BUCK (Bitcoin Dollar SavingsCoin)

5.0
BUCK / Ethereum / March 3, 2026

Score Breakdown

| Category | Weight | Score |
|---|---|---|
| Audits & Historical | 20% | 4.00 |
| Centralization & Control | 30% | 4.83 |
| Funds Management | 30% | 3.75 |
| Liquidity Risk | 15% | 4.50 |
| Operational Risk | 5% | 3.50 |
| Final Score | | 5.0 / 5.0 |
High Risk

Overview

BUCK is a yield-bearing "savings coin" launched on January 5, 2026 by Buck Labs. It is designed to generate ~10% APY for holders through contractual dividends from STRC (Strategy Inc.'s Variable-Rate Series A Perpetual Preferred Stock, NASDAQ: STRC). Users deposit USDC to mint BUCK tokens, and the proceeds are used by the protocol to purchase STRC shares on the open market. STRC pays monthly cash dividends (initially 9% per year on $100 par value), which are distributed to BUCK holders as yield via the Rewards Engine contract.

BUCK is not a stablecoin — its price appreciates over time as yield accrues (e.g., $1.00 → $1.10 over 365 days at 10% APY). The protocol maintains overcollateralization through a reserve of USDC and STRC equity holdings.

Important: Strategy Inc. and Michael Saylor are NOT affiliated with BUCK and do not sponsor or endorse the token. Buck Assets Ltd. purchases STRC on the open market as an independent third party.

  • Current Price: ~$1.00
  • Total Supply: ~976,245 BUCK
  • Total Holders: 199
  • Total Reserves: ~$1.65M ($124K USDC + $1.52M STRC)
  • Reserve Ratio: 1.69x
  • Current APY: ~10% (raised from 7% in February 2026)
  • Not listed on DeFiLlama

Risk Summary

Key Strengths

  1. Multiple audit coverage — 4 audits from 3 firms (Halborn, Cyfrin, 2× Spearbit), all publicly available. 155 total findings (2 Critical, 11 High). All critical/high findings reported as resolved.
  2. Overcollateralized — 1.69x reserve ratio with USDC + STRC backing
  3. Thoughtful band system — GREEN/YELLOW/RED bands with escalating fees and tightening refund caps provide structured reserve protection
  4. Real yield source — Yield derived from STRC contractual preferred dividends, not token emissions
  5. Monthly third-party attestation by The Network Firm under AICPA standards provides some reserve transparency

Key Risks

  1. Single EOA controls everything — One address owns all 8 contracts with no multisig, no timelock, and unlimited admin powers including instant upgrades, pausing, and module reconfiguration
  2. Extremely thin liquidity — Only ~$108K permissionless DEX liquidity, highly variable daily volume, no CEX listings
  3. Very early stage — 8 weeks in production, 199 holders, ~$1.6M reserves, not on DeFiLlama
  4. Offchain collateral — STRC holdings are offchain, verified only by monthly Network Firm attestations and single attestor EOA postings
  5. Founder's track record — Previous company (Bird) overstated revenue by $31.6M and filed for Chapter 11 bankruptcy

Critical Risks

  • Single EOA with no timelock can upgrade all proxy contracts instantly — if this private key is compromised, the entire protocol can be drained. This is the most severe governance risk possible. The documentation claims "48-hour timelock" for upgrades, but onchain verification shows no timelock exists.
  • Liquidity Window redemption is not a contractual right — per Terms & Conditions, tokens "cannot be redeemed at the instruction of Token holders." The company operates the refund facility "in its sole discretion."
  • Complete dependency on STRC/Strategy Inc. — if Strategy suspends dividends (e.g., severe BTC crash), the yield mechanism breaks entirely. Concentration in a single counterparty with no diversification.
  • No bug bounty program — for a protocol holding ~$1.6M in reserves with upgradeable contracts, the absence of a bug bounty is a significant security gap.
  • Discrepancy between documentation and onchain reality — docs claim "48-hour timelock and multi-sig for upgrades" but onchain verification shows single EOA owner with no timelock.

Full Report

Contract Addresses

| Contract | Address |
|---|---|
| BUCK Token (UUPS Proxy) | 0xdb13997f4D83EF343845d0bAEb27d1173dF8c224 |
| Liquidity Window (UUPS Proxy) | 0x6E87adb23ac0e150Ca9F76C33Df2AdCae508548E |
| Liquidity Reserve (UUPS Proxy) | 0x1A426E3a87368a4851f7443Ff656A054Af872f66 |
| Policy Manager (UUPS Proxy) | 0x79f86b9E0ac84C7580575089E453431D77905E36 |
| Oracle Adapter | 0xa6c5f4D041192C2019E77f679eA02e9684235Fd9 |
| Rewards Engine (UUPS Proxy) | 0x159c1C0F796a02111334cC280eE001b091a9580C |
| Collateral Attestation (UUPS Proxy) | 0x1aEEEf99704258947A9ea77eF021d5e0551c0428 |
| Access Registry | 0xbCc6de2423B496cb36C3278dC487EfD9c5C550B6 |
| Admin/Owner (EOA) | 0x376269214bB78b3D4f31d17600499b439c1aCB4b |
| Deployer (EOA) | 0xfec7b585a6f14a8ab306fdf9006532d32fac24a4 |
| Treasury (EOA) | 0x5d105791469064cA0764cfaCfc577c286351CFAD |
| Attestor (EOA) | 0x6f31810c8e6bfaf3ba486b4b7ce651b023423fa3 |

Audits and Due Diligence Disclosures

BUCK has been audited by three firms (4 audits total). All reports are publicly available — Spearbit audits via Cantina, and Cyfrin + Halborn reports in the buck-v1 GitHub repo.

Halborn — Strong DAO Smart Contracts (Nov 17 – Dec 8, 2025)

  • Findings: 12 total — 1 Critical, 0 High, 0 Medium, 3 Low, 8 Informational
  • All findings addressed (100% per report)
  • Key Critical Finding: Phantom unit accounting causes over-minting and reward misallocation
  • Link: PDF in buck-v1 repo

Cyfrin — Strong Audit Report (Dec 19, 2025)

  • Repo: buck-labs/strong-smart-contracts-internal
  • Lead Auditors: Giovanni Di Siena, Blckhv, Slavcheww, BengalCatBalu
  • Findings: 1 Critical, 6 High, 9 Medium, 22 Low, 7 Informational, 5 Gas
  • Key Critical Finding: STRC rewards inflation results in risk of undercollateralization as more can be claimed than is distributed
  • Link: PDF in buck-v1 repo

Spearbit Audit 1 — Initial Smart Contracts (Dec 18 – Jan 5, 2026)

  • Repo: buck-labs/strong-smart-contracts-internal
  • Researchers: R0bert, Sujith Somraaj, Chinmay Farkya
  • Findings: 3 High, 6 Medium, 8 Low, 16 Informational, 6 Gas
  • All critical/high findings resolved
  • Key High Finding: ABI Struct Mismatch in Band Config — LiquidityWindow used a mismatched struct definition for BandConfig compared to PolicyManager, causing incorrect field decoding that could let refunds drain reserves below intended floor.
  • Link: Cantina Portfolio | PDF in buck-v1 repo

Spearbit Audit 2 — Follow-up (Jan 26 – Feb 2, 2026)

  • Repo: buck-labs/buck-smart-contracts-v1
  • Researchers: T1MOH, Sujith S, r0bert
  • Findings: 2 High, 14 Medium, 13 Low, 25 Informational
  • All high findings resolved; 5 medium findings acknowledged (not fixed)
  • Key High Findings:
    1. Oracle Validation Bypass in Mint Pricing — system allowed minting to bypass cross-oracle validation through a view-only path. Fixed via OracleAdapterV5.
    2. RewardsEngine V1.1 Implementation Incomplete — upgrade proxy lacked core V1 functions. Fixed with corrected contract inheritance.
  • Link: Cantina Portfolio

Audit Findings Summary

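| Firm | Date | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|---|
| Halborn | Nov–Dec 2025 | 1 | 0 | 0 | 3 | 8 | 12 |
| Cyfrin | Dec 2025 | 1 | 6 | 9 | 22 | 12 | 50 |
| Spearbit #1 | Dec 2025–Jan 2026 | 0 | 3 | 6 | 8 | 22 | 39 |
| Spearbit #2 | Jan–Feb 2026 | 0 | 2 | 14 | 13 | 25 | 54 |
| Total | | 2 | 11 | 29 | 46 | 67 | 155 |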

Smart Contract Complexity: Moderate — UUPS upgradeable proxies, band state machine (Policy Manager), oracle integration (Pyth), access registry (Merkle tree), reward distribution system. 8 core contracts total.

Bug Bounty

No bug bounty program found on any major platform (Immunefi, Sherlock, Cantina contests, HackerOne, Bugcrowd).

Safe Harbor

BUCK is not listed on the SEAL Safe Harbor registry.

Historical Track Record

  • Launch Date: January 5, 2026 (~8 weeks in production)
  • Smart Contract Exploits: None to date
  • TVL: ~$1.65M total reserves ($124K USDC + $1.52M STRC). Not listed on DeFiLlama.
  • Holder Distribution: 199 holders. Very small holder base for a protocol managing ~$1.6M in reserves.
  • Peg Behavior: BUCK is not pegged — it is designed to appreciate as yield accrues. Price started at $1.00, currently ~$1.00 (early in yield cycle, first distribution was February 2026).
  • Incidents: None reported in the 8 weeks since launch.
  • Rewards Engine Upgrades: The Rewards Engine has been upgraded 3 times (blocks 24169542, 24386223, 24427333), indicating active iteration on a critical component.

Funds Management

Yield Source

BUCK yield comes from STRC dividends — Strategy Inc.'s Variable-Rate Series A Perpetual Preferred Stock (NASDAQ: STRC):

  • STRC pays monthly cash dividends at initially 9.0% per year on $100 par value
  • Strategy Inc. holds 700,000+ BTC (~$60B+) on its balance sheet
  • STRC has preferred creditor status — dividends must be paid before common dividends
  • Yield is distributed to BUCK holders on the 4th business day of each month via the Rewards Engine contract

Current APY: ~10% (raised from 7% in February 2026)

Accessibility

  • Minting: Users deposit USDC through the Liquidity Window contract. Requires access via the Access Registry (Merkle-based allowlist). Not open to US persons or 38+ restricted jurisdictions.
  • Redemption ("Refund"): Users call requestRefund() on the Liquidity Window to burn BUCK and receive USDC. Also restricted by the Access Registry.
  • Fees (band-dependent):
    | Band | Reserve/Liability Ratio | Half-Spread | Mint Fee | Refund Fee | Daily Refund Cap |
    |---|---|---|---|---|---|
    | GREEN | R/L >= 5% | 0.10% | 0.05% | 0.10% | 5.0% of supply |
    | YELLOW | R/L < 5% | 0.15% | 0.10% | 0.15% | 2.5% of supply |
    | RED | R/L < 2.5% | 0.20% | 0.15% | 0.20% | 1.0% of supply |
  • Daily Refund Cap (GREEN): 48,812 BUCK/day (5% of 976K supply). Per-transaction limit: 50% of remaining daily capacity.
  • Emergency: Triggered when R/L <= 1%.
  • Current R/L Ratio: ~36.4% (solidly in GREEN band)

Critical legal caveat from Terms & Conditions: "Tokens cannot be redeemed at the instruction of Token holders. Token value can be realized only by selling Tokens on secondary markets or, where the Company elects in its sole discretion to operate any repurchase or liquidity facility." This means the Liquidity Window operates at the company's discretion, not as a contractual right.

Collateralization

  • Total Reserves: ~$1.65M ($124K USDC + $1.52M STRC)
  • BUCK in Circulation: 647K tokens (total supply 976K minus 329K in Treasury)
  • Reserve Ratio: 1.69x (overcollateralized)
  • Collateral Composition: STRC preferred equity (92%) + USDC (8%)
  • Single-asset concentration: Entire yield strategy depends on STRC dividends and Strategy Inc. solvency
  • STRC is a publicly traded equity — subject to market price volatility, trading hours (NASDAQ only ~32.5h/week vs crypto 24/7), and regulatory risk
  • Assets are held in Fireblocks institutional MPC custody (SOC 2 Type II certified) — per documentation; not verifiable onchain (Fireblocks MPC wallets appear as regular EOAs)

Provability

  • Onchain USDC reserves: The Liquidity Reserve contract holds USDC verifiable onchain (~$124K USDC at 0x1A426E3a87368a4851f7443Ff656A054Af872f66)
  • STRC holdings: Offchain. STRC is held in traditional brokerage/custodial accounts. Not verifiable onchain.
  • Collateral Attestation contract: 0x1aEEEf99704258947A9ea77eF021d5e0551c0428 — stores STRC valuation and collateral ratios, but values are posted by a single EOA attestor (0x6f31810c8e6bfaf3ba486b4b7ce651b023423fa3)
  • Third-party attestation: The Network Firm provides monthly independent attestation of treasury reserves under AICPA standards
  • Exchange rate: Not computed onchain algorithmically. BUCK is a standard ERC-20 (not ERC-4626). Yield is distributed as additional BUCK tokens via the Rewards Engine, not through an exchange rate mechanism.
  • Oracle: Uses the Pyth oracle for STRC pricing (STRC/USD feed). The onchain Oracle Adapter currently operates in non-strict mode (strictMode = false). Pyth is configured (contract 0x4305fb66699c3b2702d4d05cf36551390a4c69c6) with the STRC/USD price feed, and the Pyth offchain feed is actively publishing prices. However, Pyth is a pull oracle: prices must be pushed onchain by calling updatePriceFeeds(). The onchain Pyth price on Ethereum has not been updated since January 15, 2026 (the only update transaction ever, 46+ days stale), so the staleness check (pythStaleAfter = 86400s) fails and the system falls back to an admin-set internal price of $1.00 (set on deployment via 0xccbbd3f3..., never updated). The priceUpdater role is set to 0x0 (not configured), meaning no keeper bot is pushing Pyth updates and only the owner EOA can update the internal price. Note: an earlier version (OracleAdapterV4) used RedStone + Pyth dual oracles, but RedStone was removed post-audit in OracleAdapterV5.
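
The fallback path described in the Oracle item above, modelled as an added Python example (not the Oracle Adapter's code). Field names mirror the parameters the report quotes; the strict-mode behaviour, the Pyth price of 100.0 and the midnight UTC timestamps are assumptions or constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

ZERO_ADDRESS = "0x" + "0" * 40


@dataclass
class OracleState:
    pyth_price: float        # last STRC/USD price pushed onchain (constructed below)
    pyth_publish_time: int   # unix time of that push
    pyth_stale_after: int    # pythStaleAfter, in seconds
    internal_price: float    # admin-set fallback price
    strict_mode: bool        # strictMode
    price_updater: str       # holder of the priceUpdater role


def resolve_price(state, now):
    """Return (price, source) following the fallback order the report describes."""
    age = now - state.pyth_publish_time
    if 0 <= age <= state.pyth_stale_after:
        return state.pyth_price, "pyth"
    if state.strict_mode:
        # Assumption: strict mode refuses to price instead of falling back.
        raise RuntimeError(f"Pyth price is {age}s old and strict mode is on")
    return state.internal_price, "internal"


def audit(state, now):
    """List the conditions a reviewer or monitor should flag."""
    findings = []
    age = now - state.pyth_publish_time
    if age > state.pyth_stale_after:
        findings.append(f"onchain Pyth price stale: {age // 86400} days old, "
                        f"limit {state.pyth_stale_after}s")
        if not state.strict_mode:
            findings.append(f"fallback active: pricing at admin-set {state.internal_price:.2f}")
    if state.price_updater.lower() == ZERO_ADDRESS:
        findings.append("priceUpdater unset: no keeper, only the owner can move the internal price")
    return findings


def ts(year, month, day):
    """Unix timestamp for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# State as reported on March 3, 2026; pyth_price and the timestamps are constructed.
REPORTED = OracleState(pyth_price=100.0, pyth_publish_time=ts(2026, 1, 15),
                       pyth_stale_after=86_400, internal_price=1.00,
                       strict_mode=False, price_updater=ZERO_ADDRESS)

if __name__ == "__main__":
    now = ts(2026, 3, 3)
    print(resolve_price(REPORTED, now))
    for finding in audit(REPORTED, now):
        print("-", finding)
```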

Liquidity Risk

All Paths from BUCK to USDC

Path 1: Liquidity Window Redemption (Protocol-Level)

  • Contract: 0x6E87adb23ac0e150Ca9F76C33Df2AdCae508548E
  • Available USDC: ~$123,597 in Liquidity Reserve
  • Access: RESTRICTED (Access Registry allowlist required)
  • Speed: Subject to daily caps (~49K BUCK/day in GREEN band) + Liquidity Reserve uses queueWithdrawal pattern (24h admin delay)
  • Cost: ~0.20% total (0.10% half-spread + 0.10% refund fee in GREEN band)
  • Limitation: Access-gated, daily caps, per-transaction 50% cap, not a contractual right per terms

Path 2: Uniswap V2 Direct Swap (BUCK → USDC)

  • Pool: 0xaab3e2a7908f557c2c28cadf7556353c9a08f82e
  • Reserves: 61,327 BUCK / 61,283 USDC ($122.6K TVL)
  • Access: Permissionless
  • Speed: Instant (single transaction)
  • Volume: ~$534/day (extremely low; variable day-to-day, ranging from $8 to $6K)
  • Created: January 5, 2026 by Buck deployer. Swaps occur primarily via DEX aggregator routers.
| Trade Size | Estimated Slippage | USDC Received |
|---|---|---|
| $1,000 | 1.6% | $983 |
| $5,000 | 7.5% | $4,625 |
| $10,000 | 14.0% | $8,600 |
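
An added example, not part of the original report: constant-product (x*y=k) math on the Path 2 reserves listed above. With no fee it gives the slippage column to one decimal; it then applies Uniswap V2's 0.30% input fee and solves for the largest sale that stays within a chosen shortfall. Function names are illustrative.

```python
# Pool reserves as reported for the Uniswap V2 BUCK/USDC pool.
RESERVE_BUCK = 61_327.0
RESERVE_USDC = 61_283.0
V2_FEE = 0.003  # Uniswap V2 charges 0.30% on the input amount


def amount_out(buck_in, fee=V2_FEE, r_in=RESERVE_BUCK, r_out=RESERVE_USDC):
    """USDC received for selling buck_in BUCK into an x*y=k pool."""
    effective_in = buck_in * (1.0 - fee)
    return r_out * effective_in / (r_in + effective_in)


def shortfall(buck_in, fee=V2_FEE, r_in=RESERVE_BUCK, r_out=RESERVE_USDC):
    """Fraction lost versus selling the same amount at the pool's spot price."""
    spot_value = buck_in * r_out / r_in
    return 1.0 - amount_out(buck_in, fee, r_in, r_out) / spot_value


def max_sale_for_shortfall(limit, fee=V2_FEE, r_in=RESERVE_BUCK):
    """Largest BUCK sale whose shortfall stays at or below `limit` (closed form)."""
    if limit <= fee:
        return 0.0  # the fee alone already uses up the whole budget
    keep = 1.0 - fee
    # shortfall = 1 - keep * r_in / (r_in + keep * x), solved for x
    return (keep * r_in / (1.0 - limit) - r_in) / keep


def exit_table(sizes=(1_000, 5_000, 10_000)):
    """Rows of (size, price impact without fee, USDC out with fee, total shortfall)."""
    return [(s, shortfall(s, fee=0.0), amount_out(s), shortfall(s)) for s in sizes]


if __name__ == "__main__":
    for size, impact, usdc, total in exit_table():
        print(f"{size:>6} BUCK  impact {impact:6.2%}  out {usdc:9.2f} USDC  total {total:6.2%}")
    print(f"largest sale within 2% shortfall: {max_sale_for_shortfall(0.02):.0f} BUCK")
```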

Path 3: Curve StableSwap (BUCK → USDC)

  • Pool: 0x42cb0274c6492e3991bde2ce75abf8cdf7f11d66
  • Reserves: 53,855 BUCK / 46,573 USDC ($100.4K TVL)
  • Access: Permissionless
  • Speed: Instant (single transaction)
  • Volume: $5,215/day (variable; ranged from $0 to $6K)
  • Created: January 27, 2026 by Buck Treasury EOA
| Trade Size | Estimated Slippage |
|---|---|
| $1,000 | <0.5% |
| $5,000 | ~1-3% |
| $10,000 | ~3-8% |

Path 4: Multi-hop (BUCK → ETH → USDC)

  • Uniswap V4 BUCK/ETH pools have $10-$12 TVL each. Not viable.

Liquidity Summary

| Source | Available USDC | Access | Speed |
|---|---|---|---|
| Uniswap V2 Pool | ~$61,283 | Permissionless | Instant |
| Curve StableSwap Pool | ~$46,573 | Permissionless | Instant |
| Liquidity Reserve (via Window) | ~$123,597 | Restricted (allowlist) | Daily-capped |
| Total (permissionless) | ~$107,856 | | |
| Total (including restricted) | ~$231,453 | | |

Key concerns:

  • Total permissionless DEX liquidity is only ~$108K
  • Both DEX pools were deployed by Buck's own team (deployer + treasury) — protocol-managed liquidity, not organic
  • 24h volume across all pools is highly variable ($500 to $6K) — extremely thin
  • No CEX listings
  • The Liquidity Window is the primary exit but is access-gated and operates at company discretion per terms

Centralization & Control Risks

Governance

CRITICAL: All contracts are owned by a single EOA (0x376269214bB78b3D4f31d17600499b439c1aCB4b) with NO multisig and NO timelock on governance actions.

| Contract | Access Model | Admin/Owner |
|---|---|---|
| BUCK Token | Ownable2Step | EOA 0x3762... |
| Liquidity Window | Ownable2Step | EOA 0x3762... |
| Oracle Adapter | Ownable2Step | EOA 0x3762... |
| Access Registry | Ownable2Step | EOA 0x3762... |
| Policy Manager | AccessControl | EOA 0x3762... (DEFAULT_ADMIN) |
| Rewards Engine | AccessControl | EOA 0x3762... (DEFAULT_ADMIN) |
| Collateral Attestation | AccessControl | EOA 0x3762... (DEFAULT_ADMIN) |
| Liquidity Reserve | AccessControl | EOA 0x3762... (DEFAULT_ADMIN) |

Admin Powers (all executable instantly by single EOA):

| Function | Risk | Description |
|---|---|---|
| upgradeToAndCall() | CRITICAL | Replace entire implementation of any proxy contract. No timelock. |
| pause() / unpause() | HIGH | Halt ALL transfers, mints, and burns instantly. |
| configureModules() | HIGH | Rewire all module addresses (minter, burner, fee routing, treasury, oracle). Can point to malicious contracts. |
| revoke() on Access Registry | HIGH | Freeze any address (cannot send or receive BUCK). |
| setFeeSplit() / addDexPair() | MEDIUM | Change fee parameters. |

Denylist/Freeze mechanism: The Access Registry's revoke() function denylists addresses, preventing ALL transfers to/from that address. This is checked on every token transfer via _update().

Positive notes:

  • All Ownable contracts use Ownable2Step (2-step ownership transfer)
  • renounceOwnership() is overridden to revert on BUCK Token and Liquidity Window
  • enableProductionMode() is a one-way switch already enabled (prevents zeroing critical addresses)

The only delay in the system: Liquidity Reserve has adminDelaySeconds = 86,400s (24h) for queued admin withdrawals. This is operational, not governance.

No DAO governance exists in practice — despite marketing as having a "Buck Foundation" for governance, the Terms & Conditions explicitly state: "The Company retains sole discretionary authority" and tokens "do not provide Token holders with any governance, voting, or management rights."

Programmability

  • BUCK is a standard ERC-20 (not ERC-4626). Yield is distributed as additional tokens via the Rewards Engine on the 4th business day of each month.
  • Minting/refunding operates through the Liquidity Window with onchain band logic (Policy Manager)
  • Collateral values are posted by a single attestor EOA (0x6f31810c8e6bfaf3ba486b4b7ce651b023423fa3) — not computed onchain
  • Oracle Adapter in non-strict mode, falling back to admin-set $1.00 internal price (onchain Pyth data stale — no keeper pushing updates)
  • Reward distribution decisions are offchain (Foundation approval), execution is onchain
  • STRC purchase and custody are entirely offchain

External Dependencies

  1. Strategy Inc. / STRC (CRITICAL) — Entire yield model depends on STRC dividends. Strategy's 700K+ BTC provides backing, but BTC price crash could impact STRC value and dividends.
  2. Pyth Oracle (HIGH) — Configured for STRC/USD pricing via 0x4305fb66699c3b2702d4d05cf36551390a4c69c6. Pyth offchain feed is active, but onchain price on Ethereum not updated since Jan 15, 2026 (no keeper configured, priceUpdater = 0x0). System falls back to admin-set $1.00. When active, depends on NASDAQ feed availability (32.5h/week).
  3. Fireblocks Custody (MEDIUM) — Offchain STRC assets claimed to be held in Fireblocks MPC custody (per documentation, not independently verifiable).
  4. The Network Firm (LOW) — Monthly attestation provider for reserve verification.
  5. NASDAQ Market Hours (MEDIUM) — STRC trades only during NASDAQ hours. Pricing gaps over weekends/holidays create risk for BUCK operations.

Operational Risk

  • Founder: Travis VanderZanden — fully doxxed (LinkedIn). Previously founder/CEO of Bird (electric scooter company). Bird overstated revenue by ~$31.6M (2020–2022 restatement per SEC filing), was delisted from NYSE, and filed for Chapter 11 bankruptcy in December 2023.
  • VP Engineering: Brett Potter — previously Senior Blockchain Engineer at Binance.US, Head Developer at friesDAO.
  • Head of Treasury: Dan Hillery — founding member of MSTR True North community.
  • GitHub: Single pseudonymous contributor (CornBrother0x, 6 commits). "Full git history will be merged in after Buck Labs can properly sanitize the development repo." No updates since January 7, 2026. 2 stars, 0 forks.
  • Documentation: Adequate. GitBook-based docs, transparency dashboard, MiCA whitepaper. Some gaps (minting/redeeming details hard to find).
  • Legal Structure (source: MiCA Whitepaper, Part A):
    • Buck Assets Ltd. (BVI, Company No. 2183723, registered 2025-08-07) — Token issuer. Explicitly "NOT licensed, registered or otherwise regulated" in BVI. Directors: Clint Johnson and Gareth Thomas.
    • Buck Foundation (Cayman Islands, exempted limited guarantee foundation) — DAO/governance wrapper. Parent company of Buck Assets Ltd.
    • Buck Labs Inc. (USA, Miami FL) — Technology company / service provider.
  • Restricted jurisdictions: 38+ including US, Russia, China, Iran, Cuba, North Korea, Canada
  • Structure: Regulation S exemption from U.S. securities registration
  • Incident Response: No documented plan. Emergency pause capability exists. Circuit breaker activates on >25% STRC move in 24h or stale oracle >2h.

Monitoring

Key Contracts to Monitor

| Contract | Address | Key Events/Functions |
|---|---|---|
| BUCK Token | 0xdb13997f4D83EF343845d0bAEb27d1173dF8c224 | Transfer, Paused, Unpaused, OwnershipTransferred, Upgraded, totalSupply() |
| Liquidity Window | 0x6E87adb23ac0e150Ca9F76C33Df2AdCae508548E | Mint/Refund events, Upgraded, band state changes |
| Liquidity Reserve | 0x1A426E3a87368a4851f7443Ff656A054Af872f66 | USDC balance changes, queueWithdrawal, executeWithdrawal, USDC balanceOf() |
| Policy Manager | 0x79f86b9E0ac84C7580575089E453431D77905E36 | Band state transitions (GREEN→YELLOW→RED), parameter changes |
| Collateral Attestation | 0x1aEEEf99704258947A9ea77eF021d5e0551c0428 | Attestation updates, collateral ratio changes |
| Access Registry | 0xbCc6de2423B496cb36C3278dC487EfD9c5C550B6 | revoke() / revokeBatch() events (address freezing), setRoot() events |
| Rewards Engine | 0x159c1C0F796a02111334cC280eE001b091a9580C | Distribution events, Upgraded events |
| Admin EOA | 0x376269214bB78b3D4f31d17600499b439c1aCB4b | ALL outgoing transactions (single point of control) |

Critical Monitoring Points

  • Admin EOA Activity: Monitor ALL transactions from 0x3762... — any upgrade, pause, or module reconfiguration should trigger immediate alert
  • USDC Reserve Level: Track Liquidity Reserve USDC balance. Alert if reserve ratio drops below 5% (YELLOW band trigger) or 2.5% (RED band trigger)
  • Token Supply Changes: Monitor totalSupply() for unexpected minting
  • Proxy Upgrades: Monitor Upgraded events on all proxy contracts — no timelock means upgrades are instant
  • Address Freezing: Monitor revoke() calls on Access Registry
  • STRC Price: Monitor STRC market price (NASDAQ). Circuit breaker should activate on >25% 24h move.
  • Recommended Frequency: Hourly for reserve levels and admin activity. Daily for attestation updates and governance.
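
One way to turn these monitoring points into a first-pass alert classifier, as an added example rather than tooling from the report or from Buck Labs. The log and transaction records are constructed, and severities not given in the admin-powers table are assumptions.

```python
# Addresses as listed in the monitoring table.
ADMIN_EOA = "0x376269214bB78b3D4f31d17600499b439c1aCB4b".lower()
WATCHED = {addr.lower(): name for name, addr in {
    "BUCK Token": "0xdb13997f4D83EF343845d0bAEb27d1173dF8c224",
    "Liquidity Window": "0x6E87adb23ac0e150Ca9F76C33Df2AdCae508548E",
    "Liquidity Reserve": "0x1A426E3a87368a4851f7443Ff656A054Af872f66",
    "Policy Manager": "0x79f86b9E0ac84C7580575089E453431D77905E36",
    "Collateral Attestation": "0x1aEEEf99704258947A9ea77eF021d5e0551c0428",
    "Access Registry": "0xbCc6de2423B496cb36C3278dC487EfD9c5C550B6",
    "Rewards Engine": "0x159c1C0F796a02111334cC280eE001b091a9580C",
}.items()}

# topic0 = keccak-256 of the event signature (standard ERC-20/ERC-1967/OpenZeppelin events).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# Upgraded and pause severities follow the admin-powers table; ownership is an assumption.
TOPICS = {
    UPGRADED: ("Upgraded", "CRITICAL"),
    "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0": ("OwnershipTransferred", "HIGH"),
    "0x62e78cea01bee320cd4e420270b5ea74000d11b0c9f74754ebdbfc544b05a258": ("Paused", "HIGH"),
    "0x5db9ee0a495bf2e6ff9c91a7834c1ba4fdd244a5e8aa4e537bd38aeae4b073aa": ("Unpaused", "HIGH"),
}


def band(rl_pct):
    """Map a reserve/liability ratio (percent) to the band thresholds in the report."""
    if rl_pct <= 1.0:
        return "EMERGENCY"
    if rl_pct < 2.5:
        return "RED"
    return "YELLOW" if rl_pct < 5.0 else "GREEN"


def scan(logs, txs, rl_prev, rl_now):
    """Return (severity, message) alerts for one polling interval."""
    alerts = []
    for log in logs:
        name = WATCHED.get(log["address"].lower())
        hit = TOPICS.get(log["topics"][0].lower()) if log["topics"] else None
        if name and hit:
            alerts.append((hit[1], f"{hit[0]} on {name}"))
    for tx in txs:
        if tx["from"].lower() == ADMIN_EOA:
            to = tx.get("to") or ""
            target = WATCHED.get(to.lower(), to or "contract creation")
            alerts.append(("HIGH", f"admin EOA transaction to {target}"))  # severity assumed
    if band(rl_now) != band(rl_prev):
        alerts.append(("HIGH", f"band change {band(rl_prev)} -> {band(rl_now)}"))  # severity assumed
    return alerts


# Constructed sample records, shaped like eth_getLogs / transaction results.
SAMPLE_LOGS = [
    {"address": "0x159c1C0F796a02111334cC280eE001b091a9580C", "topics": [UPGRADED]},
    {"address": "0xdb13997f4D83EF343845d0bAEb27d1173dF8c224", "topics": [TRANSFER]},
    {"address": "0x" + "11" * 20, "topics": [UPGRADED]},  # unrelated contract, ignored
]
SAMPLE_TXS = [
    {"from": "0x376269214bB78b3D4f31d17600499b439c1aCB4b",
     "to": "0x79f86b9E0ac84C7580575089E453431D77905E36"},
    {"from": "0x" + "22" * 20, "to": "0xdb13997f4D83EF343845d0bAEb27d1173dF8c224"},
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOGS, SAMPLE_TXS, rl_prev=36.4, rl_now=4.2):
        print(f"[{severity}] {message}")
```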

Reassessment Triggers

  • Time-based: Reassess in 3 months (May 2026) or when governance is upgraded to multisig + timelock
  • TVL-based: Reassess if total reserves exceed $10M
  • Governance-based: Reassess if admin transfers from EOA to multisig with timelock
  • Liquidity-based: Reassess if permissionless DEX liquidity exceeds $1M
  • Incident-based: Reassess after any exploit, pause event, admin key rotation, or proxy upgrade
  • Bug bounty: Reassess if a bug bounty program is launched