Protocol Due Diligence: Mai Finance (QI)

># Protocol Due Diligence: Mai Finance (QI) [ToC] ## MAI Finance Overview - [Site](https://www.mai.finance/) - [Gov](https://snapshot.org/#/qidao.eth) - [Docs](https://docs.mai.finance/) - [Audits and due dilligence disclosures](https://docs.mai.finance/risks/security) ## Rug-ability **Multi-sig:** Yes - QI DAO multisign (Fantom): 0x679016B3F8E98673f85c6F72567f22b58Aa15A54 It's using a 3/5 ratio. **Upgradable Contracts:** masterChef is not upgradable. **Decentralization:** - Some of the core team members (owners of the MS addresses) are semi-doxxed and anyone can watch them frequently on social media streams, but for security reasons not all of them are public and some want to remain anonymous. MAI team were kind to provide the Discord usernames: 0xLaozi#2485 Benjamin | QiDao Protocol#2455 justkila#5844 pablo12335#8946 [MultiSig](https://docs.mai.finance/risks/multisig) ### Operations [MasterChef](https://github.com/0xlaozi/qidao/blob/main/contracts/StakingRewards.sol): can’t rug principal. Deposit Fee: can’t rug principal. It is set up when a new LP is added to masterChef and can not be modified. `nonReentrant` :heavy_check_mark: Team MS 3 can call: - Function `fund` funds the farm, increase the end block (block number when farming ends). - Function `set` updates the given pool's ERC20 allocation point. - Function `add` adds a new LP to the pool. In case the owner adds the same LP token more than once, rewards will be messed up. - **Audit recommendation**: A mapping of existing LPs could sove this as it can check if a previously added LP is being added again. This could be accomplished via an array in which a boolean is written for each new LP entering the process. Function `emergencyWithdraw` is public and allows withdraws without caring about rewards. ## Audit Reports Audits are listed here: https://docs.mai.finance/risks/security There have been 2 Audits by Bramah Systems & Cloakwire. Both reports are available: https://www.bramah.systems/audits/Mai_Finance_Audit_Bramah.pdf https://cloakwire.com/qi-dao-security-audit/ Findings found during this Audits might be deemed informational and lack any critical severity. Some of them are: - Sensitive Setter Functions do not Emit an Event. - Failure Messages in some Functions should be More Specific. - Commented Out Code Remains in Final Version. - Hardcoded Addresses Should Possess a Setter Function. - Lack of Consistency in Solidity Version and Variable Naming. - Addition of New LP Could Result in Reward Miscalculation: `StakingRewards.sol` does not presently have a methodology by which LP’s added twice can be easily removed and properly reset. Function called by **onlyOwner**. The team has stated that “*While it is best practice to maintain uniformity, the different findings do not present a security concern for the contract*”. ## Strategy Details ### Summary The `SingleSidedBeethoven MAI-CONCERTO Pool USDC` is in charge of staking MAI Concerto Beets.fi LP, depositing it into the QI vault and later providing single side QI to Beets.fi in order to stake Qi Major Beets.fi LP into the second QI vault earning: - QI rewards 2 times. ### Strategy Design ![](https://i.imgur.com/JfVabip.png) ### Strategy current APR The APR will change based on Pool usage and QI Token performance. Currently it is roundabout 30%. #### Staking Rewards QI contract allows users to stake their incentivized LPs to earn QI. Functions can be found in the staking rewards contract: https://github.com/0xlaozi/qidao/blob/main/contracts/StakingRewards.sol - Max supply of QI tokens (hard cap): 200M. The strategy earns QI rewards from the 2 staking Pools: 1. MAI Concerto Beets.fi LP staked: Stable Beethoven Pool USDC-MAI. 2. QI Major Beets.fi LP staked: Weighted Beethoven Pool QI-WFTM (60/40). ![](https://i.imgur.com/H7qHcwg.png) ### Strategy Pitfalls - The main Pitfall is the 0.5% deposit fee by MAI, the strategy will accrue this lose when we deposit the Beethoven LP into QI-DAO protocol. - The liquidity on the Beethoven Pool is not very high this means that if deposits are large will incur a slippage. - Some of the profits are generated by staking the rewards generated on the USDC-MAI pool (QI) because we are holding this token for longer periods of times we are expose to fluctuation on its price, which will increase or reduce our overall APY. We are only staking a fraction of the main profits, so this should not impact a lot the APY, but worth mentioning it. ## Further DeepDive on QI Dao protocol and MAI finance MAI is a stablecoin backed by locked collateral tokens. MAI can only be made through locking collateral to back its value - either through approved collateral in vaults or through Anchor. Collateral can be static tokens like LINK, CRV,etc or Interest-bearing tokens like Beefy, Yearn, and Aave receipt tokens. ### Peg maintenance - Anchor: when the price of MAI falls below $0.99 or rises above $1.01, users can engage in risk-free arbitrage through Anchor. - Liquidation ratio: the liquidation ratio (minimum collateral to debt ratio) ensures that every MAI is always backed by the collateral value in the vaults. - Collateral Token Fluctuations: vaults are overcollateralized (by 110-150%, depending on the asset) to ensure that there is always collateral value to back the stablecoins minted. ### Vaults in Fantom The following tokens are currently accepted as collateral to borrow MAI on Fantom: ![](https://i.imgur.com/W1J5G2N.png) ### Liquidations When vaults fall below the liquidation ratio, liquidators repay 50% of the vault’s debt and withdraw a portion of the locked collateral tokens as compensation. The vault will then be returned to the original vault owner at a healthy collateral to debt ratio. ##### Example of partial liquidation process: A vault with a value of $100,000 USD in FTM borrows with a collateralization ratio (150%) and receives 66,666.67 MAI (valued at $66,666.67 USD). If the value of FTM in the vault drops to $95,000 USD and the remaining loan balance remains at 66,666.67 MAI, the vault is now undercollateralized (142% collateral to debt ratio). This triggers the ability for someone to partially liquidate the undercollateralized vault by paying down 50% of the vault’s debt. In this case, that would mean paying 33,333.33 MAI. After doing so, the user liquidating the vault would then withdraw $33,333.33-worth of FTM tokens, plus a 10% bonus ($3,333.33-worth of FTM). The vault is then returned to the original owner. #### The Key Risk Parameters for Vaults: - Debt Ceiling: the debt ceiling is the maximum amount that can be borrowed against a particular collateral type, so assets are diversified. - Repayment Fee: the repayment fee is the fee paid to the Treasury when a vault owner closes out their debt position to access their vault’s collateral. - Liquidation Ratio: this ratio refers to the minimum collateral to debt ratio that there can be in a vault, before it is opened for liquidation penalties. - Liquidation Penalty: this ensures that all debts and fees will be paid back to the system even if the original debt holder is unable to maintain their vault debt. ## Path-to-Prod #### Does Strategy delegate assets? No. #### Target Prod Vault Would be an endorsed version of what's pushed into ape tax. #### BaseStrategy Version 0.4.3 #### Target Prod Vault Version 0.4.3 ### Testing Plan The strategy should be tested on [Ape.tax](http://Ape.tax) first. At the moment, there are no USDC vaults on [ape.tax](http://ape.tax) so one should be created. The new 0.4.3 vault will only use this strategy for now. And should have a deposit limit of 100k until the strategy has proved to be profitable for a long period of time. Once we make sure the strategy works correctly and the APY is sustainable in the time, we will be able to move this to production. #### Ape.tax ##### Will Ape.tax be used? Yes ##### Will Ape.tax vault be same version # as prod vault? Yes ##### What conditions are needed to graduate? (e.g. number of harvest cycles, min funds, etc) - Be profitable - Expected APY after a few weeks to be similar or close to the advertise APY on MAI platform. (Taking into account the dilution of adding more money to the strategy). #### Prod Deployment Plan ##### Suggested position in withdrawQueue? 1. StrategyLenderYieldOptimiser 2. Rebalancer USDC Joint Provider 3. Beethoven-mai-strategy As Mai deposits have 0,5% fee we should avoid withdraws. ##### Does strategy have any deposit/withdraw fees? Yes, Deposit fees are paid by users when they submit their liquidity pool (LP) tokens to participate in liquidity mining rewards on MAI Finance. The fee is denominated in LP tokens and is equal to 0.5% of the LP token value. A user that provided 100 USD in liquidity will pay a 0.5 USD fee (100 USD * 0.5% fee) when depositing their LP tokens on the MAI pools. ##### Suggested debtRatio? Once we are ready to prod, we should do: 40% StrategyLenderYieldOptimiser 40% Rebalancer USDC Joint Provider 20% Beethoven-Mai-Strategy ##### Suggested max debtRatio to scale to? The final state should be: - 40% StrategyLenderYieldOptimiser - 20% Rebalancer USDC Joint Provider - 40% Beethoven-Mai-Strategy #### Checklist - [ ] Deploy a 0.4.3 USDC vault in ape.tax. - [ ] Deploy SingleSidedBeethoven STEADY-BEET Pool USDC with Beethoven and QI DAO protocol. - [ ] Test to make sure all functionality is working correctly. - [ ] Add SingleSidedBeethoven strategy with QI to production USDC vault. - [ ] Endorse to prod.