search
About

Contract Suite

The rwaUSD system is modular. Each contract has a narrow responsibility and an explicit permission boundary.

hashtag
1. Overview diagram

flowchart TB
  subgraph User
    U[EOA / Safe]
  end

  subgraph Core
    L[Ledger Core]
    R[Account Manager]
    X[Risk Registry]
    F[Fee Accumulator]
  end

  subgraph Collateral
    A1[Asset Adapter: TBill]
    A2[Asset Adapter: Stable]
    A3[Asset Adapter: Gold]
  end

  subgraph Pricing
    P[Price Router]
    G[Price Guards]
    S[Signed Feed Verifier]
  end

  subgraph Liquidation
    W[Unwind Engine]
    H[Auction House]
  end

  subgraph Peg
    PR[Peg Rail]
  end

  subgraph Backstop
    B[Reserve Buffer]
    D[Deficit Recorder]
    C[Recap Mechanism]
  end

  U --> R
  R --> A1
  R --> A2
  R --> A3
  A1 --> L
  A2 --> L
  A3 --> L

  P --> L
  X --> L
  F --> L

  W --> L
  W --> H
  H --> L

  PR --> L
  L --> B
  D --> L
  B --> C

hashtag
2. rwaUSD Token (RwaUsdToken)

Type: ERC‑20 (+ EIP‑2612 permit recommended)

Responsibilities

  • Maintain rwaUSD balances

  • Mint/burn only by authorized core module(s)

Key rules

  • mint(to, amount) only callable by Ledger Core

  • burn(from, amount) only callable by Ledger Core (or via allowance-based burnFrom gated to core)

Interfaces (Solidity-style)

hashtag
3. Ledger Core (Ledger)

This is the accounting kernel. Keep it small, boring, and difficult to upgrade.

Responsibilities

  • Store collateral balances per account/profile

  • Store principal per account/profile

  • Enforce all solvency checks using prices and parameters

  • Mint/burn rwaUSD

  • Record protocol revenue and deficits

Key storage

  • locked[accountId][profileId] -> uint256

  • principal[accountId][profileId] -> uint256

  • index[profileId] -> uint256 (fee index)

  • totalPrincipal[profileId] -> uint256

  • pausedFlags -> bitmask

  • badDebt -> uint256 (explicit deficit tally)

External entrypoints (only from authorized modules)

  • lock(profile, account, amount)

  • unlock(profile, account, amount)

  • increasePrincipal(profile, account, delta)

  • decreasePrincipal(profile, account, delta)

  • applyIndex(profile) (or invoked by Fee Accumulator)

  • startUnwind(account) (called by Unwind Engine)

  • settleUnwind(account, clearedPrincipal, clearedFees, collateralOut) (called by Auction House)

Important: the Ledger never calls untrusted external contracts. Anything that touches tokens goes through adapters. Anything that moves collateral in liquidation goes through the Auction House.

hashtag
4. Account Manager (AccountManager)

User-facing orchestration: creates accounts, manages permissions, bundles operations.

Responsibilities

  • Create Collateral Accounts (accountId)

  • Operator permissions per account

  • Convenience methods: deposit+mint, repay+withdraw, multi-call sequences

Permissions model

  • account owner can grant operators

  • operators can be scoped:

    • collateral management

    • issuance/repayment

    • withdrawals

    • full control

Recommended interfaces

hashtag
5. Asset Adapters (AssetAdapter per profile)

Each collateral token requires an adapter to normalize token behavior and enforce custody constraints.

Responsibilities

  • Pull collateral tokens from user and hold in adapter custody

  • Push collateral tokens to user (withdrawals) or Auction House (unwinds)

  • Normalize decimals and non-standard ERC‑20 behavior

  • Enforce allowlist constraints if token requires eligible holders

Non-negotiables

  • No collateral leaves an adapter without a corresponding Ledger state update

  • Adapter must be approved holder if upstream token has restrictions

  • Adapter must handle tokens with:

    • 6 decimals

    • missing return values

    • fee-on-transfer (ideally disallowed for v1)

Interfaces

hashtag
6. Risk Registry (RiskRegistry)

On-chain parameter store for collateral profiles and global settings.

Per-profile parameters

  • safetyFactor (min coverage multiplier)

  • haircut (price discount used for solvency checks)

  • mintCap (max principal allowed for profile)

  • minPosition (dust threshold)

  • penaltyFactor (extra charge when unwound)

  • auctionConfig (see Auction House section)

  • oracleConfig (feed set + guardrails)

  • borrowEnabled / collateralEnabled flags

Global parameters

  • global issuance cap (optional)

  • peg rail limits

  • pause flags

Update rules

  • all changes via governance timelock

  • emergency roles may only tighten risk or pause modules

hashtag
7. Fee Accumulator (FeeAccumulator)

Maintains fee indices for profiles.

Model

  • Each profile has a per-second growth factor ratePerSecond in RATE precision

  • index[p] increases over time

Mechanics

  • Lazy update: accrue(profile) updates index based on block.timestamp - lastAccrual[p]

  • Mint/repay operations call accrue(profile) before computing new liability

Interfaces

PreviousrwaUSD - System ModelNextCollateral and Oracle Profile

Last updated