Update No: 1 | May 13th, 2024 Referenced Report: Collateral Risk Assessment- tBTC | November 1, 2023 The following addendum references the Llama Risk assessment of tBTC published on November 1st, 2023. This update report presents the latest insights and developments from the initial risk assessment of tBTC as of May 13th, 2024. Our review will follow the same format as the one set out in the initial report. Sections and subsections that saw relevant changes are presented. This update is prepared for the Aave DAO in the context of the ARFC for onboarding tBTC to Aave v3 on Ethereum, Arbitrum, and Optimism. Below are the key changes since we published the report. Useful links

LlamaRisk_pyusd Introduction In this report, we will analyze staked PayPal USD (PYUSD) as a potential pegkeeper asset for crvUSD. The objective of this analysis is to comprehensively assess the risks associated with PYUSD to determine its suitability for pegkeeper onboarding. Our evaluation will employ both quantitative and qualitative methods, providing insights into the safety of integrating PYUSD and recommending any necessary exposure restrictions. We will categorize the assessment into three main areas: Performance Analytics - Concerns related stablecoin adoption, market liquidity, and volatility. On-chain Management - Considerations pertaining to smart contracts, dependencies, and other technology components. Regulation and Compliance - Aspects concerning reserves management, centralization potential, and legal/regulatory factors.

image Useful Links: Website: Frax Staking App | FinresPBC Documentation: Frax v3 Docs | Audits | GitHub Social: Twitter | Telegram | Discord Contracts: sFRAX | Frax Mainnet Deployments Governance: Forum | Snapshot | FrxGov | FIP-277 | FIP-285 Markets: Curve sFRAX/crvUSD

image.png Publish Date: November 1st, 2023 Useful Links Website: tBTC Bridge App Documentation: tBTC Docs | Audits | Keep GitHub Social: Twitter | Blog | Telegram Contracts: Mainnet Deployments Governance: Forum | Boardroom | Snapshot

Summary A bug within older versions of the Vyper compiler caused a failure in a security feature used by a limited set of Curve pools (see affected pools below). As a result attackers were able to drain the affected pools of their tokens. The exploit comes directly at the expense of Curve liquidity providers for these affected pools, although Curve is attempting to contact exploiters and recover user funds. Thanks to a white hat, a portion of tokens from one affected pool were recovered by the DAO. The Curve eDAO cannot pause Curve pools or handle user funds in any way. However, it can kill CRV gauge emissions to Curve pools. It is expected the eDAO will kill gauge emissions to all affected pools. For more information:join the Curve Announcements TG, follow Curve Finance on Twitter, join the Curve TG group join the Curve Discord