1Introduction
Commerce on the internet has come to rely on trusted third parties [1] to hold the real-world assets that onchain tokens represent. The tokenization of stocks, bonds, and commodities works well enough for most transactions, but it still suffers from the inherent weakness of the custodial model. A token that says eTSLA is only as good as the entity that promises a share of Tesla sits behind it: its broker-dealer, its jurisdiction, its prospectus, its solvency.
What is needed is a way to hold real-world-asset exposure onchain that does not depend on trust in a custodian, and that a holder can verify directly. Crypto already solved an analogous problem once: the collateralized debt position (CDP) gave us decentralized stablecoins like DAI [3]: synthetic dollars backed by transparent onchain collateral rather than a bank account. It is tempting to reach for the same tool for stocks. That instinct is wrong, and understanding why is the foundation of this protocol.
Two families of solution exist today, and they fail on opposite axes:
Backed tokens
Ondo, Backed / xStocks, Dinari. A regulated issuer holds the physical share and issues a claim. Tracks perfectly, but you must trust the custodian: counterparty risk, jurisdiction, opacity, redemption at the issuer's discretion.
Overcollateralized synthetics
The DAI model applied to an RWA. Trustless, but breaks for stocks: it backs a volatile asset with another volatile asset, so the collateral it demands scales with the very volatility you want to hold. Great for a $1 peg; wrong for a moving price.
Own Protocol proposes a third model that keeps the trustlessness of the CDP and the tracking fidelity of the custodial issuer, while discarding both of their defects. We call the instrument a Collateral-Secured Token. The remainder of this paper builds it up from first principles: first the failure of the CDP for RWAs (§2), then the CST and the insurance model behind it (§3), the vault that secures it and the lending market it underwrites (§4), how it is issued (§5), how the system stays solvent (§6–7), how the incentives compound (§8–9), who the system serves (§10), and finally the oracle and the trust model (§11–12).
2Why CDPs fail for RWAs
A CDP mints a synthetic token against locked collateral and relies on liquidation to keep it solvent. For a stablecoin this works beautifully. For a real-world asset it breaks, and the deeper reason is not tracking but capital: a CDP backs a volatile asset with another volatile asset, and the cost of doing that safely grows with the very volatility people want to hold.
2.1 One volatile leg, or two
A CDP's collateral ratio has to cover the worst-case adverse move over a liquidation window, so what decides its capital cost is simple: how many things in the system can move at once. To mint debt value \(D\) the user locks collateral value \(C\) at a minimum ratio \(\rho\):
A stablecoin has one volatile leg: the collateral (say ETH) moves, but the liability is pinned at \(\$1\). An RWA synthetic has two: the liability tracks a moving market price while the collateral moves independently, and without a hedge nothing nets one leg against the other. What that costs is not a matter of taste. \(\rho\) is set by the worst joint move a position must survive through liquidation: over that horizon let \(\delta_c\) be the worst credible collateral drawdown and \(\delta_e\) the worst credible rise in the liability. Solvency through liquidation requires \(C(1-\delta_c) \ge D(1+\delta_e)\), i.e.
One leg. For a stablecoin the liability is pinned, so \(\delta_e = 0\). The binding horizon is not a single liquidation window but a stress episode in which liquidation itself is impaired (congestion, cascading sales, zero-bid auctions: Black Thursday 2020), and ETH has halved in such episodes more than once. \(\delta_c = 50\%\) gives \(\rho \ge 2\). MakerDAO's parameter floor is 150% [3]; the ratio that survives in practice is \(\approx 2\times\), and \(e \le 0.5\).
Two legs. For an RWA the liability moves too, and with no hedge the position must provision for the joint worst case. Keep \(\delta_c = 50\%\) and take \(\delta_e = 30\%\) (single names gap on earnings and halts, and hot names rally that much in weeks): \(\rho \ge 1.3/0.5 = 2.6\) before the liquidation bonus and slippage. Call it \(3\times\), and \(e \le 0.33\). And it scales the wrong way: \(\delta_e\) grows with exactly the volatility people want to hold. In plain terms, a CDP asks the person who wants \$1 of Tesla exposure to lock up \$3, and the tax is heaviest for the very names that drive demand. That is negative leverage on a product whose entire appeal is exposure.
Capital is the structural failure; tracking is the practical one. Nothing in a CDP connects the synthetic's onchain price \(\tilde P_t\) to the true price \(P_t\) except speculative flow, so the two drift. §3 supplies both the missing capital model and the missing mechanism, and Eq. 2 itself returns in §6.1, inverted, as the sizing rule for CST collateral: the same bound over a bounded claim window instead of an open-ended horizon.
2.2 Reflexivity under stress
Finally, CDP liquidations are reflexive. When the collateral and the minted asset are correlated, as they are whenever crypto sells off, a price drop triggers liquidations, whose forced selling drives the price down further, triggering more liquidations. Stablecoins partly escape this because the debt (a dollar) is uncorrelated with the collateral. An RWA synthetic enjoys no such insulation. CDPs, in short, gave crypto trustless dollars; they cannot give it trustless stocks. The next section fixes each failure in turn.
| Axis | CDP synthetic RWA | Collateral-Secured Token |
|---|---|---|
| Price tracking | Fragile, oracle-dependent | Offchain hedge is the mechanism (§3) |
| Capital efficiency (minter) | \(e \le 1/\rho \approx 0.33\) | \(\approx 1\times\): minter pays notional, LPs post the insurance |
| Who posts safety collateral | The minter (wants exposure) | The LP (wants yield), roles separated |
| Stress behavior | Reflexive liquidation spiral | Self-healing liquidation (§8.3) |
3Collateral-Secured Tokens
A Collateral-Secured Token (CST) is a tokenized real-world asset whose price is maintained by an offchain hedge and whose solvency is insured by onchain collateral. The design move is a change in the collateral's job: stop backing the debt, start insuring the dealer.
A CDP asks one pool of locked collateral to do everything: provide the exposure, track the price, and guarantee solvency. That is why it charges \(\rho\) dollars per dollar and liquidates on every adverse move (§2). A CST splits the jobs across the two parties naturally suited to them, and moves the collateral from behind every position to behind the one party whose failure actually needs insuring:
- The market maker provides tracking. When a minter pays stablecoins to mint a CST, those stablecoins flow to a market maker who opens an offsetting hedge offchain (the real asset, a perp, or a broker position). The hedge, not an onchain arbitrage loop, is what makes \(\tilde P_t\) track \(P_t\). This is the mechanism a CDP structurally lacks (§2.1).
- The liquidity providers provide insurance. Independently, LPs deposit collateral into an onchain vault. This collateral does not fund the hedge and does not back any position. It stands behind the market maker's performance the way a clearinghouse default fund stands behind a member, and it is touched in exactly one scenario: the maker fails to honor a redemption, and the collateral is liquidated at the oracle price to make the holder whole (§7).
Three consequences follow, and each one is a CDP failure inverted:
- Holders carry no liquidation risk. There is no position to liquidate, only a default to insure. A price move, however violent, liquidates no one: collateral liquidation requires a credit event, not a price event (Eq. 4).
- Minters pay 1:1. The minter's dollar funds the hedge. It is working capital, not margin, so the punitive \(\rho\) of Eq. 1 leaves the minter's side entirely; the safety margin is posted by yield-seeking LPs instead (Eq. 3).
- The collateral stays productive. Backing capital sits idle against its own position. Insurance capital is at risk but not spent, so the same pool can underwrite a lending market and earn native yield while it secures issuance (§4).
The economic substance of a CST is therefore not the onchain collateral alone: the minter's dollars live in the hedge, and the collateral is the trustless insurance behind it. Hence the word: secured, not backed.
They're backed. We're secured.
A backed token asks you to trust a custodian holding the real share. A Collateral-Secured Token replaces that custodian with onchain collateral anyone can verify.
3.1 Backing vs insurance, quantified
Write \(k\) for the capital a party must commit per dollar of exposure. A CDP concentrates everything on the minter: \(k_{\text{minter}} = \rho \approx 3\), idle by construction, because that collateral is the sole and continuous backing of its own position. A CST splits the ledger:
The LP's \(1/U_{\max}\) is not the CDP's \(\rho\) wearing a different name; it differs in three ways that compound. It is pooled: one insurance base stands behind every asset and every position, instead of each position dragging its own worst-case buffer. It is productive: the pool earns native yield, a lending premium, and a spread share while it stands guard (§9), where CDP backing earns nothing. And it is voluntary: posted by parties who are paid a premium to underwrite, not extracted from the person who came for exposure. The minter's capital efficiency is exactly one, and the collateral that remains in the system is an earning asset rather than dead weight.
The second difference is the trigger. A CDP liquidates whenever the price crosses a threshold. A CST liquidates collateral in exactly one case: a maker defaults on a redemption.
Price events are frequent, correlated with market stress, and reflexive (§2.2): the liquidation itself moves the price that triggers the next one. Credit events are rare and idiosyncratic, the exposure a default can strand is capped at all times by the solvency invariant (§6), and settling a claim shrinks exposure and collateral together instead of dumping inventory on a falling market; §7 proves the resulting stability property (Eq. 12).
3.2 Neighbors, and why they are not this
The design space around tokenized exposure is crowded, and a CST should be judged against its nearest neighbors, not only against the two failures of §1:
| Design | Trust root | What makes it track | Capital per $1 | Where it breaks |
|---|---|---|---|---|
| Custodial wrapper (Ondo, xStocks) | Custodian | Real share held 1:1 | ~1× | Reintroduces the intermediary: counterparty risk, opacity, gated redemption. |
| CDP synthetic (DAI model on RWAs) | Code | Nothing structural (§2.1) | \(\rho \approx 3\times\), idle | Two volatile legs force punitive, unscalable collateral (§2). |
| Pooled-debt synths (Synthetix [5]) | Code | Oracle exchange against a shared debt pool | 4×+ historical | Stakers are the unhedged counterparty to every synth. |
| Perp DEX (Hyperliquid, Ostium) | Code + venue | Funding-rate convergence | Margin | A position, not a token: funding bleed, liquidation risk, no composability. |
| Delta-neutral dollar (Ethena [6]) | Code + venues | The collateral itself is the hedge | ~1× | Hedge and backing share one balance sheet; built for one asset, the dollar. |
| CST (this paper) | Code | Offchain hedge + oracle-priced forced redemption | 1× minter; pooled LP insurance | Capacity bounded by collateral; trust model of §12. |
The closest neighbor is Ethena [6]: a delta-neutral hedge stands behind a synthetic dollar, with an insurance fund for tail risk. A CST generalizes the hedge but inverts the architecture. In Ethena the deposited collateral is the hedge: one balance sheet both provides the exposure and secures it, so a hedge failure is a backing failure. In a CST they are strangers: the minter's payment funds the hedge, LP collateral sits onchain and never touches it, and every asset carries its own oracle-priced force-redemption anchor (§7). And where Ethena's insurance fund is protocol-owned surplus, MPV insurance is third-party LP capital that prices itself: underwriting pays a premium, so coverage scales with demand rather than with retained earnings (§9). Synthetix [5] proved pooled collateral can back synths, but asked stakers to be the unhedged counterparty at 400%+ collateralization; a CST moves the price risk to a hedged dealer and leaves LPs only the default risk.
The category has no clean name today (every incumbent is custodial), so we define one. A CST is a mechanism category, like stablecoin or rollup, not a token interface: at the token layer it is deliberately plain, and everything that makes it a CST lives in how it is issued and secured.
- Exogenous target. It tracks the price of an asset that trades outside the protocol.
- Separation. The capital that provides the exposure (funds the hedge) and the capital that secures solvency are distinct pools; collateral never funds the hedge.
- Insurance, not backing. Collateral liquidates only on issuer default (a credit event), never on a price move; holders are never liquidated.
- Verifiable solvency. That collateral covers exposure is checkable by anyone, onchain, at any time (Eq. 8).
- Permissionless exit. Any holder can force redemption at the oracle price against the collateral, without anyone's cooperation (§7).
Fail any one criterion and the instrument is something else; the failures map exactly onto Table 2. A custodial wrapper fails 4 and 5. A CDP synthetic fails 3. A delta-neutral dollar fails 2. A perp position fails the token premise itself. Concretely, a CST is a standard ERC-20 with ERC-2612 permit [7], one active token per asset, freely composable across DeFi [2]. Holders mint a CST, it is secured by an MPV, and an asset goes live as a CST: the vocabulary of the primitive.
4Multi-Purpose Vaults
An RWA token you cannot borrow against is a dead asset in DeFi. The Multi-Purpose Vault (MPV) exists so that no CST is ever that: one pooled collateral base that insures issuance, underwrites the lending market that makes CSTs worth holding, and earns yield while doing both.
Start with why lending is not optional. Crypto capital does not park. A holder who cannot redeploy against a position will sell it to fund the next trade, so an RWA with no borrow market loses exactly the users it was built for. Every asset that matters in DeFi (ETH, staked ETH, BTC, stablecoins) matters because a lending market exists for it. For CSTs to become an asset class rather than a curiosity, each one needs a borrow market from day one.
A lending market normally requires its own capital. The MPV's insight is that the insurance pool of §3 is already sitting there: at risk, but not spent. Because its jobs are layered in risk rather than in cash, the same deposited dollar works several non-conflicting jobs at once:
- It secures issuance. The pooled collateral is the insurance that guarantees CST redemptions (§7).
- It underwrites lending. The same collateral underwrites a lending market where CST holders borrow stablecoins against their tokens to build leverage (§8).
- It earns native yield. Yield-bearing collateral (aUSDC, wstETH) accrues its underlying return continuously; the ERC-4626 share price appreciates automatically.
- It absorbs risk. It is the first-loss capital that stands behind a market maker's performance, in exchange for a premium.
Multiple LPs deposit into a vault and receive ERC-4626 shares proportional to their contribution. There is one vault per collateral type (USDC, aUSDC, WETH, wstETH), and one vault manager per vault. Critically, vaults are not fund-flow intermediaries: minter stablecoins go to the market maker via the RFQ escrow, never through the vault. The vault holds LP collateral purely as trustless security. This is what lets the same dollar of collateral back issuance and earn yield and seed the lending book without being double-spent: the jobs are layered in risk, not in cash.
This is the second half of the thesis: security and utility fund each other. The lending book and the trading flow generate the premiums that pay LPs (§9); those premiums keep the insurance pool funded; and the funded pool lets the next CST launch with a lending market already underneath it. A CDP's collateral is a cost the minter pays. An MPV's collateral is a business.
5Issuance via RFQ
CSTs are issued through a request-for-quote (RFQ) marketplace: pricing happens offchain as a firm signed quote, and settlement happens onchain, atomically. There is no onchain mint or redeem fee: the market maker's margin is the bid/ask spread baked into the quote.
A quote is an EIP-712 signed object binding the taker, asset, side, amount, price, a single-use quote id, and an expiry. The signed digest commits the chain id and market address to prevent cross-chain and cross-contract replay, and each digest is consumable once. A quote is accepted only if it recovers to a registered signer. Two settlement paths exist:
- Market order: the taker submits the signed quote and it settles atomically in one transaction. Nothing is persisted.
- Limit order: the taker rests an order onchain, escrowing the input; a maker later fills it (fully or partially) with a signed quote whose price satisfies the limit.
On a mint, the full payment-token amount is routed from the taker to the market maker's linked settlement address, and eTokens are minted to the taker:
On a redeem, payment tokens flow from the market maker's linked address to the taker, the taker's eTokens burn, and global exposure shrinks. The market maker closes the corresponding leg of its offchain hedge. Decoupling the hot signing key from the funds custodian (the "linked address") bounds the damage a leaked key can do.
Price protection. Beyond the user's own limit, every market and limit settlement must price within a band of the asset's keeper-cached mark \(m\):
This caps the harm from a compromised signer key to \(\delta\) of notional. Force-executed redemptions are exempt from the band because they price at the bare oracle limit (§7).
6Pooled Solvency & Risk Accounting
All exposure and collateral valuation lives in a single risk hub and is valued only at keeper-cached oracle marks, never trade prices. Three O(1) caps protect solvency, checked and committed on the same path that mints.
Let \(u_a\) be the outstanding units of asset \(a\), \(m_a\) its cached USD mark, and \(C_{\text{USD}}\) the total counted collateral value across all vaults. The protocol maintains, as an \(O(1)\) running total,
and enforces the global solvency invariant on every risk-increasing mint:
Two further caps bound concentration and per-asset issuance:
A per-asset ceiling of zero blocks minting that asset: a fail-safe default. The concentration cap \(\kappa_v\) counts at most a capped share of any single vault's collateral toward the global total, so no one collateral type can dominate the backing. All three are re-checked whenever a permissionless keeper refreshes a mark.
Mark freshness. Opening exposure (risk-increasing) requires the asset mark to have been pulled within a freshness bound \(\tau\) (default 15 minutes); new exposure cannot open against a stale price. Closing exposure and redemptions deliberately tolerate stale marks; they only reduce risk. Because the same code path both validates and commits the mint, the issuance check is correct by construction: there is no window in which a mint is approved but not booked.
6.1 Sizing \(U_{\max}\): the buffer is a claim-window VaR
\(U_{\max}\) is not a style choice; it is sized by the guarantee's worst case. The guarantee must hold not at the last mark but at claim settlement: between the freshest accounting and the end of a forced redemption (the claim threshold \(T\), plus proof staleness), collateral can fall while the asset mark rises. Let \(\delta_c\) be the worst credible collateral drawdown over that window at the chosen confidence level, and \(\delta_e\) the worst credible rise in the asset mark. Solvency at settlement, even at the cap \(E = U_{\max} C\), requires \(C(1-\delta_c) \ge E(1+\delta_e)\), i.e.
This is Eq. 2 inverted, and the horizon shrinks from open-ended to a bounded claim window: that is the quantitative payoff of insurance over backing. A CDP's \(\rho\) must survive the joint worst case per position, continuously; the CST buffer only has to survive the move between a default and its settlement. Worked conservatively: stablecoin collateral (\(\delta_c \approx 0\)) against a 10% overnight equity gap gives \(U_{\max} \le 0.91\); staked-ETH collateral at a 99th-percentile 48-hour drawdown (\(\delta_c \approx 30\%\)) against the same gap gives \(U_{\max} \le 0.64\). The deployed ladder (65% stablecoin, 55% BTC, 50% staked ETH) sits inside these bounds, and the slack is deliberate: it absorbs oracle staleness, liquidation slippage, and correlation between crypto drawdowns and redemption waves. The golden rule of §9 forbids spending that slack on growth.
7The Redemption Guarantee
The collateral is the backstop; the hedge is the mechanism. In normal operation a market maker honors redemptions out of its hedge. The guarantee is what happens when it does not: the vault's collateral is liquidated onchain, permissionlessly, at the oracle price, to make the holder whole. In insurance terms, force execution is the claim process and the oracle-priced liquidation is the payout.
A redeemer holding eTokens is captive in a way a would-be minter is not: an unfilled mint simply leaves the user holding their stablecoins, but an unfilled redeem leaves the user holding a token they cannot exit. Force execution is the redeemer's recourse. After a global claim threshold \(T\) (default 48 hours) elapses from order creation with no maker fill, the order owner may force the redemption:
- The named vault must equal the protocol-designated force-execute vault (else the call reverts); if no vault is designated, force execution is disabled, a fail-safe.
- Fresh oracle proofs for the asset price \(P\) and collateral price \(P_c\) are supplied and verified (bounded staleness, not future-dated). The asset price must satisfy the order's limit floor.
- The remaining \(q\) eTokens are valued at the user's own limit price (the bare oracle price, with no maker spread), converted to the vault's collateral, and released directly to the redeemer:
the escrowed eTokens burn, and global exposure shrinks by \(qP\). The guarantee follows directly from the solvency invariant of Eq. 8: so long as \(C_{\text{USD}} \ge E_{\text{USD}}\), every outstanding CST can be redeemed for its full oracle value in collateral, whether or not any market maker participates. The hedge is a convenience; the collateral is the guarantee.
Claims are stabilising. A forced redemption of notional \(x = qP\) removes the same dollar amount from exposure and from collateral, so global utilization strictly improves:
and the solvency cap guarantees the condition (\(E \le U_{\max} C\) with \(U_{\max} < 1\)). Every claim leaves the system better collateralised than it found it. Contrast the CDP fire sale of §2.2, where each liquidation makes the next more likely: the same stress that cascades a CDP book strictly deleverages a CST book.
Emergency settlement. If an asset must be wound down permanently, an operator can halt it at a fixed settlement price, after which holders redeem at that price from a designated halt-redeem fund. Force execution and halt redemption together ensure a holder can always exit, in every regime.
8Lending & Leverage
Because a CST is a real ERC-20 secured by real collateral, it can be borrowed against. Each vault runs a lending market where holders post eTokens as collateral and draw stablecoins (sourced from the vault's external credit line) to loop into leveraged exposure. This is the same collateral base doing its second job.
8.1 Looping
A holder mints a CST, posts it as collateral, borrows stablecoins, mints more, and repeats. At a per-loop loan-to-value of \(\theta\) (default 70%), the geometric series bounds terminal exposure per unit of equity:
8.2 The two-slope rate and the kink
Debt accrues through a single global interest index on a two-slope curve. Borrowers pay the greater of the live external base rate (Aave v3 [4]) or a floor, plus a utilization-based premium \(\pi(u)\):
with defaults \(\pi_0=1\%\), kink \(u^{*}=80\%\), \(s_1=+4\%\), \(s_2=+75\%\). One dial sets both yield and supply. Below the kink, borrowing is cheap and the book fills, lifting LP income gently. Above the kink, the rate spikes, making leverage uneconomic so borrowers deleverage, an automatic brake that protects LPs and keeps their capital withdrawable. The premium above the base rate is swept to the vault manager, who redistributes it to LPs (raising the ERC-4626 share price).
8.3 Health and self-healing liquidation
A position with \(n\) eTokens of collateral valued at \(P_{e}\), against debt \(D\) and liquidation threshold \(\ell\) (default 80%), has health factor
When \(\mathrm{HF}<1\) a liquidator repays up to a close-factor cap and seizes collateral plus a bonus \(\beta\) (default 5%): seized units \(= \text{repaid}\cdot(1+\beta)/P_e\). Crucially, liquidating a CST borrower is self-healing: the burned/seized eTokens reduce protocol exposure \(E\) while the recovered stablecoins repay the vault's external debt; both health factors improve at once. This is the structural opposite of the reflexive CDP spiral of §2.2.
9Economic Security & Incentives
A guarantee is only as strong as the incentive to provide the collateral behind it. The MPV is designed so that LP yield rises precisely when demand for the guarantee is highest: the system pulls in the collateral it needs, exactly when it needs it.
9.1 Where the demand comes from
The natural borrower is a delta-neutral fund harvesting perpetual-futures funding. Perp longs on hot names pay funding to shorts; a fund that holds an offsetting long does not care which way the stock moves and collects the funding. Own supplies that long cheaply and with leverage. With equity \(x\), loop leverage \(L\), borrow rate \(r\), and perp funding \(f\), the net annualized return on equity is
For \(x=\$100\text{k}\), \(L=3\), \(f=13\%\), \(r=7\%\): \(\text{Net}=\$100\text{k}\,[3(0.13)-2(0.07)]=\$25\text{k}\), a ~25% gross return that is indifferent to the direction of the underlying. This makes the fund a stable, repeat borrower, exactly what keeps the lending book full.
9.2 The self-balancing flywheel
The borrow rate is the bridge that pays LPs. Borrowers pay \(r\); the premium above the external base rate flows to LPs, the market maker, and the protocol. Because the premium rises with utilization (Eq. 14), and utilization rises with borrowing demand, LP yield automatically increases when demand is hottest, with no parameter changes. Higher yield attracts more collateral, which expands lending capacity, which admits more borrowers: a compounding flywheel. Capacity is linear in collateral (\(E_{\max} = U_{\max}\,C\)), and collateral follows yield, so the system scales without ever loosening a safety parameter. LP income stacks three layers:
At a healthy operating point the stack lands 30–50% above each collateral's standalone benchmark; worked figures are in Appendix Table A2. When funding turns negative on a name, the market maker's hedge (going long the perp) is paid to hold it, and shares that funding with LPs, so LPs benefit across the funding cycle either way.
9.3 Why the market maker does not default
The guarantee makes holders whole if a maker defaults; it does not rely on makers choosing not to. The maker's own ledger does that. Because its book is hedged, what a defaulting maker can extract is not the notional it quotes but the residual between hedge and liability over one claim window. What it forfeits is the franchise: the discounted value of the spread business, plus everything recourse can reach:
\(\Delta_{\text{window}}\) is small by construction for a hedged book, while \(s\,V/r_d\) grows with the very volume that would make defaulting tempting. \(\Pi_{\text{recourse}}\) is enforced offchain: makers are KYC'd entities under a master service agreement, with daily signed proof-of-reserves, enumerated default triggers, personal guarantees, and quarterly audits (§12). The protocol does not assume honest makers; it makes dishonesty a bad trade, and then insures against it anyway.
10Who a CST Serves
A protocol clears when every participant gets something the alternatives do not offer. Each actor in this system has a distinct reason to show up, and each pays a visible price for it.
| Participant | What they get | What they give up / risk |
|---|---|---|
| Holder / minter | Verifiable RWA exposure at 1:1 capital. No funding rate, no holding cost, no liquidation risk; trustless and self-custodial. A composable ERC-20 that works across DeFi. | Bid/ask spread on entry and exit; worst-case exit waits out the claim window (§7). |
| Borrower (delta-neutral fund) | The cheap leveraged long leg of the funding arbitrage (Eq. 16): up to \(\approx 3.3\times\) via looping (Eq. 13) at a borrow rate kept below perp funding. | Pays the borrow premium that funds LP yield; carries liquidation risk on the loop (§8.3). |
| Liquidity provider | Underwriting income: native yield plus lending premium plus spread share (Eq. 17, Table A2), 30–50% above the collateral's standalone benchmark. | First-loss capital on a market maker default, mutualised across vaults (§12). |
| Market maker | The spread on every mint and redeem, hedged and therefore without directional risk, on distribution rails it does not have to build. | Must honor redemptions; a default forfeits the business and triggers the insurance liquidation. |
| DeFi at large | A new collateral class: equities, ETFs, and gold as permissionless, composable building blocks. | Inherits the trust assumptions of §12. |
The common thread is access. Much of crypto-native capital sits beyond the reach of traditional brokerage infrastructure. Own gives that capital the exposure, the leverage, and the yield natively, in stablecoins, onchain, with no custodian in the middle. The demand engine of §9 is not hypothetical users discovering stocks; it is existing capital that already wants this trade and has no other rail to run it on.
11Oracle & Price Attestation
Every valuation in the protocol (marks for risk accounting, force-execution payouts, the lending debt cap) is driven by an external oracle. Onchain spot prices (DEX reserves) are never used for valuation.
A dual-oracle architecture lets each asset select its price source:
- In-house signed oracle. An authorized signer submits an EIP-712 PriceAttestation(asset, price, timestamp). Per-asset bounds reject stale prices and jumps beyond a deviation band, and timestamps must be strictly increasing. Emergency signer removal is instant.
- Pyth Network [8]. Variable-exponent prices normalized to 18 decimals, gated by a confidence-interval bound and a max age, with up to four per-asset session feeds (regular, pre-market, post-market, overnight).
Both expose a cached read (for keeper marks) and an inline-proof read (for the force path). The oracle verifier is swappable behind the protocol registry, so the protocol can migrate to new price infrastructure ( Chainlink, a ZK oracle) by updating a single address. Signed messages bind chain id and contract address to prevent replay; a compromised signer is bounded within the staleness and deviation bounds and the settle band of Eq. 6.
12Trust Model & Limitations
The protocol assumes a small set of vetted privileged actors and treats end users as adversarial. The design goal is that no single actor can move value to itself, and that the onchain guarantee holds even if the market maker defaults.
| Actor | Trust | Role & bound |
|---|---|---|
| Protocol admin | Trusted (7-day timelock) | Register contracts, assets, oracles; set global params. |
| Operator | Trusted (instant) | Emergency only: pause, halt, remove signer; cannot move funds. |
| Vault manager / maker | Semi-trusted | Hedges offchain, earns spread + premium. LP collateral backstops its default. |
| Quote / oracle signer | Semi / trusted | Sign quotes / prices offchain. Damage bounded by settle band, single-use quotes, deviation bounds. |
| Keeper | Untrusted | Permissionless: refresh marks, accrue interest, fulfil exits. Cannot move value to itself. |
| LP | Untrusted | Provides backstop collateral, earns yield. Capital at risk on VM default. |
| Minter / redeemer | Adversarial | Trades via escrow marketplace; redeemer has onchain force-execution recourse. |
Accepted trade-offs. An auditor and an LP should weigh these deliberate choices:
- Cross-VM loss mutualization. A market maker's shortfall is covered by the global collateral pool; all vaults' LPs share the loss. This strengthens CST backing (a bigger pool stands behind every token) at the cost of mutualizing LP risk across vaults.
- Oracle signer trust. The in-house oracle relies on a protocol-operated signer (single now, M-of-N later). A compromised signer can mis-mark only within the staleness and deviation bounds.
- Stablecoin 1:1 peg. Lending math lifts stablecoins to USD at par; a depeg is invisible to debt valuation until marked.
- Offchain hedge is not onchain-verifiable. The market maker's hedge is attested, not proven. This is why LP collateral is the guarantee rather than the hedge; future versions target ZK proofs of offchain holdings. Additional real-world guards (KYC'd managers under a master service agreement, daily signed proof-of-reserves, personal guarantees, enumerated default triggers, and quarterly audits) bound this in operation.
Structural limitations. Beyond trust assumptions, four properties of the design itself that a holder or LP should price in:
- Exit latency in the worst case. If no maker quotes, a redeemer waits out the claim threshold (default 48 hours) before force execution (§7). A CST guarantees exit at oracle value, not instant exit; it is not a stablecoin-style at-par instrument.
- Capacity is collateral-bounded. Issuance can never exceed \(U_{\max}\,C\) (Eq. 8). Growth is deliberately supply-constrained: when demand hits the cap, the protocol must attract more collateral, never loosen the cap (§9). This trades growth speed for solvency.
- The flywheel runs in reverse. LP yield depends on borrowing demand. In a cold funding regime the premium compresses, collateral can leave, and capacity shrinks with it. The kink model slows the unwind (falling utilization makes borrowing cheaper, Eq. 14) but does not eliminate the cycle.
- Price exposure, not ownership. A CST confers the price of the asset, not the rights of a shareholder: no voting, no direct corporate actions. Synthetic exposure also faces jurisdictional restrictions that engineering cannot remove. The protocol layer stays permissionless and non-custodial; restrictions, where required, are applied at the distribution layer: by integrating apps, and by market makers, who choose whom they quote.
We state these plainly because a guarantee is only as credible as the failure modes it survives. The security posture still reduces to one line: the mechanism (the hedge) can fail, and the holder is made whole by the backstop (the collateral), enforced permissionlessly by the solvency invariant of Eq. 8. That is the difference between secured and backed.
13Conclusion
We have described a system for real-world-asset exposure onchain that requires trust in no custodian and imposes no overcollateralization tax on the holder. The CDP gave crypto trustless dollars but cannot give it trustless stocks: a stablecoin backs one volatile leg with collateral and pins the other at $1, while an RWA forces you to back a volatile asset with another volatile one, which demands punitive, unscalable collateralization. Custodial tokenization tracks the price but reintroduces the trusted intermediary.
The Collateral-Secured Token resolves both by moving the collateral from behind the debt to behind the dealer: an offchain hedge provides price tracking (the mechanism), and an onchain Multi-Purpose Vault insures solvency (the backstop), with the same collateral base simultaneously securing issuance, underwriting a lending market, and earning native yield. The redemption guarantee is not a promise from an issuer but a property of the code: as long as collateral covers exposure, any holder can redeem at the oracle price, permissionlessly, whether or not a market maker participates.
RReferences
- S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008.
- V. Buterin. Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform. 2014.
- MakerDAO. The Dai Stablecoin System. 2017.
- Aave. Aave Protocol Whitepaper v1.0. 2020.
- Synthetix. Synthetix Litepaper: A Decentralised Synthetic Asset Issuance Protocol. 2020.
- Ethena Labs. Ethena: USDe, a Synthetic Dollar Backed by Delta-Neutral Derivatives Positions. 2024.
- F. Vogelsteller and V. Buterin, EIP-20: Token Standard, 2015; M. Lundfall et al., EIP-2612: Permit, 2020; J. Santoro et al., EIP-4626: Tokenized Vaults, 2022.
- Pyth Data Association. Pyth Network Whitepaper. 2022.
AAppendix: Parameters & Notation
| Symbol / param | Meaning | Default |
|---|---|---|
| \(U_{\max}\) · globalMaxUtilizationBps | Global solvency cap: exposure ÷ collateral | admin-set |
| \(\text{cap}_a\) · assetCapUSD | Per-asset USD issuance ceiling | 0 (blocks mint) |
| \(\kappa_v\) · collateralCapBps | Per-vault concentration cap | 0 (uncapped) |
| \(\delta\) · settleBandBps | Max settle deviation from mark | 5% |
| \(\tau\) · maxMarkAge | Mark freshness for opening exposure | 15 min |
| \(T\) · claimThreshold | Delay before force-execute allowed | 48 h |
| \(\theta\) · borrowLtvBps | Per-position borrow LTV | 70% |
| \(\ell\) · liquidationThresholdBps | Liquidation threshold | 80% |
| \(\beta\) · liquidationBonusBps | Liquidator bonus | 5% |
| \(u^{*}\) · kink | Target lending utilization | 80% |
| \(\pi_0,s_1,s_2\) | Base premium / slope 1 / slope 2 | 1% / +4% / +75% |
| timelock | Registry default-admin transfer delay | 7 days |
| Income layer | aUSDC vault | wstETH vault | cbBTC vault |
|---|---|---|---|
| Native base yield | 3.12% (Aave) | 2.55% (Lido) | ~0% (idle BTC) |
| + Lending premium | +0.8% | +0.6% | +0.7% |
| + Trading-spread share | +0.6% | +0.6% | +0.6% |
| = Organic LP yield | ~4.5% | ~3.8% | ~1.5% |
| vs. benchmark | +44% over Aave | +49% over stETH | vs ~0% idle |
Read each vault against its own benchmark: aUSDC competes with Aave/Morpho; wstETH earns extra where lending markets pay staked ETH almost nothing; cbBTC turns idle Bitcoin into yield while diversifying the collateral mix (Eq. 17).
Standards compliance
ERC-20 + ERC-2612 (eToken); ERC-4626 (LP vault shares); ERC-7540 (async deposit/withdraw queues); EIP-712 (RFQ quotes and price attestations, domain "Own Protocol", v1, bound to chain id + contract).
Notation
Pt true asset price · P̃t synthetic market price · ρ CDP collateral ratio · e capital efficiency · EUSD global exposure · CUSD global collateral · Umax utilization cap · ma asset mark · q eTokens · p quote price · L loop leverage · θ borrow LTV · r borrow rate · π(u) premium · u* kink · HF health factor · β liq. bonus · f perp funding · δ settle band · δc, δe claim-window collateral drawdown / asset gap.