the strongest argument against the proposal's RWA stance, because "keep RWA-specific logic around Blend rather than inside it" is not a plan to change that number, but rather a description of the status quo dressed as a roadmap. It guarantees Blend remains a venue for borrowing stablecoins against XLM. Two further problems:
The future of Stellar, and of Blend, is RWA-centric. A v3 that explicitly keeps RWA out of the core is choosing the wrong future. 3. "Uniswap of lending"Uniswap earns that label through thousands of permissionless, long-tail markets and deep composability. Blend serves three assets. A primitive whose entire live book is XLM/USDC/EURC is not the Uniswap of lending; it is a XLM-stablecoin money market. The slogan is aspirational, and the proposal's own "keep everything else outside the core" posture is what ensures the long tail never actually arrives on Blend. You don't get to claim the Uniswap analogy and simultaneously architect against the breadth that makes it true. 4. Fixed rate via "config magic," fixed duration as "OTC on top"
5. Hook systemComposability is a real goal and we're not against it in principle. But a general pre-/post-action hook surface across borrow, withdraw, liquidation, interest, onboarding, and compliance is a large new attack surface, and the proposal concedes as much, noting a bad hook system "could introduce more risk than value." Proposing to widen the protocol's attack surface months after a live, oracle-driven $10M loss inverts the risk priorities the moment demands. Hooks also do not solve the backstop problem or the RWA-onboarding problem; they relocate both into third-party code with no committed audit owner. New attack surface, same unsolved problems. 6. Oracle configuration and borrow capsWe agree, with one observation: these are a direct admission that the current design was unsafe. Per-reserve staleness, market-depth awareness, and borrow caps are exactly the controls that would have blunted YieldBlox. We welcome them, and we note that endorsing them while defending the rest of the status quo as "working" is internally inconsistent. They are table stakes, not a vision. 7. Forced withdrawals / permissioned assetsFor a proposal positioning itself to steward v3 and serve institutions, leaving clawback and SEP-57 handling as a list of open questions is the tell. This is the hard part of the RWA mandate — how the protocol safely supports forced-transfer assets without importing centralization into the core — and it is precisely the part left unspecified. Templar's v3 work takes concrete positions here. 8. Stewardship, incentives, and capacityWe'll be direct but fair about this, because it underlies everything above. Capacity. Zenith's public GitHub organization lists a single member, and this proposal is authored by a separate account that does not appear in that membership. Whatever the exact headcount, this is a very small team proposing to simultaneously: (a) own the ongoing security of a protocol that just absorbed a ~$10M oracle exploit, (b) design and audit a new general hook system, (c) onboard and white-glove RWA issuers and LPs, and (d) maintain the core indefinitely. In an environment where exploitation is increasingly AI-assisted, continuous, and adversarial, protocol security is a full-time function, not a part-time one. That scope is not credibly deliverable at this size, and security is the one area where optimism about bandwidth is most expensive. Incentive alignment. The proposal explicitly routes value capture to "apps, curators, integrations, and services built around Blend" while opposing any protocol-level mechanism to fund the core ("avoid protocol-level taxes"). That is a structural misalignment. If all the upside is designed to accrue to the wrappers (the layer the proposer would operate) then who is paid to keep the core secure, and who is paid to do the unglamorous, high-touch RWA onboarding the proposal also defers to that same periphery? A steward that opposes funding the core is, in effect, declining to fund the core. We'd ask plainly: what is the standing incentive for ongoing, sustainable maintenance, and for white-glove RWA issuer service, under this design? One factual note, offered without malice. The proposal cites Orbit as evidence of build capability "from scratch." Orbit's public UI is a fork of Where this leaves usWe share the goal of a minimal, reliable, composable primitive, and we support borrow caps, per-reserve oracle configuration, and timelocked oracle updates without reservation. Our opposition is to the two choices at the center of this proposal:
|
Beta Was this translation helpful? Give feedback.
-
Backstop philosophy“The backstop failed because it didn’t cover an oracle rug on a pool someone else ran” YieldBlox wasn’t the protocol backstop failing in its intended role, it was a pool operator using a spot-price VWAP oracle on thing SDEX liquidity for USTRY. The backstop LP did exactly what it’s supposed to do. Sure, that only covered a fraction of the hole but you can’t insurance against an infinite leverage on manipulated inputs with finite capital unless you’re running a Ponzi. BLND should correlate to the protocol health since it’s pretty much aligned to skin in the game. I like to relate BLND to HYPE since they act in a similar fashion in one category, in this sense being the ability to make custom “markets”. On Hyperliquid you need HYPE to make HIP-3 markets and BLND to make Blend markets. So when things are calm, backstop grows with the rest of the protocol. In crisis, yeah value drops but that’s why proper configs exist. Every first-loss mechanism has correlation risk, the alternative is just history imo For institutions, fair point on liquidity and pricing. But that is just until you remember this is post-incident and it also being an early stellar dapp. You are comparing apples to oranges, many have inflated tokens from governance theaters or emissions farming. Low FDV could also just mean more room to grow Institutions are probably going to go down an OTC lending scenario imo, like they would want more control so a curator vault or OTC lending vault would be more ideal for them. Where then you can abstract it away. You will likely see someone adding the RWA to their own pool like what is being done with etherfuse. Allowing pool operators to attract better backstop capital by sharing upside isn’t skimming. It marginally would thin the buffer, instead it would probably incentivize quality over zombie pools. Maybe the yieldblox pool could have that cut be controlled by their DAO which then gives them more capital, which would incentive more people to hold their token / get involved. RWA “around Blend, not inside it”99.9% XLM/USDC/EURC deposits is the strongest argument for keeping RWA logic modular. I know that right now its hard to integrate RWA tokens into blend and I said I would want to figure out how to make it work for the core protocol. I am not saying keep RWA out of core. But things like permissioned pools / curated could be built on top right now. This is still early in comparison to other DeFi protocols, and also if you just look at the assets on Stellar 99% is just those tokens. The biggest non-rwa related / wrapped token is AQUA, there isn’t an array of coins that people are trading like on Solana so there really isn’t much to do there. That liquidity for xlm/usdc/eurc all exist today so it just makes sense that would exist. RWAs issuers won’t just magically appear because you make blend into this protocol filled with every compliance, tenor, or legal wrapper into the core protocol. They come from issuers who need configurable rails, for example when I talked with the Arf team in Rio they said bluntly is if they can get good rates for loans they would borrow where the liquidity presents itself. My point of keeping it around blend isn’t supposed to be like status quo cope, its to keep the core simple and permissionless. My idea with hooks + external curators/issuers handles the kyc flows, oracle feeds for illiquid paper, or like jurisdiction-specific compliance. That creates the composability needed instead of one big blob trying to do everything. Fair critique on execution risk, but pretending the alternative with force RWA into the immutable core magically solves onboarding is fantasy. White-glove RWA is hard precisely because of the off-chain realities you listed. I am going to make another discussion post of the OTC lending protocol I want to build on top of Blend that solves most of these issues. Uniswap of lendingCalling Blend “the Uniswap of lending” is about it being permissionless, isolated pool creation with efficient backstopping. Uniswap through hooks was able to build so many cool applications layers on top, for example I really like panoptic which makes a very cool way of building options on top of the Uniswap LP. Today it’s XLM/USDC/EURC, that’s not a shocker since that’s just where all the liquidity and demand is on Stellar. We don’t have thousands of coins that people would actually lending and borrow with. The architecture is built exactly so the long tail can arrive with new collateral types, rwa tranches, whatever. Uniswap didn’t shop with 5000 pairs on day one either. Fixed rate via "config magic," fixed duration as "OTC on top"Fixed rate: The current reactive is deliberately made for capital efficiency. You could do it now just a bit of work. Fixed duration: I’m not being contradictory, institution-friendly doesn’t mean stuffing rigid logic. Institutions can get fixed-rate/term products through dedicated maturity pools, OTC desks, and wrappers built on top. For example someone can build a protocol like loopscale right now on Blend and the pro for them is Blend would handle the liquidation, backstop, accounting, etc. Hook systemValid concerns. I do agree it does widen the attack surface and I can agree sloppy implementation adds more risk than value. But that could be said about Uniswap too, they have just as much risk. That said, rejecting hooks outright because ‘new surface = bad’ also inverts priorities. The alternative is a bloated core with a bunch of features that probably the average pool wouldn’t touch. It’s like Uniswap v3 vs v4 is my argument here. If it’s built in a controlled way to add extensibility then it’s good. Oracle configuration and borrow capsCalling these “direct admission that the current design was unsafe” is a bit dramatic. These are the kind of post-incident hardenings you would expect after a poorly configured pool got oracle-rugged. Real gaps in pool operator hygiene was exposed and we are just learning our lesson. Welcoming these controls isn’t me being inconsistency, they should have shipped earlier. But labeling them proof the entire status quo was broken while ignoring what did work is selective. Forced withdrawals / permissioned assetsForced transfers and clawbacks are the hardest part of RWAs because they import legal and centralization risk straight into the asset’s behavior. Hard-coding concrete positions into an immutable core is how you turn a permissionless lending primitive into a compliance hostage. You can also assume bad actors could use this to potential steal money. Stewardship, incentives, and capacityBlend was shipped by a 3-person team as well, who were also in college / just leaving. We shipped a protocol with a tiny crew, capacity isn’t just a headcount. We have already built on Blend and delivered real integrations. Even helping give advice to others building on it too. Opposing protocol-level taxes isn’t misalignment, it’s just keeping the base primitive clean and ungoverned. Value flowing to apps, curators, and wrappers is exactly how you attract capital and builders instead of creating another emission dependent token. People who are building the layers on top of Blend would want to maintain the base layer. Essentially what I wanna do, I want to build my credit application on top of blend and being the steward of the base protocol helps me there Orbit UI being a fork is irrelevant noise, also knowing Blend’s history the protocol ideally wouldn’t need a UI since people would make their own UIs for it. You are also looking at the wrong Github repo, that was for a MVP we had our own UI. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Blend V3 Proposal
Overview
Zenith Protocols proposes to take an active role in the development, maintenance, and long-term stewardship of Blend Protocol v3.
Our view is that Blend should remain the core lending primitive of Stellar and become the Uniswap of lending. The goal of v3 should not be to turn Blend into a Swiss Army knife of products.
Instead, Blend v3 should make the primitive stronger, safer, and easier to build on top of.
Zenith’s proposal focuses on four main themes:
Blend should be the Uniswap of lending on Stellar. The base protocol should stay minimal and reliable, while businesses, curators, vaults, credit products, and institutional integrations compose around it.
I am following the writing style of the Templar post for ease of comparison.
Updates
RWA Focus
Zenith supports making Blend more institution-friendly, but we believe most RWA-specific logic should live around Blend rather than inside the core protocol
Institutions need custom configurations like LTVs, liquidation thresholds, oracle setups, compliance checks, collateral rules, tenor preferences, and asset-specific risk logic. Blend v3 should make these configurations easier to support, but it should avoid becoming a Swiss Army knife protocol where every institutional use case requires a new pool type or protocol-level feature
Priorities
Fixed Rate / Fixed Duration
Fixed-rate lending may be possible through smarter pool configuration and external market structure. This is worth exploring if it can be done without weakening the core interest rate controller or adding unnecessary complexity. This could actually already be done with some config magic
Fixed-duration lending should not be added directly to the Blend core protocol. Fixed-duration loans are a different system with different assumptions around maturity, rollover, liquidity, and default handling. They make more sense as an OTC or higher-order product built on top of Blend rather than as a native pool feature
In narrow RWA or institutional credit cases, fixed-rate / fixed-duration structures can still exist. They should just be implemented through external contracts, curators, order book mechanics, or OTC-style systems that use Blend liquidity underneath
Developer Focus
Zenith is strongly in favor of making Blend more developer-friendly, but strongly against turning Blend into a bloated application layer
The biggest unlock for Blend v3 is a well-designed hook system
Zenith built Orbit from scratch on Stellar, and one of the clearest lessons from that process is that builders often need custom logic around lending markets. Today, that usually means writing extra contracts, increasing audit surface, fragmenting liquidity, or rebuilding functionality that should be easier to compose with
Hook System
Blend v3 should explore pre-action and post-action hooks for key protocol actions.
Potential hook categories:
The hard part is deciding what actions should support hooks. In Blend, submissions can do many things, so the design needs to avoid becoming too open-ended or dangerous
The hook system should be powerful enough for real builders, but narrow enough that the core protocol remains safe and understandable
If hooks become the centerpiece of Blend v3, they must be designed very carefully. A bad hook system could introduce more risk than value. A good hook system could become the main reason v3 is worth doing
Wanna see how hooks can be for developers? Check out all the cool hooks built on Uniswap by open-source developers here
Backstop Philosophy
Zenith does not support removing or weakening the Blend backstop.
Ditching the backstop is effectively ditching the BLND token. At that point, the protocol is no longer really Blend v3; it becomes something closer to a different lending system entirely.
The backstop is one of Blend’s defining mechanisms and should remain part of the protocol’s identity.
That said, the backstop take rate is effectively a protocol-level tax and can be discussed as a configurable parameter. Any changes to how value flows through the backstop should be handled carefully and separately from the broader v3 upgrade. An idea I personally like is making it configurable in a way that allows pool operators to take fees from it.
Priorities
Risk Management
Zenith supports practical risk improvements that make Blend safer without overcomplicating the protocol.
The most obvious addition is borrow caps.
Borrow caps allow pools to limit exposure to specific assets and reduce the risk of a single reserve creating systemic issues. This is especially important for new assets, long-tail collateral, RWA assets, and assets with weaker liquidity.
Borrow Caps
Borrow caps should be configurable by pool creators and adjustable through existing governance or timelock mechanics.
Benefits:
Oracle Configuration
Zenith agrees that oracle logic should mostly remain external where possible, but Blend v3 should improve how oracles are configured and applied.
Current oracle assumptions are too broad. A blanket staleness window does not work equally well for volatile assets, stable assets, pull oracles, and RWA assets.
Blend v3 should consider:
A 24-hour blanket oracle setting is too blunt. Stable assets and volatile assets should not necessarily share the same oracle rules.
Note, there is probably more stuff that can be added here to make the protocol safer but these were the ones that stuck out most to me.
Forced Withdrawals / Permissioned Assets
One area that needs more design work is how Blend should handle assets with forced transfer or clawback-like behavior.
For example, if a SEP-57-style token supports forced transfers, Blend needs to understand whether forced withdrawals are enough and whether the protocol can safely rely on the underlying forced transfer call.
This is especially relevant for RWA assets, permissioned assets, and regulated entities.
Open Questions
forced_withdrawenough for these assets?This should be explored carefully before Blend v3 supports more permissioned or RWA-heavy use cases.
Breaking Protocol Changes
Zenith believes Blend v3 should avoid unnecessary breaking changes.
Potential Protocol-Level Changes Worth Exploring
Changes Zenith Does Not Currently Support in the Core Protocol
Beta Was this translation helpful? Give feedback.
All reactions