# rwaUSD - System Model

rwaUSD only accepts **deeply liquid, institutional-grade collateral** assets whose risks can be clearly assessed and insured by Lloyd’s of London. Approved collateral may include:

* **Tokenized U.S. Treasury bills** or short-duration Treasury products (NAV- or price-based)
* **Tokenized stablecoins** (e.g., USDC-like assets and do not accept algorithmically backed assets)
* **Tokenized gold**, spot-priced and verified for real-time liquidity

The focus is on transparency, resilience, and reliable liquidity under all market conditions.

***

### 1. System model

rwaUSD is generated against locked collateral inside **Collateral Accounts**. Each account has:

* one or more collateral balances (by collateral profile)
* a minted rwaUSD liability
* accumulated carry charges (fees) applied over time

Solvency is enforced by:

1. **Conservative valuation**: risk-adjusted pricing and haircuts
2. **Safety thresholds**: minimum collateral coverage per profile
3. **Automated unwinds**: unsafe accounts are closed via collateral sales
4. **System backstop**: explicit deficit accounting + reserve buffer + last-resort recap

A simplified view:

```
Collateral tokens  →  protocol custody  →  rwaUSD minted  →  used externally
         ↑                                     ↓
    redeemed on exit                     repaid + fees to unlock
```

***

### 2. Terminology

This specification avoids inherited naming from other systems. Terms are precise and used consistently:

* **Collateral Account**: user-owned position container holding collateral and a rwaUSD liability.
* **Collateral Profile**: per-asset configuration (token address + oracle + risk parameters).
* **Minted Principal**: the account’s base liability (the amount generated before time-based fees).
* **Fee Index**: a per-profile accumulator that grows over time and converts principal into the current liability.
* **Current Liability**: what must be repaid now = principal scaled by the fee index (+ any direct charges).
* **Safety Factor**: minimum required collateral coverage multiplier for a profile.
* **Haircut**: additional discount applied to oracle prices for solvency checks.
* **Unwind**: liquidation process for an unsafe account.
* **Auction House**: collateral sale mechanism used to settle liabilities.
* **Peg Rail**: fixed-spread conversion module between rwaUSD and a reference stablecoin.

***

### 3. Design constraints and invariants

#### 3.1 Core constraints

* **Overcollateralized at all times under normal conditions**\
  Issuance is only permitted when the account remains above the safety threshold using risk-adjusted prices.
* **Liquid collateral assumptions must be true**\
  Collateral profiles in this pool must be liquid enough to unwind on-chain at scale without relying on multi-week redemption.
* **Minimal trusted compute**\
  The accounting core should not depend on off-chain computation for state transitions. Oracles provide prices; the core remains deterministic.
* **Composable token, conservative core**\
  rwaUSD is a standard ERC‑20 with a narrow, auditable mint/burn surface area.

#### 3.2 Protocol invariants (must always hold)

1. **No untracked issuance**\
   Total rwaUSD supply must equal aggregate liabilities recorded by the accounting core (minus any explicitly recorded deficits).
2. **Risk checks gate issuance and withdrawals**\
   Any operation that increases risk (mint more, withdraw collateral) must pass the safety check.
3. **Unsafe accounts are unwindable without special permissions**\
   Any actor can trigger unwinds. The system must not rely on a privileged operator to remain solvent.
4. **Shortfalls are explicit**\
   If collateral sales cannot cover liability, the deficit is recorded and resolved via reserves/recap. No silent socialization.

***

### 4. Internal accounting model

The protocol uses a two-layer liability model to avoid per-account “continuous interest updates”:

* Store **principal** per account
* Maintain a per-profile **fee index** that grows over time
* Compute current liability lazily on interaction

#### 4.1 Fixed-point conventions

Use distinct precisions to avoid rounding drift:

* **AMT (1e18)**: token-style amounts and rwaUSD quantities
* **RATE (1e27)**: high-precision indices and rates
* **ACC (1e45)**: internal products of AMT × RATE when needed

> Names are implementation details; the point is deterministic fixed-point math with enough precision for long-lived positions.

#### 4.2 Liability formulas

For an account `a` and profile `p`:

* `principal[a,p]` in AMT
* `index[p]` in RATE
* `liability[a,p] = principal[a,p] * index[p] / RATE`

Total account liability is the sum across profiles if multi-profile borrowing is allowed. Two options exist:

* **Option A (simpler, recommended):** one borrowing profile per account
* **Option B (flexible):** shared liability bucket with weighted indices

v1 should pick **Option A** unless there is a strong reason to support mixing collateral profiles in one account.

#### 4.3 Solvency check

For each collateral profile `p` in an account:

* `locked[a,p]`: collateral amount
* `refPrice[p]`: oracle USD price
* `haircut[p]`: discount factor
* `adjPrice[p] = refPrice[p] * (1 - haircut[p])`

Collateral value:

* `collateralValue[a] = Σ locked[a,p] * adjPrice[p]`

Required coverage:

* `required[a] = liability[a] * safetyFactor[p]`

Safe if:

* `collateralValue[a] ≥ required[a]`

This check gates:

* increasing principal (minting)
* withdrawing collateral
* certain collateral swaps inside the account