key: cord-0191512-0mku9ah5 authors: Klages-Mundt, Ariah; Harz, Dominik; Gudgeon, Lewis; Liu, Jun-You; Minca, Andreea title: Stablecoins 2.0: Economic Foundations and Risk-based Models date: 2020-06-22 journal: nan DOI: nan sha: 9abaf957c7b9956c1c9284c0c6c570b009c3c828 doc_id: 191512 cord_uid: 0mku9ah5 Stablecoins are one of the most widely capitalized type of cryptocurrency. However, their risks vary significantly according to their design and are often poorly understood. In this paper, we seek to provide a sound foundation for stablecoin theory, with a risk-based functional characterization of the economic structure of stablecoins. First, we match existing economic models to the disparate set of custodial systems. Next, we characterize the unique risks that emerge in non-custodial stablecoins and develop a model framework that unifies existing models from economics and computer science. We further discuss how this modeling framework is applicable to a wide array of cryptoeconomic systems, including cross-chain protocols, collateralized lending, and decentralized exchanges. These unique risks yield unanswered research questions that will form the crux of research in decentralized finance going forward. Stablecoins are cryptocurrencies with an added economic structure that aims to stabilize their price and purchasing power. There are two classes of stablecoin: custodial, which require trust in a third party, and non-custodial, which replace this trust with economic mechanisms. Major custodial examples such as Tether, Binance USD, USDC, and TrueUSD have a combined market capitalization of over USD 10bn. On the non-custodial side, of the USD 1bn of value locked in so-called Decentralized Finance (DeFi) protocols, more than 50% are allocated to Maker's Dai stablecoin. Several recent papers and industry reports provide overviews of stablecoins [13, 19, 66, 67, 76, 82] . These typically categorize stablecoins based on the type of collateral used, peg target, and technological mechanics (e.g., on-chain, off-chain, algorithmic) and informally relate stablecoin mechanisms to traditional monetary tools (e.g., interest rates). The history of money and stablecoins, and the institutional structures of stablecoins are discussed in [54] . The regulatory perspective of stablecoins, including classification, regulatory gaps, and systemic stability risks are discussed in [1] . In this paper our fundamental aim is different. Market events have demonstrated that even stablecoins themselves-supposedly price stable by definition-can exhibit significant volatility. On the 12th March 2020, amidst the SARS-COV-2 pandemic, market volatility affected the stablecoin Dai [58] so severely that it entered a deflationary deleveraging spiral, forcing it to deviate from its peg. While the aforementioned papers observe and categorize existing stablecoin designs, none of the works develop risk-based models of a broad design space of possible choices and their fundamental trade-offs. Here we seek to fill this gap, providing sound economic foundations to inform stablecoin design, focusing on financial risk. As such, the work is intended to serve as a "manual" for future stablecoin research. Firstly, we provide an overview of the relevant risk-based models from economics and computer science, seeking to avoid duplication of work by only extending models where necessary. Secondly, we provide a number of formalized open questions drawing on capital structure theory. Throughout we assume that stablecoin systems are used and operated by economically rational agents whose actions ultimately determine the stability and security of these systems. However, we do not solve the stated open problems in the context of this paper. This work builds on the previous attacks on decentralized stablecoins identified in [50] . We uncover five central dimensions of risks. In non-custodial stablecoins: (1) effects from deleveraging-like processes on collaterallike assets and risk in underlying collateral-like thing (as discussed, e.g., in [50, 51] ), (2) data feed and governance risks, (3) base layer risks from mining incentives, and (4) smart contract coding risks, on which the formal verification literature can be applied. In contrast, in custodial stablecoins, the first applies in a very different way to affect issuer incentives as well as an additional central risk dimension of (5) censorship and counterparty risk. Our stablecoin mechanism categorization decomposes the design space according to these dimensions of risk. Figure 1 summarizes our categorization along some of the most important dimensions of risk. • We provide a functional breakdown of custodial stablecoin designs with a correspondence to taxonomy and models for traditional financial instruments (Section 2). • We provide a common functional framework for relating the economic mechanics of all non-custodial stablecoin designs and a discussion of new risks that emerge in this setting (Section 3). • We provide questions of economic stability and security that apply in evaluating non-custodial stablecoins (Section 3). • We provide a framework of models toward measuring stability and security including open research questions based on agents' decisions (Section 4). • We provide methods for estimating agents' preferences as represented by utility functions, providing a minimal working example using historical data from Maker (Section 4). In custodial stablecoins, custodians are entrusted with off-chain collateral assets, such as fiat currencies, bonds, or commodities. An issuer (possibly the same entity) then offers digital tokens that are intended to represent an on-chain version of a reserve asset (e.g., USD). Holders of the digital token have some form of claim against the custodial assets, which maintains the peg. The custodial assets include reserve assets, which are what the stablecoin is pegged against (e.g., USD), and capital assets, which are other assets that back stablecoin supply. Capital assets are comparable to illiquid assets held by a bank and short-term treasuries held by money market funds. Custodial stablecoins introduce coin holders to counterparty and censorship risks related to the off-chain assets and economic risks of the capital assets. The economic and censorship risks are similar to risks in traditional assets. Counterparty risks may be heightened due to the shared account structure with the custodian and lack of government deposit insurance. In the event that the central entities are unable to fulfill their obligations (e.g., the result of fraud, mismanagement, theft, or government seizure), the stablecoin value can go to zero. Table 1 1 summarizes categories, applicable models, and projects. In Reserve Fund stablecoins, the stablecoin maintains a 100% reserve ratio-i.e., each stablecoin is backed by a unit of the reserve asset (e.g., 1 USD) held by the custodian. The price target is maintained via two mechanisms. Coins may be directly redeemable off-chain for the underlying reserve asset. In this case, arbitrage trades incentivize external actors to close any price deviations that occur. Alternatively, the issuer may designate 'authorized participants' (possibly the issuer itself) who alone have the ability to create and redeem stablecoins against the reserve. In this case, the authorized participants capture price deviation arbitrage. Reserve Fund stablecoins resemble the structures of e-money, narrow banks, and currency boards. E-money is a prepaid bearer instrument. Deposits at a narrow bank are backed by 100% reserves held at a central bank. A currency board maintains a fixed exchange rate of a sovereign currency using 100% reserves in a foreign currency (e.g., the Hong Kong Dollar maintains a USD peg using USD reserves). Of these, the Reserve Fund stablecoin most closely mirrors the currency board as the market price of the stablecoin floats subject to creation and redemption similarly to how the sovereign currency floats subject to creation and redemption of the currency board. On the other hand, e-money and narrow bank deposits are treated identically with the currency itself. Notably, unlike the currency board, the stablecoin reserves may be stored in commercial bank deposit accounts, which may bear bank run risks. Reserve Fund stablecoins can be modeled as Exchange-Traded Funds (ETFs). 2 In ETFs, an investment vehicle (the ETF) is created with indirect claims to a portfolio of underlying assets (e.g., stocks, bonds, and commodities) held by a custodian. 3 A set of authorized participants (APs) are allowed to redeem shares of the ETF for the underlying assets and create new shares of the ETF by depositing underlying assets at the net asset value (NAV). The ETF price is pegged to the NAV. This peg is maintained by the APs, who capture arbitrage between the ETF shares and the underlying portfolio. If direct redemption is allowed in a Reserve Fund stablecoin, then anyone can be an AP. 4 Some stablecoins make no promises about future redeemability; in this case, the de facto AP is the issuer itself. As with ETFs, given sufficiently liquid collateral, the price target is always maintainable within some bounds through these mechanisms. The tightness of the bounds, however, depend on the liquidity and volatility of the reserve assets. For instance, corporate bond ETFs traded at significant deviations from NAV during the financial crisis in 2008 [47] and during the SARS-COV-2 market panic in 2020 [5] . Even US government bonds, which are normally highly liquid, faced high liquidity stress in March 2020 [79] with corresponding ETFs facing similar NAV-price deviations. Empirical analysis of ETFs, e.g., [10] , suggest that securities with higher ETF ownership are more volatile, which raises concerns about the ETF mechanism. While ETF membership leads to wider access and so increased trading volume, the relationship with volatility is unclear as the empirical comparison is not controlled. Rather, we would want to compare with a setting in which the underlying portfolio is as easily accessible without the ETF. An equilibrium model analysis confirms a more nuanced relationship with volatility. [62] develops a model of endogenous feedback effects in ETFs, in which the liquidity of the underlying portfolio is influenced by the ETF. This model shows that ETFs are exposed to different demand shocks than the underlying basket. Even with small deviations, APs that arbitrage through leveraged positions can amplify the differences. 5 An ETF-like model is developed for Reserve Fund stablecoins in [57] and interpreted against Tether trading data. Models such as these are a natural starting point to address the following open questions about Reserve Fund stablecoins: • Issuer AP incentives. Issuers are in a position to prevent competition and decide timing in capturing arbitrage. There is a trade-off between the size of mispricings before APs intervene, and maintaining a stable asset, which affects demand and ultimately assets under management, for which they are awarded deposit interest. 2 To account for risk in underlying commercial bank deposits, we can also add a bank run model in serial to an ETF model. 3 ETFs can provide simpler access to underlying portfolio, which may not be accessible to the investor otherwise, and reduced frictions/fees in maintaining small positions. 4 Fees may discourage small redemptions, so that large redeemers are de facto APs. 5 As stated in [62] , "ETFs may be both a blessing and a curse. That is introducing new ETFs may lead to a significant amplification of speculative behavior of arbitrageurs, destablize the market, and lead to a spike in volatility; however, at the same time, a "good" ETF may actually stabilize the economy, lead to a significant reduction in volatility, and improve the liquidity of the underlying securities. " • Issuer target incentives. If the peg target is defined at the discretion of the issuer (e.g., not USD or an external index), then the issuer may have incentive to manipulate the target index to its advantage. For instance, if the stablecoin is large enough, changing the target can have a market impact, which may be advantageous to outside positions held by the issuer. • Effects on fiat currencies. Does stablecoin structure affect the ability of government to stabilize currencies? This is a concern of regulators regarding the size of potential stablecoins, like Libra. This effect could be modeled with ETF structure in series with currency models. • Effects on crypto markets. [41] suggested that stablecoins have been used to manipulate Bitcoin prices. A model of the economic structure in Bitcoin/stablecoin markets (e.g., [57] ) could help determine the direction of causality suggested by the data. Some of these open questions are relevant to the wider ETF literature itself and are not specific to stablecoins. A Fractional Reserve Fund stablecoin is backed by a mixture of reserve assets and other capital assets, and has a target price. The fund holds reserves in a target asset (or other highly liquid stable assets) that account for < 100% of the stablecoin supply in order to facilitate stablecoin redemptions. Similar to the Reserve Fund design, these reserve assets may resemble commercial bank deposits which exceed the government deposit insurance level, in which case they may take on commercial bank run risk. The other capital assets account for the remaining stablecoin supply value and earn a higher interest rate for the stablecoin issuer. The capital assets can be liquidated to handle additional stablecoin redemptions, but are subject to price risk. Within this class, the important dividing point is the type of capital assets held: illiquid assets (similar to a commercial bank) or low-risk assets (similar to a money market fund). In either case, the stablecoin has a floating price, and so the peg is maintained through similar ETF arbitrage trades involving fund redemptions. Thus applicable risk models would take the form of ETF models in serial with bank run or money market models, which we discuss next. Bank Fund. In a Bank Fund stablecoin, the issuer maintains a balance sheet functionally similar to a commercial bank. This balance sheet is based on fractional reserves with deposit obligations tied to stablecoins that are issued. Aside from the fractional reserve, the bank holds other capital assets that are illiquid and earn a yield for the bank. This is a nearly identical model to a normal bank with a few exceptions: (1) the stablecoin bank my not be regulated or audited, (2) the bank my not be government-insured against bank runs, and (3) the bank may be freer to deny redemptions and/or apply redemption fees. Bank Fund stablecoins can be understood using bank run models in series with ETF models. In a bank run, the fractional liquid reserve of the bank is depleted from redemptions, after which the bank defaults as the bank's remaining assets are illiquid and can only be sold quickly at large discounts (a fire sale). In a bank run, remaining depositors' lose their money. [31] shows multiple equilibria to the game played between depositors. This includes a bank run equilibrium, in which all depositors scramble to redeem their deposits, triggering the collapse in a self-fulfilling way. One approach is the global games setting of [23] adapted to bank runs in [81] and [39] . In this setting, depositors observe bank fundamentals with noise (e.g., the reserve ratio could be random), and they will choose to rollover (i.e., extend the maturity of) their deposits if their signal is above a threshold. [45] introduced a staggered debt structure of deposit maturities. A point of difference to existing bank run models are the non-negligible network effects among stablecoin holders, much less so than among traditional bank depositors. Bank runs used to happen somewhat regularly. To prevent frequent crises of faith, governments issued depositor insurance against bank runs. However, Bank Fund stablecoins are unlikely to have such insurance and so remain susceptible to bank runs. A key consideration here is that bank runs follow a threshold effect in depositor faith. After a threshold is reached, too many depositors try to redeem, sending the bank's balance sheet into a 'death spiral'. Below this threshold, however, the coin may be very stable. As noted above, a Bank Fund stablecoin may be freer to deny redemptions and/or apply redemption fees. An event like this triggered a crisis in Tether in Oct. 2018 (see Table 5 ). These levers may also be applied strategically to discourage the continuation of bank runs or could be abused to create profitable price discrepancies for the issuer to arbitrage. Thus open questions emerge around issuer incentives as in the Reserve Fund. Money Market Fund. In a Money Market Fund an underlying portfolio is meant to closely track a target, with some return. A traditional Money Market Fund maintains a fixed NAV for redemptions. While the underlying assets are usually highly liquid and relatively stable, their market values float and so there is some risk that the fixed NAV is unsustainable. This leads to a liquidity risk related to bank runs: shocks to the underlying assets leads money market funds to liquidate assets, which can have the effect of lowering prices further if liquidity is temporarily constrained, which can cause even more liquidations. Money Market stablecoins can be understood using money market fund models, e.g., [73] , in series with ETF models. There are many case studies of money market funds breaking the dollar during the 2008 financial crisis. In particular, [46] show that in the presence of high inflows, money market funds had expanded their risk-taking and they suffered runs as a result. Some of the proposed forms of Libra closely resemble money market structures. Central Bank Digital Currency (CBDC) is a consumer-facing fiat digital currency that aims to provide a risk-free store of value. CBDC proposes a different monetary system to the status quo. Currently, central bank reserve deposits are available to commercial banks, but not to consumers or non-bank businesses. Consumers and businesses hold commercial bank accounts. The non-cash money supply is determined by the lending of commercial banks (see [65] ). The government intervenes in this monetary system to create risk-free consumer deposit accounts by providing commercial bank deposit insurance. Instead, CBDC provides consumer-facing deposits at the central bank. 6 CBDC represents a change in the structure of money deposits within the banking system and not a change in the currency stability model itself. In fact, CBDC is in many ways a more ideal setting for existing currency models as it is closer in form to fiat than commercial bank deposits. Traditional currency models like [68] and [43] apply to understand the stability of fiat currencies. These models typically assume that the central bank/government is stability-seeking for its own sake as opposed to private banks discussed above, which are profit-seeking. A fiat currency is assumed to have the backing of a given country's economy, which provides a natural demand from economic activity in the currency, as well as military power and legal system. Given this setting, agents in these models hedge their current positions to account for demand in a next period, some of which occurs in the fiat currency and other of which occurs in a foreign currency, under a potential currency attack from an attacking agent. The ability to maintain a peg in this setting will depend on a relationship between reserves held by the central bank and economic demand. Research questions around CBDC focus on wider economic effects and indirect effects on stability, such as through commercial bank lending, credit availability, and funding in the real economy. [9] models the effects of CBDC on the wider economy through competition with commercial bank deposits. [72] explores the effect of CBDC on commercial bank lending to the real economy through a case study analysis of government subsidies. Non-custodial stablecoins aim to be independent of the societal institutions that custodial designs rely on. They achieve this by establishing economic structure between participants implemented through smart contracts. In this setting, directly confiscating assets is prevented by the underlying blockchain mechanism. Non-custodial stablecoins structurally resemble dynamic versions of risk transfer instruments, such as collateralized debt obligations (CDO) and contracts for difference (CFD). 7 CDOs are backed by a pool of collateral assets and sliced intro tranches. Any losses are absorbed first by the junior tranche; a senior tranche only absorbs losses if the junior tranche is wiped out. Functionally, a non-custodial stablecoin system contains the following components in some form: • Primary value: the economic structure of the base value in the stablecoin. This is an abstracted concept of collateral with the following types: exogenous when the collateral has primary outside use cases, endogenous when the collateral is created for the purpose of being collateral, and implicit when the design lacks explicit collateralization. • Risk absorbers: speculative agents who absorb risk and profit in the system (∼ the junior tranche of a CDO). • Stablecoin holders: agents who make up the demand side of the stablecoin market (∼ senior tranche holder of a CDO). • Issuance: a function performed by an agent or algorithm that determines stablecoin issuance (∼ how levered a CDO is), including a deleveraging process to reduce stablecoin supply. • Governance: a function performed by an agent or algorithm to manage system parameters, such as deleveraging factors and price feeds, and collects a fee on system operation (∼ an equity position in managing CDOs). • Data feed: a function to import external asset data (e.g., exchange price of assets in USD) into the blockchain virtual machine so that it is readable by the system's smart contracts. • Miners: agents who decide the inclusion and ordering of actions in the base blockchain layer (PoW or PoS). The specific form of components may differ, but the general functions are universal across stablecoin designs. Depending on the design, several functions may be performed by a single agent type and others may be algorithmic. Notice that the last three components can be simplified out of traditional financial models because of legal protections; in traditional systems, we typically assume these processes are mechanical as opposed to strategic actions. As a result, stablecoins are susceptible to new manipulation attacks around governance, price feeds, and miner-extractable value (MEV). Analogy to traditional monetary system. We provide an illustration between the Maker stablecoin system 8 and the traditional monetary system to aid the reader in understanding the components and functional differences. In Maker, vaults absorb risk and perform issuance. Vaults deposit ETH collateral (primary value), issue Dai against secured against this collateral, and invest proceeds from Dai issuance to achieve a leveraged position. The fiat system contains a central bank, commercial bank, and depositors. The central bank regulates commercial banks and holds bank currency reserves. Commercial banks decide the money supply through lending. Depositors hold fiat currency accounts at commercial banks. Maker vaults are parallel to commercial banks in that they both they decide money supply based on issuance incentives. For banks, this depends on profitability of lending, which incorporates the spread between long-term and short-term rates, subject to balance sheet and regulatory constraints and depositor withdrawal expectations. Vaults make a different bet collateral leverage. 9 Governance is parallel to the central bank. The central bank sets rates to target economic stability and capital requirements for banks. Models typically assume the central bank mechanically targets stability by mandate. Stablecoin governance takes a different form. Governance sets rates and collateral factors to maximize system profits, which we hope to be aligned with stability. Stablecoin holders are parallel to depositors. Whereas bank depositors are guaranteed deposit redemption, stablecoin holders may have no such guarantee. Instead, they must hope that system incentives are aligned to make the stablecoin floating price stable and liquid. A final useful parallel is in governance attacks. Through setting system parameters, stablecoin governors could inherently steal the value locked in the system, something we discuss in the context of models in the next section. A parallel attack in the traditional monetary system would be an infinite printing of money by the central bank, to the benefit of the government. The primary value is an abstract concept of collateral that is the basis for value in the stablecoin system. It incorporates the value of collateral with explicit market prices and/or non-tokenized value 'in the system' coordinated among participants, which we term implicit collateral. This primary value is derived from market expectations in some system. For exogenous cryptocurrency collateral (e.g., ETH), this is expectations and 'confidence' about Ethereum. In implicit collateral, it is coordinated 'confidence' in the stablecoin system itself. In comparison, in fiat currencies, this is confidence in a nation's government, economy, and legal system. In gold-backed currencies, it is confidence in gold. 10 In tokenized assets, it may be confidence in the custodian and expectations about cashflows of the underlying assets. Exogenous collateral. An exogenous collateral is an asset that has uses outside of the stablecoin system and for which only a small portion may be tied up in collateral for the stablecoin. An example is ETH in Maker. Stablecoins are issued against this collateral subject to a collateral factor that dictates the minimum overcollateralization allowed in the system. From a model perspective, the prices of exogenous collateral can be modeled exogenously. Endogenous collateral. An endogenous collateral is an asset created with the purpose of being collateral for the stablecoin. This means that it has few, if any, competing uses outside of the stablecoin system. Examples include SNX in Synthetix (in which issuance is agent-based) and 'shares' in seigniorage shares (in which issuance is algorithmic) [83] ). The price of endogenous collateral cannot be modeled exogenously due to endogenous feedback effects between stablecoin usage and collateral value. Its value is derived from a self-fulfilling coordination of 'confidence' between its participants. For instance, in a crisis of confidence, if expectations of stablecoin holder demand are low, then the value of the endogenous collateral should be low, which will further shake confidence in the system and demand. On the other hand, high expectations can be selffulfilling: with high collateral value, the stablecoin is, in a sense, more secure. If stablecoin holder demand is high, then a high price of the endogenous collateral can be justified. The distinction between exogenous and endogenous collateral may be best conceptualized as a spectrum. For instance, selected collateral has outside uses but are significantly intertwined with the stablecoin (e.g., Steem Dollars) and some stablecoins are backed by a collateral basket, including both exogenous and endogenous collateral (e.g., Celo). From a model perspective, this spectrum can be represented as the strength of these feedback effects. Implicit collateral. Some stablecoin designs do not have explicit collateral but instead propose market mechanisms to dynamically adjust supply to stabilize price. These designs work when speculators can be incentivized to absorb losses when the supply needs to be decreased by the prospect for rewards when the stablecoin supply needs to increase. We draw a parallel between the positions of such speculators and the endogenous collateral case with important functional differences. Both obtain value from self-fulfilling coordination of confidence in the stablecoin from usage and speculative expectations between the participants. Endogenous collateral represents the explicit tokenization of this, including obligation to absorb losses during supply decreases, which means it has a directly observable market price. Implicit collateral is not explicitly tokenized and risk absorbers do not have direct obligations to absorb losses. For modeling, implicit collateral can be interpreted like endogenous collateral behind-the-scenes and accounting for this difference in financial structure of risk absorbers.The behind-the-scenes 'market price' of this coordination will only be indirectly observable in the levels of stablecoin and speculative demand. However, they will play a similar role to endogenous collateral in valuing both the speculative and stablecoin positions. The stability of both endogenous and implicit collateral stablecoins will rely on how participants perceive and coordinate this value over time. One type includes Basis [2] and NuBits [53] . In these designs 'shares' are awarded stablecoin supply increases, but do not necessarily face direct losses when supply contracts (but, of course, they do face indirect losses from the share market price). Supply contraction relies on selling 'bond' positions to remove stablecoins from circulation in return for future rewards when supply is next increased. In Basis, this is algorithmic, whereas in NuBits, this is coordinated through share voting (and a couple other stabilization mechanisms, including share demurrage, are available for voters to choose from). If we tokenize an obligation to purchase 'bonds' during contractions and combine with 'shares' positions, then the result resembles seigniorage shares. As it is not tokenized in this way, the equivalent of 'collateral' is only implicit with no observable market price. Comparatively, seigniorage 'shares' ought be valued differently to be compensated for extra obligation. And downside price stabilization will depend on incentives of risk absorbers at the time as opposed to in advance. We refer to a second type as miner-absorbed (e.g., [38] ), which aims to stabilize the base asset of a blockchain by manipulating protocol incentives. These designs propose for the supply to be dynamically adjusted by manipulating mining rewards, mining difficulty, and the level and burning of transaction fees or interest charges. This means that miners take an implicit risk absorber position that is meant to absorb price risk, but without an obligation to continue mining/risk absorbing. In many ways, this parallels the Basis/Nubits design. Miners are rewarded with newly minted stablecoins when the supply needs to be increased and face slashed rewards and burned transaction fees if they choose to continue mining when the supply needs to be reduced. The stablecoin mechanism works when speculators are incentivized to absorb price risk. These risk absorbing positions have two primary forms. In equity risk absorption, a secondary asset exists, and any holder of this asset implicitly absorbs risk from the stablecoin. For instance, the Steem market cap implicitly backs Steem Dollars; a Steem Dollars holder can redeem Steem Dollars for newly minted Steem, and all Steem holders bear this inflation cost. In agent risk absorption, individual agents manage a vault containing primary value that absorbs stablecoin risk. In agent risk absorption, agents decide how much to participate with their asset whereas, in equity risk absorption, every holder of the secondary asset participates proportionately. In many cases, the risk absorber role is also combined with stablecoin issuance. An issuance process determines the stablecoin supply. A lot of variation is possible in the process specifics, but there are two general types. In agent-based issuance, the size of the stablecoin supply, or more specifically the leverage of the system (the size of the stablecoin supply relative to the collateral value), is decided by agents in the course of optimizing their positions. The deciding agents are typically the risk absorbers in the system. For instance, in Maker, vaults determine their stablecoin issuance in managing the leverage of their vaults. In NuBits, owners of 'equity'-like shares collectively vote on issuance decisions to balance demand. In algorithmic issuance, a process to adjust leverage (relative supply) is codified in the stablecoin protocol. For instance, in Duo Network, leverage is determined algorithmically through 'leverage resets', which balance the stablecoin supply relative to collateral value. In seigniorage shares, new issuance is awarded algorithmically to 'equity' holders to balance demand. A deleveraging process is also part of issuance that can be invoked to reduce the stablecoin supply if a deleveraging factor is breached, or if stablecoin holders are allowed to redeem stablecoins for the collateral. For instance, in Maker, if the stablecoin issuance of a vault is too large relative to the collateral value, the collateral is liquidated to reduce leverage. In Duo Network, 'leverage resets' may force the liquidation of some positions if a collateral factor is breached. In seigniorage shares, losses are born by 'equity' holders to reduce the stablecoin supply in a demand shock. In Steem Dollars, if price is below target, stablecoin holders may redeem for newly minted Steem. As introduced in [50] and [51] , non-custodial stablecoins face deleveraging risks, which can cause feedback spirals on primary value. These can take two forms. One is a feedback effect on the stablecoin market: collateral value may be consumed faster in liquidations due to drying of stablecoin liquidity. The cost of deleveraging in a crisis may be significantly higher than $1 per stablecoin, an occurrence observed in Maker during 'Black Thursday' in March 2020. The second is a feedback effect directly on endogenous and implicit collaterals. For endogenous collateral, liquidations can cause a liquidity and fire sale effect on the collateral asset market in addition to a feedback effect on reduced expectations. A similar feedback occurs in implicit collateral and affects the risk absorbers' positions and stablecoin demand. For both types of implicit collateral, there is a ceiling on how much can be absorbed. For seigniorage shares, this is in demurrage of equity holders. For miner-absorbed, this is likely around 0 block reward, except possibly in staking systems in which stake can be slashed as demurrage. The result is feedback in the participation incentives and value of the risk absorbing position. For instance, for miners to be willing to continue mining without a mining reward, the expectations of future profit need to outweigh the costs. A continued participation decision will depend on whether the investment can be repurposed and potential returns from competing alternatives. After this ceiling, the remaining flexibility is only in burning of fees charged in stablecoin usage, which has a feedback effect on the attractiveness of holding the stablecoins. This leads to two universal and fundamental questions: Question 1 (Incentive Security). Is there mutually profitable continued participation across all required parties? If not, then the mechanism cannot work as no one will participate. This question also includes incentives around attacks; in particular, if incentives lead to profitable attacks, then rational agents will be less inclined to participate. After this is answered, we can then make sense of the follow-up question: Question 2 (Economic Stability). Do the incentives actually lead to stable outcomes? Note that particular feedback effects can be mitigated. However, the result is typically to shift the risk from one agent to another. In either case, the risk will affect participation incentives. For instance, in collateral liquidations, some stablecoin holders could be liquidated at par for the collateral asset as opposed to at a floating market price. This eliminates the feedback effect on the stablecoin market price, reducing deleveraging risk on risk absorbers. Instead, however, the stablecoin may be less attractive to stablecoin holders as they now take on more liquidation risk. The type of stablecoin structure will also significantly affect incentives. When designs are more agent-based, agents have greater decision flexibility and are more likely to find a profitable participation level. In comparison, when designs are more algorithmic and/or with equity risk absorption, agents are more restricted and may be less likely to participate in the system relative to alternatives. 11 Several past stablecoin events serve as case studies for deleveraging effects. These are described in Table 4 in the Appendix. We now introduce design components that introduce manipulation potential in the system. In custodial systems, such manipulations are typically avoided by relying on societal institutions. In contrast, permissionless systems usually do not offer strong identities, which open up various anonymous attacks that cannot be prevented by institutions. The precise form of these components affect the size and scope of attack vectors, but don't substantially change their form; thus we focus our discussion on the functional forms that are important for economic models. We provide a list of historical manipulation events as case studies in Table 6 in the Appendix. Data Feeds. Non-custodial stablecoins require asset price data in terms of the target peg (e.g., ETH/USD prices). This data is not natively accessible on-chain since fiat-cryptocurrency conversions can only take place on off-chain exchanges. As a result, the stablecoin relies on a mechanism to import this data into the blockchain virtual machine so that it is readable by the stablecoin smart contracts (also known as an 'oracle'). As a result, the correctness of the imported data is not objectively verifiable on-chain, as opposed to native actions such as intra-blockchain transaction validity or interblockchain transaction validity [91] . There are various methods, both centralized and decentralized, to construct such data feeds. We give a brief overview of these in the appendix. Though, from a functional standpoint, we can abstract from the technical details to focus on the economic structure that these data feeds add. Data feeds introduce a new incentive problem: if importing data into the system has an extractable value X, then an attacker will spend up to X to manipulate that data. Centralized feeds can be manipulated by the counterparty, which introduces potentially perverse incentives for the counterparty as well as single points of failure. Decentralized methods typically collapse in the face of game-theoretic attacks. As a result, data feeds add an inherent manipulation potential into our general model. The important factors of this include who can manipulate the feed, how much the feed can be manipulated, and the cost involved in such manipulation. Given this, a reasonable aim is to achieve data feed incentive compatibility to report honestly in the combined data feed-stablecoin system. Governance. Stablecoin governance is tasked with managing system parameters, such as interest rates, collateral factors, data feed curation, time delays, system upgrades, and emergency system settlement. In return, they typically receive some fee revenue from the system. Governors may take the form of governance token holders who vote on parameters, the founding company, a subsumed role of other agents in the system, or may be algorithmic. If it is performed by agents, then these agents have power to manipulate the system through these parameters. For the system to be secure, governance must be disincentivized from fatally attacking the system. The potential for profitable attacks will feedback into the participation decisions of the other agents in the system. For instance, if governance is tokenized, then the token valuation/expectations, which could be slashed after an attack, and any other costs must be sufficiently higher than the proceeds of the attack. We discuss several attacks, involving manipulations of data feeds and parameters to extract collateral value, in the context of proposed models in the next section. Governance is also inter-related with system stability. In this anonymous setting, governance can be expected to maximize expected profits as opposed to targeting stability for its own sake, as is typically assumed in central bank models. It is an open question to what extent various governance structures align incentives with the targeting of stability. On the other hand, if governance is algorithmic, the stablecoin may be susceptible to gaming attacks from the other participants. These attacks can take a related form assuming the governance algorithm as given and construct similar end results: e.g., bribe the chosen data feeds in order to extract system value. Potential profitability of these attacks will feedback into participation incentives of the agents in the system. A non-custodial stablecoin is implemented in a base blockchain layer. This can either be "on top" of a blockchain in the form of smart contracts or directly into the core runtime. In either case, the base blockchain is maintained by a set of miners. In this paper, we subsume both miners (typically used in the context of PoW) and validators (typically used in PoS) under the term "miner". In maintaining the blockchain, miners decide transaction inclusion and ordering in the ledger-both in the next block mined and in the previous blocks, as a miner could always choose to re-mine an earlier block to change the transaction structure. Hence, they have full control over the history of the ledger. The blockchain system intends for miners to ensure desired properties of persistence and liveness of the ledger [37] . In this context persistence states that a valid transaction included in the ledger is eventually considered final, i.e., all honest agents will report the transaction in the same position in the ledger. The liveness property requires that a transaction sent from an honest agent is eventually inserted into the ledger. In return, miners are paid a rewards in the form of fees for including transactions into blocks and block rewards for extending the ledger with new blocks. Since present and future rewards are typically paid out in the base asset, miners have an incentive to avoid attacks that jeopardize these rewards. However, miners can also receive payoffs from other sources outside of the blockchain protocol. For instance, miners can capture arbitrage opportunities in the exchange of assets on the ledger or by placing bets and manipulating the outcomes in the course of mining, or receiving bribes to do so on behalf of others [64] . This is broadly summarized as Miner Extractable Value (MEV) [30] . A rational miner will decide profit-maximizing actions taking MEV into account, which may not always be honest mining supporting the blockchain. If MEV is valuable enough, miners will generally be incentivized to capture it through an attack. MEV poses a few risks in the context of stablecoins. First, specialized attacks are possible that exploit stablecoin deleveraging events and liquidations [50] . This leads to MEV opportunities that can incentivize destabilizing attacks on the stablecoin. Understanding security and incentive alignment in this context and game theoretic interaction of many stablecoin agents and miners remain open problems. Second, miner attacks pose consensus risk to the blockchain layer (e.g., affecting persistence). An attack of this form could have an effect on the base asset of the blockchain, which may be a collateral asset in the stablecoin. This can have an effect on stablecoin stability even if the stablecoin itself is not the focus of the attack. Third, in the case of stablecoins embedded in the base protocol, the stablecoin may directly manipulate miner reward incentives, as opposed to indirectly manipulating incentives via MEV. This presents a related open problem of whether such blockchains can function (e.g., whether liveness is achievable). Miscellaneous risks. We briefly mention two other risks. One is often called 'smart contract risk'. Since stablecoin systems execute algorithmically without specific institutional oversight, they face the risk of bugs in their specification and implementatione.g., transaction-ordering dependencies, overflows, and re-entrancy. These risks may be representable in similar ways to credit risk models by introducing some probability of 'default', in this case a software bug, and some random recovery ratio. Formal verification methods are typically used to mitigate these risks. Another risk is contagion risk from other protocols. In real environments, these systems do not occur in isolation. For instance, cascading liquidations in ETH and BTC between multiple leverage platforms occurred on 'Black Thursday' in March 2020. We suggest that cascading liquidations like this can be modeled using fire sale models of networks of common asset holdings (e.g., [15] ). Based on the novel risks in non-custodial stablecoins, existing financial models cannot be used 'out-of-the-box'. Here we introduce foundational models for non-custodial stablecoins which adequately capture these risks. First, we draw inspiration from capital structure models, extending a basic model to capture additional aspects and formulate four formal examples of such problems. Second, we consider forking models, moving from the single-shot nature of the capital structure models we present to games of multiple rounds. Third, we provide a brief review of models that focus on whether non-custodial incentive structures can lead to stable price dynamics. Finally, we include an estimation of utility functions specifically for the Maker protocol. We draw inspiration from capital structure models ( [34] , [70] ) to understand incentives and attacks in stablecoins. The original formulation of these models describe incentives in an IPO offering between equity holders, bond holders, and managers. In the stablecoin adaptation, the model describes incentives between governors who hold governance tokens (∼ equity), stablecoin holders (∼ bond holders), and vaults/risk absorbers (∼ managers). We relate vaults to managers as vaults decide the stablecoin supply. We consider three assets: COL (collateral asset, e.g., ETH), GOV (governance token), and STBL (stablecoin). In Problems 1-2, we consider vaults endowed with COL, governors endowed with GOV, and stablecoin holders who purchase STBL. In Problem 3, we consider a different formulation in which agents choose portfolios of assets, including strategic holdings of GOV. We define the following model components • N = dollar value of vault collateral (COL position) • R = random return rate on COL • F = total stablecoin issuance (debt face value) • b = return rate on a new opportunity; vault issues stablecoins (raises debt) to pursue this • β = collateral factor • δ = interest rate paid by vault to issue STBL • u = vault's utility from an outside COL opportunity • U (·) = stablecoin holder's utility function • B = STBL market price at issuance • P t = GOV market value at model time t with terminal valuation parameter p f . The model proceeds in three stages: (0) governance decides interest rate δ (i.e., the contract with the vault), (1) vault decides stablecoin issuance leveraged against a collateral position, and (2) the system is settled with an attack occurring if profitable. In a simplest formulation, the vault and governance are assumed to maximize expected value (risk neutral), and the stablecoin holder has risk averse utility U with unlimited demand depth at this utility, which we later relax. The GOV token prices are denoted P 0 , P 1 , and P 2 in respective periods. In the simplest form, these represent discounted cash flows accruing to governance given the information at each time. P 0 is the objective that governors optimize in period 0. P 1 is relevant for Problem 3 and gives the GOV valuation after vaults and stablecoin holders strategically participate in GOV ownership. P 2 is relevant for Problems 1-2 and gives the GOV valuation at the end of the model. Conditioned on no attack taking place, P 2 = δ F + p f , where p f is a terminal valuation parameter. If an attack occurs, then we assume participants abandon the system yielding P 2 = 0. The terminal valuation p f represents the growth potential of the stablecoin: for instance, if F becomes large in the future, then GOV cashflows δ F become large as well. 4.1.1 Problem 1: Capital structure with no attack. We introduce a simple setup with no attacks in Problem 1. This resembles the classic capital structure problem with a particular form of contract between the equity and manager: in the stablecoin setting, vaults receive all profits from leverage with an interest fee paid to governance. The governance choice problem is to maximize the expected fee revenue subject to the vault's stablecoin issuance. The vault choice problem is to maximize expected returns from leverage minus fees subject to the following constraints: (1) the collateral constraint, (2) the participation constraint, (3) stablecoin market price as the stablecoin holder's expected utility of holding one stablecoin. Notice that, for simplicity, there are several limitations to the model as formulated. In a more complete model, the vault may account for collateral liquidation costs (as in [51] ) and last-resort insurance roles of GOV to make up for any collateral shortfalls (which can be accounted for by adding terms of −[F (1 + δ ) − N (1 + R)] + to the governance objective and modifying the stablecoin pricing constraint). Some stablecoins also include an interest rate paid to or by stablecoin holders. Finally, notice that both the setups with sequential choices by the vault and the governance as well as concurrent choices are realistic. Governance choice max δ ∈[0, 1) E δ F + p f s.t. F is vault choice Vault choice max F ≥0 E[N R + F (Bb − δ )] s.t. F ≤ β N u ≤ E[N R + F (Bb − δ )] B = E U 1 F min(F, N (1 + R) − δ F ) Capital structure with governance attack. We consider a governance attack vector of the form described in [94] and [42] . In such an attack, an agent with a ζ fraction of GOV tokens is able to steal γ fraction of collateral in the system. As described in [94] , this could occur in the Maker system at the time with ζ = 0.1 and γ = 1 (or possibly γ > 1 after accounting for simultaneous attack on other systems using the stablecoin) because governance is granted the power to arbitrarily alter the contracts. 12 12 Note that governance attacks like this can be mitigated by limiting the contract structure governance can alter and implementing long time delays between changes, but it is a realistic attack vector in currently deployed systems that build in broad contract upgrade capability. The structure of the formal problem can also be altered by tailoring emergency settlement triggers. This attack is profitable if the proceeds exceed the costs: where α incorporates an outside cost to attack and ζ (δ F + p f ) is the opportunity cost of attack (the value of ζ fraction of GOV tokens). Note that in traditional financial settings, we typically have α >> γ N : α represents a high cost due to legal/reputational recourse. This simplifies the problem to Problem 1 as the attack is always unprofitable. In the Problem 2 setting, the governors split into two groups: attack and non-attack groups. If we think of individual governors having individual α costs to attack, then the attack group will form from the ζ fraction with lowest α. If we take ζ < 0.5, then the non-attack group will decide interest rate δ while the attack group will decide d ∈ {0, 1} whether to attack. If ζ > 0.5, then the attack group decides both δ and d. Problem 2 models the case of ζ < 0.5: the governance choice problem represents the non-attack group decision over δ , and the attack group decision is represented by the 1 d constraint. Note that a simple reformulation of the governance objective would model the case of ζ > 0.5. The vault decision is expanded to include the amount of collateral N locked in the stablecoin subject to an amountN available to the vault; the amount locked is subject to seizure by a governance attack. This compares to Problem 1, in which all vault COL is locked since there is no attack vector (the previous N is the newN ). For simplicity, the setup assumes that γ is such that, under a successful attack, no collateral is recoverable by the vault after accounting for F ; this could be relaxed with an extra term in the vault's objective. As an extension to Problem 2, α could also incorporate a bribe decision from the vault to governance to change attack incentives. In Problem 2, incentive alignment against attack (security) will depend critically on p f and α as it's unrealistic for δ F to be on the order of N (∼ 100% interest rate). In a long-run growth equilibrium p f will be related to the geometric sum δ F 1−r for some discount factor r . This allows us to understand the settings in which long-run incentive security will depend on a large α term, which equates to centralized recourse. In particular, combining the conditions for a non-attack decision with the collateral constraint, we need γ r ζ δ < β to have incentive security against attack with α = 0, which is very limiting for practical values of these quantities. Notice that, if incentive security is lacking or the opportunity is not profitable enough for the vault, an equilibrium can be no participation from the vault (in which case 1 (N >0) = 0 in the utility threshold constraint). Portfolio selection with collusion attack. We now consider a collusion attack vector of the form described in [49] . For instance, a group that controls a large share of GOV (e.g., 51%, though possibly lower) can manipulate price feeds and settle the system such that stablecoin holders or vaults have claim to greater share of collateral. If the group also holds the profitable position (e.g., stablecoins), then the attack can be profitable unless the GOV token holds adequate market value. These 51%-style attacks can't inherently be mitigated. 13 We model these attacks in a more complex setting; a full formal setup is in Appendix Problem 3. In this setting, vaults and stablecoin holders are endowed with a value and choose a portfolio of available assets, some of which entail participation in the stablecoin system and are subject to attack. They may strategically bid up the price of GOV to secure the system or acquire GOV and/or issue a bribe to try to trigger a instigate a profitable attack. A third agent is an outside GOV holder who may choose to collude with other agents. These agents make the following strategic decisions: • Vault decides portfolio x allocated between COL and GOV, level of participation in the stablecoin N and F , and bribe factor γ v to the outside governors. • Stablecoin holders decide portfolio y allocated between STBL, GOV, and COL and bribe factor γ s to the outside governors. • Outside governors hold ε fraction of GOV, decide interest rate δ and decide whether to collude with the vault (d v ), the stablecoin holder (d s ), or whether no attack occurs (d n ). The offered bribes are a γ v and γ s fraction of attack profitability. An attack is profitable if ζ fraction of governance collude (e.g., a threshold to manipulate the price feed)-we can generally take ζ ≥ 0.5, but could be lower if collusion with miners is added in. The portfolios x, y have components measured in dollar value and which sum to the total endowed valuesx,ȳ. The COL market is assumed to be perfectly liquid at the given price, and so portfolio decisions have no price effect on COL. We restrict the focus to modeling endogenous prices of GOV and STBL. The price of GOV is determined through the function P(x G , y G , δ, F ); we assume this = E[δ F +p f ] without vault or stablecoin holder participation in the GOV market. In the model, P 2 = P 1 conditional on no attack. If an attack occurs, then GOV price goes to zero. The STBL price is determined through the function B(F , y S ) in a way that balances supply and demand. Since the stablecoin holder has an endowed value in this problem, we no longer assume the STBL market demand has an unlimited depth at a given utility value, as done in the previous formulations. The behavior of this model will likely depend largely on the choice of functions P, B. A number of choices could be explored to consider different market structures. 13 Common mitigations include governance delays and maximum governance changes, but these are only effective to a certain extent. As discussed in [49] , once there is a profitable coalition, they can wait out any time delays-e.g., vaults are not able to exit if they can't buy back the stablecoins. Compared to Problem 2, the vault now decides the amount of COL to hold (x C ), equivalent to previousN ) and, of that amount, the amount to lock as collateral in the stablecoin (N ). Similarly, x G , y G represents the amount of GOV in the vault and stablecoin holder portfolios respectively. We now have three attack decision variables (d n , d v , d s ), precisely one of which will take the value 1. The logic for this is encoded in the 2nd-4th constraints of the outside governance choice problem. Miner-absorbed mechanism. The miner-absorbed system is a variation of the presented problems as it explicitly models miners as the core participants. The miner-absorbed stablecoin includes two agents: Miners taking the role of risk absorbers, governance and miners as well as stablecoin holders. Further, the system includes an algorithmic issuance role (i.e., part of the base blockchain consensus protocol). The primary value in a minerabsorbed mechanism is implicit collateral. In this problem setting, we assume that miners are risk-neutral, economically rational agents 14 . Further, we assume that the base blockchain includes a single currency STBL (i.e. the GOV and COL tokens are not present) and that it includes a correct and up-to-date price oracle. We define Problem 4 as follows: Should a miner generate a new block given an expectation of the rewards r being paid, the return rate on the rewards b at the market price of STBL B considering the cost for mining c as well as a long-term confidence in the system expressed as P 1 ? In c we subsume all variable and fixed costs for generating a block. The miner's decision is expressed by d such that d = 1 encodes generating a block and d = 0 the opposite. The stablecoin holder decides to participate in the minerabsorbed systems based on the expected stability of the system expressed by the utility function U . The stablecoin holder has a portfolio of assets y. The portfolio consists of two asset: STBL denoted as y S and a second exogenous stablecoin denoted as y A . For example, this could be a miner-absorbed system like Kowala and USDC as exogenous system. The stablecoin holder re-balances the weight of the portfolio from one block (denoted by y 0 ) to the next block (denoted by y 1 ). The decision is based on the price of STBL expressed by B and the price of the exogenous stablecoin denoted as B A . Additionally, there is a cost δ to acquire STBL. The stablecoin holders portfolio re-balancing has an impact on the price B expressed by the abstract function B(r , y 1 , d, P 1 ). If the stablecoin holder sells significant amounts of his STBL holdings, this should have a severe implications for the price. Last, we define the abstract function P(y S , d) that determines the confidence in the system of the stablecoin holder. For example, the stablecoin holder could short-term sell STBL without affecting the long-term confidence in the system. This is similar to a stablecoin holder using STBL to e.g., pay bills but planning to keep using the system in the long-run. Miner rewards r are adjusted by the issuance algorithm.The issuance algorithm is left abstract. However, the objective of the issuance algorithm is to minimize the change in price B. We note that in a PoW system the reward is constrained such that r ≤ 0 since the issuance algorithm can in the worst-case pay zero rewards but not "take-away" existing value. In a PoS system this can be achieved by slashing PoS miners as well as in seigniorage share systems 14 Non-risk neutral miners could also be observed and are covered for a non-stable currency in [25] were miners additionally hold a risky asset such as COL [83] . The issuance algorithm takes as inputs the price function, but has to assume that d = 1. The miner-absorbed problem adopts previous components and adds new ones as follows: • c = cost for mining a block • δ = cost to obtain a stablecoin • u = stablecoin holder's utility for an outside STBL opportunity • r = reward paid in the next block Given the problem 4, r depends on the the expectation the stablecoin holder has towards the price of STBL B and the subsequent re-balanacing of the portfolio y. If the stablecoin holder expects the price stability, he will either increase his holdings of STBL (considering the cost of obtaining expressed by δ ) or keep his current holdings. On the other hand, price instability will lead to a reallocation of portfolio weights towards the exogenous stablecoin 15 . We discuss the changes in portfolio allocation as these lead to more severe impacts on r . Case 1: Increased demand for STBL y 0 S < y 1 S . To keep the price stable (i.e. min |B() − 1|), the issuance algorithm sets r > 0. In turn, this increases the total supply F . Assuming that Bbr > c, miners should choose to mine a block such that d = 1. Notably, the issuance algorithm can increase r to meet any demand by simply increasing mining rewards. However, there is can still be a problem here: r is directly paid to miners. If miners are not spending STBL such that it is reallocated to stablecoin holders, even issuing r can lead to a price increase. Conversely, if r is set too high and miners sell STBL directly, the price of STBL can decrease. Hence, finding a price-stabilizing issuance algorithm is non-trivial given that the portfolio allocation and miner decisions cannot be known a priori. Case 2: Decreased demand for STBL y 0 S > y 1 S . In this case, stablecoin holders are selling STBL in favor of an exogenous stablecoin. The issuance algorithm reduces r in return to limit the increase of F or do not increase F at all. However, the problem of paying low rewards introduces two distinct problems. First, it is possible that even in the case of r = 0, B will still decrease if there is too much supply in the market. A short-term price increase might still be counter-acted if stablecoin holders and miners have long-term confidence in the system expressed by P 1 . However, second, without block rewards, the expected utility for miners is can be negative since they cost for mining a block c is only compensated with the long-term confidence P 1 . If miners only consider the next block (without P 1 ), the liveness of the ledger is sacrificed due to the "Gap Game" [24, 89] . Even worse, miners could fork the chain with the most valuable transactions from the previous blocks to continue to earn rewards. If the liveness of the miner-absorbed system is not present, it will likely also affect the long-term confidence in the system for stablecoin holders and miners. Moreover, if the miner can easily switch between different chains, they would likely abandon the current stablecoin chain for one that pays high rewards. One can motivate the miner to stay if the cost for switching is high, e.g., if a miner does not produce blocks in a given time they are slashed as in PoS systems. However, hard-to-leave also means hard-to-join: a miner needs to be ensured that his rewards will be positive in expectation. By adding up-front requirements like specialized hardware or acquiring certain currency, the rewards in expectation are minimized by the cost of acquisition as well as opportunity cost for maintaining the hardware/stake of coins. Endogenous collateral. We now need to account for the endogenous COL price: the actions of the stablecoin agents will have a direct price effect on COL if the primary use of COL is within the stablecoin system. One way is to define the COL price return as a function of the decision variables and update the vault and stablecoin holder objectives with this price formulation. In this way, a driving random variable (like R in the exogenous formulation) describing outside faith in the system would be an input to the price function in addition to agent decisions. As with the functions B, P in Problems 1-2, the precise formulation of this price function will play an important role in the problem, but we can explore a number of different market structures. In addition, the governance and vault roles may be merged into the same position if GOV = COL. Governance can also be an outside party without an explicit token-e.g., addresses controlled by the founding company. Algorithmic issuance. When stablecoin issuance is automated by the protocol, the vault is no longer a player. Instead, the issuance process becomes a constraint for the remaining players, as in Problem 4. The issuance process will directly affect the value of GOV, in which case, it may be worth considering a participation decision in owning GOV (e.g., in a portfolio selection problem). If all COL is implicitly backing the stablecoin, an insurance role will factor into a general COL holder's decision to hold COL, and thus into the pricing of COL. If GOV = COL, then this all comes down to the pricing of GOV. In the case that a specific portfolio of COL (and/or other assets) is backing STBL, and not all COL, then a money market model may be useful. Models such as [73] could be adapted to consider portfolio and last-resort insurance role of GOV (∼ sponsor support) in a stablecoin setting with added attack vectors. MEV: Miners as additional governance. Some single period MEV attacks can be modeled within the capital structure framework by including miners as a second governance-type agent, who decides transaction inclusion and ordering. For instance, miners could earn potential profits from front-running STBL issuance decisions or from bribes to limit the actions of other agents. For richer MEV attacks, we describe the adaptation of blockchain forking models in the next section. The capital structure models consider a single time-step: depending on the expectations of agents, they will choose to execute certain actions in the next round. In this section, we extend the models to explore how multiple rounds of agent decisions can affect stability and security of stablecoin systems. Specifically, we need to consider feedback mechanisms between different agents interacting over multiple rounds. In such a setting, agents adjust their future actions based on their beliefs of the other agents' actions and the output of the integrated algorithms (e.g., issuance or/and governance). Moreover, we consider that permissionless ledgers used in noncustodial designs (e.g. Maker) lack finality. Miners are able to reorder transactions and re-write history within certain depths of the ledger [37] . This allows agents to adjust past actions as well 16 . The resulting forking models are highly complex especially when considering a combination of a complex non-custodial system like Maker with a base blockchain like Ethereum. Below, we consider a simpler formulation with specific couplings between otherwise separate models of a base blockchain and an application layer. An output of one layer would serve as exogenous input to the other layer and vice versa. For instance, the size of MEV determined in application layer participation feeds back into incentives for forking attacks in the base layer, which feeds back into the probabilities of attack in application layer incentives. In this way, a complex forking model could be simplified into simpler problems that can be solved iteratively to find an equilibrium. This section is kept informal such that we describe the extensions required but do not include formal problems. Base blockchain. As explored in the blockchain folk theorem [11] , miners have an incentive to coordinate on the longest chain to increase their success of finding the next block. However, if a miner is already invested in a fork, the miner decides based on his vested interest (e.g., accumulated work or committed stake) whether to switch to a different chain. We need to take these two competing incentives into consideration when arguing about MEV, which serves as an implicit bribe for miners toward specific chains. A forking model can explore the success probability of bribing miners based on their prior incentives. Instead of modelling all miners with the same incentives, a forking model considers that miners already mining on a fork will have a higher incentive to take the bribe as they are invested in a fork. Additionally, the setup in [11] can be extended by a network game as a stochastic dynamic system [93] or a global game [69] with noisy observations (e.g., network delay, reward expectations). Moreover, we can incorporate various assumption of risk-appetite of miners [25] , selfish mining [36] , and the impact of block rewards in comparison to transaction fees [24, 89] . Application layer. A stablecoin that is built as an application on top of the base blockchain results in two directions of attack effects. In one direction, the application layer creates MEV that affects incentives on the base layer. For example, an agent wishing to prevent a liquidation transaction in Maker could offer a payment in another token to miners on Ethereum. Additionally, miners themselves are able to profit from their ability to determine the history of the ledger by e.g., execution of arbitrage opportunities, "time-bandit attacks", or oracle manipulation. Prior work on MEV in decentralized exchanges (DEXs) [30] and data feed issues [35, 92] describe some effects of this direction. The other direction affects participation in the application layer. We could imagine a forking model observing the success probability of an exogenous bribe within the base blockchain. If successful, an attack would capture value locked in the stablecoin. The possibility of such an attack (now or in the future) will have an effect on participation incentives in the stablecoin, similar to the description in the capital structure models. Stablecoin participation decisions in turn determine the size of MEV opportunities, which served as bribe inputs to the base layer model. Incentives created in the stablecoin system can therefore impact the security of the base blockchain system and vice versa. We provide a brief review on models that explore the higher-level problem of whether non-custodial stablecoin incentive structures can lead to stable price dynamics. A challenge here is in modeling the feedback effects of agent decisions, as discussed in the previous section. To illustrate, in the most closely related traditional financial models, an assumed stable asset is borrowed against collateral, whereas in the non-custodial stablecoin setting, the 'stable' asset that is borrowed has an endogenous price and/or participation level. The decisions of the other agents will affect this endogenous price and participation level of the stablecoin holder. [51] and [50] construct stochastic models involving endogenous stablecoin price in exogenous collateral systems, taking into account deleveraging and liquidation actions given imperfectly elastic stablecoin demand. In this context, they model vault issuance incentives considering that issuance involves taking a leveraged bet on the collateral asset. They illustrate potential deleveraging feedback effects on stablecoin markets that lead to stablecoin price appreciation and characterize stable and unstable regions for stablecoins. 17 There are several open follow-up questions. For instance, evaluating the effect deleveraging events have on stablecoin holder participation incentives (particularly for different designs and relative to alternatives available to stablecoin holders), exploring strategic interaction of many vaults, destabilizing effects of attacks such as in the previously mentioned forking models, and extending to endogenous collateral models. A few other papers are applicable to stability of stablecoins. [42] and [48] model cryptocurrency-collateralized lending platforms. These do not incorporate feedback effects on the stable asset market, but do incorporate feedback effects on collateral asset liquidity. 18 A simpler stablecoin problem involving no feedback effects is modeled in [16] . Option pricing theory is applied in [22] to value tranches in a proposed stablecoin using PDE methods, also under no feedback effects. Some stablecoins have also performed stability analyses (e.g., [26] , [77] ), though these are typically limited in scope and include generous assumptions. Agents' preferences, and in turn their behavior, are a central object in stablecoin design. In Appendix A.4, we first describe an framework which can be used to model preferences, and then outline two methods which can be used to estimate agents' risk attitudes. The attainment of a clear understanding of agents' risk attitudes would serve to improve protocol design and parameter selection. In this section we discuss a likely implication of our capital structure models. Further, we outline how the modelling framework presented herein is applicable to other cryptoeconomic systems including composite assets, cross-chain protocols, synthetic assets, collateralized lending protocols, and DEXs. As discussed in the context of our capital structure models, to maintain incentive security, governance value may have to grow faster than stablecoin supply and locked collateral. This suggests a serious scaling issue. The typical concept of governance value comes from expectations of cashflow generation from future system fees. A long-term equilibrium without large future growth expectations may not be possible from this source alone. Instead, other parties to the system may need to hold governance tokens to bid up governance market value. This will feedback into participation incentives of these other parties; there is no guarantee that equilibrium participation exists in this context either. To illustrate, stablecoin holders may need to hold significant positions in a risky governance asset in order to secure their stable positions, which may defeat their purpose in holding the stablecoin. This leads us to an informal impossibility conjecture: Conjecture 1. Many decentralized stablecoin formulations may have zero long-term participation in the context of our capital structure models. An analogy helps to illustrate potential impossibility of some designs: if incentive security requires a bank's equity market value to be worth multiples of total deposits, then no depositors will participate. 19 The conjecture reinforces the importance of studying mutual incentives in choosing the right stablecoin design. Note that the oracle incentive compatibility problem also closely resembles the stablecoin governance incentive problem. Solving these problems in a fully decentralized way remains an open problem. Current solutions implemented by stablecoins essentially centralize governance. This solution relies on a form of institutional liability and translates into a high α value (e.g., in Problem 2). This is not necessarily a problem; many traditional financial systems operate in this way. This is why banks do not need to be worth 19 Put another way, the bank's P/E ratio would need to be in the 100s or 1000s. multiples of total deposits. However, we should openly recognize that this trust line exists and may be vital. So far we have focused on primary stablecoin mechanisms. Another class of composite stablecoins involves baskets of primary stablecoins to try to further absorb risk. The simplest is an ETF stablecoin, which works using the ETF arbitrage mechanism to create/redeem the composite stablecoin against the basket. A DEX stablecoin aims to spread risk over the basket while providing an exchange service between the constituents, and so the basket weights change with exchange demand. DEX stablecoins take on the risk of liquidity provision to these exchanges. For constant function market maker (CFMM)-based exchanges, this risk is described in [3, 4] . Other DEX stablecoin designs propose limited 1-to-1 stablecoin swaps. In this case, if economic structure is not carefully considered, the value of the basket may devolve into the value of the least valuable constituent (e.g., if an underlying stablecoin fails). A CDO composite stablecoin segregates stablecoin risk into tranches. 20 For instance, the basket may have n stablecoins and n tranches. At settlement, the senior tranche holder gets first choice of which stablecoin to redeem for while holders of the most junior tranche picks last. Thus, junior tranche holders bear the risks of first stablecoin failures and are compensated with interest payments. This structure introduces a similar participation problem: enough agents need to be willing to take the different positions given the equilibrium level of interest payments. Other composite stablecoins may also be possible. The stability of all composite stablecoins relies on primary stablecoin failures not being highly correlated. Table 3 summarizes categories for composite stablecoins, applicable models, and projects. The foundations in this paper can also apply more broadly to synthetic and cross-chain assets. Synthetic assets use the same mechanisms as non-custodial stablecoins but with different target pegs (e.g., dYdX's perpetuals using synthetic BTC). In comparison, cross-chain mechanisms transfer assets between blockchains. Where both blockchains are able to verify state of the other, cross-chain assets do not require collateral as the issue and redeem procedure can be executed through transaction inclusion proofs via a chain relay on each blockchain (e.g. PeaceRelay [55] ). Hence, incentive design for these models is not required to maintain a price peg, but rather to keep the relays on each side up-to-date and protected against attacks such as relay poisoning [56, 91] . On the other hand, if the cross-chain mechanism enables asset transfers (i.e., not atomic swaps) from a blockchain without the capability to verify state of another blockchain (e.g., Bitcoin) to one that has this capability (e.g., Ethereum), collateral or trust in a third party is required. 21 These cross-chain mechanisms utilize intermediaries that hold custody over the locked asset. We can distinguish between trusted non-collateralized intermediaries where custodial models can be applied (e.g., wBTC) and non-custodial cross-chain mechanisms (e.g., XCLAIM, tBTC, RenBTC). Non-custodial designs 20 Note the difference from the CDO analogy used to describe primary stablecoins. 21 For a formal proof of this requirement see [90] . rely on collateral for incentive security in addition to collateral of the transferred asset itself. Exogenous collateral without governance assets (e.g. XCLAIM [44, 91] ) can be modelled using the capital structure models without considering long-term impact of governance value. Models that use exogenous collateral for the transferred asset in combination with endogenous collateral for incentives (e.g. tBTC), might be subject to a similar governance value problem as outlined in 5.1. However, in both cases the underlying asset is insured by exogenous collateral and hence the design provides protection of the transferred assets independent of the success of the cross-chain mechanism. Endogenous collateral structures, on the other hand, are subject to the same incentive sustainability issues that rely on an increasing governance value (e.g. RenBTC). Here, the security of the transferred asset relies on the long-term success of the cross-chain mechanism. Lending protocols. Collateralized lending protocols share a similar structure to non-custodial stablecoins and our models are easily adapted to describe such protocols. Lending protocols are simpler than non-custodial stablecoins in that borrowed assets are exogenous. However, when the primary defence mechanism used by these protocols is a system time delay, an important security implication of the exogeneity of the borrowed assets is that it can allow protocol participants to leave a protocol before a governance attack is fully realized. In the stablecoin setting, a vault is not able to deleverage and exit unless they can repurchase stablecoins. Thus in a governance attack, a system time delay built into the protocol would likely be ineffective as a (profitable) coalition between stablecoin holders could simply wait out the delay, preventing many vaults from exiting. In contrast, in the collateralized lending setting, the typical borrowed asset either has a much larger market or is a custodial stablecoin, in which case the vault can always create new stablecoins at par through the issuer to deleverage. A system time delay could therefore protect participants by allowing them to exit before many impending governance attacks could be realized. 22 DEXs. Some DEXs may similarly permit participants to exit before a governance attack is fully realized. However, where DEXs operate their own (governance controlled) chain, the ability for participants to exit under an attack can be fundamentally restricted. In this latter case, incentive security is an important question. The capital structure framework can also be applied in these cases. In DEXs, fees are based on exchange volume while incentive security of governance is related to supply deposits. A key modeling component will be a behavioral factor of volume relative to deposits. For Uniswap, annualized volume can be ∼ 100× deposits. In comparison, a collateralized stablecoin accrues fees on borrowed assets, which can be ∼ 1/4 of supply deposits. While equilibrium fees accruing to governance may be much smaller in DEXs than stablecoins, this ∼ 400× factor makes the feasible region for incentive security against governance attacks potentially larger in DEXs. This leads us to the following informal conjecture: 22 A likely exception is price feed attacks. Conjecture 2. It is fundamentally easier to economically secure DEXs against governance attacks than stablecoins in the context of our capital structure models. We have introduced a foundational framework for relating economic mechanics of all stablecoins and formulated three classes of models for non-custodial stablecoins, for which traditional financial models are sparse. These models evaluate measures of economic stability and incentive-based security considering mutual participation incentives of agents necessary for a mechanism to function. These models consider attack vectors including governance, data feeds, miners, and deleveraging market feedback effects. Centralized oracles control the risk of outside attack but can lead to perverse incentives for the provider-at some point, manipulating the feeds may be more profitable than providing data honestly. They also introduce single points of failure. Centralized approaches can Table 6 : Non-custodial system oracle manipulation events. be made more secure, for instance, through the use of trusted execution environments [92] . Through such methods, it can be proven that the data feed is an authentic representation of a particular source, but it is still inherently manipulable by the source. Decentralized oracle approaches exist, but remain an open research question. Existing solutions fall short of a full solution. They rely on Schelling point schemes, in which agents vote on the price feed and are incentivized by slashing if their vote deviates from the consensus. These are problematic because incentives are related to the consensus, which is not objectively verifiable for correctness and can be manipulable through game theoretic attacks. There are methods to mitigate these risks. For instance, medianizers are typically used to aggregate prices from a number of oracles, half of which must then be incorrect to manipulate the final feed. Some services, such as Chainlink, provide such a medianizer using an incentivized reputation system [35] . The security of such systems also remains an open question. Other methods attempt to create a price feed inferred from onchain metrics, which is then objectively verifiable on-chain. A related method attempts to couple the price of a token to the cost of mining in proof-of-sequential work (e.g., Elasticoin in [33] ). The security of these methods also remains an open question. Some cryptocurrency-to-cryptocurrency prices can be determined on-chain through decentralized exchanges, given appropriately controlled construction (e.g., to account for limited liquidity Outside governance choice x, y, N , F , γ v , γ s from vault and stablecoin holder choices δ, d, x, N , F from outside governor and vault choices and time-averaged over extended time periods to make manipulation more costly). A missing link is still to outside fiat prices, however. Prices in terms of other stablecoins may be used, but this faces the same inherent problem: we then rely on that stablecoin, which may be manipulated or fail, for the data feed. A.4.1 Utility functions. Provided an agent's preferences satisfy certain properties, an agents' preferences over consumption set Y can be represented by a utility function [63] . In particular, here we assume that an agents are mean-variance maximizers, roughly wanting to maximize the mean and minimize the variance of a portfolio, with preferences over a random variable X can be described as follows: where X ∼ N (µ X , σ X ), with µ X denoting the mean of X , σ X denoting the variance and ρ A denoting the coefficient of risk aversion. We provide more information on this formulation in A.4.5. A.4.2 Method 1: one risky asset, one riskless asset. In one simple framework, a mean-variance maximizer can invest proportion α of their wealth in a risky asset, and proportion (1 − α) in a risk free asset. From this setup, it is possible to derive, as we do in A.4.6, that their optimal choice of α is given as follows: where w denotes the agent's wealth, E[R] and V ar (R) the expected return and variance of a risky asset andr denotes the return on a risk-free asset. From this expression, all that is required to compute ρ A is knowledge of the five variables in this equation, making it a tractable place to begin with the estimation of agents' preferences. A.4.3 Method 2: preferences from portfolio weights. It is also possible to uses agents' investment history to infer agents' risk-aversion coefficients. In particular, [14] consider an investor who invests into k risky assets and a single riskless asset, basing their investment strategy on an exponential utility function, as above. As well as permitting multiple risky assets, in contrast to above, the closed-form solution to the portfolio choice problem provided by the authors is also explicitly multi-period. We present the details of this approach in A.4.7. A.4.4 An case study of MakerDAO using Method 1. We apply Method 1 to Equation 2 to seek to recover agents' risk aversion in choosing leverage in the MakerDAO protocol [58], a non-custodial collateral backed stablecoin (see Section 3). We use data on single collateral Dai (Sai) up until November 18th 2019. A histogram of the resulting values of ρ per CDP is given in Figure 2 23 . While these results should only be considered indicative, we find a mean value for ρ of 0.0011, which seems approximately consistent with other estimates of risk-aversion coefficients in the literature [8] . We also provide an average value of ρ per address, rather than per CDP, in Figure 3 . Looking at 'active' accounts with more than 10 CDP actions, we find a mean value for ρ A of 0.0012. The main takeaway from figure 3 is that on an address level, most addresses appear to exhibit some degree of risk aversion, with some estimates of ρ providing notably higher levels of risk aversion than appear in the literature. A.4.5 Utility function estimation -details. We take as our starting point a general class of utility functions: those representing Hyperbolic Absolute Risk Aversion (HARA), where the level of risk tolerance is a linear function of wealth: 23 Note that we exclude outliers in the plot, e.g. those with risk aversion above 1 where u(w) is the utility arising form a certain level of wealth w, a > 0, γ 0 and aw 1−γ + b > 0. A standard measure of risk is the Arrow-Pratt coefficient of absolute risk-aversion [6, 78] , which extracts a measure of risk-aversion that is invariant to affine transformations as follows: 24 Importantly, imposing parameter restrictions a > 0, b = 1 and γ → −∞ ( [84] on equation (3) yields an exponential utility function u(w) = −e −aw , with the property of constant absolute risk aversion (CARA): A(w) = − −a 2 e −aw ae −aw = a = ρ A . CARA implies that the amount an agent optimally invests in a risky asset does not depend on their wealth. In turn, assuming that agents' utility functions feature can be characterized as CARA, then for random variable X , provided X ∼ N (µ X , σ X ) where µ X denotes the mean of X and σ X denotes the variance, it can be shown that the expected utility E[u(X )] is given by E[u(X )] = −e −ρ A µ X − ρ A σ 2 X 2 [87] . The agent maximizes this expected utility when they maximize µ X − ρ A σ 2 X 2 . Therefore, if we characterize an agent as having exponential utility, and therefore CARA, then when they maximize this utility when faced with a normally distributed random variable X , they can be considered a mean-variance maximizer, with utility given by: Treating agents as mean-variance maximizers yields one tractable framework within which agents risk aversion, an aspect of their preferences, can be measured. Yet there are several points to note about this approach. Firstly, assuming that agents exhibit CARA-where their investment in a risky asset does not depend on their wealth-may not be wholly realistic. Perhaps agents actually invest a constant proportion of their wealth. Moreover, here we are implicitly assuming that agents are not concerned with the shape of the risk, aside from the variance, so for instance are not concerned with heavy tails. In the stablecoin setting, this may too be an unrealistic representation of the true distributions. We note these limitations and posit this framework as a tractable entry point for future research. A.4.6 Method 1: one risky asset, one riskless asset. Let us assume that an agent can invest proportion α of their wealth in a risky asset, and proportion (1 − α) in a risk free asset. 25 This would provide a total return X (α) = αR+(1−α)r . Since E[X (α)] = r +α(E[R]−r ) and var (X (α)) = α 2 var (R), setting µ X = E[X (α)] and σ 2 X = var (X (α)), an agent with wealth w will maximize 24 See [63] for further information on expected utility theory and the relevance of affine transformations. 25 Here we are not considering the participation question about whether to invest at all, but instead considering how, given a fixed amount to invest, this can be done optimally. with respect to α, yielding optimal solution as given in Equation 2. From Equation 2 all that is required to compute ρ A is knowledge of the five variables in this equation, making it a tractable place to begin with the estimation of agents' preferences. A.4.7 Method two: preferences from portfolio weights. Letting X τ be a random return vector of k risky assets, and supposing that X τ and a vector of p predictable variables z τ jointly follow a vector autoregressive process of order 1, the authors prove that the optimal multi-period portfolio weights for all periods [0,T − 1] can be analytically stated. In particular, by Corollary 2, letting X τ = (X τ ,1 , X τ ,2 , ..., X τ ,k ) ′ be a sequence of independently and identically normally distributed vectors of k risky assets (X τ ∼ N (µ, Σ) ), r f ,τ be the riskless asset return, and provided Σ is positive definite, then ∀t = 1, ...T : whereμ = µ − r f ,T −t +2 1, which can be rearranged to yield an explicit expression for ρ A : On this approach, provided data is available on agents' portfolio weights through time, a value for ρ A could potentially be calibrated more precisely than method one would allow; however, this data requirement in itself is more demanding. In particular, in the context of stablecoins, for example, the possibility that one agent uses multiple blockchain addresses would obfuscate the true portfolio weights through time. However, to the extent that future work is able to accurately determine these weights, this offers a promising approach to calibrate values of ρ A . A.4.8 Empirical case study of Method 1. To illustrate how these utility function estimation techniques can be applied, we provide a minimal working example, applying method 1 to MakerDAO [58] . A core component of the Maker stablecoin system is the issuance of a stablecoin against the value of collateral. In particular, down to a threshold value of 150%, agents choose how much stablecoin to issue as debt against their collateral. For example, for 150 USD worth of ETH collateral, at the 150% threshold an agent can issue up to 100 USD of stablecoin debt. However, if the ETH/USD price falls, then the agent would become undercollateralized relative to the 150% threshold, and would incur liquidation costs. On the converse-and one of the primary use cases of such a stablecoin-if the agent repurchases more ETH with their debt, the agent has accessed leverage. If the ETH/USD price rises, then the agent will stand to benefit more from this price increase than if they had not issued themselves debt. Thus, following method 1, in this section the goal is to estimate equation (2) . We proceed with the following demonstrative steps. (1) Data collection. We use the MakerDAO GraphQL API [59] to obtain data on Collateralized Debt Position (CDP) actions. 26 (2) Data cleaning and sample selection. We clean the data, focusing only on Externally Owned Accounts prior to the 26 This API only covers the stablecoin SAI, the precursor to DAI. launch of multi-collateral DAI. We further only consider CDPs with more than 50 USD of collateral. (3) Wealth calculation (w). We assume that each time an agent issues themselves with the stablecoin, this is used to buy more ETH. Therefore for each agent we calculate their total wealth as the sum of their ETH holdings (ETH collateral and ETH bought with stablecoin) less their debt. (4) Risky asset holding (α). We calculate the ratio of ETH holdings to original ETH collateral. Leverage is represented as α > 1. (5) Computation of mean and variance of risky asset (E [R] and V ar (R)). We compute the mean and variance of the risky asset by computing the cumulative rolling moving average mean and variance of daily ETH/USD returns. (6) Assumption of a risk free rate (r ). We assume that the investor has access to a risk-free interest rate of 2% annually. Anton van der Kraaij, et al. 2020. A regulatory and financial stability perspective on global stablecoins Basis: A Price-Stable Cryptocurrency with an Algorithmic Central Bank Improved Price Oracles: Constant Function Market Makers An analysis of Uniswap markets The recent distress in corporate bond markets: cues from ETFs Aspects of the theory of risk-bearing The technology of retail central bank digital currency Risk and probability premiums for CARA utility functions The macroeconomics of central bank issued digital currencies Do ETFs increase volatility? The Blockchain Folk Theorem BSIP58: Global Settlement Protection Through Price Feeding The state of stablecoins On the exact solution of the multi-period portfolio choice problem for an exponential utility under return predictability Networks of common asset holdings: aggregation and measures of vulnerability Incentives for Crypto-Collateralized Digital Assets Collateralized Debt Obligations for Issuer-Backed Tokens STEEM DOLLAR Peg to $1 USD is Broken Again âĂŞ But not how you might think! In search for stability in crypto-assets: Are stablecoins the solution? bZx Integrates with Chainlink to Prevent Future Price Oracle Exploits Choosing a Reliable Solution for bZxâĂŹs Oracle Designing stable coins Global games and equilibrium selection On the instability of Bitcoin without the block reward An Axiomatic Approach to Block Rewards An analysis of the stability characteristics of Celo Bitfinex Repays Tether $100 Million of $700 Million Loan Fractional Reserve Stablecoin Tether Only 74% Backed by Fiat Currency, Say Lawyers Crypto Exchange Bitfinex Suspends Fiat Deposits, Expects to Resume 'Within a Week Flash Boys 2.0: Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability Bank runs, deposit insurance, and liquidity In search for stability in crypto-assets: are stablecoins the solution? Melmint: trustless stable cryptocurrency Capital structure and dividend irrelevance with asymmetric information Majority is Not Enough: Bitcoin Mining is Vulnerable The Bitcoin Backbone Protocol: Analysis and Applications Demand-deposit contracts and the probability of bank runs. the A Free Money Miracle Is bitcoin really un-tethered? Available at SSRN The Decentralized Financial Crisis: Attacking DeFi Risk and wealth in a model of self-fulfilling currency attacks Balance: Dynamic Adjustment of Cryptocurrency Deposits Rollover risk and credit risk How Safe Are Money Market Funds?* The curious case of ETF NAV deviations An Analysis of the Market Risk to Participants in the Compound Protocol Vulnerabilities in Maker: oraclegovernance attacks, attack DAOs, and (de)centralization Ariah Klages-Mundt and Andreea Minca. 2019. (In) Stability for the Blockchain: Deleveraging Spirals and Stablecoin Attacks While Stability Lasts: A Stochastic Model of Stablecoins End of a stablecoin Stablecoins, Digital Currency, and the Future of Money PeaceRelay: Connecting the many Ethereum Blockchains BTC Parachain Specification: Staked Relayers What Keeps Stablecoins Stable? MakerDAO GraphQL API The Market Collapse of March 12-13, 2020: How It Impacted MakerDAO Decreasing the Stability Fee A dynamic equilibrium model of ETFs Microeconomic theory Smart Contracts for Bribing Miners Money creation in the modern economy What is Stablecoin?: A Survey on Price Stabilization Mechanisms for Decentralized Payment Systems SoK: A classification framework for stablecoin designs Unique equilibrium in a model of self-fulfilling currency attacks Global Games: Theory and Applications. Cowles Foundation Discussion Papers 1275R. Cowles Foundation for Research in Economics Corporate financing and investment decisions when firms have informationthat investors do not have Central Bank Digital Currencies and the Long-Term Advancement of Financial Stability Fragility in money market funds: Sponsor support and regulation bZx Hack Full Disclosure (With Detailed Profit Analysis bZx Hack II Full Disclosure (With Detailed Profit Analysis Monetary Stabilization in Cryptocurrencies-Design Approaches and Open Questions Terra money: stability stress test Risk aversion in the small and in the large Great liquidity crisis' grips system as banks step back Increasing Robustness of the Terra Oracle Coordination failures and the lender of last resort: was Bagehot right after all The state of stablecoins A Note on Cryptocurrency Stabilisation: Seigniorage Shares Decision sciences: theory and practice Synthetix Response to Oracle Incident The End of a Stablecoin âĂŤ The Case of NuBits Macroeconomic theory Global Settlement for BitUSD The Gap Game SoK: Communication Across Distributed Ledgers. Cryptology ePrint Archive XCLAIM: Trustless, Interoperable, Cryptocurrency-Backed Assets Town Crier: An Authenticated Data Feed for Smart Contracts On modeling blockchain-enabled economic networks as stochastic dynamical systems How to turn $20M into $340M in 15 seconds