
Re Protocol reUSD

3.6
reUSD (Re Protocol Deposit Token) / Ethereum (primary), multi-chain (Avalanche, Arbitrum, Base, Katana, BNB Chain, Ink) / April 17, 2026

Score Breakdown

| Category | Weight | Score |
| --- | --- | --- |
| Audits & Historical | 20% | 2.50 |
| Centralization & Control | 30% | 4.00 |
| Funds Management | 30% | 4.00 |
| Liquidity Risk | 15% | 3.50 |
| Operational Risk | 5% | 2.50 |
| Final Score | | 3.6 / 5.0 |

Elevated Risk

Overview

Re Protocol is a decentralized onchain reinsurance marketplace that tokenizes real-world reinsurance treaties, enabling DeFi participants to earn insurance-backed yields. The protocol is designed as a blockchain-native version of Lloyd's of London, connecting onchain capital with regulated reinsurance programs.

reUSD is the protocol's principal-protected, yield-accruing deposit token (branded "Basis-Plus"). It is designed as the "stable core" of the Re Protocol, analogous to a tokenized money-market fund with blockchain composability.

Yield Mechanism: reUSD accrues yield daily via a dual-source yield floor. At each daily valuation point (UTC 00:00), the protocol selects the higher of:

  1. Risk-Free Rate Path: 7-day trailing average risk-free rate + 250 bps (aligned with short-term Treasuries)
  2. Ethena Basis Trade Path: Current annualized Ethena USDe hedged basis yield + 250 bps (captures excess basis when the futures curve is steep)

The chosen "Applicable APY" is converted to a daily rate, and reUSD's token price (not quantity) increases daily. Current APY is approximately 6-9+%. See Funds Management → Token Mechanism for how the price is written onchain.

Capital Deployment:

  • Users deposit admitted assets (e.g., USDC) into the Insurance Capital Layer (ICL) smart contracts and receive reUSD
  • A portion of the pool is converted into cash/T-Bills held in a §114 Reinsurance Trust Account, providing regulatory collateral to a Cayman-domiciled partner reinsurer (licensed by CIMA under Class B(iii))
  • The offchain entity issues Surplus Notes to the ICL, contractually locking in principal protection and an interest rate matching the Applicable APY
  • Offchain balances are attested daily by The Network Firm (with read-only account access). The protocol's docs and marketing reference Chainlink Proof-of-Reserve — onchain investigation shows no Chainlink PoR feed is consumed by Re's deployed contracts. The reUSD share price is written directly via setSharePrice on the Share Price Calculator; Chainlink is used only for sUSDe pricing (Chainlink sUSDe/USD feed 0xFF3BC18cCBd5999CE63E788A1c250a88626aD099).

Key metrics (Apr 17, 2026):

  • reUSD Price: ~$1.072 (CoinGecko); verified onchain as 1.0724 via Share Price Calculator getSharePrice()
  • reUSD Market Cap: ~$186.7M (all chains, CoinGecko)
  • reUSD Total Supply: ~174.1M tokens (CoinGecko); ~172.6M on Ethereum (Etherscan)
  • 24h Trading Volume: ~$7.3M (CoinGecko)
  • TVL (DeFi Llama): ~$198.1M (DeFi Llama)
  • Total Deposits (Transparency Dashboard): ~$196.8M

Risk Summary

Key Strengths

  • Senior tranche position (structural): reUSD sits senior to reUSDe and Re Capital in the loss waterfall; losses must breach both subordinated layers before touching reUSD.
  • Third-party offchain reserve verification: Re's docs state that The Network Firm verifies offchain bank balances daily and also verifies protocol custody wallet ownership/balances; the only public document verified in this report is the Oct 2025 AUP.
  • Comprehensive smart-contract audit coverage: 4 public smart-contract audit reports across Hacken and Certora, including Certora formal verification and a Hacken audit of the Chainlink-Functions-based NAVConsumer that is deployed onchain as the standard price writer. The Network Firm AUP is due diligence/reserve verification, not a smart-contract audit.
  • Onchain NAV path with automation and deviation guard: Daily share price is written by a Chainlink-Functions + Chainlink-Automation consumer with a maxDeviationBps = 1000 (10%) onchain check. Caveat: a single EOA can bypass it — see Key Risks.
  • Timelock on upgrades: TimelockController.getMinDelay() = 172800 (48 hours) on all privileged governance actions routed through it. DEFAULT_ADMIN_ROLE on reUSD and ICL sits with a 3-of-5 Safe multisig.
  • Emergency mechanisms: Pause functionality on the InstantRedemption, LayerZero adapter, and NAV Consumer; designated recovery wallets; Chainalysis runtime monitoring.

Key Risks

  • Single EOA can bypass the NAV Oracle: the standard price path is the audited Chainlink-Functions NAVConsumer (10% deviation cap). However, the same EOA holds both PRICE_SETTER_ROLE on SharePriceCalculator and all admin / emergency / keeper roles on NAVConsumer. It can (a) write directly to SharePriceCalculator, skipping the Functions path, (b) call setDeviationCheckEnabled(false) to disable the guard, or (c) forceNAVUpdate once per 4 hours. Compromise of this key ≈ unchecked power over the reUSD share price.
  • Significant offchain capital deployment: Majority of assets are deployed offchain into §114 Trust and reinsurance programs. This introduces counterparty risk with the trust bank, partner reinsurer, and custodians that cannot be verified fully onchain.
  • Instant redemption vault holds no USDC: The Daily Instant Redemption Vault holds 0 USDC + 6.188M sUSDe. The Redemption Reserves Custodian (EOA) holds 0 USDC + 53.263M sUSDe. dayPayoutToken is sUSDe — USDC-denominated instant exits are unavailable under the current config.
  • Onchain reserves heavily concentrated in sUSDe: Onchain reserves total ~$99.93M (~54.0% of Ethereum NAV — the protocol-stated ≥50% target is met with ~4 pp of headroom). But ~88% of the reserve is sUSDe and only ~9.3% (~$9.34M) is USDC. Ethena (sUSDe issuer) is a material counterparty: an Ethena incident, sUSDe unstaking bottleneck, or USDe depeg would directly impair the "50%+ onchain backing" narrative even before reaching offchain exposures. The BUIDL / T-bill wrappers mentioned in Re's materials are not held onchain.
  • Three MINTER_ROLE holders on reUSD: Beyond the ICL, InstantRedemption and ShareTokenMinterBurner also hold MINTER_ROLE. The ICL path enforces backing via safeTransferFrom. InstantRedemption uses the role for burns during redemption. ShareTokenMinterBurner is a LayerZero OFT wrapper — its mint path has no backing check by design (supply is conserved cross-chain), but the OFT adapter 0x2BB4046022B9161f3F84Ad8E35cac1d5946e0e85 and the wrapper are both owned by the same EOA 0x6C15B25E9750Dccb698C1a4023f34015bFe57649 (not a multisig). Compromise of that key would let an attacker repoint the adapter and mint up to 2,500,000 reUSD / 24h / peer (onchain rate limit) on Ethereum without backing.
  • DEX liquidity thin: only ~$14.96M of onchain-verified Re reUSD liquidity on DEXes (~8.0% of ~$186.7M market cap). (Previously-cited "~$26.2M" figure included Resupply reUSD pools, a different token.)
  • KYC gating: All deposits and redemptions require KYC. This limits the universe of users who can exit and creates regulatory/jurisdictional risk.
  • Quarterly redemption queue: Once instant buffer is exhausted, redemptions are windowed and pro-rata. Capital release from reinsurance programs is reevaluated quarterly per Re's public materials.
  • Reinsurance tail risk: Underlying assets are exposed to insurance claim risk. reUSD is only impaired if the portfolio combined ratio exceeds 135%, after both Re Capital (~$73M) and all reUSDe reserves are depleted. reUSDe covers losses in the 115-135% combined ratio range. Re's historical combined ratio is ~92% and the portfolio avoids catastrophe lines, but tail risk from extreme loss events remains.
  • No bug bounty program found: No Immunefi or comparable bug bounty program identified.

Critical Risks

  • Custody / asset-movement surface — 92% of onchain reserves at plain EOAs: $92.33M of $99.93M of onchain reserves sits at three plain EOAs listed in the AUP-Report-2025: 0x295F67…689E ICL Custodial Wallet ($24.39M); 0x9eA38e…ADF8 Redemption Reserves Custodian ($65.38M); 0xd437…31e9 auxiliary ($2.56M). None has code; all look identical to single-key wallets from the chain's perspective. No onchain delay, destination whitelist, or role check applies to their outbound transfers — one ECDSA signature moves the funds. The claimed Fireblocks MPC custody (N-of-M offchain quorum, destination policies) is unverifiable by anyone outside Re; TNF's AUP procedure was "observe Re Management access the Fireblocks MPC wallet," which does not cryptographically attest the N-of-M quorum. The 48h Timelock does NOT gate these flows. See Funds Management → Collateralization for the full custody table.
  • Offchain dependency concentration: The protocol's value proposition depends on offchain entities (Cayman reinsurer, §114 Trust, The Network Firm, Fireblocks) operating honestly and solvent. Onchain verification cannot fully cover offchain risks.
  • Oracle/setter manipulation: the standard share-price path is the audited Chainlink-Functions NAVConsumer (10% deviation cap), but a compromised admin EOA can bypass it (write directly to SharePriceCalculator, disable the deviation check, or call forceNAVUpdate every 4h) and write arbitrary prices. There is no separate Chainlink PoR aggregator attesting reserves independently (see the Chainlink usage appendix) — reserve assurance reduces to The Network Firm's offchain AUP plus the onchain balances we audit directly.
  • Liquidity mismatch: reUSD represents liquid onchain tokens partially backed by offchain reinsurance capital. Capital release is reevaluated quarterly, and programs are short-duration and cat-light (per performance memo). The instant redemption vault holds no USDC (sUSDe only — 6.188M in vault, 53.263M in Redemption Reserves Custodian). In a bank-run scenario, sUSDe redemption liquidity plus only ~$14.96M in DEX liquidity would need to absorb exits for ~$186.7M in outstanding tokens; windowed queue handles the remainder.

Full Report

Contract Addresses

Ethereum Network

Contract Address
reUSD Token 0x5086bf358635B81D8C47C66d1C8b9E567Db70c72
reUSD Insurance Capital Layer (ICL) 0x4691C475bE804Fa85f91c2D6D0aDf03114de3093
reUSD ICL Custodial Wallet 0x295F67Fdb21255A3Db82964445628a706FBe689E
Deposit Token Registry 0x73d37A98C0fCBd049BfFFfe67Bf9af36d603c0F6
KYC Registry 0x82F1806AEab5Ecb9a485eb041d5Ed4940b123995
Decentralized Fund 0xF04422E68f55E7C25724128692C3063A775472f2
Share Price Calculator 0xd1D104a7515989ac82F1AFDa15a23650411b05B8
NAV Consumer (Chainlink Functions + Automation) 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6
Redemption Reserves Custodian 0x9eA38e09F41A9DE53972a68268BA0Dcc6d2fAdf8
Daily Instant Redemption Vault 0x5C454f5526e41fBE917b63475CD8CA7E4631B147
Instant Redemption (impl., fee + limits) 0xa31DeeBB3680A3007120e74bcBdf4dF36F042a40
Instant Redemption Interaction 0x8aEb9453EF22Cb38abC7a3Af9c208F65C1BfE31e
Share Token Minter/Burner (LZ wrapper) 0x0dFb42aa18CEeD719617cd554304F6cA412A6b18
ReMintBurnAdapter (LayerZero OFT) 0x2BB4046022B9161f3F84Ad8E35cac1d5946e0e85
Redemption Reserve Calculator 0x7E499842E7634cce793FFD5D44383BB4a2F086e0
PriceRouter 0xFe76cF5eD606593fB7764f33627B8D7E0f9Fab66
SharePriceOracle (reUSD PriceFeed) 0x0764BFa862164D28799F31e7e1e7206F5177B6bB
SimpleOracle (sUSDe PriceFeed wrapper) 0xb6aD3633cB3FAfed3D375d8c64240f122E19fB4D
Chainlink sUSDe/USD aggregator 0xFF3BC18cCBd5999CE63E788A1c250a88626aD099
AccessManager (OZ v5) 0x3f0DA1C363e34802C6f12F9C27276dC0e6696FD8
Governance Safe (3-of-5) 0x8EEc10616802Ef639ca55C98Ac856553FadeFbAd
Timelock Controller 0x69dDEa332723cF5407151aAF68B9b076557FCA93

Protocol Controls (Ethereum)

MPC team descriptions below come from Re's public protocol materials and cannot be independently verified onchain (MPC signer sets are offchain). What IS onchain-verifiable: (a) the Governance Safe is a 3-of-5 Safe multisig (not MPC) at 0x8EEc10616802Ef639ca55C98Ac856553FadeFbAd holding DEFAULT_ADMIN on reUSD/ICL and PROPOSER/CANCELLER on the Timelock; (b) the Timelock min delay is 172800 seconds = 48 hours; (c) an OpenZeppelin v5 AccessManager contract at 0x3f0DA1C363e34802C6f12F9C27276dC0e6696FD8 is the authority() for the Instant Redemption contract and is administered by the Access Admin EOA below.

| Role | Controller Address | Control Mechanism (per docs) | Onchain Authority | Permissions |
| --- | --- | --- | --- | --- |
| Oracle Admin | 0x49BC5A880f77247A348764DdB95951cd9212A0ee | MPC 3-of-5 (docs), no timelock | EOA; role on Share Price Calculator not verified — current PRICE_SETTER_ROLE holders onchain: 0x6c15b25e...bfe57649 and 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6 | Configure price feeds (per docs) |
| Redemptions Admin | 0xEE16bE0374f2eFb34218affC1a8EbEe9310c47f8 | MPC 3-of-5 (docs), 48 hours | EOA | Set redemption limits, top-up redemption vault (per docs) |
| Access Admin | 0x80a62B72dF1136aCBc57141FB67Aa46812fECAFc | MPC 5-of-8 (docs), 48 hours | EOA; observed calling grantRole / labelRole on AccessManager 0x3f0DA1C363e34802C6f12F9C27276dC0e6696FD8 | Admin of OZ AccessManager (roles for Instant Redemption, etc.) |
| Custodian Manager | 0x9b6d7f2de2E4569297C7e88531E47679cEbE6eC9 | MPC 3-of-5 (docs), 48 hours | EOA; holds CUSTODIAN_MANAGER_ROLE (0x0792b378…) on ICL — verified | Add/remove collateral custodians |
| Governance (Upgrades / DEFAULT_ADMIN) | 0x8EEc10616802Ef639ca55C98Ac856553FadeFbAd | Safe 3-of-5 (onchain-verified; not MPC) | Holds DEFAULT_ADMIN + UPGRADER on reUSD and ICL, PROPOSER + CANCELLER on Timelock | Contract upgrades, role administration (routed through Timelock for timelocked actions) |
| Timelock executor | 0x4BFea59b948a1a0FAC3C8C40BfD86E0e740738F3 | EOA (onchain-verified) | Holds EXECUTOR_ROLE on the Timelock | Execute queued timelock transactions after 48h delay |

Cross-Chain Deployments

Chain reUSD Address
Avalanche 0x180aF87b47Bf272B2df59dccf2D76a6eaFa625Bf
Arbitrum 0x76cE01F0Ef25AA66cC5F1E546a005e4A63B25609
Base 0x7D214438D0F27AfCcC23B3d1e1a53906aCE5CFEa
Katana 0xe08853433fDBC504240455e295B644E0F44c3B29
BNB Chain 0xbA9425EC55ee0E72216D18e0ad8BBbA2553bFb60
Ink 0x5BCf6B008bf80b9296238546BaCE1797657B05d6

Audits and Due Diligence Disclosures

Re Protocol has 4 public smart-contract audit reports from Hacken and Certora, plus a 2025 Agreed-Upon Procedures (AUP) report from The Network Firm for offchain reserve/custody verification.

Audit / Due Diligence History

| # | Date | Scope | Firm | Key Findings | Report |
| --- | --- | --- | --- | --- | --- |
| 1 | Sep 2024 | Smart Contract Audit (DeFi) | Hacken | 29 findings (0 Critical, 0 High, 4 Medium, 7 Low, 18 Observations), all resolved. Centralized minting, unaudited libraries, gas risk, 42.11% branch coverage | Hacken |
| 2 | Dec 2024 | Smart Contract Audit | Hacken | Follow-up audit, issues remediated | Hacken |
| 3 | Apr 2025 | NAV Oracle Audit | Hacken | Scope: the Chainlink-Functions-based NAVConsumer + related code at github.com/resilience-foundation/nav-oracle (commits ee7e98… / e3dd86ef…). 8 findings, all resolved. The audited contract IS deployed and active onchain at 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6, holds PRICE_SETTER_ROLE on the SharePriceCalculator, and runs daily at 23:45 UTC. | Hacken |
| 4 | Sep 2025 | Re Core (comprehensive) | Certora | 13 issues identified, all addressed and fixed. Formal verification and manual review. | Certora |
| 5 | Oct 2025 | Agreed-Upon Procedures (reserve/custody verification; not a smart-contract audit) | The Network Firm | Independent verification of offchain operational controls and reserve attestation | AUP Report |

Hacken Aug 2024 Findings (Detail)

  • Centralization: USDRWA and ReToken contracts concentrate minting/burning in a single address
  • Unaudited Dependencies: Protocol uses libraries/contracts without security audits
  • Gas Risk: Iteration over large dynamic arrays risks denial of service from out-of-gas errors
  • Missing Governance Audit: Governance code was not covered in the audit scope
  • Low Test Coverage: 42.11% branch coverage -- deployment and basic interactions tested, multi-user interactions not thoroughly tested

Bug Bounty

Known Issues

  • Centralized oracle price updates for reUSD (daily, admin-controlled)
  • Centralized minting/burning via single controller addresses
  • Governance code not yet audited

Historical Track Record

  • Production History: Re Protocol launched in late 2022. reUSD token inception June 12, 2025 (per RWA.xyz). Curve pool created ~9 months ago per GeckoTerminal.
  • TVL: ~$198.1M (DeFi Llama, Apr 17, 2026). ~$186.7M market cap across all chains (CoinGecko). ~174.1M reUSD total supply (CoinGecko); ~172.6M on Ethereum (onchain totalSupply()).
  • Written Premiums: $168.8M in 2025. >$134M in reinsurance capacity unlocked.
  • Exchange Rate History: reUSD has appreciated from ~$1.00 to ~$1.067, representing ~6.7% cumulative yield since inception (June 2025).
  • Incidents: No reported security incidents, exploits, or hacks found for Re Protocol's reUSD on Rekt News or DeFi Llama hacks database. Note: Resupply Protocol (a different project with a different reUSD token at a different address) suffered a $9.6M exploit in June 2025 -- this is unrelated to Re Protocol/re.xyz.
  • Peg/Price Stability: reUSD is not a stablecoin in the traditional sense. Its price is designed to monotonically increase (accruing yield), so "depegging" is not applicable in the same way. The token price should only ever go up.

Funds Management

Token Mechanism

reUSD is an ERC-20 deposit token that uses a price-appreciation model (not rebasing):

  • Users deposit admitted assets (USDC) into the ICL smart contract and receive reUSD; the token price increases daily based on the Applicable APY.
  • Onchain price path (verified Apr 17, 2026): the share price is stored in SharePriceCalculator 0xd1D104a7515989ac82F1AFDa15a23650411b05B8 and written via setSharePrice(uint256). The standard writer is NAVConsumer 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6 — a Chainlink Functions + Chainlink Automation consumer (DON fun-ethereum-mainnet-1, subscription 85, daily at 23:45 UTC). NAVConsumer enforces a 10% onchain deviation cap (maxDeviationBps = 1000) and was audited by Hacken in April 2025 (github.com/resilience-foundation/nav-oracle, 8 findings, all resolved). The PriceRouter 0xFe76cF5eD606593fB7764f33627B8D7E0f9Fab66 reads the calculator via SharePriceOracle 0x0764BFa862164D28799F31e7e1e7206F5177B6bB; the same router reads sUSDe via SimpleOracle 0xb6aD3633cB3FAfed3D375d8c64240f122E19fB4D wrapping Chainlink's sUSDe/USD aggregator 0xFF3BC18cCBd5999CE63E788A1c250a88626aD099. The SharePriceCalculator itself only enforces newPrice != 0 — the deviation cap lives in the NAVConsumer, not the calculator.
  • Residual concern: both PRICE_SETTER_ROLE on SharePriceCalculator and all admin/updater roles on NAVConsumer (including EMERGENCY_UPDATER_ROLE which can call forceNAVUpdate, and the ability to flip setDeviationCheckEnabled(false) to disable the guardrail) sit with the same EOA 0x6C15B25E9750Dccb698C1a4023f34015bFe57649. That EOA can bypass NAVConsumer entirely and write any positive price directly to the calculator.
  • The Network Firm performs offchain attestations of the §114 Trust balances (cadence verified only via the single October 2025 AUP report). No Chainlink Proof-of-Reserve aggregator for reserves is consumed onchain — the onchain NAV Oracle publishes the share price, not reserves. See the Chainlink usage appendix at the end of this report.
  • NAV formula: (Spread/365) + max[sUSDe(T)/sUSDe(T-7d) - 1 ; TBILL(T)/TBILL(T-7d) - 1] × (undeployed capital / total capital) + SOFR × (deployed capital / total capital). Spread = 250 bps.
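
An added example (not Re's code and not part of the original report): a watchdog that replays decoded calls to SharePriceCalculator and NAVConsumer and flags the bypass paths described in the residual-concern bullet above. The addresses, function names and the 1000 bps cap come from the report; the `Call` record schema, the 1e18 price scaling and the sample stream are constructed assumptions.

```python
from dataclasses import dataclass

# Addresses, function names and the cap come from the report; the rest is constructed.
NAV_CONSUMER = "0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6"
ADMIN_EOA = "0x6C15B25E9750Dccb698C1a4023f34015bFe57649"
MAX_DEVIATION_BPS = 1000  # NAVConsumer.maxDeviationBps (10%)


@dataclass(frozen=True)
class Call:
    """One decoded call (hypothetical schema, e.g. built from transaction traces)."""
    ts: int             # block timestamp, unix seconds
    contract: str       # "SharePriceCalculator" or "NAVConsumer"
    fn: str             # decoded function name
    sender: str         # msg.sender as seen by the called contract
    arg: object = None  # new price (int, assumed 1e18 scaling) or bool flag


def deviation_bps(old: int, new: int) -> int:
    """Absolute price move in basis points of the previous price."""
    return abs(new - old) * 10_000 // old


def audit_calls(start_price: int, calls: list) -> list:
    """Replay calls in time order; return (timestamp, rule) for every violation."""
    findings = []
    price = start_price
    guard_enabled = True
    for c in sorted(calls, key=lambda c: c.ts):
        if c.contract == "NAVConsumer":
            if c.fn == "setDeviationCheckEnabled":
                guard_enabled = bool(c.arg)
                if not guard_enabled:
                    findings.append((c.ts, "deviation-guard-disabled"))
            elif c.fn == "forceNAVUpdate":
                # The calculator will see NAVConsumer as the caller, so this
                # path is only visible by watching NAVConsumer itself.
                findings.append((c.ts, "force-nav-update"))
        elif c.contract == "SharePriceCalculator" and c.fn == "setSharePrice":
            via_consumer = c.sender.lower() == NAV_CONSUMER.lower()
            if not via_consumer:
                # The calculator only enforces newPrice != 0, so the cap is skipped.
                findings.append((c.ts, "direct-write"))
            if deviation_bps(price, c.arg) > MAX_DEVIATION_BPS:
                findings.append((c.ts, "deviation-above-cap"))
            if via_consumer and not guard_enabled:
                findings.append((c.ts, "write-while-guard-disabled"))
            if c.arg < price:
                # The report states the price is designed to increase monotonically.
                findings.append((c.ts, "price-decrease"))
            price = c.arg
    return findings


# Constructed sample stream (not real chain data).
START_PRICE = 10724 * 10**14  # 1.0724, the share price quoted in the report
SAMPLE = [
    Call(1000, "SharePriceCalculator", "setSharePrice", NAV_CONSUMER, 10726 * 10**14),
    Call(2000, "NAVConsumer", "setDeviationCheckEnabled", ADMIN_EOA, False),
    Call(3000, "NAVConsumer", "forceNAVUpdate", ADMIN_EOA),
    Call(3001, "SharePriceCalculator", "setSharePrice", NAV_CONSUMER, 13 * 10**17),
    Call(4000, "SharePriceCalculator", "setSharePrice", ADMIN_EOA, 10**18),
]

if __name__ == "__main__":
    for ts, rule in audit_calls(START_PRICE, SAMPLE):
        print(ts, rule)
```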

Capital Deployment

  1. Onchain: a portion of deposits is kept in onchain backing, verified at ~54% of Ethereum NAV on Apr 17, 2026 (see Collateralization). Held as USDC, USDT, USDe and sUSDe in the ICL Custodial Wallet and redemption reserves.
  2. Offchain (§114 Trust): Remainder deployed offchain into U.S.-domiciled §114 Reinsurance Trust Accounts, providing admitted collateral for the partner reinsurer's insurance programs
  3. Surplus Notes: The offchain entity issues legally binding surplus notes back to the ICL, contractually guaranteeing principal protection and the Applicable APY interest rate
  4. Yield Sources: Delta-neutral ETH strategy (Ethena basis trade) or T-Bills, plus protocol spread from reinsurance premiums

Reinsurance Portfolio (summary)

Re reinsures a ~$174M diversified portfolio of U.S. insurance programs across 26+ active reinsurance contracts. Re classifies the book as "low-volatility" and claims a ~92% combined ratio over 2022-2024 with no capital impairment. Stress testing asserted by Re gives reUSD a 0.03% loss likelihood at a 135% combined ratio (reUSDe 0.9%, Re Capital 3.9%). All portfolio composition, combined-ratio, ROE, pipeline, and stress-testing figures are sourced from Re's own LP memo and intro deck — none are independently verified.

Capital Structure: reUSDe (Junior Tranche)

reUSDe is the protocol's junior/first-loss tranche (docs). It absorbs underwriting losses before they reach reUSD in exchange for a share of underwriting profits (historically 16-25% net annual returns per docs).

Loss waterfall (losses absorbed in order):

  1. Re Capital (~$73M) — first-loss buffer, starts taking losses once portfolio combined ratio reaches 105%.
  2. reUSDe (junior) — starts taking losses once combined ratio reaches 115% (i.e. after Re Capital is exhausted). Absorbs losses up to the 115-135% combined ratio range.
  3. reUSD (senior) — only impaired if combined ratio exceeds 135%, meaning both Re Capital and all reUSDe reserves are depleted.

Re's marketing attaches modeled impairment likelihoods to each threshold (Re Capital ~3.9% at 105% CR; reUSDe ~0.9% at 115%; reUSD ~0.03% at 135%). These numbers come from a single chart on page 1 of the Nov 2025 LP Memo ("Re Capital Structure and Risk-Remote Design") and represent the modeled probability of the portfolio combined ratio reaching each threshold. The model is undisclosed: no distributional assumptions, correlation structure, simulation count, calibration window, confidence intervals, or actuarial sign-off are published. The tail figures also assume the subordinated buffer is fully intact at time of stress. Treat as Re-asserted, not independently attested.

reUSDe mechanics:

  • Price based on quarterly-refreshed target NAV derived from actuarial reports; compounds daily but surplus realization occurs quarterly
  • Idle capital earns sUSDe basis-trade yield until called for underwriting
  • Redemptions are quarterly (72h window at fiscal quarter start), pro-rata if requests exceed capacity; unfilled rolls to next quarter
  • Re's public materials describe a restoration order in which later reinsurance profits first recapitalize reUSD/reUSDe before the Re Capital buffer (not verifiable onchain).
  • Issued by Resilience (BVI) Ltd.; Resilience Foundation is the Agent of both reUSD and reUSDe token holders
  • reUSD is stated to be protected by subordinated assets (Re Capital + reUSDe combined); only Re Capital ~$73M is directly referenced in the LP Memo. The total subordinated buffer amount is a protocol claim, not independently verified.

Accessibility

  • Deposits: KYC/AML required (via SumSub and Chainalysis). Users must pass KYC checks because a portion of protocol capital is deployed with a Cayman-regulated reinsurance company (CIMA-regulated).
  • KYC on redemption — enforced onchain (verified Apr 17, 2026): every redemption entrypoint reverts with KYCRequired if kyc.isKYCApproved(msg.sender) == false. Checked functions in the InstantRedemptionInteraction contract 0x8aEb9453EF22Cb38abC7a3Af9c208F65C1BfE31e: redeemInstant, submitWindowRequest, adjustWindowRequest, claimWindowPayout. The same check is repeated inside InstantRedemption._processRedemption on the user argument. A KYC revocation therefore blocks not only new deposits but also the holder's ability to redeem onchain through the protocol. Selling on a DEX remains possible because DEX routers do not gate transfers on KYC.
  • reUSD — Instant Redemption: available from the onchain instant liquidity buffer via redeemInstant(uint256 shares, uint256 minPayout) on the Interaction contract (which delegates to the InstantRedemption implementation at 0xa31DeeBB3680A3007120e74bcBdf4dF36F042a40). Atomic, same-block settlement. Onchain-verified parameters on Apr 17, 2026: minRedemption = 0.01 reUSD (1e16), maxRedemption = 1,000,000 reUSD (1e24), dailyLimitBps = 2000 (20% of capacity), userLimitBps = 1000 (10% per wallet), feeBps = 6 (0.06%), dayPayoutToken = sUSDe. At the fastest drain rate, ~5 days to exhaust all liquid onchain reserves (20% per day). The "250 reUSD minimum" cited elsewhere is not in the public docs and contradicts the onchain parameter; treat 0.01 reUSD as the contract-level floor.
  • reUSD — Windowed Redemption: once the instant buffer is exhausted, the protocol opens a redemption window (minimum 24 hours). Requests fulfilled pro-rata based on available capital. Proceeds must be claimed within two months.
  • reUSDe — redemption works differently (per docs): no instant redemption path exists. reUSDe redemptions are quarterly-only. Request window = first 72 hours of each fiscal quarter; an "actuarial gate" at quarter-end (≤10 business days) determines Available Surplus; payouts are pro-rata against that surplus; unfilled balances auto-roll into the next quarter while retaining queue seniority. Re explicitly notes "No secondary market maker pool is promised" for reUSDe. The senior-tranche instant buffer/vault described above applies to reUSD only, not reUSDe.
  • DEX Trading (Re reUSD only): Fluid reUSD/USDT DEX pool (~$11.62M — note: USDT, not USDC); Curve reUSD/sUSDe (~$1.42M) and reUSD/USDC (~$450K); Avalanche Blackhole reUSD/USDC pools (~$1.47M combined). Total DEX liquidity ~$14.96M on Apr 17, 2026 (DeFi Llama yields API, filtered by underlying token 0x5086…0c72 / 0x180aF87b…625Bf). Larger pools labelled "reUSD/scrvUSD", "reUSD/sfrxUSD", "reUSD/fxUSD", "reUSD/sDOLA" on Curve/Convex/Stake-DAO/Beefy are Resupply Protocol's reUSD (0x57aB1E00…) and are NOT Re reUSD exits.
  • Not available to U.S. persons
  • Fees: Redemption fee of 6 bps (0.06%) — onchain-verified via InstantRedemption.feeBps() = 6 at 0xa31DeeBB3680A3007120e74bcBdf4dF36F042a40 (docs). No documented deposit fees, management fees, or performance fees. RWA.xyz reports 0.18% subscription and 0.18% redemption fees — discrepancy with docs may reflect different fee tiers or methodology. Onchain data shows ~$1,535 total deposit fees collected historically, suggesting a small deposit fee mechanism exists in the contracts (also flagged in Hacken audit finding F-2024-5214 "Unclaimed Deposit Fees Unaccounted For").

Collateralization

  • Onchain reserve target: Re's public materials describe a target of ≥50% of deposits kept in onchain backing (USDC, sUSDe, and — per protocol claim — potentially T-bill wrappers such as BUIDL).
  • Onchain reserves — verified Apr 17, 2026 against AUP address list: The Network Firm's Oct-2025 AUP report lists 15 Fireblocks-MPC-controlled addresses as in-scope for Re's supporting assets (AUP-Report-2025.pdf, Procedure 3 table). All 15 were checked for USDC / USDT / USDe / sUSDe / BUIDL balances today. 11 are empty; 4 hold all the reserves:

| # | AUP-listed address | Chain type | Current USD value | Share |
| --- | --- | --- | --- | --- |
| 1 | 0x295F67Fdb21255A3Db82964445628a706FBe689E ICL Custodial Wallet | EOA | $24.39M (USDC $9.34M + USDT $1.99M + USDe $0.10M + sUSDe $12.96M) | 24.4% |
| 2 | 0x9eA38e09F41A9DE53972a68268BA0Dcc6d2fAdf8 Redemption Reserves Custodian | EOA | $65.38M (sUSDe) | 65.4% |
| 3 | 0xd4374008c88321Eb2e59ABD311156C44B25831e9 | EOA | $2.56M (USDe $0.99M + sUSDe $1.57M) | 2.6% |
| 4 | 0x5C454f5526e41fBE917b63475CD8CA7E4631B147 Daily Instant Redemption Vault | Contract (RedemptionVault) | $7.60M (sUSDe) | 7.6% |
| 5 | 0x4691C475bE804Fa85f91c2D6D0aDf03114de3093 ICL | Contract (proxy) | $0 | |
| 6 | 0xE1886BE2bA8B2496c2044a77516F63a734193082 | Contract | $258 (dust) | |
| 7-15 | 0x19af…5896, 0x4F1f…DaE4, 0x802e…0291, 0x9AB6…1FE3, 0xb22a…fbe1, 0xD75E…eDE9, 0xe132…9d23, 0xfB60…4BB0, 0xfd40…B852 | 9 × EOA | $0 | |
| Total | | | ~$99.93M | 100% |

(sUSDe valued at the onchain sUSDe/USDe exchange rate of 1.22757 via convertToAssets, assuming USDe ≈ $1.)

Coverage ratio: $99.93M / $185.10M Ethereum NAV = ~54.0% (~53.5% vs $186.72M total cross-chain NAV). The protocol-stated ≥50% target is met with ~4 percentage points of headroom.

Address 3 (0xd4374008…B25831e9) is listed in the AUP but was not previously enumerated in this report. It currently holds $2.56M of USDe and sUSDe. Its purpose is undocumented publicly; from its onchain behaviour it appears to be an auxiliary custody / rebalancing EOA in the Fireblocks set.

  • Concentration concerns (onchain-verified):

    • ~90.1% of onchain reserves are in sUSDe, not USDC. This inherits Ethena counterparty / smart-contract risk and a 7-day cooldown to unstake sUSDe → USDe. Only ~$9.34M of the reserves (≈9.8%) is immediately-redeemable USDC.
    • No BUIDL or T-bill-wrapper balances were found at any of the ICL / vault / custodian addresses (Apr 17, 2026), even though Re's materials mention such assets as potential reserves. Apart from USDC / USDT / USDe / sUSDe, the only non-dust holding is ~1.35M reUSDsUSDe Curve LP tokens at the ICL Custodial Wallet (protocol-owned liquidity for the reUSD/sUSDe pool; excluded from the reserve total above). All other token balances at these addresses are airdrop spam or dust (<$500).
    • The ICL contract 0x4691…3093 itself holds $0 in reserves — assets sit at the Custodial Wallet (an EOA) and at the Redemption Reserves Custodian (also an EOA).
  • Custody / asset-movement surface — 92% of reserves sit at plain EOAs (critical):

    Of the $99.93M onchain reserve, $92.33M (~92.4%) sits at three plain EOAs: the ICL Custodial Wallet (~$24.4M), the Redemption Reserves Custodian (~$65.4M), and the auxiliary address 0xd4374008…B25831e9 (~$2.6M). Only $7.60M (the Daily Instant Redemption Vault) sits behind contract-enforced role gating. From the chain's perspective, each EOA is indistinguishable from an ordinary single-key wallet. One ECDSA signature, one transfer(...) call, and those funds move anywhere — no onchain delay, no destination whitelist, no role check.

    Re's documentation and the October 2025 AUP describe these as "Fireblocks MPC (Multi-Party Computation) wallets" in which "the associated private key is split into encrypted 'shares'" (AUP Report 2025, footnote 2). Important caveats about what the AUP actually proves:

    • The AUP procedure for the Fireblocks assets was "observe Re Management access the Fireblocks blockchain-based MPC wallet" and then "query the blockchain-based addresses observed for Supporting Assets". This is watching someone log in; it is not cryptographic verification that N-of-M signers are required for any given transaction. TNF relied on Re's assertion of the MPC structure.
    • The AUP explicitly disclaims operating-effectiveness testing of internal controls: "We did not perform procedures regarding the operating effectiveness of the Re's internal controls."
    • The AUP was also scoped to exclude 1:1 backing, TVL, and token valuations: "We did not perform procedures over specific aspects of the Re Protocol, including but not limited to … 1:1 backing of reserves to the tokens or the total value locked (TVL) of the Re Protocol."

    Onchain, the EOAs have no code — no Safe multisig, no timelock wrapper, no onchain-whitelisted destination set, no per-asset spending caps. Whatever Fireblocks policies exist (transaction whitelists, per-asset limits, approval workflows) and whatever the real MPC quorum is are entirely offchain and unverifiable by anyone outside Re. The 48-hour Timelock does NOT protect these reserves — it only gates governance actions routed through TimelockController (upgrades, role changes).

    What's needed to drain $92.3M onchain:

    • If the claimed N-of-M MPC is real and Fireblocks policies are tight → policy compromise + signer-quorum compromise / collusion → 1 signed tx.
    • If Fireblocks policies are permissive → signer-quorum compromise / collusion alone → 1 signed tx.
    • If an insider with quorum access is malicious → 1 signed tx.

    This is the single largest unmitigated custody risk in the system. The AUP provides evidence that the specific address list is in Re's MPC setup, not that unauthorized movement would be prevented by multi-party signing.

  • Onchain buffer: Instant redemption vault and Redemption Reserves Custodian hold ~$72.98M of sUSDe plus $0 USDC for immediate redemptions (USDC instant exits unavailable under current config; see Liquidity).

  • Offchain trust: §114 Reinsurance Trust holds cash and T-Bills in NAIC-compliant banks; Re's public materials name these as "an independent bank / custodian" without disclosing specific counterparty names. The only independently-verified attestation of these balances is the Oct 31, 2025 Agreed-Upon Procedures report by The Network Firm (AUP-Report-2025.pdf); no ongoing cadence is publicly established. Re's docs describe the publication as "published via Chainlink" — onchain, no Chainlink PoR aggregator is consumed (see the Chainlink usage appendix).

  • Surplus Note protection: Surplus notes rank junior to policyholders but contractually protect depositor principal

  • Re Capital buffer: ~$73M subordinated first-loss layer ahead of reUSDe and reUSD

  • reUSDe as backstop: reUSDe (the risk-bearing token) absorbs first-loss risk across the reinsurance portfolio, providing a backstop to prevent losses reaching reUSD holders. Stress testing shows reUSD loss likelihood = 0.03% at 135% combined ratio

Provability

  • reUSD price: Updated daily by a Chainlink-Functions-driven NAVConsumer 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6 calling SharePriceCalculator.setSharePrice. The NAV computation itself is not programmatically onchain — Chainlink Functions runs JS offchain (DON fun-ethereum-mainnet-1, subscription 85) and returns a single NAV value. Onchain safeguards: Chainlink Automation triggers daily at 23:45 UTC; NAVConsumer.maxDeviationBps = 1000 (10%) enforces a deviation guard; Hacken audited the NAV Oracle in Apr 2025. Residual concern: admin/updater roles on NAVConsumer and PRICE_SETTER_ROLE on SharePriceCalculator are both held by a single EOA that can bypass the guard.
  • Onchain reserves: Visible onchain via the ICL contract and Redemption Reserves Custodian
  • Offchain reserves: Attested daily by The Network Firm (third-party accountant with read-only access). Re's docs claim this attestation is "published via Chainlink" / "Proof-of-reserves, publicly auditable". This claim could not be substantiated (Apr 17, 2026): no Chainlink PoR feed for reUSD exists in Chainlink's public reference directory (reference-data-directory.vercel.app/feeds-mainnet.json, 23 mainnet PoR feeds — none for Re / reUSD / Resilience; also absent on Avalanche and BSC directories). No Chainlink PoR aggregator is consumed by any verified Re contract. The actual onchain Chainlink dependency is the sUSDe/USD price aggregator (0xFF3BC18cCBd5999CE63E788A1c250a88626aD099) used for collateral pricing, not reserves. See "Chainlink PoR claim — not substantiated" in the appendix.
  • Insurance performance: Reinsurance returns are inherently offchain and depend on claim experience over multi-year treaty periods
  • Minting requires backing (ICL path): All ICL deposit paths (deposit, depositFromCustodian, processPrestakedDeposit) enforce safeTransferFrom — backing tokens must be transferred to the ICL before reUSD is minted (verified in source at implementation 0x06d4acc104b974cd99bf22e4572f48a051e59670). However, the reUSD token contract has an unrestricted mint(address, uint256) gated only by MINTER_ROLE.
  • MINTER_ROLE holders (verified via RoleGranted logs on Apr 17, 2026): THREE contracts hold the role, not one:
    1. InsuranceCapitalLayer 0x4691C475bE804Fa85f91c2D6D0aDf03114de3093 — backed mint path.
    2. InstantRedemption 0xa31DeeBB3680A3007120e74bcBdf4dF36F042a40 — burns reUSD on redemption; uses MINTER_ROLE because mint and burn typically share the role in this codebase.
    3. ShareTokenMinterBurner 0x0dFb42aa18CEeD719617cd554304F6cA412A6b18: LayerZero OFT wrapper. Only the registered adapter can call mint/burn. The adapter is ReMintBurnAdapter 0x2BB4046022B9161f3F84Ad8E35cac1d5946e0e85, a LayerZero OFT with onchain rate limits of 2,500,000 reUSD / 24h (inbound and outbound) per peer chain. There is no token-level backing check on this mint path by design — cross-chain OFTs conserve supply by burning on the source chain. Risk: both ShareTokenMinterBurner.owner and ReMintBurnAdapter.owner are the same EOA 0x6C15B25E9750Dccb698C1a4023f34015bFe57649 (~0.099 ETH balance). Compromise of this key would let an attacker redirect the adapter and mint up to the 2.5M/day rate limit on Ethereum per connected peer chain.
  • If MINTER_ROLE were granted to another address via Governance Safe, that address could mint without a backing check at the token layer.

Liquidity Risk

Primary Exit Mechanisms

  1. Instant Redemption: From the onchain buffer. Atomic, same-block. Available until buffer is exhausted (< 1% of supply triggers window-only mode)
  2. Quarterly Redemption: Processed pro-rata with available capital not reserved for reinsurance plus actuarially released funds
  3. DEX Swap: Sell reUSD on Curve reUSD/USDC pool

DeFi Integrations

Onchain-verified integrations that consume Re Protocol's reUSD (0x5086…0c72):

| Protocol | Type | Notes |
| --- | --- | --- |
| Fluid DEX | DEX | reUSD/USDT pool (~$11.62M TVL, ~$1.67M daily volume). Largest trading venue. |
| Fluid Lending | Lending | Three lending markets supply reUSD: ~$23.58M (vs USDT), ~$23.34M (vs USDC), ~$15.35M (vs fxUSD). Total reUSD supplied ~$62.3M. |
| Curve | DEX | reUSD/sUSDe (~$1.42M), reUSD/USDC (~$450K). (reUSD/scrvUSD, reUSD/sfrxUSD, reUSD/fxUSD, reUSD/sDOLA pools are Resupply reUSD, not Re's.) |
| Morpho | Lending | Re reUSD vaults (~$4.74M + ~$2.29M ≈ $7.0M). PT-REUSD-25JUN2026 Pendle-PT markets also reference Re reUSD indirectly. |
| Pendle | Yield | reUSD yield-tokenization market (~$8.42M TVL). |
| Beefy | Vault | reUSD auto-compounding vault (~$786K). |
| Stake-DAO | Vault | reUSD vault (~$428K). |
| Blackhole (Avalanche) | DEX | reUSD/USDC pools on Blackhole CLMM + AMM (~$962K + ~$510K ≈ $1.47M). |

Combined ~$69.3M of Re reUSD is supplied into Fluid + Morpho lending markets onchain.

Liquidity Summary

  • Total DEX Liquidity (onchain-verified, Re reUSD only): ~$14.96M across Fluid, Curve, and Blackhole (~8.0% of ~$186.7M market cap). Fluid reUSD/USDT (~$11.62M) is the dominant venue (~78% of DEX depth). Significantly smaller than the initial "~$26.2M" figure, which erroneously included Resupply-reUSD Curve pools.
  • 24h Trading Volume (token-level, CoinGecko): ~$7.3M.
  • Instant redemption buffer (Apr 17, 2026, onchain): The Daily Instant Redemption Vault at 0x5C454f5526e41fBE917b63475CD8CA7E4631B147 holds 0 USDC and 6.188M sUSDe. The custodialWallet (labeled "Redemption Reserves Custodian" in this report) 0x9eA38e09F41A9DE53972a68268BA0Dcc6d2fAdf8 is an EOA and holds 0 USDC and 53.263M sUSDe. The configured dayPayoutToken is sUSDe (not USDC) on Apr 17, 2026, so instant redemptions settle into sUSDe under current config.
  • Instant Redemption Interaction Contract: 0x8aEb9453EF22Cb38abC7a3Af9c208F65C1BfE31e — exposes redeemInstant(uint256 shares, uint256 minPayout) for instant redemptions.
  • Onchain capital (Apr 17, 2026): ICL Custodial Wallet 0x295F67Fdb21255A3Db82964445628a706FBe689E holds 9.344M USDC + 10.496M sUSDe. ICL contract itself holds $0.
  • Quarterly queue: Pro-rata fulfillment, may not be fully met if capital is locked in reinsurance
  • KYC required: Both for deposit and redemption through the protocol
  • Multi-chain: Available on 6+ chains. Liquidity concentrated on Ethereum Curve pools (~$16M) with ~$1.5M on Avalanche.

Centralization & Control Risks

Governance

  • Governance (onchain-verified): A Safe 3-of-5 multisig at 0x8EEc10616802Ef639ca55C98Ac856553FadeFbAd (SafeProxy; 5 owners, threshold 3) holds DEFAULT_ADMIN + UPGRADER on reUSD and ICL, and PROPOSER + CANCELLER on the Timelock. The protocol docs also describe additional MPC-controlled admin EOAs (Oracle, Redemptions, Access, Custodian); those EOAs exist onchain, but the N-of-M MPC quorum is offchain and cannot be verified.
    • Oracle admin EOA: 0x49BC5A88…9212A0ee, no timelock (direct setSharePrice capability implied).
    • Redemptions admin EOA: 0xEE16bE03…310c47f8.
    • Access admin EOA: 0x80a62B72…812fECAFc (administers AccessManager 0x3f0DA1C363e34802C6f12F9C27276dC0e6696FD8; onchain-observed calling grantRole/labelRole).
    • Custodian manager EOA: 0x9b6d7f2d…cEbE6eC9 — holds CUSTODIAN_MANAGER_ROLE on ICL (onchain-verified).
    • Timelock executor EOA: 0x4BFea59b…740738F3 (onchain-verified).
  • Upgrade Pattern: UUPS / ERC1967 upgradeable contracts (reUSD and ICL implementations verified).
  • Upgrade Authority: Governance Safe → Timelock Controller (0x69dDEa332723cF5407151aAF68B9b076557FCA93). Timelock getMinDelay() = 172800 seconds (48 hours, onchain-verified).
  • Timelock: 48-hour timelock on upgrades and role changes routed through Timelock. The setSharePrice path has no onchain timelock or guardrail — price writes take effect immediately.
  • No onchain governance: Protocol is currently governed by an expert-led council (Resilience Foundation). Planned transition to DAO in the future.
  • MPC signers: Re Team members — not publicly identified.

Programmability

  • reUSD price: NOT programmatically computed. The NAV itself is produced offchain by a Chainlink Functions JS job, delivered onchain by NAVConsumer, and stored in SharePriceCalculator. Onchain, the NAV Consumer enforces a 10% deviation cap per update (maxDeviationBps = 1000). No Chainlink PoR aggregator for reserves is consumed onchain (see the Chainlink usage appendix). The calculator itself has no guardrail on setSharePrice; the admin EOA holds the role and can bypass the NAV Consumer path.
  • Deposits: Require KYC verification through the KYC Registry contract
  • Redemptions: Instant redemptions are programmatic (from buffer). Quarterly redemptions involve admin-managed processes
  • Capital deployment: Offchain, managed by the protocol team through the Fireblocks custody infrastructure

External Dependencies

  • Chainlink: Verified onchain use is (a) Chainlink Functions + Automation driving the daily reUSD NAV/share-price update and (b) the Chainlink sUSDe/USD price feed used for collateral pricing. Docs claim reserve attestations are published via Chainlink, but no Chainlink PoR aggregator for Re reserves was verified.
  • The Network Firm: Third-party accountant for daily offchain reserve verification
  • Ethena: USDe/sUSDe for basis-trade yield source
  • Fireblocks: Custody for idle onchain capital (daily sweeps from ICL to Fireblocks vault)
  • §114 Reinsurance Trust: Offchain U.S.-domiciled trust bank for regulatory collateral
  • Cayman Reinsurer: Partner reinsurance company (CIMA-licensed, Class B(iii))
  • SumSub / Chainalysis: KYC/AML verification
  • Multiple blockchains: Cross-chain deployments on Ethereum, Avalanche, Arbitrum, Base, Katana, BNB Chain, Ink

Operational Risk

  • Team: CEO Karn Saroya (publicly known, LinkedIn/Twitter). Previously co-founded Cover (YC-backed insurtech) and Stylekick (acquired by Shopify); part of early Shopify team. Reinsurance operations headed by former CEO of Willis Programs. Veteran team in insurance-tech for 10+ years.
  • Company: Re (re.xyz). Founded 2022. Issuer entity: Resilience BVI Ltd. (British Virgin Islands, per RWA.xyz). Governance controlled by Resilience Foundation.
  • Legal Structure: Partner reinsurance company domiciled in Cayman Islands, regulated by CIMA. Offchain trust accounts in U.S. jurisdiction (§114 Trust, NAIC-compliant banks). Token issuer domiciled in BVI.
  • Investors: $14M seed round at $100M post-money valuation. Investors include Electric Capital, Tribe Capital, Stratos, SiriusPoint, Exor, Defy, Framework Ventures, Morgan Creek Digital.
  • Custody: Re's public materials (docs.re.xyz) name Fireblocks MPC custody for idle onchain assets. The AUP-Report-2025 corroborates that Re operates a Fireblocks MPC wallet set covering the 15 listed addresses but does not cryptographically verify the N-of-M quorum. Public documentation does not name specific banking counterparties for the offchain §114 Trust assets.
  • Documentation: Comprehensive documentation at docs.re.xyz. Clear description of mechanism, risks, and investor protections.
  • Runtime Monitoring: Chainalysis for onchain transaction monitoring.
  • Incident Response: Emergency pause mechanism exists. Recovery wallets designated for each ICL (e.g., 0xDf6bF2713b5c7CA724E684657280bC407938F447 for initial ICL).
  • KYC/AML: Required for all participants (SumSub + Chainalysis). Revoked KYC = request cancelled, tokens returned.
  • Not available to U.S. persons and may be restricted in other jurisdictions.
  • Written Premiums: $178M gross written premium to date (intro deck). $4B pipeline dealflow. Protocol has demonstrated real-world insurance business traction.

Monitoring

reUSD Price Monitoring

  • Share Price Calculator: 0xd1D104a7515989ac82F1AFDa15a23650411b05B8

    • Monitor reUSD price changes daily. Current: ~$1.072 (onchain getSharePrice() = 1072426668551449984, Apr 17, 2026).
    • Alert: If price decreases (should only ever increase under normal operation).
    • Alert: If price growth stops for >48 hours (indicates oracle feed interruption or yield issue).
    • Alert: Any new member granted PRICE_SETTER_ROLE on the Share Price Calculator (currently 0x6c15b25e…57649 and NAVConsumer 0x84d4eaeb…2b4b6).
    • Alert (Critical): Any setSharePrice call whose msg.sender is NOT the NAVConsumer — this is a bypass of the audited NAV path.
  • NAV Consumer (Chainlink Functions + Automation): 0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6

    • Alert (Critical): maxDeviationBps changes (currently 1000 = 10%); deviationCheckEnabled flipped to false; automationEnabled flipped to false; paused flipped to true.
    • Alert (Critical): Any call to forceNAVUpdate (admin override; minimum 4h interval).
    • Alert (Critical): Role changes on DEFAULT_ADMIN_ROLE, ADMIN_ROLE, UPDATER_ROLE, EMERGENCY_UPDATER_ROLE, KEEPER_ROLE.
    • Alert (High): configure(uint64,bytes32,string,bytes) — changes Chainlink Functions subscription / DON / source code.
    • Alert (High): Daily NAV update did not fire within the configured time window (default target 23:45 UTC).
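Added example (not part of the original report or of Re's code): the share-price alerts above, applied to a list of already-decoded setSharePrice calls. The NAVConsumer address, the 10% bound and the first price come from this report; the record shape, the other prices, the timestamps and OTHER_SENDER are constructed assumptions.

```python
from dataclasses import dataclass

# NAVConsumer address as given in this report, lower-cased for comparison.
NAV_CONSUMER = "0x84d4eaeb10f9e57b67622f667c6c13e22fa4b2b6"
MAX_DEVIATION_BPS = 1000   # NAVConsumer.maxDeviationBps per the report (10%)
STALL_SECONDS = 48 * 3600  # "price growth stops for >48 hours"


@dataclass
class PriceWrite:
    """One setSharePrice call, already decoded from a trace (assumed input shape)."""
    timestamp: int  # block timestamp in seconds
    sender: str     # msg.sender seen by SharePriceCalculator
    price: int      # new share price, 18 decimals


def check_price_writes(writes, now):
    """Return (severity, rule, detail) alerts for chronologically ordered writes."""
    alerts = []
    prev = None
    last_growth = None  # timestamp of the most recent write that raised the price
    for w in writes:
        if w.sender.lower() != NAV_CONSUMER:
            alerts.append(("critical", "bypass",
                           f"setSharePrice at {w.timestamp} sent by {w.sender}"))
        if prev is None:
            last_growth = w.timestamp
        else:
            if w.price < prev.price:
                alerts.append(("alert", "decrease", f"{prev.price} -> {w.price}"))
            elif w.price > prev.price:
                last_growth = w.timestamp
            # Re-apply the NAVConsumer bound here: a direct write to the
            # calculator is not subject to the onchain deviation guard.
            move_bps = abs(w.price - prev.price) * 10_000 // prev.price
            if move_bps > MAX_DEVIATION_BPS:
                alerts.append(("critical", "deviation", f"{move_bps} bps in one write"))
        prev = w
    if last_growth is not None and now - last_growth > STALL_SECONDS:
        alerts.append(("alert", "stall", f"no growth for {now - last_growth} s"))
    return alerts


# Constructed sample data. The first price is the getSharePrice() value quoted
# in the report; the other prices, timestamps and OTHER_SENDER are made up.
T0 = 1_776_383_100
DAY = 86_400
OTHER_SENDER = "0x" + "11" * 20  # placeholder for any non-NAVConsumer caller
SAMPLE = [
    PriceWrite(T0, NAV_CONSUMER, 1_072_426_668_551_449_984),
    PriceWrite(T0 + DAY, NAV_CONSUMER, 1_072_650_000_000_000_000),
    PriceWrite(T0 + 2 * DAY, OTHER_SENDER, 1_250_000_000_000_000_000),
    PriceWrite(T0 + 3 * DAY, NAV_CONSUMER, 1_249_000_000_000_000_000),
]

if __name__ == "__main__":
    for alert in check_price_writes(SAMPLE, now=T0 + 3 * DAY + 3600):
        print(alert)
```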

ICL and Redemption Monitoring

  • reUSD ICL: 0x4691C475bE804Fa85f91c2D6D0aDf03114de3093

    • Monitor for large deposits/withdrawals (>$1M).
    • Monitor total assets under management.
  • Daily Instant Redemption Vault: 0x5C454f5526e41fBE917b63475CD8CA7E4631B147

    • Monitor buffer balance. Alert if buffer drops below 1% of reUSD supply (triggers window-only mode).
    • Monitor for rapid drawdowns indicating potential stress.
  • Reserve EOAs — primary custody risk: ~92% of onchain reserves are at three plain EOAs (of the 15 Fireblocks-MPC-controlled addresses listed in the AUP-Report-2025). No onchain outflow restriction applies.

    • ICL Custodial Wallet (EOA): 0x295F67Fdb21255A3Db82964445628a706FBe689E — current balance ~$24.4M.
      • Alert (Critical): Any transfer (USDC / USDT / USDe / sUSDe) to a destination NOT on the historical allow-list (Ethena sUSDe/USDe contracts, Redemption Reserves Custodian, Daily Instant Redemption Vault, Fireblocks-pattern sweep addresses beginning 0x34b6…). First-time destinations = incident.
      • Alert (High): Any outbound transfer >$1M.
    • Redemption Reserves Custodian (EOA): 0x9eA38e09F41A9DE53972a68268BA0Dcc6d2fAdf8 — current balance ~$65.4M.
      • Alert (Critical): Any sUSDe transfer to a destination NOT on the historical allow-list (only 0x5C45…B147 RedemptionVault and sUSDe/USDe staking contracts observed to date).
      • Alert (High): Any single outbound >$5M.
    • Auxiliary custodian EOA 0xd4374008…B25831e9: currently holds ~$2.6M in USDe+sUSDe. Listed in AUP, role undocumented publicly.
      • Alert (Critical): Any outbound transfer. Small size makes every movement worth a manual look.
    • All 12 other AUP-listed addresses (currently empty or dust): monitor for any incoming deposit >$1M and then for any subsequent outgoing transfer. Sudden use of a previously-empty AUP address is a governance signal (either new custody rotation or an unauthorized movement).
  • Instant Redemption Interaction Contract: 0x8aEb9453EF22Cb38abC7a3Af9c208F65C1BfE31e

    • Monitor threshold value.
    • Alert: On changes to daily or per-wallet redemption caps.
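Added example (not part of the original report): one way to apply the reserve-EOA rules above to decoded ERC-20 Transfer records, building the "historical allow-list" from past destinations. The three full addresses come from this report; AUX_CUSTODIAN, STAKING_CONTRACT, UNKNOWN_DEST, the prices and all transfers are constructed placeholders, and the allow-list rule is applied to every token rather than only sUSDe.

```python
# Addresses as given in this report, lower-cased for comparison.
ICL_CUSTODIAL = "0x295f67fdb21255a3db82964445628a706fbe689e"
REDEMPTION_CUSTODIAN = "0x9ea38e09f41a9de53972a68268ba0dcc6d2fadf8"
REDEMPTION_VAULT = "0x5c454f5526e41fbe917b63475cd8ca7e4631b147"
# Constructed placeholders: the report truncates or does not list these.
AUX_CUSTODIAN = "0x" + "a1" * 20
STAKING_CONTRACT = "0x" + "b2" * 20
UNKNOWN_DEST = "0x" + "c3" * 20

# "High" size thresholds in USD from the report. The auxiliary wallet has
# none because every outbound transfer from it is already critical.
SIZE_LIMIT_USD = {ICL_CUSTODIAL: 1_000_000, REDEMPTION_CUSTODIAN: 5_000_000}
WATCHED = set(SIZE_LIMIT_USD) | {AUX_CUSTODIAN}
DECIMALS = {"USDC": 6, "USDT": 6, "USDe": 18, "sUSDe": 18}
PRICES = {"USDC": 1.0, "USDT": 1.0, "USDe": 1.0, "sUSDe": 1.228}  # constructed


def usd_value(t, prices=PRICES):
    """USD value of one decoded Transfer, using caller-supplied prices."""
    return t["amount"] / 10 ** DECIMALS[t["token"]] * prices[t["token"]]


def build_allowlist(history):
    """Map each watched wallet to the destinations it has already paid."""
    allow = {wallet: set() for wallet in WATCHED}
    for t in history:
        src = t["from"].lower()
        if src in allow:
            allow[src].add(t["to"].lower())
    return allow


def check_outflow(t, allow, prices=PRICES):
    """Return (severity, rule) alerts for one new Transfer out of a watched EOA."""
    src, dst = t["from"].lower(), t["to"].lower()
    if src not in WATCHED:
        return []
    if src == AUX_CUSTODIAN:
        return [("critical", "aux_outflow")]
    alerts = []
    if dst not in allow[src]:
        alerts.append(("critical", "first_time_destination"))
    if usd_value(t, prices) > SIZE_LIMIT_USD[src]:
        alerts.append(("high", "large_outflow"))
    return alerts


def transfer(token, src, dst, units):
    """Build a Transfer record from whole-token units (sample-data helper)."""
    return {"token": token, "from": src, "to": dst,
            "amount": units * 10 ** DECIMALS[token]}


# Constructed history from which the allow-list is derived.
HISTORY = [
    transfer("sUSDe", ICL_CUSTODIAL, REDEMPTION_CUSTODIAN, 500_000),
    transfer("USDe", ICL_CUSTODIAL, STAKING_CONTRACT, 250_000),
    transfer("sUSDe", REDEMPTION_CUSTODIAN, REDEMPTION_VAULT, 750_000),
]
ALLOW = build_allowlist(HISTORY)

if __name__ == "__main__":
    new = transfer("USDC", ICL_CUSTODIAL, UNKNOWN_DEST, 3_000_000)
    print(check_outflow(new, ALLOW))
```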

Governance & Upgrade Monitoring

  • Oracle admin EOA (MPC 3-of-5 per docs): 0x49BC5A880f77247A348764DdB95951cd9212A0ee

    • Alert: On any price feed configuration changes; on any new PRICE_SETTER_ROLE grant on Share Price Calculator.
  • Access admin EOA (MPC 5-of-8 per docs): 0x80a62B72dF1136aCBc57141FB67Aa46812fECAFc — admin of AccessManager 0x3f0DA1C363e34802C6f12F9C27276dC0e6696FD8

    • Alert: On any role assignment or revocation in AccessManager; on MINTER_ROLE grant on reUSD token.
  • Governance Safe (3-of-5, onchain-verified): 0x8EEc10616802Ef639ca55C98Ac856553FadeFbAd

    • Alert: On any transaction execution, owner change, or threshold change.
  • Timelock Controller: 0x69dDEa332723cF5407151aAF68B9b076557FCA93 — the 48h delay between CallScheduled and CallExecuted is the primary review window for any privileged action; the monitor must fire the moment something is queued, not when it executes.

    • Alert: On CallScheduled(bytes32 id, uint256 index, address target, uint256 value, bytes data, bytes32 predecessor, uint256 delay) — decode target / data and surface the decoded function call. Every scheduled call deserves a manual review before the 48h window expires.
    • Alert: On CallExecuted(bytes32 id, uint256 index, address target, uint256 value, bytes data) — confirm the execution matches what was scheduled and did not diverge (OZ TimelockController replays the same payload, so any mismatch would be an upstream monitoring bug).
    • Alert: On Cancelled(bytes32 id) — a Safe-initiated cancel is informational; a cancel originating from anything other than the Governance Safe (0x8EEc10…) or addresses with CANCELLER_ROLE is an incident.
  • UUPS Proxy Upgrades: Monitor for Upgraded events on reUSD token and ICL contracts.

    • Alert: Immediately on any implementation change (48-hour timelock provides review window, so this should have been preceded by a CallScheduled event ≥48h earlier — absence of that precursor is an incident).
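Added example (not part of the original report): decoding the calldata of a CallScheduled event at queue time and checking that an Upgraded event has a CallScheduled precursor whose 48h delay has elapsed. The ICL proxy address and the 172800 s delay come from this report; the event record shape, NEW_IMPL, ROGUE_IMPL, the id and the timestamps are constructed assumptions.

```python
MIN_DELAY = 172_800  # Timelock getMinDelay() per the report (48 hours)

# 4-byte selectors of OpenZeppelin UUPS / AccessControl functions.
SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "2f2ff15d": "grantRole(bytes32,address)",
    "d547741f": "revokeRole(bytes32,address)",
}


def decode_call(data_hex):
    """Decode the selector and leading static arguments of scheduled calldata."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        return {"function": "<no selector>"}
    selector, args = raw[:4].hex(), raw[4:]
    call = {"function": SELECTORS.get(selector, "unknown 0x" + selector)}
    if selector in ("3659cfe6", "4f1ef286") and len(args) >= 32:
        call["implementation"] = "0x" + args[12:32].hex()
    elif selector in ("2f2ff15d", "d547741f") and len(args) >= 64:
        call["role"] = "0x" + args[:32].hex()
        call["account"] = "0x" + args[44:64].hex()
    return call


def review_scheduled(ev):
    """Summary to surface the moment a CallScheduled event is seen."""
    return {"id": ev["id"], "target": ev["target"],
            "call": decode_call(ev["data"]),
            "executable_from": ev["ts"] + ev["delay"]}


def check_upgrade(upgraded, scheduled):
    """Return None if an Upgraded event has a valid precursor, else the reason."""
    reason = "no CallScheduled precursor for this implementation"
    for ev in scheduled:
        if ev["target"].lower() != upgraded["proxy"].lower():
            continue
        call = decode_call(ev["data"])
        if call.get("implementation") != upgraded["implementation"].lower():
            continue
        if ev["delay"] >= MIN_DELAY and ev["ts"] + ev["delay"] <= upgraded["ts"]:
            return None
        reason = "matching CallScheduled found, but the 48h delay had not elapsed"
    return reason


def encode_upgrade(impl):
    """ABI-encode upgradeToAndCall(impl, "") for the constructed sample."""
    return ("0x4f1ef286" + impl[2:].lower().rjust(64, "0")
            + format(64, "064x") + format(0, "064x"))


# Constructed sample events. ICL_PROXY is the ICL address from the report.
ICL_PROXY = "0x4691C475bE804Fa85f91c2D6D0aDf03114de3093"
NEW_IMPL = "0x" + "ab" * 20    # placeholder implementation address
ROGUE_IMPL = "0x" + "cd" * 20  # placeholder, never scheduled
T0 = 1_776_384_000
SCHEDULED = {"id": "0x" + "01" * 32, "ts": T0, "target": ICL_PROXY,
             "data": encode_upgrade(NEW_IMPL), "delay": MIN_DELAY}

if __name__ == "__main__":
    print(review_scheduled(SCHEDULED))
    rogue = {"proxy": ICL_PROXY, "implementation": ROGUE_IMPL, "ts": T0 + 600}
    print(check_upgrade(rogue, [SCHEDULED]))
```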

Liquidity Monitoring

  • Fluid reUSD/USDT pool: Monitor TVL and volume. Largest trading venue by volume (~$11.6M TVL).

    • Alert: If Fluid pool TVL drops below $5M.
  • Curve Re reUSD pools — only two pools actually pair Re's reUSD (0x5086…0c72): reUSD/sUSDe and reUSD/USDC. (Curve pools labelled reUSD/scrvUSD, reUSD/sfrxUSD, reUSD/fxUSD, reUSD/sDOLA use Resupply's reUSD 0x57aB1E00… and must NOT be monitored as Re liquidity.) Monitor TVL and balance ratio.

    • Alert: If total Curve Re reUSD DEX liquidity drops below $1M (currently ~$1.87M combined).
    • Alert: If any pool imbalance exceeds 80/20 in either direction.
  • Avalanche Blackhole reUSD/USDC (CLMM + AMM, Re's reUSD 0x180aF87b…625Bf): Monitor TVL.

    • Alert: If combined Avalanche TVL drops below $500K (currently ~$1.47M).
  • CoinGecko reUSD price: Monitor for deviations from expected share price.

    • Alert: If CoinGecko price deviates >2% from onchain share price.

Offchain Reserve Monitoring

  • The Network Firm attestation: the only Network Firm engagement publicly verified is the single Agreed-Upon Procedures report dated Oct 31, 2025 (published Dec 17, 2025). No onchain or public evidence establishes a daily or weekly cadence; the "daily attestation" phrasing in Re's docs is a protocol claim, not an observed publication pattern. No Chainlink PoR feed is consumed onchain, so reserve-attestation monitoring has to target Re's transparency channel directly.

    • Action: before relying on an "X-hours stale" alert, confirm the actual publication cadence with Re or by observing the transparency dashboard for a calendar month.
    • Alert: if reported reserves fall below total reUSD supply × share price.
    • Alert: if a new AUP report appears with an address list that differs from the 15 addresses in AUP-Report-2025.
  • Onchain coverage ratio: Compute (USDC + USDT + USDe + sUSDe_in_USDe_terms) across all 15 Fireblocks-MPC-controlled addresses listed in the AUP-Report-2025, divided by reUSD Ethereum totalSupply × getSharePrice(). Currently ~54.0%.

    • Alert if coverage drops below 50% (Re's stated floor).
    • Alert if coverage drops below 55% (headroom erosion).
    • Alert if the sUSDe share of reserves exceeds 92% or the USDC share drops below 7% (current split: sUSDe ~88% / USDC ~9.3%).
    • Alert on first appearance of BUIDL or another T-bill-wrapper balance at any reserve address.
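Added example (not part of the original report): the coverage-ratio formula and its threshold alerts in exact arithmetic on raw token amounts. The three full addresses, their token balances and the share price are the figures quoted in this report; AUX_CUSTODIAN, the sUSDe rate, the total supply, the 18-decimal reUSD assumption and treating every non-listed token as a new-asset alert are assumptions.

```python
from fractions import Fraction

WAD = 10**18
DECIMALS = {"USDC": 6, "USDT": 6, "USDe": 18, "sUSDe": 18}
COVERAGE_FLOOR = Fraction(50, 100)     # Re's stated floor per the report
COVERAGE_HEADROOM = Fraction(55, 100)  # headroom-erosion threshold
SUSDE_MAX_SHARE = Fraction(92, 100)
USDC_MIN_SHARE = Fraction(7, 100)


def reserve_totals(balances, susde_rate_wad):
    """Sum raw balances over all addresses into USDe-term totals per token.

    balances: {address: {symbol: raw_amount}}
    susde_rate_wad: USDe per sUSDe, 18 decimals (supplied by the caller).
    Tokens outside DECIMALS with a non-zero balance are returned separately.
    """
    totals = {sym: Fraction(0) for sym in DECIMALS}
    unexpected = set()
    for holdings in balances.values():
        for sym, raw in holdings.items():
            if sym not in DECIMALS:
                if raw > 0:
                    unexpected.add(sym)
                continue
            value = Fraction(raw, 10 ** DECIMALS[sym])
            if sym == "sUSDe":
                value *= Fraction(susde_rate_wad, WAD)
            totals[sym] += value
    return totals, unexpected


def coverage_report(balances, susde_rate_wad, total_supply, share_price):
    """Return (coverage as Fraction, list of alert codes)."""
    if total_supply <= 0 or share_price <= 0:
        raise ValueError("total supply and share price must be positive")
    totals, unexpected = reserve_totals(balances, susde_rate_wad)
    reserves = sum(totals.values())
    # reUSD is assumed to use 18 decimals; the share price is 18-decimal.
    nav = Fraction(total_supply * share_price, WAD * WAD)
    coverage = reserves / nav
    alerts = []
    if coverage < COVERAGE_FLOOR:
        alerts.append("coverage_floor")
    elif coverage < COVERAGE_HEADROOM:
        alerts.append("coverage_headroom")
    if reserves > 0:
        if totals["sUSDe"] / reserves > SUSDE_MAX_SHARE:
            alerts.append("susde_concentration")
        if totals["USDC"] / reserves < USDC_MIN_SHARE:
            alerts.append("usdc_low")
    alerts.extend("new_asset:" + sym for sym in sorted(unexpected))
    return coverage, alerts


# Sample input. Token balances of the first three addresses are the figures
# quoted in the report; everything marked "constructed" is made up.
ICL_CUSTODIAL = "0x295F67Fdb21255A3Db82964445628a706FBe689E"
REDEMPTION_CUSTODIAN = "0x9eA38e09F41A9DE53972a68268BA0Dcc6d2fAdf8"
REDEMPTION_VAULT = "0x5C454f5526e41fBE917b63475CD8CA7E4631B147"
AUX_CUSTODIAN = "0x" + "a1" * 20  # constructed placeholder
SAMPLE_BALANCES = {
    ICL_CUSTODIAL: {"USDC": 9_344_000 * 10**6, "sUSDe": 10_496_000 * 10**18},
    REDEMPTION_CUSTODIAN: {"sUSDe": 53_263_000 * 10**18},
    REDEMPTION_VAULT: {"sUSDe": 6_188_000 * 10**18},
    AUX_CUSTODIAN: {"USDe": 2_600_000 * 10**18},  # constructed split
}
SUSDE_RATE = 1_228_000_000_000_000_000   # constructed USDe-per-sUSDe rate
TOTAL_SUPPLY = 174_000_000 * 10**18      # constructed reUSD supply
SHARE_PRICE = 1_072_426_668_551_449_984  # getSharePrice() from the report

if __name__ == "__main__":
    cov, alerts = coverage_report(SAMPLE_BALANCES, SUSDE_RATE, TOTAL_SUPPLY, SHARE_PRICE)
    print(f"coverage {float(cov):.1%}", alerts)
```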

Monitoring Frequency

| Category | Frequency | Priority |
| --- | --- | --- |
| Timelock CallScheduled / CallExecuted / Cancelled / MinDelayChange | Real-time | Critical |
| Governance Safe tx execution / owner / threshold changes | Real-time | Critical |
| UUPS proxy upgrade events | Real-time | Critical |
| Access role changes (reUSD MINTER_ROLE, ICL admin, Timelock PROPOSER/EXECUTOR/CANCELLER) | Real-time | Critical |
| Share Price Calculator PRICE_SETTER_ROLE grant / revoke | Real-time | Critical |
| Instant redemption cap changes | Real-time | Critical |
| reUSD share price | Daily | High |
| Instant redemption buffer (USDC + sUSDe) | Every 6 hours | High |
| Onchain coverage ratio (reserves / NAV) + composition | Every 6 hours | High |
| Instant redemption interaction events | Every 6 hours | High |
| The Network Firm offchain attestation publication | Daily | High |
| DEX pool TVL/balance (Fluid reUSD/USDT + Curve) | Hourly | Medium |
| Total supply changes (Ethereum + cross-chain) | Daily | Medium |

Reassessment Triggers

  • Time-based: Reassess in 6 months (September 2026) or sooner if instant redemption vault remains empty for >30 days
  • Governance-based: Reassess after roles are changed, or funds are
  • Incident-based: Reassess after any exploit, governance change, reinsurer insolvency, or material claim event
  • Liquidity-based: Reassess if DEX liquidity drops below $5M or if instant redemption vault remains empty for >30 days
  • Regulatory-based: Reassess if CIMA regulatory status changes or new jurisdictional restrictions apply

Appendix: Contract Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                     VAULT / TOKEN LAYER                             │
│                                                                     │
│  ┌──────────────┐    ┌──────────────────────┐                       │
│  │  reUSD Token  │◄──│  Share Price          │◄── PRICE_SETTER_ROLE │
│  │  (ERC-20,     │    │  Calculator           │    (EOA calls       │
│  │   UUPS Proxy) │    │  0xd1D1..11b05B8      │     setSharePrice)  │
│  │  0x5086..0c72 │    └──────────────────────┘                      │
│  └──────┬───────┘    (NAVConsumer: 10% onchain deviation cap;       │
│                      admin EOA can bypass via direct setSharePrice) │
│         │ mint/burn                                                 │
│  ┌──────▼───────────────────┐    ┌─────────────────────────┐        │
│  │  Insurance Capital Layer  │───►│  ICL Custodial Wallet    │      │
│  │  (ICL)                    │    │  (Fireblocks)            │      │
│  │  0x4691..3093             │    │  0x295F..689E             │     │
│  └──────┬───────────────────┘    └───────────┬─────────────┘        │
│         │                                     │                     │
│  ┌──────▼───────────────────┐                │ sweep                │
│  │  Daily Instant Redemption │                ▼                     │
│  │  Vault                    │    ┌──────────────────────┐          │
│  │  0x5C45..B147             │    │  Offchain Deployment  │         │
│  └──────────────────────────┘    │  (offchain §114 Trust)│          │
│                                   └──────────────────────┘          │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                     PROTOCOL LAYER                                  │
│                                                                     │
│  ┌────────────────────┐   ┌────────────────────┐                    │
│  │  Deposit Token      │   │  KYC Registry       │                  │
│  │  Registry           │   │  (SumSub/Chainalysis)│                 │
│  │  0x73d3..03F6       │   │  0x82F1..9995       │                  │
│  └────────────────────┘   └────────────────────┘                    │
│                                                                     │
│  ┌────────────────────┐   ┌────────────────────┐                    │
│  │  Decentralized Fund │   │  Redemption Reserves│                  │
│  │  0xF044..72f2       │   │  Custodian (EOA)    │                  │
│  └────────────────────┘   │  0x9eA3..ADF8       │                   │
│                            └────────────────────┘                   │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                     UNDERLYING LAYER                                │
│                                                                     │
│  ┌─────────────────┐  ┌──────────────────┐  ┌──────────────────┐    │
│  │  Chainlink       │  │  The Network Firm │  │  §114 Reinsurance│  │
│  │  (Price Feed +   │  │  (Daily offchain  │  │  Trust (U.S.)    │  │
│  │   Proof of       │  │   attestation)    │  │  Cash + T-Bills  │  │
│  │   Reserve)       │  │                   │  │                  │  │
│  └─────────────────┘  └──────────────────┘  └──────────────────┘    │
│                                                                     │
│  ┌─────────────────┐  ┌──────────────────┐                          │
│  │  Ethena (USDe)   │  │  Cayman Reinsurer │                        │
│  │  (Basis trade    │  │  (CIMA-licensed,  │                        │
│  │   yield source)  │  │   Class B(iii))   │                        │
│  └─────────────────┘  └──────────────────┘                          │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                     GOVERNANCE                                      │
│                                                                     │
│  ┌─────────────────────┐  ┌─────────────────────┐                   │
│  │  Oracle Admin EOA    │  │  Redemptions Admin   │                 │
│  │  MPC 3-of-5 (docs)   │  │  MPC 3-of-5 (docs)   │                 │
│  │  0x49BC..0Aee        │  │  0xEE16..47f8        │                 │
│  │  no onchain timelock │  │  48h timelock (docs) │                 │
│  └─────────────────────┘  └─────────────────────┘                   │
│                                                                     │
│  ┌─────────────────────┐  ┌─────────────────────┐                   │
│  │  Access Admin EOA    │  │  Custodian Manager   │                 │
│  │  MPC 5-of-8 (docs)   │  │  (CUSTODIAN_MGR_ROLE)│                 │
│  │  0x80a6..AFc         │  │  0x9b6d..eC9         │                 │
│  │  admins AccessManager│  │  Add/remove          │                 │
│  │  0x3f0D..6FD8        │  │  custodians (ICL)    │                 │
│  └─────────────────────┘  └─────────────────────┘                   │
│                                                                     │
│  ┌─────────────────────────────────────────────┐                    │
│  │  Governance Safe (3-of-5, onchain)          │                    │
│  │  0x8EEc10..FadeFbAd                         │                    │
│  │  DEFAULT_ADMIN + UPGRADER on reUSD and ICL; │                    │
│  │  PROPOSER + CANCELLER on Timelock           │                    │
│  └─────────────────────────────────────────────┘                    │
│                                                                     │
│  ┌─────────────────────────────────────────────┐                    │
│  │  Timelock Controller  (getMinDelay = 48h)   │                    │
│  │  0x69dDEa..57FCA93                          │                    │
│  │  Executor: 0x4BFea59b..740738F3 (EOA)       │                    │
│  └─────────────────────────────────────────────┘                    │
└─────────────────────────────────────────────────────────────────────┘

Fund Flow:
  User ──USDC──► ICL (KYC gate) ──mint──► reUSD Token
  ICL ──sweep──► Custodial Wallet ──deploy──► §114 Trust (offchain)
  §114 Trust ──surplus notes──► ICL (principal + yield guarantee)
  Network Firm attestation ──► PRICE_SETTER EOA ──► setSharePrice on Share Price Calc ──► reUSD price
  Network Firm ──► offchain reserve attestation (no Chainlink PoR consumed onchain)
  Chainlink sUSDe/USD ──► SimpleOracle ──► PriceRouter (sUSDe leg only)

Trust Boundaries:
  ⚠ Onchain/offchain boundary at ICL Custodial Wallet sweep
  ⚠ Share price is written by an admin EOA with no onchain deviation cap
  ⚠ Redemption Reserves Custodian (0x9eA3..ADF8) is an EOA
  ⚠ MINTER_ROLE held by THREE contracts on reUSD (ICL, InstantRedemption, ShareTokenMinterBurner)
  ⚠ KYC Registry gates all deposits and protocol redemptions

Appendix: Chainlink usage by Re Protocol — what is real vs what is marketing

Verified Apr 17, 2026.

Re's documentation ties the protocol's reserve and price publication to Chainlink. The relevant quotes:

| Source page | Quote |
| --- | --- |
| Security and Audits | "Off-chain bank balances are verified daily by The Network Firm and published via Chainlink. The Network Firm also verifies ownership and balances of protocol custody wallets." |
| How the Re Protocol Works | "Idle funds are held in a Fireblocks vault under multisig. Balances are published daily to a Chainlink oracle. Proof-of-reserves, publicly auditable." |
| How the Re Protocol Works | "On-Chain Mirror: Trust balances, premium inflows, and claim outflows are hashed and pushed to Chainlink, giving 24/7 proof of funds." |
| How the Re Protocol Works | "Chainlink Oracles: Publish price feeds, trust balances, surplus-note schedules, and redemption queues." |
| What is reUSD? | "A JSON price feed is pushed on-chain via Chainlink" |

What's actually onchain (three Chainlink integrations, verified):

  1. Chainlink Price Feed — sUSDe / USD (0xFF3BC18cCBd5999CE63E788A1c250a88626aD099) wrapped by SimpleOracle 0xb6aD3633…fB4D and read by PriceRouter. Used for the sUSDe collateral-pricing leg.
  2. Chainlink Functions: NAVConsumer 0x84d4eaeb…2b4b6 subscribes to the mainnet DON fun-ethereum-mainnet-1 (subscription 85). A JS job in the DON computes the daily NAV offchain and the result is written onchain via fulfillRequest → navReceiver.setSharePrice → SharePriceCalculator.
  3. Chainlink Automation — a keeper calls NAVConsumer.performUpkeep(bytes) daily (observed every ~86400 s; target time 23:45 UTC). This is what triggers (2).

So Re's claim "A JSON price feed is pushed on-chain via Chainlink" is correct in a loose sense: the NAV is produced by Chainlink Functions and pushed by Chainlink Automation, even though it's not a classic Chainlink "price feed aggregator". The NAV Oracle code was audited by Hacken in Apr 2025 (repo github.com/resilience-foundation/nav-oracle).

What is NOT onchain — the "Proof-of-Reserves, publicly auditable" claim:

  1. Chainlink's public PoR directory does not list Re. The canonical list at reference-data-directory.vercel.app/feeds-mainnet.json has 23 Proof-of-Reserve feeds on Ethereum mainnet (FBTC, cbBTC, TUSD, eETH, Lombard, WBTC, M / MetaMask, C1USD, …). No feed matching reusd, resilience, re-protocol, or re_usd exists — nor on Avalanche (93 feeds) or BSC (178 feeds).
  2. No Re contract consumes a PoR aggregator. InsuranceCapitalLayer, ShareToken, SharePriceCalculator, PriceRouter, SharePriceOracle, and the Redemption contracts make no latestRoundData call against a reserves feed. The @chainlink/ imports that appear in PriceRouter and SharePriceOracle are foundry path remappings, not live integrations.
  3. Chainlink's own media has no announcement, case study, or press release about a Re Protocol integration.
  4. What the NAV Oracle publishes is the share price, not reserves. It does not hash trust balances, premium inflows, or claim outflows onto Chainlink as Re's docs imply.

Bottom line:

  • "JSON price feed pushed via Chainlink" → true (Functions + Automation, verified onchain).
  • "Published via Chainlink oracle (for offchain bank balances)" → not verified; no such feed exists in Chainlink's registry and no Re contract reads one.
  • "Proof-of-reserves, publicly auditable" → overclaim; reserve assurance is (a) direct onchain balance audit of the ICL/vault/custodian addresses and (b) The Network Firm's offchain AUP — there is no Chainlink-signed reserves oracle to cross-check either.

Action: when evaluating "Chainlink" claims in Re's docs, distinguish between Chainlink Functions + Automation (used for the share price, real and audited) vs a Chainlink PoR aggregator for reserves (does not exist onchain). If Re asserts the latter in conversation, ask for the aggregator address — it should be in Chainlink's mainnet directory and verifiable on Etherscan.