Own Protocol.

CST: A Trustless Real-World
Asset Standard

Bhargav Aparoksham bhargav@ownfinance.org ownfinance.org
Abstract

A tokenized stock should not require you to trust a custodian, nor to lock three dollars of collateral to hold one dollar of exposure.

Two models dominate onchain real-world assets (RWAs), and each fails a different half of the problem. Custodial tokens (Ondo, Backed/xStocks, Dinari) track the asset faithfully but reintroduce the very intermediary crypto set out to remove: an issuer, a broker-dealer, a prospectus you must trust. Collateralized-debt-position (CDP) synthetics, the model that made stablecoins like DAI work, are trustless, but break for RWAs. A stablecoin CDP carries only one volatile leg: the collateral moves, but the liability is pinned at $1, so the system only has to buffer swings on one side. An RWA synthetic carries two. The minted token tracks a moving market price while the collateral behind it moves independently. Backing one volatile asset with another, imperfectly correlated, forces punitive overcollateralization to stay solvent, and that capital does not scale.

We introduce the Collateral-Secured Token (CST): an ERC-20 that tracks a real-world asset, where an offsetting offchain hedge keeps the token priced to the asset and onchain collateral guarantees its solvency. A market maker takes the minter's stablecoins and hedges the exposure offchain; independently, liquidity providers post collateral into an onchain Multi-Purpose Vault (MPV). If a market maker ever fails to honor a redemption, the vault's collateral is liquidated permissionlessly, at the oracle price, to make holders whole. The same collateral base simultaneously secures issuance, powers a lending market, and earns native yield. This paper specifies the CST, the MPV, the RFQ issuance path, the pooled solvency accounting, the redemption guarantee, and the trust model, semi-technically, with the mechanism design made explicit.

1Introduction

Commerce on the internet has come to rely on trusted third parties [1] to hold the real-world assets that onchain tokens represent. The tokenization of stocks, bonds, and commodities works well enough for most transactions, but it still suffers from the inherent weakness of the custodial model. A token that says eTSLA is only as good as the entity that promises a share of Tesla sits behind it: its broker-dealer, its jurisdiction, its prospectus, its solvency.

What is needed is a way to hold real-world-asset exposure onchain that does not depend on trust in a custodian, and that a holder can verify directly. Crypto already solved an analogous problem once: the collateralized debt position (CDP) gave us decentralized stablecoins like DAI [3]: synthetic dollars backed by transparent onchain collateral rather than a bank account. It is tempting to reach for the same tool for stocks. That instinct is wrong, and understanding why is the foundation of this protocol.

Two families of solution exist today, and they fail on opposite axes:

Model A · Custodial

Backed tokens

Ondo, Backed / xStocks, Dinari. A regulated issuer holds the physical share and issues a claim. Tracks perfectly, but you must trust the custodian: counterparty risk, jurisdiction, opacity, redemption at the issuer's discretion.

Model B · CDP synthetic

Overcollateralized synthetics

The DAI model applied to an RWA. Trustless, but breaks for stocks: it backs a volatile asset with another volatile asset, so the collateral it demands scales with the very volatility you want to hold. Great for a $1 peg; wrong for a moving price.

Own Protocol proposes a third model that keeps the trustlessness of the CDP and the tracking fidelity of the custodial issuer, while discarding both of their defects. We call the instrument a Collateral-Secured Token. The remainder of this paper builds it up from first principles: first the failure of the CDP for RWAs (§2), then the CST and the insurance model behind it (§3), the vault that secures it and the lending market it underwrites (§4), how it is issued (§5), how the system stays solvent (§6–7), how the incentives compound (§8–9), who the system serves (§10), and finally the oracle and the trust model (§11–12).

2Why CDPs fail for RWAs

A CDP mints a synthetic token against locked collateral and relies on liquidation to keep it solvent. For a stablecoin this works beautifully. For a real-world asset it breaks, and the deeper reason is not tracking but capital: a CDP backs a volatile asset with another volatile asset, and the cost of doing that safely grows with the very volatility people want to hold.

2.1 One volatile leg, or two

A CDP's collateral ratio has to cover the worst-case adverse move over a liquidation window, so what decides its capital cost is simple: how many things in the system can move at once. To mint debt value \(D\) the user locks collateral value \(C\) at a minimum ratio \(\rho\):

$$ C \;\ge\; \rho\, D \qquad\Longrightarrow\qquad e \;=\; \frac{D}{C} \;\le\; \frac{1}{\rho}. $$
Eq. 1: capital efficiency of a CDP

A stablecoin has one volatile leg: the collateral (say ETH) moves, but the liability is pinned at \(\$1\). An RWA synthetic has two: the liability tracks a moving market price while the collateral moves independently, and without a hedge nothing nets one leg against the other. What that costs is not a matter of taste. \(\rho\) is set by the worst joint move a position must survive through liquidation: over that horizon let \(\delta_c\) be the worst credible collateral drawdown and \(\delta_e\) the worst credible rise in the liability. Solvency through liquidation requires \(C(1-\delta_c) \ge D(1+\delta_e)\), i.e.

$$ \rho \;\ge\; \frac{1+\delta_e}{1-\delta_c}\,. $$
Eq. 2: the collateral ratio is set by the joint worst case

One leg. For a stablecoin the liability is pinned, so \(\delta_e = 0\). The binding horizon is not a single liquidation window but a stress episode in which liquidation itself is impaired (congestion, cascading sales, zero-bid auctions: Black Thursday 2020), and ETH has halved in such episodes more than once. \(\delta_c = 50\%\) gives \(\rho \ge 2\). MakerDAO's parameter floor is 150% [3]; the ratio that survives in practice is \(\approx 2\times\), and \(e \le 0.5\).

Two legs. For an RWA the liability moves too, and with no hedge the position must provision for the joint worst case. Keep \(\delta_c = 50\%\) and take \(\delta_e = 30\%\) (single names gap on earnings and halts, and hot names rally that much in weeks): \(\rho \ge 1.3/0.5 = 2.6\) before the liquidation bonus and slippage. Call it \(3\times\), and \(e \le 0.33\). And it scales the wrong way: \(\delta_e\) grows with exactly the volatility people want to hold. In plain terms, a CDP asks the person who wants \$1 of Tesla exposure to lock up \$3, and the tax is heaviest for the very names that drive demand. That is negative leverage on a product whose entire appeal is exposure.

Capital is the structural failure; tracking is the practical one. Nothing in a CDP connects the synthetic's onchain price \(\tilde P_t\) to the true price \(P_t\) except speculative flow, so the two drift. §3 supplies both the missing capital model and the missing mechanism, and Eq. 2 itself returns in §6.1, inverted, as the sizing rule for CST collateral: the same bound over a bounded claim window instead of an open-ended horizon.

2.2 Reflexivity under stress

Finally, CDP liquidations are reflexive. When the collateral and the minted asset are correlated, as they are whenever crypto sells off, a price drop triggers liquidations, whose forced selling drives the price down further, triggering more liquidations. Stablecoins partly escape this because the debt (a dollar) is uncorrelated with the collateral. An RWA synthetic enjoys no such insulation. CDPs, in short, gave crypto trustless dollars; they cannot give it trustless stocks. The next section fixes each failure in turn.

Table 1: CDP vs. CST on the three failure axes.
AxisCDP synthetic RWACollateral-Secured Token
Price trackingFragile, oracle-dependentOffchain hedge is the mechanism (§3)
Capital efficiency (minter)\(e \le 1/\rho \approx 0.33\)\(\approx 1\times\): minter pays notional, LPs post the insurance
Who posts safety collateralThe minter (wants exposure)The LP (wants yield), roles separated
Stress behaviorReflexive liquidation spiralSelf-healing liquidation (§8.3)

3Collateral-Secured Tokens

A Collateral-Secured Token (CST) is a tokenized real-world asset whose price is maintained by an offchain hedge and whose solvency is insured by onchain collateral. The design move is a change in the collateral's job: stop backing the debt, start insuring the dealer.

A CDP asks one pool of locked collateral to do everything: provide the exposure, track the price, and guarantee solvency. That is why it charges \(\rho\) dollars per dollar and liquidates on every adverse move (§2). A CST splits the jobs across the two parties naturally suited to them, and moves the collateral from behind every position to behind the one party whose failure actually needs insuring:

  • The market maker provides tracking. When a minter pays stablecoins to mint a CST, those stablecoins flow to a market maker who opens an offsetting hedge offchain (the real asset, a perp, or a broker position). The hedge, not an onchain arbitrage loop, is what makes \(\tilde P_t\) track \(P_t\). This is the mechanism a CDP structurally lacks (§2.1).
  • The liquidity providers provide insurance. Independently, LPs deposit collateral into an onchain vault. This collateral does not fund the hedge and does not back any position. It stands behind the market maker's performance the way a clearinghouse default fund stands behind a member, and it is touched in exactly one scenario: the maker fails to honor a redemption, and the collateral is liquidated at the oracle price to make the holder whole (§7).

Three consequences follow, and each one is a CDP failure inverted:

  1. Holders carry no liquidation risk. There is no position to liquidate, only a default to insure. A price move, however violent, liquidates no one: collateral liquidation requires a credit event, not a price event (Eq. 4).
  2. Minters pay 1:1. The minter's dollar funds the hedge. It is working capital, not margin, so the punitive \(\rho\) of Eq. 1 leaves the minter's side entirely; the safety margin is posted by yield-seeking LPs instead (Eq. 3).
  3. The collateral stays productive. Backing capital sits idle against its own position. Insurance capital is at risk but not spent, so the same pool can underwrite a lending market and earn native yield while it secures issuance (§4).

The economic substance of a CST is therefore not the onchain collateral alone: the minter's dollars live in the hedge, and the collateral is the trustless insurance behind it. Hence the word: secured, not backed.

They're backed. We're secured.
A backed token asks you to trust a custodian holding the real share. A Collateral-Secured Token replaces that custodian with onchain collateral anyone can verify.
BACKED · TRUST THE CUSTODIAN Holder trusts Custodian / SPV Real share (opaque) One trusted party. Unverifiable. SECURED · VERIFY THE COLLATERAL Holder Offchain hedge MECHANISM verifies Onchain collateral BACKSTOP · MPV liquidate on default → Hedge tracks price · collateral guarantees redemption.
Figure 1. Backed tokens interpose a custodian the holder must trust (left). A CST routes price-tracking through an offchain hedge (the mechanism) and solvency through onchain collateral anyone can verify (the backstop), which liquidates to the holder if the hedge fails.

3.1 Backing vs insurance, quantified

Write \(k\) for the capital a party must commit per dollar of exposure. A CDP concentrates everything on the minter: \(k_{\text{minter}} = \rho \approx 3\), idle by construction, because that collateral is the sole and continuous backing of its own position. A CST splits the ledger:

$$ k_{\text{minter}} \;=\; 1, \qquad k_{\text{LP}} \;=\; \frac{1}{U_{\max}} \;\approx\; 1.5 \quad \text{(pooled, productive).} $$
Eq. 3: capital per dollar of exposure, by party

The LP's \(1/U_{\max}\) is not the CDP's \(\rho\) wearing a different name; it differs in three ways that compound. It is pooled: one insurance base stands behind every asset and every position, instead of each position dragging its own worst-case buffer. It is productive: the pool earns native yield, a lending premium, and a spread share while it stands guard (§9), where CDP backing earns nothing. And it is voluntary: posted by parties who are paid a premium to underwrite, not extracted from the person who came for exposure. The minter's capital efficiency is exactly one, and the collateral that remains in the system is an earning asset rather than dead weight.

The second difference is the trigger. A CDP liquidates whenever the price crosses a threshold. A CST liquidates collateral in exactly one case: a maker defaults on a redemption.

$$ \underbrace{\mathbf{1}\{\,C_t < \rho_{\text{liq}}\, D_t\,\}}_{\text{CDP: a price event}} \qquad\text{vs.}\qquad \underbrace{\mathbf{1}\{\,\text{maker default} \;\wedge\; \text{unfilled redemption}\,\}}_{\text{CST: a credit event}} $$
Eq. 4: what triggers a collateral liquidation

Price events are frequent, correlated with market stress, and reflexive (§2.2): the liquidation itself moves the price that triggers the next one. Credit events are rare and idiosyncratic, the exposure a default can strand is capped at all times by the solvency invariant (§6), and settling a claim shrinks exposure and collateral together instead of dumping inventory on a falling market; §7 proves the resulting stability property (Eq. 12).

CDP · COLLATERAL BEHIND EVERY POSITION $1 of debt $2 locked IDLE $1 of debt $2 locked IDLE $1 of debt $2 locked IDLE TRIGGER: PRICE MOVE · FREQUENT · REFLEXIVE Every position carries its own liquidation point. CST · COLLATERAL BEHIND THE DEALER holder holder holder Market maker OFFCHAIN HEDGE · MECHANISM on default only Pooled vault (MPV) INSURANCE · PRODUCTIVE TRIGGER: MAKER DEFAULT · RARE · CAPPED One pool insures the dealer. Holders are never liquidated.
Figure 2. Backing pins idle collateral behind every position and liquidates on price moves (left). Insurance pools productive collateral behind the market maker and liquidates only on default (right). The trigger moves from a price event to a credit event, and holders are never liquidated.

3.2 Neighbors, and why they are not this

The design space around tokenized exposure is crowded, and a CST should be judged against its nearest neighbors, not only against the two failures of §1:

Table 2: adjacent designs, and the axis on which each one breaks.
DesignTrust rootWhat makes it trackCapital per $1Where it breaks
Custodial wrapper (Ondo, xStocks)CustodianReal share held 1:1~1× Reintroduces the intermediary: counterparty risk, opacity, gated redemption.
CDP synthetic (DAI model on RWAs)CodeNothing structural (§2.1)\(\rho \approx 3\times\), idle Two volatile legs force punitive, unscalable collateral (§2).
Pooled-debt synths (Synthetix [5])CodeOracle exchange against a shared debt pool4×+ historical Stakers are the unhedged counterparty to every synth.
Perp DEX (Hyperliquid, Ostium)Code + venueFunding-rate convergenceMargin A position, not a token: funding bleed, liquidation risk, no composability.
Delta-neutral dollar (Ethena [6])Code + venuesThe collateral itself is the hedge~1× Hedge and backing share one balance sheet; built for one asset, the dollar.
CST (this paper)CodeOffchain hedge + oracle-priced forced redemption1× minter; pooled LP insurance Capacity bounded by collateral; trust model of §12.

The closest neighbor is Ethena [6]: a delta-neutral hedge stands behind a synthetic dollar, with an insurance fund for tail risk. A CST generalizes the hedge but inverts the architecture. In Ethena the deposited collateral is the hedge: one balance sheet both provides the exposure and secures it, so a hedge failure is a backing failure. In a CST they are strangers: the minter's payment funds the hedge, LP collateral sits onchain and never touches it, and every asset carries its own oracle-priced force-redemption anchor (§7). And where Ethena's insurance fund is protocol-owned surplus, MPV insurance is third-party LP capital that prices itself: underwriting pays a premium, so coverage scales with demand rather than with retained earnings (§9). Synthetix [5] proved pooled collateral can back synths, but asked stakers to be the unhedged counterparty at 400%+ collateralization; a CST moves the price risk to a hedged dealer and leaves LPs only the default risk.

The category has no clean name today (every incumbent is custodial), so we define one. A CST is a mechanism category, like stablecoin or rollup, not a token interface: at the token layer it is deliberately plain, and everything that makes it a CST lives in how it is issued and secured.

Definition A token is a Collateral-Secured Token if and only if all five hold:
  1. Exogenous target. It tracks the price of an asset that trades outside the protocol.
  2. Separation. The capital that provides the exposure (funds the hedge) and the capital that secures solvency are distinct pools; collateral never funds the hedge.
  3. Insurance, not backing. Collateral liquidates only on issuer default (a credit event), never on a price move; holders are never liquidated.
  4. Verifiable solvency. That collateral covers exposure is checkable by anyone, onchain, at any time (Eq. 8).
  5. Permissionless exit. Any holder can force redemption at the oracle price against the collateral, without anyone's cooperation (§7).

Fail any one criterion and the instrument is something else; the failures map exactly onto Table 2. A custodial wrapper fails 4 and 5. A CDP synthetic fails 3. A delta-neutral dollar fails 2. A perp position fails the token premise itself. Concretely, a CST is a standard ERC-20 with ERC-2612 permit [7], one active token per asset, freely composable across DeFi [2]. Holders mint a CST, it is secured by an MPV, and an asset goes live as a CST: the vocabulary of the primitive.

4Multi-Purpose Vaults

An RWA token you cannot borrow against is a dead asset in DeFi. The Multi-Purpose Vault (MPV) exists so that no CST is ever that: one pooled collateral base that insures issuance, underwrites the lending market that makes CSTs worth holding, and earns yield while doing both.

Start with why lending is not optional. Crypto capital does not park. A holder who cannot redeploy against a position will sell it to fund the next trade, so an RWA with no borrow market loses exactly the users it was built for. Every asset that matters in DeFi (ETH, staked ETH, BTC, stablecoins) matters because a lending market exists for it. For CSTs to become an asset class rather than a curiosity, each one needs a borrow market from day one.

A lending market normally requires its own capital. The MPV's insight is that the insurance pool of §3 is already sitting there: at risk, but not spent. Because its jobs are layered in risk rather than in cash, the same deposited dollar works several non-conflicting jobs at once:

  1. It secures issuance. The pooled collateral is the insurance that guarantees CST redemptions (§7).
  2. It underwrites lending. The same collateral underwrites a lending market where CST holders borrow stablecoins against their tokens to build leverage (§8).
  3. It earns native yield. Yield-bearing collateral (aUSDC, wstETH) accrues its underlying return continuously; the ERC-4626 share price appreciates automatically.
  4. It absorbs risk. It is the first-loss capital that stands behind a market maker's performance, in exchange for a premium.

Multiple LPs deposit into a vault and receive ERC-4626 shares proportional to their contribution. There is one vault per collateral type (USDC, aUSDC, WETH, wstETH), and one vault manager per vault. Critically, vaults are not fund-flow intermediaries: minter stablecoins go to the market maker via the RFQ escrow, never through the vault. The vault holds LP collateral purely as trustless security. This is what lets the same dollar of collateral back issuance and earn yield and seed the lending book without being double-spent: the jobs are layered in risk, not in cash.

This is the second half of the thesis: security and utility fund each other. The lending book and the trading flow generate the premiums that pay LPs (§9); those premiums keep the insurance pool funded; and the funded pool lets the next CST launch with a lending market already underneath it. A CDP's collateral is a cost the minter pays. An MPV's collateral is a business.

MPV ONE COLLATERAL BASE 1 · Secures issuance backstop for CST redemptions 2 · Powers lending underwrites borrow book 3 · Earns native yield aUSDC / wstETH appreciation 4 · Absorbs risk first-loss for VM default
Figure 3. The Multi-Purpose Vault. A single ERC-4626 collateral base is layered across four non-conflicting roles. LP shares appreciate from native yield, the lending premium, and the trading-spread share, 30–50% above the collateral's standalone benchmark (§9).
Pooled backing, isolated custody Solvency is accounted globally across all vaults (a mint anywhere draws on the protocol's total collateral and total exposure), but custody and yield are isolated per vault: each collateral type keeps its own LP shares, its own native yield, and its own lending book. A market maker's shortfall is mutualized across the global pool, strengthening CST backing at the cost of shared LP risk (§12).

5Issuance via RFQ

CSTs are issued through a request-for-quote (RFQ) marketplace: pricing happens offchain as a firm signed quote, and settlement happens onchain, atomically. There is no onchain mint or redeem fee: the market maker's margin is the bid/ask spread baked into the quote.

A quote is an EIP-712 signed object binding the taker, asset, side, amount, price, a single-use quote id, and an expiry. The signed digest commits the chain id and market address to prevent cross-chain and cross-contract replay, and each digest is consumable once. A quote is accepted only if it recovers to a registered signer. Two settlement paths exist:

  • Market order: the taker submits the signed quote and it settles atomically in one transaction. Nothing is persisted.
  • Limit order: the taker rests an order onchain, escrowing the input; a maker later fills it (fully or partially) with a signed quote whose price satisfies the limit.

On a mint, the full payment-token amount is routed from the taker to the market maker's linked settlement address, and eTokens are minted to the taker:

$$ q \;=\; \frac{a \cdot 10^{18}}{p}\quad\text{(decimal-adjusted),} $$
Eq. 5: eTokens minted for payment amount \(a\) at quoted price \(p\)

On a redeem, payment tokens flow from the market maker's linked address to the taker, the taker's eTokens burn, and global exposure shrinks. The market maker closes the corresponding leg of its offchain hedge. Decoupling the hot signing key from the funds custodian (the "linked address") bounds the damage a leaked key can do.

Price protection. Beyond the user's own limit, every market and limit settlement must price within a band of the asset's keeper-cached mark \(m\):

$$ \lvert p - m \rvert \;\le\; \delta \cdot m , \qquad \delta = \texttt{settleBandBps} \;(\text{default } 5\%). $$
Eq. 6: settle band bounds a compromised signer

This caps the harm from a compromised signer key to \(\delta\) of notional. Force-executed redemptions are exempt from the band because they price at the bare oracle limit (§7).

MINTER MARKET (onchain) MARKET MAKER MPV / LPs ① Submit quote pay USDC ② Check-and-commit verify solvency vs MPV ③ Hedge offchain ④ mint eToken →
Figure 4. Mint lifecycle. The market atomically checks new exposure against the MPV's global solvency caps (§6), routes payment to the maker's linked address, and mints the CST to the taker in a single transaction. The maker hedges offchain; LP collateral never moves; it only stands behind the position.

6Pooled Solvency & Risk Accounting

All exposure and collateral valuation lives in a single risk hub and is valued only at keeper-cached oracle marks, never trade prices. Three O(1) caps protect solvency, checked and committed on the same path that mints.

Let \(u_a\) be the outstanding units of asset \(a\), \(m_a\) its cached USD mark, and \(C_{\text{USD}}\) the total counted collateral value across all vaults. The protocol maintains, as an \(O(1)\) running total,

$$ E_{\text{USD}} \;=\; \sum_a u_a \, m_a , $$
Eq. 7: global exposure

and enforces the global solvency invariant on every risk-increasing mint:

$$ E_{\text{USD}} \;\le\; U_{\max}\cdot C_{\text{USD}}, \qquad U_{\max}=\texttt{globalMaxUtilizationBps}. $$
Eq. 8: the master solvency constraint

Two further caps bound concentration and per-asset issuance:

$$ u_a\, m_a \;\le\; \text{cap}_a \quad(\text{per-asset ceiling}); \qquad c_v \;\le\; \kappa_v \, C_{\text{USD}} \quad(\text{collateral concentration}). $$
Eq. 9: per-asset ceiling and per-vault concentration cap

A per-asset ceiling of zero blocks minting that asset: a fail-safe default. The concentration cap \(\kappa_v\) counts at most a capped share of any single vault's collateral toward the global total, so no one collateral type can dominate the backing. All three are re-checked whenever a permissionless keeper refreshes a mark.

Mark freshness. Opening exposure (risk-increasing) requires the asset mark to have been pulled within a freshness bound \(\tau\) (default 15 minutes); new exposure cannot open against a stale price. Closing exposure and redemptions deliberately tolerate stale marks; they only reduce risk. Because the same code path both validates and commits the mint, the issuance check is correct by construction: there is no window in which a mint is approved but not booked.

Why this beats the CDP In a CDP the solvency check is per-position and the collateral is posted by the minter. Here it is global and the collateral is posted by LPs. The minter pays full notional and receives full exposure (Eq. 5); the safety margin \(U_{\max}\) is provided by yield-seeking LPs, not extracted from the person who wants the exposure. That is the capital-efficiency inversion of Table 1.

6.1 Sizing \(U_{\max}\): the buffer is a claim-window VaR

\(U_{\max}\) is not a style choice; it is sized by the guarantee's worst case. The guarantee must hold not at the last mark but at claim settlement: between the freshest accounting and the end of a forced redemption (the claim threshold \(T\), plus proof staleness), collateral can fall while the asset mark rises. Let \(\delta_c\) be the worst credible collateral drawdown over that window at the chosen confidence level, and \(\delta_e\) the worst credible rise in the asset mark. Solvency at settlement, even at the cap \(E = U_{\max} C\), requires \(C(1-\delta_c) \ge E(1+\delta_e)\), i.e.

$$ U_{\max} \;\le\; \frac{1-\delta_c}{1+\delta_e}\,. $$
Eq. 10: the cap is a value-at-risk bound over the claim window

This is Eq. 2 inverted, and the horizon shrinks from open-ended to a bounded claim window: that is the quantitative payoff of insurance over backing. A CDP's \(\rho\) must survive the joint worst case per position, continuously; the CST buffer only has to survive the move between a default and its settlement. Worked conservatively: stablecoin collateral (\(\delta_c \approx 0\)) against a 10% overnight equity gap gives \(U_{\max} \le 0.91\); staked-ETH collateral at a 99th-percentile 48-hour drawdown (\(\delta_c \approx 30\%\)) against the same gap gives \(U_{\max} \le 0.64\). The deployed ladder (65% stablecoin, 55% BTC, 50% staked ETH) sits inside these bounds, and the slack is deliberate: it absorbs oracle staleness, liquidation slippage, and correlation between crypto drawdowns and redemption waves. The golden rule of §9 forbids spending that slack on growth.

7The Redemption Guarantee

The collateral is the backstop; the hedge is the mechanism. In normal operation a market maker honors redemptions out of its hedge. The guarantee is what happens when it does not: the vault's collateral is liquidated onchain, permissionlessly, at the oracle price, to make the holder whole. In insurance terms, force execution is the claim process and the oracle-priced liquidation is the payout.

A redeemer holding eTokens is captive in a way a would-be minter is not: an unfilled mint simply leaves the user holding their stablecoins, but an unfilled redeem leaves the user holding a token they cannot exit. Force execution is the redeemer's recourse. After a global claim threshold \(T\) (default 48 hours) elapses from order creation with no maker fill, the order owner may force the redemption:

  1. The named vault must equal the protocol-designated force-execute vault (else the call reverts); if no vault is designated, force execution is disabled, a fail-safe.
  2. Fresh oracle proofs for the asset price \(P\) and collateral price \(P_c\) are supplied and verified (bounded staleness, not future-dated). The asset price must satisfy the order's limit floor.
  3. The remaining \(q\) eTokens are valued at the user's own limit price (the bare oracle price, with no maker spread), converted to the vault's collateral, and released directly to the redeemer:
$$ x \;=\; \frac{q \cdot P}{P_c}\quad\text{(collateral units released),} $$
Eq. 11: force-execution collateral release

the escrowed eTokens burn, and global exposure shrinks by \(qP\). The guarantee follows directly from the solvency invariant of Eq. 8: so long as \(C_{\text{USD}} \ge E_{\text{USD}}\), every outstanding CST can be redeemed for its full oracle value in collateral, whether or not any market maker participates. The hedge is a convenience; the collateral is the guarantee.

Claims are stabilising. A forced redemption of notional \(x = qP\) removes the same dollar amount from exposure and from collateral, so global utilization strictly improves:

$$ \frac{E_{\text{USD}} - x}{C_{\text{USD}} - x} \;<\; \frac{E_{\text{USD}}}{C_{\text{USD}}} \qquad \text{whenever } E_{\text{USD}} < C_{\text{USD}}, $$
Eq. 12: a claim strictly deleverages the system

and the solvency cap guarantees the condition (\(E \le U_{\max} C\) with \(U_{\max} < 1\)). Every claim leaves the system better collateralised than it found it. Contrast the CDP fire sale of §2.2, where each liquidation makes the next more likely: the same stress that cascades a CDP book strictly deleverages a CST book.

REDEMPTION: THREE TIERS TIER 1 · NORMAL Maker fills the redeem out of its offchain hedge no fill TIER 2 · WAIT Claim threshold T 48h grace for a fair quote elapsed TIER 3 · GUARANTEE Force-execute liquidate collateral @ oracle Invariant: C ≥ E ⟹ every CST redeemable at oracle value in collateral The market maker is a convenience. The collateral is the guarantee.
Figure 5. The three-tier redemption path. Tiers 1–2 rely on the market maker; Tier 3 is the trustless backstop that makes the holder whole from vault collateral at the oracle price (Eq. 11), enforced by the solvency invariant (Eq. 8).

Emergency settlement. If an asset must be wound down permanently, an operator can halt it at a fixed settlement price, after which holders redeem at that price from a designated halt-redeem fund. Force execution and halt redemption together ensure a holder can always exit, in every regime.

8Lending & Leverage

Because a CST is a real ERC-20 secured by real collateral, it can be borrowed against. Each vault runs a lending market where holders post eTokens as collateral and draw stablecoins (sourced from the vault's external credit line) to loop into leveraged exposure. This is the same collateral base doing its second job.

8.1 Looping

A holder mints a CST, posts it as collateral, borrows stablecoins, mints more, and repeats. At a per-loop loan-to-value of \(\theta\) (default 70%), the geometric series bounds terminal exposure per unit of equity:

$$ L \;=\; \sum_{k=0}^{\infty}\theta^{k} \;=\; \frac{1}{1-\theta} \;\approx\; 3.3\times \quad(\theta=0.7). $$
Eq. 13: maximum loop leverage

8.2 The two-slope rate and the kink

Debt accrues through a single global interest index on a two-slope curve. Borrowers pay the greater of the live external base rate (Aave v3 [4]) or a floor, plus a utilization-based premium \(\pi(u)\):

$$ r(u) \;=\; \max(r_{\text{base}},\, r_{\text{floor}}) \;+\; \pi(u), \qquad \pi(u)=\pi_0+\begin{cases} s_1\,\dfrac{u}{u^{*}}, & u \le u^{*} \\[8pt] s_1 + s_2\,\dfrac{u-u^{*}}{1-u^{*}}, & u > u^{*} \end{cases} $$
Eq. 14: borrow rate; kink at target utilization \(u^{*}\)

with defaults \(\pi_0=1\%\), kink \(u^{*}=80\%\), \(s_1=+4\%\), \(s_2=+75\%\). One dial sets both yield and supply. Below the kink, borrowing is cheap and the book fills, lifting LP income gently. Above the kink, the rate spikes, making leverage uneconomic so borrowers deleverage, an automatic brake that protects LPs and keeps their capital withdrawable. The premium above the base rate is swept to the vault manager, who redistributes it to LPs (raising the ERC-4626 share price).

lending utilization u borrow rate r(u) kink u*=80% base rate (Aave): floor gentle: book fills, LP yield rises steep: forces deleverage operate ≈7% < perp funding ≈13%
Figure 6. The two-slope rate of Eq. 14. The premium above the external base rate accrues to the vault manager and flows to LPs. The kink is placed where borrowing stays cheaper than perp funding, so the trade stays profitable for borrowers while paying LPs the most it safely can.

8.3 Health and self-healing liquidation

A position with \(n\) eTokens of collateral valued at \(P_{e}\), against debt \(D\) and liquidation threshold \(\ell\) (default 80%), has health factor

$$ \mathrm{HF} \;=\; \frac{n\,P_{e}\,\ell}{D}. $$
Eq. 15: borrower health factor

When \(\mathrm{HF}<1\) a liquidator repays up to a close-factor cap and seizes collateral plus a bonus \(\beta\) (default 5%): seized units \(= \text{repaid}\cdot(1+\beta)/P_e\). Crucially, liquidating a CST borrower is self-healing: the burned/seized eTokens reduce protocol exposure \(E\) while the recovered stablecoins repay the vault's external debt; both health factors improve at once. This is the structural opposite of the reflexive CDP spiral of §2.2.

9Economic Security & Incentives

A guarantee is only as strong as the incentive to provide the collateral behind it. The MPV is designed so that LP yield rises precisely when demand for the guarantee is highest: the system pulls in the collateral it needs, exactly when it needs it.

9.1 Where the demand comes from

The natural borrower is a delta-neutral fund harvesting perpetual-futures funding. Perp longs on hot names pay funding to shorts; a fund that holds an offsetting long does not care which way the stock moves and collects the funding. Own supplies that long cheaply and with leverage. With equity \(x\), loop leverage \(L\), borrow rate \(r\), and perp funding \(f\), the net annualized return on equity is

$$ \text{Net} \;=\; x\big[\,L f - (L-1)\,r\,\big]. $$
Eq. 16: funding-arbitrage net yield

For \(x=\$100\text{k}\), \(L=3\), \(f=13\%\), \(r=7\%\): \(\text{Net}=\$100\text{k}\,[3(0.13)-2(0.07)]=\$25\text{k}\), a ~25% gross return that is indifferent to the direction of the underlying. This makes the fund a stable, repeat borrower, exactly what keeps the lending book full.

9.2 The self-balancing flywheel

The borrow rate is the bridge that pays LPs. Borrowers pay \(r\); the premium above the external base rate flows to LPs, the market maker, and the protocol. Because the premium rises with utilization (Eq. 14), and utilization rises with borrowing demand, LP yield automatically increases when demand is hottest, with no parameter changes. Higher yield attracts more collateral, which expands lending capacity, which admits more borrowers: a compounding flywheel. Capacity is linear in collateral (\(E_{\max} = U_{\max}\,C\)), and collateral follows yield, so the system scales without ever loosening a safety parameter. LP income stacks three layers:

$$ r_{\text{LP}} \;=\; \underbrace{y}_{\text{native yield}} \;+\; \underbrace{\phi_{\pi}\,\frac{\pi(u)\,B}{C}}_{\text{lending premium}} \;+\; \underbrace{\phi_{s}\,\frac{s\,V}{C}}_{\text{spread share}} $$
Eq. 17: the LP yield stack (\(B\) borrowed, \(V\) annual volume, \(s\) spread, \(\phi\) revenue shares)

At a healthy operating point the stack lands 30–50% above each collateral's standalone benchmark; worked figures are in Appendix Table A2. When funding turns negative on a name, the market maker's hedge (going long the perp) is paid to hold it, and shares that funding with LPs, so LPs benefit across the funding cycle either way.

The golden rule Never raise the backing cap \(U_{\max}\) to make room for more demand. The cap is the safety limit. When it binds, the fix is to attract more collateral (which raises the ceiling automatically), not to loosen the guarantee.

9.3 Why the market maker does not default

The guarantee makes holders whole if a maker defaults; it does not rely on makers choosing not to. The maker's own ledger does that. Because its book is hedged, what a defaulting maker can extract is not the notional it quotes but the residual between hedge and liability over one claim window. What it forfeits is the franchise: the discounted value of the spread business, plus everything recourse can reach:

$$ \text{default pays only if} \qquad \Delta_{\text{window}} \;>\; \underbrace{\frac{s\,V}{r_d}}_{\text{franchise value}} \;+\; \Pi_{\text{recourse}} $$
Eq. 18: the maker's default condition (\(s\) spread, \(V\) annual volume, \(r_d\) discount rate)

\(\Delta_{\text{window}}\) is small by construction for a hedged book, while \(s\,V/r_d\) grows with the very volume that would make defaulting tempting. \(\Pi_{\text{recourse}}\) is enforced offchain: makers are KYC'd entities under a master service agreement, with daily signed proof-of-reserves, enumerated default triggers, personal guarantees, and quarterly audits (§12). The protocol does not assume honest makers; it makes dishonesty a bad trade, and then insures against it anyway.

10Who a CST Serves

A protocol clears when every participant gets something the alternatives do not offer. Each actor in this system has a distinct reason to show up, and each pays a visible price for it.

Table 3: what each participant gets, and what it costs them.
ParticipantWhat they getWhat they give up / risk
Holder / minter Verifiable RWA exposure at 1:1 capital. No funding rate, no holding cost, no liquidation risk; trustless and self-custodial. A composable ERC-20 that works across DeFi. Bid/ask spread on entry and exit; worst-case exit waits out the claim window (§7).
Borrower (delta-neutral fund) The cheap leveraged long leg of the funding arbitrage (Eq. 16): up to \(\approx 3.3\times\) via looping (Eq. 13) at a borrow rate kept below perp funding. Pays the borrow premium that funds LP yield; carries liquidation risk on the loop (§8.3).
Liquidity provider Underwriting income: native yield plus lending premium plus spread share (Eq. 17, Table A2), 30–50% above the collateral's standalone benchmark. First-loss capital on a market maker default, mutualised across vaults (§12).
Market maker The spread on every mint and redeem, hedged and therefore without directional risk, on distribution rails it does not have to build. Must honor redemptions; a default forfeits the business and triggers the insurance liquidation.
DeFi at large A new collateral class: equities, ETFs, and gold as permissionless, composable building blocks. Inherits the trust assumptions of §12.

The common thread is access. Much of crypto-native capital sits beyond the reach of traditional brokerage infrastructure. Own gives that capital the exposure, the leverage, and the yield natively, in stablecoins, onchain, with no custodian in the middle. The demand engine of §9 is not hypothetical users discovering stocks; it is existing capital that already wants this trade and has no other rail to run it on.

11Oracle & Price Attestation

Every valuation in the protocol (marks for risk accounting, force-execution payouts, the lending debt cap) is driven by an external oracle. Onchain spot prices (DEX reserves) are never used for valuation.

A dual-oracle architecture lets each asset select its price source:

  • In-house signed oracle. An authorized signer submits an EIP-712 PriceAttestation(asset, price, timestamp). Per-asset bounds reject stale prices and jumps beyond a deviation band, and timestamps must be strictly increasing. Emergency signer removal is instant.
  • Pyth Network [8]. Variable-exponent prices normalized to 18 decimals, gated by a confidence-interval bound and a max age, with up to four per-asset session feeds (regular, pre-market, post-market, overnight).

Both expose a cached read (for keeper marks) and an inline-proof read (for the force path). The oracle verifier is swappable behind the protocol registry, so the protocol can migrate to new price infrastructure ( Chainlink, a ZK oracle) by updating a single address. Signed messages bind chain id and contract address to prevent replay; a compromised signer is bounded within the staleness and deviation bounds and the settle band of Eq. 6.

12Trust Model & Limitations

The protocol assumes a small set of vetted privileged actors and treats end users as adversarial. The design goal is that no single actor can move value to itself, and that the onchain guarantee holds even if the market maker defaults.

Table 4: actors and trust levels.
ActorTrustRole & bound
Protocol adminTrusted (7-day timelock)Register contracts, assets, oracles; set global params.
OperatorTrusted (instant)Emergency only: pause, halt, remove signer; cannot move funds.
Vault manager / makerSemi-trustedHedges offchain, earns spread + premium. LP collateral backstops its default.
Quote / oracle signerSemi / trustedSign quotes / prices offchain. Damage bounded by settle band, single-use quotes, deviation bounds.
KeeperUntrustedPermissionless: refresh marks, accrue interest, fulfil exits. Cannot move value to itself.
LPUntrustedProvides backstop collateral, earns yield. Capital at risk on VM default.
Minter / redeemerAdversarialTrades via escrow marketplace; redeemer has onchain force-execution recourse.

Accepted trade-offs. An auditor and an LP should weigh these deliberate choices:

  • Cross-VM loss mutualization. A market maker's shortfall is covered by the global collateral pool; all vaults' LPs share the loss. This strengthens CST backing (a bigger pool stands behind every token) at the cost of mutualizing LP risk across vaults.
  • Oracle signer trust. The in-house oracle relies on a protocol-operated signer (single now, M-of-N later). A compromised signer can mis-mark only within the staleness and deviation bounds.
  • Stablecoin 1:1 peg. Lending math lifts stablecoins to USD at par; a depeg is invisible to debt valuation until marked.
  • Offchain hedge is not onchain-verifiable. The market maker's hedge is attested, not proven. This is why LP collateral is the guarantee rather than the hedge; future versions target ZK proofs of offchain holdings. Additional real-world guards (KYC'd managers under a master service agreement, daily signed proof-of-reserves, personal guarantees, enumerated default triggers, and quarterly audits) bound this in operation.

Structural limitations. Beyond trust assumptions, four properties of the design itself that a holder or LP should price in:

  • Exit latency in the worst case. If no maker quotes, a redeemer waits out the claim threshold (default 48 hours) before force execution (§7). A CST guarantees exit at oracle value, not instant exit; it is not a stablecoin-style at-par instrument.
  • Capacity is collateral-bounded. Issuance can never exceed \(U_{\max}\,C\) (Eq. 8). Growth is deliberately supply-constrained: when demand hits the cap, the protocol must attract more collateral, never loosen the cap (§9). This trades growth speed for solvency.
  • The flywheel runs in reverse. LP yield depends on borrowing demand. In a cold funding regime the premium compresses, collateral can leave, and capacity shrinks with it. The kink model slows the unwind (falling utilization makes borrowing cheaper, Eq. 14) but does not eliminate the cycle.
  • Price exposure, not ownership. A CST confers the price of the asset, not the rights of a shareholder: no voting, no direct corporate actions. Synthetic exposure also faces jurisdictional restrictions that engineering cannot remove. The protocol layer stays permissionless and non-custodial; restrictions, where required, are applied at the distribution layer: by integrating apps, and by market makers, who choose whom they quote.

We state these plainly because a guarantee is only as credible as the failure modes it survives. The security posture still reduces to one line: the mechanism (the hedge) can fail, and the holder is made whole by the backstop (the collateral), enforced permissionlessly by the solvency invariant of Eq. 8. That is the difference between secured and backed.

13Conclusion

We have described a system for real-world-asset exposure onchain that requires trust in no custodian and imposes no overcollateralization tax on the holder. The CDP gave crypto trustless dollars but cannot give it trustless stocks: a stablecoin backs one volatile leg with collateral and pins the other at $1, while an RWA forces you to back a volatile asset with another volatile one, which demands punitive, unscalable collateralization. Custodial tokenization tracks the price but reintroduces the trusted intermediary.

The Collateral-Secured Token resolves both by moving the collateral from behind the debt to behind the dealer: an offchain hedge provides price tracking (the mechanism), and an onchain Multi-Purpose Vault insures solvency (the backstop), with the same collateral base simultaneously securing issuance, underwriting a lending market, and earning native yield. The redemption guarantee is not a promise from an issuer but a property of the code: as long as collateral covers exposure, any holder can redeem at the oracle price, permissionlessly, whether or not a market maker participates.

RReferences

  1. S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008.
  2. V. Buterin. Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform. 2014.
  3. MakerDAO. The Dai Stablecoin System. 2017.
  4. Aave. Aave Protocol Whitepaper v1.0. 2020.
  5. Synthetix. Synthetix Litepaper: A Decentralised Synthetic Asset Issuance Protocol. 2020.
  6. Ethena Labs. Ethena: USDe, a Synthetic Dollar Backed by Delta-Neutral Derivatives Positions. 2024.
  7. F. Vogelsteller and V. Buterin, EIP-20: Token Standard, 2015; M. Lundfall et al., EIP-2612: Permit, 2020; J. Santoro et al., EIP-4626: Tokenized Vaults, 2022.
  8. Pyth Data Association. Pyth Network Whitepaper. 2022.

AAppendix: Parameters & Notation

Table A1: key parameters and design defaults (all admin-configurable unless noted).
Symbol / paramMeaningDefault
\(U_{\max}\) · globalMaxUtilizationBpsGlobal solvency cap: exposure ÷ collateraladmin-set
\(\text{cap}_a\) · assetCapUSDPer-asset USD issuance ceiling0 (blocks mint)
\(\kappa_v\) · collateralCapBpsPer-vault concentration cap0 (uncapped)
\(\delta\) · settleBandBpsMax settle deviation from mark5%
\(\tau\) · maxMarkAgeMark freshness for opening exposure15 min
\(T\) · claimThresholdDelay before force-execute allowed48 h
\(\theta\) · borrowLtvBpsPer-position borrow LTV70%
\(\ell\) · liquidationThresholdBpsLiquidation threshold80%
\(\beta\) · liquidationBonusBpsLiquidator bonus5%
\(u^{*}\) · kinkTarget lending utilization80%
\(\pi_0,s_1,s_2\)Base premium / slope 1 / slope 21% / +4% / +75%
timelockRegistry default-admin transfer delay7 days
Table A2: illustrative LP yield stack at a healthy operating point (model assumptions, mid-2026 rates; not a promise).
Income layeraUSDC vaultwstETH vaultcbBTC vault
Native base yield3.12% (Aave)2.55% (Lido)~0% (idle BTC)
+ Lending premium+0.8%+0.6%+0.7%
+ Trading-spread share+0.6%+0.6%+0.6%
= Organic LP yield~4.5%~3.8%~1.5%
vs. benchmark+44% over Aave+49% over stETHvs ~0% idle

Read each vault against its own benchmark: aUSDC competes with Aave/Morpho; wstETH earns extra where lending markets pay staked ETH almost nothing; cbBTC turns idle Bitcoin into yield while diversifying the collateral mix (Eq. 17).

Standards compliance

ERC-20 + ERC-2612 (eToken); ERC-4626 (LP vault shares); ERC-7540 (async deposit/withdraw queues); EIP-712 (RFQ quotes and price attestations, domain "Own Protocol", v1, bound to chain id + contract).

Notation

Pt true asset price · P̃t synthetic market price · ρ CDP collateral ratio · e capital efficiency · EUSD global exposure · CUSD global collateral · Umax utilization cap · ma asset mark · q eTokens · p quote price · L loop leverage · θ borrow LTV · r borrow rate · π(u) premium · u* kink · HF health factor · β liq. bonus · f perp funding · δ settle band · δc, δe claim-window collateral drawdown / asset gap.