3Jane — USD3

Audits and Due Diligence Disclosures

3Jane-Specific Audits

Auditor	Date	Type	Scope	Critical	High	Medium	Low/Info	Status
Veridise (4 analysts, 20 person-days)	Aug 7–18, 2025	Audit	MorphoCredit, USD3/sUSD3, ProtocolConfig, CreditLine, Helper, MarkdownController, InsuranceFund, IRM	1	2	2	5	6 Fixed, 4 Acknowledged
Sherlock (Kirkeelee, mstpr-brainbot)	Aug 4–20, 2025	Collaborative Audit	MorphoCredit, USD3/sUSD3, CreditLine, Helper, IRM (2 repos: 3jane-morpho-blue + usd3)	0	7	5	3	All fixed/acknowledged
Electisec (Panda, Fede — 10 days, 13 contracts ~2000 LoC)	Oct 18, 2025	Audit	Full moneymarket + Jane token, RewardsDistributor, PYTLocker	0	1	2	10	All fixed/acknowledged
Sherlock 2 (Obsidian lead, ~40 wardens)	Oct 7–17, 2025	Private Contest	Full moneymarket + USD3/sUSD3 + Jane/PYTLocker/RewardsDistributor	0	1	7	0	All fixed/acknowledged

Notable findings across all audits:

• V-3JNE-VUL-001 (Veridise Critical): Funds draining via malicious market creation — attacker could create fake markets with malicious MarkdownManager and CreditLine contracts to drain the MorphoCredit waUSDC wallet. Fixed via access control on market creation.
• Sherlock H-1: Settlement flow double deduction and incorrect balance clearing — MorphoCredit settlement flow contained critical accounting vulnerabilities that could lead to protocol insolvency. Fixed.
• Sherlock H-2 through H-7: Various high-severity issues across credit line settlement, repayment flows, and balance tracking. All fixed.
• Electisec H-1: Pendle YT token interests lost during lock period in PYTLocker — locker never claims accrued yield, so YT tokens are worth $0 at expiry. Feature subsequently removed from codebase.
• Sherlock 2 H-1: Loss of all YT yield accrued due to PYTLocker staleness (same root cause as Electisec H-1). Fixed.
• Veridise H-1/H-2: Griefing via small donations resetting lock timer; lock period bypass via uncontrolled startCooldown(). Both fixed.
• Electisec M-1/M-2: Cooldown restart allows users to bypass cooldown mechanism; JANE burn mechanism is unfair and gameable. Acknowledged/Fixed.

Veridise auditor recommendations: Split the ProtocolConfig.owner role into separate keys with different delays for emergency vs. configuration actions. Enforce access control on market creation (least privilege approach).

Total across all 4 audits: 1 Critical, 11 High, 16 Medium — all fixed or acknowledged. The high volume of findings (particularly in the first Sherlock audit with 7 highs) indicates the codebase had significant issues that were caught and resolved before mainnet deployment.

Inherited Morpho Blue Audits

The core lending logic is a modified fork of Morpho Blue, which has been extensively audited:

Auditor	Date	Scope
OpenZeppelin	Sep–Oct 2023	Morpho Blue & Speed Jump IRM
Cantina	Nov 2023 – Mar 2024	Morpho Blue managed review, IRM, Competition, Periphery, Fixed rate IRM

Note: The inherited audits cover the base Morpho Blue logic. 3Jane's modifications (credit-based lending, tranche system, markdown controller) are the novel risk surface covered by the 4 3Jane-specific audits above.

The source code includes a /certora directory indicating formal verification efforts for rate math.

Bug Bounty

• Not listed on Immunefi, Sherlock, or Cantina
• Not listed on SEAL Safe Harbor
• No active bug bounty program found

Historical Track Record

• Production time: USD3 deployed August 25, 2025 (~9 months as of May 2026)
• TVL: ~$3.15M idle reserves (DeFiLlama), with ~$6.91M borrowed and ~$9.93M total USD3.totalAssets() (sources: DeFiLlama, totalAssets() call at block ~24,887,082, May 5 2026)
• Token supply: ~$8.59M USD3 supply (totalSupply()), ~$5.81M sUSD3 supply; PPS = 1.155560 USDC/USD3 and 1.081790 USD3/sUSD3 (May 5, 2026)
• Utilization: ~$6.91M borrowed / ~$9.93M deposited → ~70% (was ~44% in March 2026 assessment)
• TVL change since March: USD3 deposits dropped ~51% ($20.3M → $9.93M); idle reserves dropped ~66% ($9.2M → $3.15M); borrowed roughly flat ($7.2M → $6.91M)
• Security incidents:
  • April 18–28, 2026 — emergency shutdown / restart event. Per merged PR #112 the team had already executed strategy.shutdownStrategy() and strategy.emergencyWithdraw(...) "in prod" before April 27, 2026. DeFiLlama TVL series confirms idle reserves collapsed from ~$4.78M on Apr 19 to ~$269K on Apr 20 and stayed at $120K–$273K for ~7 days, recovering to ~$2.92M by May 2 and ~$3.15M today. Restoration required deploying a new USD3.restartStrategy() reinitializer (PR #112 merged Apr 28, 2026); current onchain state is isShutdown() = false. Root cause and post-mortem: TODO — not publicly disclosed by 3Jane. Verified May 5 2026: no post-mortem on the docs site (FAQ checked), no incident document in the 3jane-protocol/audits or 3jane-protocol/moneymarket-contracts repos, and no incident announcement surfaced via web search. The only public artefact is PR #112 describing the restartStrategy() fix.
• Peg history: USD3 is USDC-denominated and redeemable from idle reserves; no public depeg event reported. Note that during the April shutdown window, redemptions were effectively unavailable from the Yearn V3 strategy path.
• Phase 1 (bootstrapping): During initial phase, USD3 operates in a "fully risk-off" configuration where funds are only deposited into Aave's USDC market. The unsecured lending component ramps up over time.

Funding: $5.2M seed round (June 2025) led by Paradigm, with participation from Coinbase Ventures, Robot Ventures, Wintermute Ventures, Breed VC, and Bodhi Ventures. Andre Cronje listed among backers.

Funds Management

USD3 funds are deployed into two channels:

1. Aave V3 USDC market — baseline yield on idle capital
2. Unsecured credit lines — funds lent to approved borrowers at interest (base rate + risk premium + potential penalty rate)

Accessibility

• Minting: Deposit USDC → receive USD3 (1:1). Anyone can mint.
• Staking: Stake USD3 → receive sUSD3 (junior tranche). Lock period applies (1 month in Phase 1).
• Redemption: USD3 redeemable for USDC from idle reserves (Aave). A redemption queue with time-based throttling exists for liquidity management.
• Minting/redeeming is not fully atomic — subject to available idle reserves and throttling mechanisms.

Collateralization

USD3 is fundamentally different from traditional overcollateralized stablecoins:

• Not overcollateralized — USD3 is backed by USDC deposits that are then lent out via unsecured credit lines
• Credit-based model: Borrowing limits are based on offchain reputation and financial records, not onchain collateral
• Default risk: If borrowers default, losses are absorbed first by sUSD3 (junior tranche), then by the Insurance Fund, and finally by USD3 holders (senior tranche)
• Insurance Fund: 0x4507B5B23340D248457d955a211C8B0634D29935 holds ~868,288 waEthUSDC (≈ $868K, May 5 2026) — waEthUSDC is the static-wrapped Aave V3 USDC token at 0xd4fa2d31b7968e448877f69a96de69f5de8cd23e. The fund is yield-bearing and grows through Aave interest. The earlier "$1M USDC" figure was approximate; actual onchain balance is ≈$868K, never funded above ~$868K since deployment.
• Markdown mechanism: MarkdownController (0xF0eaE71092F3c9411A9EAb8F81E7d91D29726214) gradually reduces the value of defaulted loans from their initial value to zero over time, preventing sharp market shocks
• No liquidation mechanism — there is no onchain collateral to liquidate. Default recovery relies on offchain legal enforcement via U.S.-based collection agencies

Default Recovery Process

Per-loan recovery sequence applied to a defaulted credit line:

1. Immediate credit score reduction (slashing 3Jane score)
2. Overdue interest reallocation
3. Markdown: protocol marks down delinquent/defaulted positions to reflect recovery rate
4. NPL Auction: non-performing loans sold to registered U.S. collection agencies via Dutch-style auctions
5. Offchain legal recovery via credit bureau reporting and regulatory enforcement

Any residual loss after the per-loan recovery above is then absorbed in the tranche loss waterfall (same order as in Collateralization above):

1. sUSD3 (junior tranche) — first-loss capital
2. Insurance Fund — ~868,288 waEthUSDC (≈$868K, May 5 2026); see Collateralization for address details
3. USD3 (senior tranche) — last-resort loss absorption

Provability

• USD3/sUSD3 share prices are computed onchain via ERC-4626 standard
• Outstanding loans and interest accruals are tracked onchain in MorphoCredit
• Credit assessment is offchain — the 3CA (3Jane Credit Algorithm) is a proprietary black box. Credit line sizes, default risk rates, and repayment schedules are computed offchain
• zkTLS + Reclaim Protocol provides zero-knowledge proofs of offchain data (bank statements, credit scores), verified by EigenLayer AVS nodes
• Offchain data sources: Plaid (bank data), Credit Karma (credit scores)
• Total reserves cannot be fully verified onchain because outstanding loan values depend on offchain repayment status

Liquidity Risk

• Primary exit: Redeem USD3 for USDC from idle reserves in the Aave V3 pool
• Throttling: Redemption queue with time-based throttling exists for large withdrawals
• Utilization risk: If a high percentage of deposited USDC is lent out to borrowers, idle reserves shrink and redemptions may be delayed
• Current utilization: ~$6.91M borrowed out of ~$9.93M totalAssets (~70% utilization, May 5 2026) — up sharply from ~44% in March 2026
• Stress event (April 2026): During the strategy shutdown, Yearn V3 isShutdown()=true blocked the standard deposit/redeem paths. DeFiLlama-visible idle reserves collapsed from ~$4.78M to ~$269K and stayed depressed for ~7 days before recovering. This is the protocol's first observed liquidity stress event, and it required a contract upgrade (new restartStrategy() reinitializer) — i.e. a 24h-timelocked governance action — to fully reopen the strategy.
• DEX liquidity is effectively zero. Verified onchain May 5 2026: only one pair exists, a Uniswap V3 USD3/USDC 0.01% pool at 0x8E12388Ea7366Aa87445d747F83B810aD538a981 holding 0.000001 USD3 / 0.001002 USDC (dust). No Uniswap V2 USD3/USDC or USD3/WETH pair, no Curve pool (Curve MetaRegistry find_pool_for_coins returns 0x0). All meaningful exit liquidity is therefore via the protocol's own redemption path against idle reserves.
• sUSD3 exit: Subject to lock period (1 month in Phase 1) plus cooldown mechanism. During the April incident, sUSD3 supply was largely unchanged while USD3 supply contracted, which is consistent with senior holders redeeming and junior holders being locked.

Centralization & Control Risks

Governance

Ownership structure:

All core contracts (MorphoCredit, ProtocolConfig, CreditLine, USD3) are owned by a TimelockController with a 24-hour delay:

• TimelockController: 0x1dCcD4628d48a50C1A7adEA3848bcC869f08f8C2 — 24h minimum delay
• Proposer/Executor/Canceller: 3-of-5 Gnosis Safe 0x33333333bd7045f1a601a1e289d7ab21036fb5ef
• Safe signers (5 EOAs):
  • 0x208662548D73755b4C96a9f7809a035910E55631
  • 0x5A519B341962307a98BB196EcFc21b8fa89395D1
  • 0x751A84FCE3dd5161ecC741Da47929337a7e6f64f
  • 0xa84Bd17f9efBA6A4dbB631285C689D9E58d56D33
  • 0x1226858E04b9d077258F153275613734421cD06B
• Signer identities are not publicly labeled on Etherscan

Contracts are upgradeable — MorphoCredit, USD3, sUSD3, ProtocolConfig, and AdaptiveCurveIRM use TransparentUpgradeableProxy patterns. Each proxy has a dedicated ProxyAdmin (e.g. USD3 → 0x41c838664a9c64905537ff410333b9f5964cc596, sUSD3 → 0xecda55c32966b00592ed3922e386063e1bc752c2) whose owner() is the TimelockController. The 3-of-5 multisig can upgrade contract logic after the 24h timelock delay. CreditLine and Helper are standalone (non-proxy) contracts.

EmergencyController v2 — deployed Feb 25, 2026 at 0x84b31b84917485e221305edf590b8e3660d2e051 (verified onchain as the active ProtocolConfig.emergencyAdmin and CreditLine.ozd). Migrated from Ownable to AccessControlEnumerable per PR #109, introducing role separation:

• OWNER_ROLE (count 1): the 3-of-5 multisig 0x33333333Bd7045F1A601A1E289D7AB21036fB5EF
• EMERGENCY_AUTHORIZED_ROLE (count 2): the multisig + an EOA 0x48c59b01af01515e69460b6b5b55e557e914941d — per PR #111 description, this is the Hypernative monitoring/automation address. (Identity inferred from PR text "Hypernative + multisig"; not labeled on Etherscan.)
• Capabilities: pause protocol, set debt cap to 0, stop USD3 deployments to MorphoCredit, stop new deposits, revoke individual borrower credit lines. Emergency actions bypass the 24h timelock (binary stop controls only).

OperationalController (PR #111, merged Apr 29, 2026 — NOT yet wired in onchain): designed to introduce an additional OPERATOR_ROLE for routine credit operations (setCreditLines, closeCycleAndPostObligations, addObligationsToLatestCycle, settle) so frequent ops can run via a smaller operational multisig while emergency actions remain on Hypernative + main multisig. As of May 5, 2026 the deployment scripts (01_DeployOperationalController.s.sol, 02_Schedule…, 03_Execute…) are merged but ProtocolConfig.emergencyAdmin and CreditLine.ozd still resolve to the v2 EmergencyController above — i.e. the role split is partially implemented.

Privileged roles (from Veridise audit trust model):

• ProtocolConfig.owner (= TimelockController, behind 3/5 Safe + 24h delay): pauses protocol, sets bounds on grace/delinquency periods, loan sizes, tranche ratios, interest rate configurations, and rotates emergencyAdmin.
• CreditLine.owner (= TimelockController) and CreditLine.ozd (= EmergencyController v2): the latter currently aggregates emergency + operational duties (approving credit lines, posting minimum repayments, settling debt from insurance fund). The pending OperationalController is the planned split.

Auditor (Veridise) recommendation status: The original recommendation to split ProtocolConfig.owner/CreditLine.ozd into separate keys with different delays for emergency vs configuration actions has been partially addressed by the EmergencyController v2 role separation and Hypernative integration; full operational/emergency split via OperationalController is deployed in code but not yet executed onchain.

Programmability

• Onchain: Interest accruals, share price computation (ERC-4626), loan state tracking, markdown decay — all programmatic
• Offchain (critical): Credit assessment (3CA algorithm), borrower approval, minimum repayment posting, credit line sizing — all require admin intervention
• PPS (price per share): Computed onchain algorithmically via ERC-4626 standard, but the total asset value depends on outstanding loan values which can be marked down by admin
• Hybrid system: Automated onchain mechanics + significant manual offchain operations

External Dependencies

Dependency	Criticality	Notes
Aave V3	Critical	Base yield on idle USDC (held as waEthUSDC static-wrapped Aave aToken). Well-audited, blue-chip dependency
Morpho Blue (forked)	Critical	Core lending logic. Modifications (credit, tranches, markdown) are the novel risk surface
Yearn V3 TokenizedStrategy	Critical	USD3 is a Yearn V3 tokenized strategy proxy; shutdown/emergencyWithdraw/reinitializer(...) semantics on StrategyData storage slots are load-bearing — see April 2026 incident which required a restartStrategy() reinitializer to clear the shutdown flag (PR #112)
Reclaim Protocol / zkTLS	High	Offchain data verification for credit scores and bank data. Novel technology with limited battle-testing
EigenLayer AVS	High	ZK proof distribution and verification. Early-stage infrastructure
Hypernative	Medium-High	Automated monitoring + emergency response (one of two EMERGENCY_AUTHORIZED_ROLE holders on EmergencyController v2). New runtime trust dependency; failure mode is a missed-or-malicious automated pause
Plaid	Medium	Bank account data access. Centralized offchain dependency
Credit Karma	Medium	VantageScore/FICO data. Centralized offchain dependency

Operational Risk

• Founder: Jacob Chudnovsky — publicly identified, previously at Ribbon Finance / Aevo. Active on X/Twitter
• Team: Only founder is publicly known. Rest of team not disclosed
• Developed in stealth before the June 2025 funding announcement
• Legal entity: Not publicly disclosed
• Documentation: Good — comprehensive docs covering architecture, risks, and developer resources. Gap: the April 2026 emergency shutdown is not (yet) acknowledged in public docs or the audits repo as of May 5, 2026 — no post-mortem found.
• Incident response: First real-world test occurred April 18–28, 2026. Team executed shutdownStrategy() + emergencyWithdraw() and then had to ship new code (USD3.restartStrategy() reinitializer in PR #112) before the strategy could be reopened — i.e. the existing v2 reinitialize() could not reverse a Yearn V3 shutdown, which is consistent with the runbook in PR #112 stating that "Differs from the v2 multisig pattern". Net read: the team was able to halt and recover, but full recovery required a 24h-timelocked governance upgrade rather than a pre-rehearsed runbook, and idle reserves were depressed (~$120K–$273K) for ~7 days.
• Funding: $5.2M seed from tier-1 investors (Paradigm, Coinbase Ventures)

Monitoring

Key Contracts (Ethereum)

Contract	Address	Monitor
USD3 Token (Proxy)	0x056B269Eb1f75477a8666ae8C7fE01b64dD55eCc	Supply changes, large deposits/withdrawals, share price
sUSD3 Token (Proxy)	0xf689555121e529Ff0463e191F9Bd9d1E496164a7	Supply changes, lock period changes, cooldown events
MorphoCredit (Proxy)	0xDe6e08ac208088cc62812Ba30608D852c6B0EcBc	Borrow/repay events, utilization ratio, new market creation, delinquency/default state changes
ProtocolConfig (Proxy)	0x6b276A2A7dd8b629adBA8A06AD6573d01C84f34E	Config changes (pause, debt cap, supply cap, tranche ratios)
CreditLine	0x26389b03298BA5DA0664FfD6bF78cF3A7820c6A9	New credit line approvals, credit line revocations, repayment postings
Helper	0x82736F81A56935c8429ADdbDa4aEBec737444505	Borrower interactions
AdaptiveCurveIRM (Proxy)	0x1d434D2899f81F3C3fdf52C814A6E23318f9C7Df	Rate model parameter changes
TimelockController (24h)	0x1dCcD4628d48a50C1A7adEA3848bcC869f08f8C2	Scheduled/executed/cancelled operations, role changes (getMinDelay() = 86400)
Multisig (3/5 Safe)	0x33333333bd7045f1a601a1e289d7ab21036fb5ef	Signer/threshold changes, submitted transactions (threshold = 3, owners unchanged from prior assessment)
EmergencyController v2	0x84b31b84917485e221305edf590b8e3660d2e051	Pause/cap/revoke actions, EMERGENCY_AUTHORIZED_ROLE membership changes (Hypernative + multisig today)
Hypernative agent (EOA)	0x48c59b01af01515e69460b6b5b55e557e914941d	Automated emergency calls; nonce/activity spikes
InsuranceFund	0x4507B5B23340D248457d955a211C8B0634D29935	waEthUSDC balance (currently ≈$868K); bring() calls (drain to CreditLine)
MarkdownController	0xF0eaE71092F3c9411A9EAb8F81E7d91D29726214	Markdown parameter changes, defaulted-position write-downs

Critical Events to Monitor:

• Protocol pause/unpause events
• USD3.isShutdown() flips (the April 2026 incident was visible here days before the protocol publicly acknowledged it)
• Debt cap or supply cap changes
• New credit line approvals (borrowers being approved)
• Delinquency and default state transitions
• Markdown events on defaulted positions
• USD3/sUSD3 share price deviations
• Insurance Fund waEthUSDC balance changes (esp. outflows via bring())
• Contract upgrades via TimelockController (CallScheduled / CallExecuted events on 0x1dCcD4...)
• Multisig signer/threshold changes
• EMERGENCY_AUTHORIZED_ROLE / OPERATOR_ROLE grants/revokes on EmergencyController v2 (and on the future OperationalController once deployed)
• Large withdrawal requests and redemption queue depth
• Aave V3 USDC utilization (affects idle reserve availability)
• DeFiLlama TVL series for 3Jane — sharp idle-reserve drops are an early signal of a strategy shutdown or mass redemption

Appendix: Contract Architecture

 Governance Layer
 ┌─────────────────────────────────────────────────────────────────────┐
 │  3-of-5 Safe  ──owns──►  TimelockController (24h delay)             │
 │  0x33333333…              0x1dCcD4628d…                             │
 │                              │                                      │
 │                              ├──owner──► ProxyAdmin(USD3)  0x41c8…  │
 │                              ├──owner──► ProxyAdmin(sUSD3) 0xecda…  │
 │                              ├──owner──► MorphoCredit (proxy)       │
 │                              ├──owner──► ProtocolConfig (proxy)     │
 │                              └──owner──► CreditLine (non-proxy)     │
 │                                                                     │
 │  EmergencyController v2  0x84b31b8…  (AccessControlEnumerable)      │
 │   ├─ OWNER_ROLE: 3/5 Safe                                           │
 │   └─ EMERGENCY_AUTHORIZED_ROLE: 3/5 Safe + Hypernative EOA 0x48c5…  │
 │   ⇧ wired in as: ProtocolConfig.emergencyAdmin AND CreditLine.ozd   │
 │                                                                     │
 │  [PENDING] OperationalController (PR #111 merged Apr 29 2026,       │
 │            not yet executed onchain — would replace EC v2 above     │
 │            and add OPERATOR_ROLE for routine credit ops)            │
 └─────────────────────────────────────────────────────────────────────┘

 Token / Vault Layer (Yearn V3 TokenizedStrategy)
 ┌─────────────────────────────────────────────────────────────────────┐
 │  USD3 (proxy)   0x056B269E…   impl 0xaf1554f3… (USD3 contract)      │
 │     ▲ deposits USDC, mints USD3                                     │
 │     │ shutdownStrategy() / emergencyWithdraw() / restartStrategy()  │
 │     │   ← all admin-callable; April 2026 incident exercised these   │
 │  sUSD3 (proxy)  0xf6895551…   impl 0x4f6694dd… (junior tranche)     │
 │     ▲ stake USD3, mint sUSD3, 1-month lock                          │
 └─────────────────────────────────────────────────────────────────────┘

 Protocol Layer (forked Morpho Blue)
 ┌─────────────────────────────────────────────────────────────────────┐
 │  MorphoCredit (proxy)   0xDe6e08ac…   ←  market state, accruals     │
 │  ProtocolConfig (proxy) 0x6b276A2A…   ←  global params, emergency   │
 │  CreditLine             0x26389b03…   ←  borrower approval,         │
 │                                          repayment posting,         │
 │                                          settlement                 │
 │  Helper                 0x82736F81…   ←  borrower entry point       │
 │  AdaptiveCurveIRM(prox) 0x1d434D28…   ←  rate model                 │
 │  MarkdownController     0xF0eaE710…   ←  default markdown decay     │
 │  InsuranceFund          0x4507B5B2…   ←  ~868K waEthUSDC,           │
 │                                          .bring() ⇒ CreditLine      │
 └─────────────────────────────────────────────────────────────────────┘

 Underlying / Offchain Layer
 ┌─────────────────────────────────────────────────────────────────────┐
 │  Aave V3 USDC market  ←  base yield on idle (held as waEthUSDC      │
 │                          0xd4fa2d31…)                               │
 │  Reclaim Protocol / zkTLS  ←  proofs of bank/credit data            │
 │  EigenLayer AVS            ←  proof distribution / verification     │
 │  Plaid + Credit Karma      ←  centralized offchain data sources     │
 │  Hypernative (offchain)    ←  monitoring agent that drives the      │
 │                                EOA holding EMERGENCY_AUTHORIZED_ROLE│
 └─────────────────────────────────────────────────────────────────────┘

Trust boundaries

• The 3-of-5 Safe + 24h timelock is the only path to upgrade contract logic, change ProtocolConfig, or rotate emergencyAdmin/ozd.
• EmergencyController v2 bypasses the timelock for binary stop controls only (pause / set caps to zero / revoke a credit line). Both the multisig and the Hypernative agent EOA can invoke it.
• The CreditLine contract trusts an ozd for credit-line approval / repayment posting / debt settlement; today this resolves to EmergencyController v2, which is the same address as emergencyAdmin. The pending OperationalController (PR #111) is the planned split.
• The restartStrategy() reinitializer added in PR #112 demonstrated that recovery from a Yearn V3 shutdown sits behind the timelock-gated upgrade path — a coupling worth highlighting because it determines worst-case redemption-restart latency.

Reassessment Triggers

• Time-based: Reassess in 2 months (July 2026) — shorter cadence given Elevated Risk tier and pending OperationalController deployment
• TVL-based: Reassess if USD3.totalAssets() changes by more than ±30% from the May 2026 baseline of ~$9.93M, or if idle reserves drop below $500K for >24h
• Shutdown-based: Reassess on any USD3.isShutdown() = true event, with target turnaround <72h
• Governance-based: Reassess once OperationalController (PR #111) is deployed onchain — this is a pending governance change with material impact on role separation
• Incident-based: Reassess after any borrower default exceeding $500K, any exploit, any further emergency shutdown, or any change to the multisig signer set
• Default-based: Reassess if default rate exceeds 5% of outstanding loans, or if the Insurance Fund waEthUSDC balance drops by >$100K
• Audit-based: Reassess if additional audits are completed or a bug bounty is established (could improve score)
• Dependency-based: Reassess if Aave V3, EigenLayer AVS, or Hypernative experience significant security events
• Phase-based: Reassess when Phase 1 bootstrapping ends and full unsecured lending is active
• Post-mortem trigger: Reassess once 3Jane publishes a public post-mortem of the April 2026 shutdown event (currently absent — TODO)