sUSDe (sUSDe / USDe)
Oracle deep-dive for 0x9d39a5de30e57443bff2a8307a4256c8797a3497 — StakedUSDe (Ethena).
- Source: ERC-4626 Vault Rate
- Pair: sUSDe / USDe
- Score: 0.4
- Tier: High Risk
- Slug:
erc4626_eth_susde_usde
Contract Architecture
sUSDe (StakedUSDe) is an ERC-4626 vault where the share token represents staked USDe. The exchange rate is totalAssets() / totalSupply(), where totalAssets() is the USDe balance of the vault plus vesting rewards.
The pair is sUSDe / USDe (not sUSDe / USD) because convertToAssets() returns USDe amounts. Converting to USD requires an additional USDe/USD Chainlink feed.
Risk Dimensions
No market-derived price
The exchange rate is accounting-derived: share_price = totalAssets / totalSupply. There is no order book, AMM, or aggregated feed discovering the price through market activity. The rate reflects vault accounting, not secondary-market liquidity or trading consensus.
Protocol dependency
Ethena controls the reward distribution mechanism via transferInRewards(). Rewards vest over an 8-hour window, meaning the exchange rate steps up discretely rather than accruing continuously. The timing and size of reward injections are protocol-determined.
Vesting-driven dynamics
The 8-hour vesting window creates a predictable rate trajectory between reward events. This is exploitable if an oracle consumer assumes continuous accrual — the actual rate is piecewise-linear with discontinuities at each transferInRewards() call.
Balance-based sensitivity
totalAssets() depends on the vault's USDe token balance. Direct USDe transfers to the vault (donations) would alter the exchange rate without going through the reward vesting mechanism. While economically irrational at scale, this is a manipulation vector for flash-loan-style attacks.
Centralization surface
Admin capabilities include:
- Adjusting cooldown duration for unstaking
- Redistributing locked balances (from cooldown enforcement)
- Restricting addresses (blocklist functionality)
- Setting the vesting amount via
transferInRewards()
Why Not Very High Risk (0.2)
- Underlying asset (USDe) is liquid with deep secondary markets
- Deterministic ERC-4626 accounting — no proxy upgradeability
- No thin-DEX TWAP manipulation vector (not an AMM-based oracle)
- Contract is immutable (not upgradeable)
Why Not Moderate Risk (0.7)
- No independent market price aggregation whatsoever
- Fully dependent on protocol accounting state
- Admin can influence rate indirectly through reward timing
- Balance-based manipulation vector exists (donation attack)
Score Boundary
0.4 sits at the boundary between "accounting-derived but deterministic" and "protocol-dependent with admin influence." The immutability of the contract and liquidity of USDe prevent it from falling to 0.2, but the complete absence of market price discovery and the centralized reward mechanism prevent it from reaching 0.6+.