docs: Metronome Synths risk assessment (2.6 — Medium Risk)

[spalen0]

Summary

Comprehensive risk assessment for Metronome Synths (msUSD / msETH / msBTC), a multi-collateral multi-synthetic CDP protocol built by Bloq Inc.

• Final Score: 2.6/5.0 — Medium Risk with enhanced monitoring recommended
• Deployed on Ethereum, Base, Optimism via LayerZero OFT
• TVL: ~$21.04M across 3 chains (as of 2026-03-28)

Key Findings

• Strengths: Deep DEX liquidity ($93.4M), ~$170M in yield wrappers (Main Street, Stake DAO, Morpho, Convex, Vesper, Beefy, Yearn, Pendle), 3+ years production with no direct exploits, experienced team (Jeff Garzik / Bloq), fully on-chain over-collateralized model
• Critical risk — single-entity rug: LlamaRisk concluded Bloq can unilaterally rug users. All contract upgrades are controlled by a 3/5 multisig with anonymous signers that bypasses the on-chain Governor/Timelock. All 5 signers are identical across Ethereum, Base, and Optimism (5/5 overlap, verified on-chain). No on-chain evidence that promised external signers were added. Multisig can upgrade any contract to mint tokens, drain collateral, or brick the protocol — with no timelock on any chain.
• Governance abandoned: No Snapshot proposals since February 2025 (over 1 year of zero governance activity). Only 5-12 votes per proposal when active.
• Additional risks: Chainlink sole oracle with no fallback (unresolved Quantstamp finding), >92% of Ethereum collateral in Vesper yield-bearing tokens (multi-layer strategy risk), collateral factors raised without simulation testing, no insurance fund, $50K max bug bounty, no new audits since February 2023

Score Breakdown

Category	Score	Weight
Audits & Historical	2.5	20%
Centralization & Control	3.3	30%
Funds Management	2.25	30%
Liquidity Risk	2.0	15%
Operational Risk	2.0	5%
Final	2.6/5.0

Research Includes

• On-chain contract verification (Ethereum, Base, Optimism)
• Treasury collateral analysis (identified collateral held in Treasury contract, not Pool)
• Token supply verification across 3 chains via cast
• Multisig analysis (3/5 Safe, anonymous signers, 5/5 overlap between Ethereum and L2)
• DEX liquidity analysis (Curve, Aerodrome, Uniswap, Velodrome, Balancer)
• Audit review (Halborn, Quantstamp, internal Bloq audits)
• Cross-referenced with LlamaRisk assessment
• CoinGecko market data and DeFiLlama TVL verification

Changes in re-evaluation (2026-03-28)

• Refreshed all on-chain data: TVL $24.55M→$21.04M, DEX liquidity $75.9M→$93.4M, yield wrappers $87.4M→$170M
• Corrected signer overlap: 4/5→5/5 (all signers identical across all chains)
• Noted governance inactivity: no proposals since Feb 2025 (1+ year)
• Noted no new audits since Feb 2023 (3+ years)
• Added Contract Architecture appendix (ASCII diagram) per updated template
• Governance score 4.0→4.5, Centralization 3.2→3.3, Final 2.5→2.6 (still Medium Risk)

Test plan

• Verify contract addresses resolve correctly on Etherscan/Basescan/Optimistic Etherscan
• Validate scoring methodology and final risk tier
• Cross-reference with LlamaRisk independent assessment
• Verify on-chain token supplies and collateral balances
• Verify multisig signer overlap across chains (5/5 confirmed)
• Verify governance activity on Snapshot (last proposal Feb 2025)

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
risk-score	Ready	Preview, Comment	Mar 28, 2026 8:08pm

[spalen0]

PR #42 Verification Report — Metronome Synths Risk Assessment

Verification Date: February 17, 2026 (PR report date: ~February 13, 2026)
Verified by: Automated on-chain + API verification

---

1. Contract Address Verification ✅

All contract addresses confirmed to have deployed code on Ethereum mainnet (block 24478185):

Contract	Address	Status
Pool	0x3364f53cB866762Aef66DeEF2a6b1a17C1F17f46	✅ PASS
PoolRegistry	0x11eaD85C679eAF528c9C1FE094bF538Db880048A	✅ PASS
msUSD	0xab5eB14c09D416F0aC63661E57EDB7AEcDb9BEfA	✅ PASS
msETH	0x64351fC9810aDAd17A690E4e1717Df5e7e085160	✅ PASS
msBTC	0x8b4F8aD3801B4015Dea6DA1D36f063Cbf4e231c7	✅ PASS
Governor	0xc8697de7c190244bfd63d276823aa20035cb5a12	✅ PASS
Timelock	0x4c510878B907d6DDf69E6057ad2f865f60fB7775	✅ PASS

---

2. Liquidity Figures vs DeFiLlama ✅

Protocol TVL (DeFiLlama API):

Chain	PR Report	DeFiLlama Live	Drift
Ethereum	$14.86M	$15.12M	+1.7% ✅
Optimism	$2.01M	$2.03M	+0.8% ✅
Base	$1.12M	$0.71M	-36.6% ⚠️
Total	$17.98M	$17.86M	-0.7% ✅

⚠️ Base TVL drifted 36%, but the absolute difference is small ($400K) and total TVL is within range.

Token Prices (CoinGecko):

Token	PR Price	Live Price	Drift
msUSD	$0.9957	$0.9938	-0.2% ✅
msETH	$1,936.78	$1,948.08	+0.6% ✅

DEX Pool TVL (DeFiLlama Yields):

DEX	PR Report	Live	Drift
Aerodrome	$39.54M	$38.02M	-3.9% ✅
Curve	$30.90M	$27.15M	-12.1% ✅
Velodrome	$2.96M	$2.96M	+0.1% ✅
Primary DEX Total	$75.88M	~$70.7M	-6.8% ✅

---

3. Governance Structure ✅

Ethereum Governor (on-chain verified):

Parameter	PR Report	On-chain	Status
Governor Name	MetronomeGovernor	MetronomeGovernor	✅ PASS
proposalThreshold	25,000 MET	25,000 MET	✅ PASS
votingDelay	5,760 blocks	5,760 blocks	✅ PASS
votingPeriod	40,320 blocks	40,320 blocks	✅ PASS
Voting Token (esMET)	0xA28D...6bb8	0xA28D...6bb8	✅ PASS
Timelock	0x4c51...7775	0x4c51...7775	✅ PASS

Timelock Delay:

Parameter	PR Report	On-chain	Status
Delay	48 hours	172,800 seconds (48h)	✅ PASS

Quorum: quorumNumerator() reverts (uses custom/checkpointed implementation), but on-chain computation confirms 4% of esMET supply — quorum(block) / totalSupply(block) = 4.000000% consistently across different blocks.

L2 Governance (Base & Optimism Safe: 0xE01Df4ac1E1e57266900E62C37F12C986495A618):

Check	Base	Optimism
Threshold = 3	✅ PASS	✅ PASS
Owner count = 5	✅ PASS	✅ PASS
Same Safe address on both L2s	✅ PASS	✅ PASS
Signer #2 differs from Ethereum	✅ PASS	✅ PASS
All 5 signers match PR report	✅ PASS	✅ PASS

---

4. Risk Scoring Methodology ✅

Math verified:

(2.5 × 0.20) + (2.8 × 0.30) + (1.75 × 0.30) + (2.0 × 0.15) + (2.0 × 0.05)
= 0.50 + 0.84 + 0.525 + 0.30 + 0.10
= 2.265 ≈ 2.3/5.0 → Low Risk

Score justifications are consistent with evidence presented and scoring rubrics. Category scores are reasonable given the findings.

---

5. ProxyAdmin Safe Signers & Threshold ✅

Ethereum ProxyAdmin Safe (0xd1DE3F9CD4AE2F23DA941a67cA4C739f8dD9Af33):

Check	Expected	Actual	Status
Safe Version	1.3.0	1.3.0	✅ PASS
Threshold	3	3	✅ PASS
Owner count	5	5	✅ PASS
Signer 1: 0xa130...C339	Present	Present	✅ PASS
Signer 2: 0xB5Ab...Ef51	Present	Present	✅ PASS
Signer 3: 0xb398...9e23	Present	Present	✅ PASS
Signer 4: 0x25FC...804F	Present	Present	✅ PASS
Signer 5: 0xf3e9...C082	Present	Present	✅ PASS

ProxyAdmin Ownership:

ProxyAdmin	Expected Owner	Actual Owner	Status
Synths (0x2fa8...2dcc)	0xd1DE...Af33	0xd1DE...Af33	✅ PASS
Pool (0xd4de...a1be)	0xd1DE...Af33	0xd1DE...Af33	✅ PASS

---

Summary

Test Plan Item	Status
✅ Review all contract addresses against on-chain data	ALL PASS
✅ Verify liquidity figures against DeFiLlama	CONFIRMED (within acceptable drift)
✅ Confirm governance structure	ALL PASS (Governor, Timelock, L2 Safes verified)
✅ Review risk scoring methodology and final score	CORRECT (2.265 → 2.3 Low Risk)
✅ Verify ProxyAdmin Safe signers and threshold	ALL PASS (3/5 on all chains)

All 5 test plan items are verified. The report is accurate and ready for merge.

[spalen0]

Re-evaluation Update (2026-03-28)

Report has been re-evaluated with fresh on-chain data and updated to follow the new template.

Data Changes

Metric	Previous (Mar 20)	Current (Mar 28)	Change
Protocol TVL	$24.55M	$21.04M	-14%
msUSD Total Supply	~24.2M	~18.7M	-23%
msETH Total Supply	~15,598 ETH	~17,284 ETH	+11%
DEX Liquidity	$75.9M	$93.4M	+23%
Yield Wrappers TVL	$87.4M	$170M	+95%
Treasury USDC	364K	205K	-44%
msUSD Price	$0.997	$0.996	—
msETH Price	$2,123	$2,010	-5%

Key Findings in Re-evaluation

• Signer overlap corrected: Previously reported as 4/5 — verified on-chain that all 5/5 signers are identical across Ethereum, Base, and Optimism Safes
• Governance completely inactive: No Snapshot proposals since MIP-30 (February 2025) — over 1 year of zero activity
• No new audits: Most recent audit is from February 2023 (3+ years without a security review)

Score Changes

Category	Previous	Updated	Reason
Governance (sub)	4.0	4.5	5/5 signer overlap + 1yr governance inactivity
Centralization	3.2	3.3	Governance sub-score increase
Final Score	2.5	2.6	Still Medium Risk

Template Changes

• Added Appendix: Contract Architecture with ASCII diagram per updated template
• Added Safe Harbor check (not listed)
• Restructured sections to match new template ordering

[spalen0]

Review findings after verifying the report against live on-chain state and public APIs on 2026-03-28.

1. High: Ethereum parameter governance is mischaracterized. The report says Ethereum has a Governor + 48h Timelock for parameter changes and only upgrades bypass that path, but the live contracts point elsewhere. Pool.governor() on 0x3364f53cB866762Aef66DeEF2a6b1a17C1F17f46 returns 0xd1DE3F9CD4AE2F23DA941a67cA4C739f8dD9Af33, and PoolRegistry.governor() on 0x11eaD85C679eAF528c9C1FE094bF538Db880048A returns the same address. That is the same 3/5 Safe that owns both ProxyAdmins. So this is not just an "upgrades bypass Governor/Timelock" setup; live parameter control is also directly on the Safe. This affects the discussion around lines 115, 316-348, 533-537, and 556-561, and likely means the centralization framing should be made stricter, not softer.

2. Medium: The Snapshot inactivity date is off. The report repeatedly says the last proposal was in February 2025, but Snapshot currently shows MIP-30: New Revenue Splits for esMET Holders and Project Maintainers with start = 1741626000, which is 2025-03-10 17:00:00 UTC. Vote counts like 8, 5, 12, 7... do support the low-participation point, but the month should be March 2025, not February 2025. This affects line 342 and the repeated references around lines 520, 559, 561, 665, plus the PR body.

3. Low: The collateral-location wording is internally inconsistent. The report correctly says the Treasury holds collateral, and on-chain Pool.treasury() returns 0x3691EF68Ba22a854c36bC92f6b5F30473eF5fb0A. Also, USDC balanceOf(Pool) is 0 while USDC balanceOf(Treasury) is 205418246712 (205,418.246712 USDC). Given that, lines 245 and 534 should say collateral is verifiable on-chain in Treasury contracts, not Pool contracts.

Items I spot-checked that do look correct:

• Both Ethereum ProxyAdmins are owned by 0xd1DE..., and that Safe is 3/5.
• The Safe signer overlap is 5/5 across Ethereum, Base, and Optimism.
• msUSD and msETH total supplies by chain match the report within rounding.
• Current DeFiLlama protocol TVL and current CoinGecko price / market-cap / volume figures are in line with the quoted values.
• The audits directory in autonomoussoftware/metronome-synth-public does contain the audit files cited, with the newest visible file dated February 2023.

[spalen0]

Thanks @spalen0 — all three findings are valid and have been fixed in aaf3b29.

1. High: Pool.governor() returns the Safe, not the Timelock ✅

Verified on-chain:

Pool.governor()         → 0xd1DE3F9CD4AE2F23DA941a67cA4C739f8dD9Af33 (3/5 Safe)
PoolRegistry.governor() → 0xd1DE3F9CD4AE2F23DA941a67cA4C739f8dD9Af33 (3/5 Safe)

This is worse than the original framing. The Governor/Timelock is entirely unused — not just bypassed for upgrades, but also bypassed for parameter governance (collateral factors, deposit caps, fees). Updated all affected sections:

• Governance section: now states Pool and PoolRegistry governor both return the Safe
• Privileged Roles: consolidated into single Safe controlling everything
• Governance Score justification: "entirely unused" not "cosmetic for upgrades"
• Key Risks: "Single multisig controls everything" replaces separate upgrade/L2 bullets
• Critical Risks: updated to note Safe is both ProxyAdmin owner and Pool governor
• Architecture diagram trust boundaries: updated

2. Medium: Snapshot date off by one month ✅

MIP-30 start = 1741626000 → 2025-03-10 17:00 UTC → March 2025, not February. Fixed all 6 occurrences.

3. Low: Collateral in Treasury, not Pool ✅

Pool.treasury() → 0x3691..., USDC.balanceOf(Pool) = 0, USDC.balanceOf(Treasury) = 205,418 USDC. Fixed "Pool contracts" → "Treasury contracts" in Provability and Critical Risk Gates sections.