Midas mHYPER

2.9
mHYPER / Ethereum (also deployed on Monad, Plasma, Katana) / February 7, 2026 (updated April 9, 2026)

Overview

mHYPER is a tokenized certificate (Liquid Yield Token / LYT) issued by Midas Software GmbH, a German-incorporated tokenization platform. It references the performance of market-neutral, stablecoin-focused strategies managed by Hyperithm, a digital asset management firm based in Tokyo and Seoul.

mHYPER is not a stablecoin — its value floats based on strategy performance. Yield is auto-compounded into the token price (NAV), updated onchain twice per week via a custom oracle (see oracle history). The token has appreciated from $1.00 at inception to ~$1.089 as of April 2026.

The yield strategy includes:

  • Leveraged USDe positions on Aave
  • Stablecoin farming on Pendle
  • Basis trading on Hyperliquid
  • Liquidity provision on Morpho vaults
  • Carry trades, liquidation arbitrage, reward farming

Legally, mHYPER tokens are structured as subordinated debt instruments of Midas Software GmbH. Midas operates two issuance structures: a Luxembourg securitisation vehicle with statutory asset segregation and bankruptcy remoteness, and a German GmbH structure. mHYPER uses the German GmbH structure.

Key Stats:

  • mHYPER Market Cap: ~$50.7M (total NAV across all chains per attestation report, April 7, 2026)
  • Total Supply: ~46,590,889 mHYPER across 4 chains (Ethereum ~41.5M, Monad ~2.5M, Katana ~1.8M, Plasma ~717K)
  • Holders: ~467 addresses (Ethereum only)
  • APY: ~9.24%
  • Midas Platform TVL: ~$368M per the SumCap tracker (DeFiLlama doesn't count all positions)
  • KYC Required: Yes (greenlist enforced onchain)

Risk Summary

Key Strengths

  • Doxxed team with institutional backing — Goldman Sachs / Morgan Stanley alumni, backed by Coinbase Ventures, Framework Ventures, BlockTower
  • Institutional-grade custody — Fordefi MPC with tri-party MPC governance prevents unilateral fund access
  • Regulatory compliance — FMA-approved Base Prospectus (July 2025, valid until July 2026), German GmbH legal structure, KYC enforcement onchain
  • Proven redemption capacity — Processed $150M+ in redemptions within 48 hours under stress (Stream Finance incident)
  • Extensive audits + active bug bounty — 10 audits across 2023-2025 (Hacken, Côme, Sherlock) covering core contracts, vaults, bridges, and oracles. $1M bug bounty across Sherlock + Cantina. Clean track record (~9 months mHYPER, ~22 months Midas platform)

Key Risks

  • NAV reporting trust assumptions — Hyperithm reports NAV, which is now checked through the Attestation Engine (LlamaRisk + Canary verify, vlayer notarizes, Chainlink CRE publishes hashes onchain). This is a significant improvement over previous single-party reporting, but source artifacts and full portfolio composition remain offchain, and the oracle update itself is still admin-triggered
  • Negligible onchain liquidity — ~$11.5K on Uniswap (down from ~$32K), effectively $0 daily volume. Exit is entirely dependent on Midas's redemption infrastructure (1-3 days). Limited instant liquidity (1-2% of total supply) partially mitigates this
  • Weak access control and partial timelock — While contract upgrades have a 48-hour timelock, DEFAULT_ADMIN_ROLE is held by three direct addresses: the 1/3 Gnosis Safe plus two EOAs. The Safe owner set includes two Midas-claimed MPC-controlled EOAs and one nested 3/7 Safe, but the two direct admin EOAs are a separate control plane. Any direct admin can grant mint/burn/pause/blacklist roles and seize or freeze user funds without delay. The oracle price is also controlled by a single EOA with no timelock
  • Unbacked minting - tokens can be minted without collateral by the admin

Full Report

Contract Addresses

All contracts use OpenZeppelin's TransparentUpgradeableProxy pattern with a shared ProxyAdmin.

Contract | Proxy Address | Implementation Address
mHYPER Token | 0x9b5528528656DBC094765E2abB79F293c21191B9 | 0xE4386180dF7285E7D78794148E1B31c9EDfb0689
mHYPER/USD Oracle (CustomAggregatorFeed) | 0x43881B05C3BE68B2d33eb70aDdF9F666C5005f68 | 0xFcA6c2087e6321385745f3080D586d088a7f707f
mHYPER DataFeed | 0x92004DCC5359eD67f287F32d12715A37916deCdE | 0xE3240302aCEc5922b8549509615c16a97C05654A
DepositVault | 0x6Be2f55816efd0d91f52720f096006d63c366e98 | 0x570C15bC5faF98531A8b351d69E22E41e3505E47
RedemptionVaultWithSwapper | 0xbA9FD2850965053Ffab368Df8AA7eD2486f11024 | 0xd2B5f8f1DED3D6e00965b8215b57A33c21101c63
MidasAccessControl | 0x0312A9D1Ff2372DDEdCBB21e4B6389aFc919aC4B | 0xDd5a54bA2ab379a5e642c58f98ad793a183960e2
ProxyAdmin (shared) | 0xbf25b58cB8DfaD688F7BcB2b87D71C23A6600AaC | N/A
Tokens Receiver | 0xF356c5e9F69DaDB332Bb098C7Ed960Db1d3376DD | N/A
Deployer | 0xa0819ae43115420beb161193b8d8ba64c9f9facc | N/A

Other Chain Deployments:

Audits and Due Diligence Disclosures

Audit Status: Extensive — 10 audits across 2023-2025 cover the Midas core contracts (vaults, tokens, access control, bridges, oracles). mHYPER is an implementation of these audited contracts. The 2025 audits cover the current core contracts.

2025 Audits:

Audit | Firm | Scope | Link
Midas Core Contracts (2025) | Côme | Core contracts | Report
Midas Core Contracts Contest (2025) | Sherlock | Core contracts | Contest

2024 Audits:

Audit | Firm | Scope | Link
Midas Core Contracts (2024) | Hacken | Core contracts | Report
Midas Core Contracts Contest (2024) | Sherlock | DepositVault, RedemptionVault, MidasAccessControl, DataFeed | Contest
Issuance & Redemption Vaults | Sherlock | Instant mint/redeem, BUIDL integration, new oracles | Contest
Bridge Integrations | Sherlock | LayerZero & Axelar bridge integrations | Contest
Oracle System | Sherlock | Oracle infrastructure | Contest
Legacy Tokens & Vaults | Sherlock | Legacy components | Contest
Midas Contracts (2024) | Côme | Contracts | Report

2023 Audits:

Audit | Firm | Scope | Link
Midas Contracts (2023) | Hacken | mTBILL token, DepositVault, RedemptionVault, ManageableVault, access control (15 contracts) | Report

Hacken Audit Results (Dec 2023):

  • Security Score: 10/10 (post-fix). 100% branch coverage
  • 0 Critical, 1 High (Accepted — USD tokens with custom decimals), 2 Medium (1 fixed: missing oracle refresh; 1 accepted: 1:1 price assumption), 1 Low (permissive role for token burning — accepted), 4 Observations
  • Critical note: Auditors explicitly flagged the protocol as "highly centralized" with system admins controlling all critical roles

Sherlock Core Contracts Contest (2024):

  • 1 High (blacklist bypass via renounceRole — acknowledged), 2 Medium (corruptible upgradability pattern — fixed; excessive vault admin permissions — acknowledged)

Sherlock Issuance & Redemption Contest (2024):

  • 1 High (reclassified to Medium — RedemptionVaultWithBUIDL initialization DoS), 6 Medium (BUIDL balance handling, standard redemption allowance gaps, spec/code discrepancies)

Smart Contract Complexity: Low-Moderate

  • mHYPER extends mTBILL (simple ERC-20 with pausable, role-controlled mint/burn)
  • Standard OpenZeppelin TransparentUpgradeableProxy pattern
  • Custom oracle (CustomAggregatorFeed) wrapping Chainlink's AggregatorV3 interface — not a Chainlink data feed
  • Role-based access control via shared MidasAccessControl contract

Bug Bounty

  • $1,000,000 USD total allocated across two platforms (Midas docs):
    • Sherlock Bug Bounty — Live since March 31, 2026. Max payout: $500,000 USDC. Tiers: Critical $25K-$500K (10% of affected funds), High $5K-$25K, Medium $5K, Low $500-$1K. Covers Ethereum (contracts/**/*.sol) and Solana (programs/**/*.rs)
    • Cantina Bug Bounty — Live since March 23, 2026. Max payout: $500,000. Tiers: Critical $500K, High $25K, Medium $5K, Low $1K

Historical Track Record

  • Production History: mHYPER token created on Ethereum July 15, 2025 (~9 months in production). Midas platform launched with mTBILL in mid-2024 (~22 months total)
  • TVL Growth: Midas grew from ~$4M (July 2024) to ~$275M (February 2026), now ~$216.6M (April 2026)
  • mHYPER Market Cap: ~$45M with ~467 holders
  • Price History: mHYPER has traded between $1.024 (ATL, Sep 2025) and $1.089 (ATH, Apr 2026) — steady appreciation consistent with yield accrual. Oracle price: $1.08858 (round 78, last updated April 7, 2026)

Hyperithm Track Record:

  • Founded January 2018 (7+ years operating history)
  • Co-founded by Sangrok Oh (ex-Morgan Stanley) and Woojun Lloyd Lee (Forbes 30 Under 30)
  • Backed by Coinbase Ventures, Samsung Next, Hashed, Kakao, Naver. $11M Series B (Aug 2021)
  • Dual regulatory registration: SPBQII in Japan (FSA), VASP in South Korea (KoFIU)

Funds Management

Hyperithm is the strategy manager for mHYPER, deploying funds across multiple DeFi protocols using market-neutral, stablecoin-focused strategies. Funds remain under Midas control via Fordefi custody.

  • Fund Manager: Hyperithm (Tokyo/Seoul, founded 2018, AUM $300M+)
  • Strategy: Multi-chain stablecoin yield — leveraged USDe on Aave, farming on Pendle, basis trading on Hyperliquid, Morpho vault liquidity, carry trades, liquidation arbitrage. Per transparency page (April 10, 2026): Fluid 28.7%, Aave 21.6%, Kamino 19.3% (Solana lending), Morpho 15.0%, Pendle 14.7%, Wallet 0.7%, Hyperliquid/Lighter <0.1%. Total NAV ~$49.6M
  • Strategy Execution: Offchain by Hyperithm with discretionary investment decisions
  • Custody: Fordefi MPC custody with tri-party quorum per Fordefi case study (Midas + Hyperithm + independent signer — operations outside predefined rules require all three parties). Blockaid co-signer provides automated onchain transaction monitoring and threat protection (per Midas). Fordefi is the primary custodian for LYT products; Midas also uses Fireblocks for other product lines
  • Monitoring: NAV updates provided by Hyperithm, reviewed by Midas, then published onchain twice per week

Accessibility

  • KYC Required: Yes — users must complete KYC/AML screening (1-4 business days). Once approved, added to onchain greenlist via Greenlistable contract. Chainalysis Oracle integration for sanctions screening
  • Minting: Deposit USDC, receive mHYPER tokens. Default mode is instant issuance
  • Redemption: Two modes:
    • Instant: Atomic onchain at oracle price when liquidity is available, 0.50% instant redemption fee.
    • Standard: 1-3 business day queue (fallback when instant capacity is insufficient). Subject to Risk Manager setting aside funds
  • Fees: 0% management fee, 20% performance fee (from yield, earned by Midas), 0% standard mint/redeem fees, 0.50% instant redemption fee (earned by the mHYPER portfolio itself to compensate for cash drag from keeping redemption liquidity idle)
  • Geographic Restrictions: Not available to US persons, UK, China, and sanctioned countries.

Collateralization

  • Backing Model: Offchain / hybrid — mHYPER is a subordinated debt instrument of Midas Software GmbH, not a direct claim on underlying assets
  • Collateral Quality: Strategies target stablecoin-focused, market-neutral positions across Aave (blue-chip), Pendle (established), Hyperliquid (newer, centralized perps DEX), Morpho (established), Kamino (Solana). Includes leveraged positions and basis trading
  • Verifiability: Mostly onchain — per Midas, ~96% of mHYPER strategy positions are held onchain and visible via the transparency page; ~4% are held on CEX/offchain venues. Wallet-to-product attribution and the offchain component still depend on Midas/Hyperithm reporting and the Attestation Engine; the link between those wallets and mHYPER is not enforced by smart contracts
  • Risk Curation: Hyperithm has discretion over allocation within the broad strategy framework. Midas enforces policy limits via Fordefi policy engine (address, asset, contract method, notional size)
  • Tri-Party Governance (via Fordefi): Per Fordefi case study: Midas Treasury + Hyperithm (Asset Manager) + Independent Oversight Signer. Operations within predefined rules clear automatically; anything outside routes to tri-party quorum. No single group can act unilaterally for custody operations
  • Legal Structure: LYT holders are subordinate creditors of Midas Software GmbH. mHYPER uses the German GmbH issuance structure — no statutory asset segregation or bankruptcy remoteness. Midas's Luxembourg securitisation vehicle offers these protections but is used for other products, not mHYPER

Provability

  • Reserve Transparency: Hybrid. Strategy wallets are partially onchain, but full portfolio composition requires offchain reporting. The Midas Attestation Engine (SAVE, introduced March 2026) adds a multi-party verification layer via three contracts: KeystoneForwarder (Chainlink DON router), SaveCreReceiverProxy (receiver), and MidasSaveRegistryWithClaim (registry). The registry is a hash-only store: it records proof IDs, attestation hashes, claim hashes, verifier hashes, timestamps, and attestor/verifier addresses. It does not expose the actual reserve data, wallet balances, document content, or an onchain URI/CID that lets users retrieve the source artifact from the registry alone. Midas docs state that notarized source material is stored on IPFS, while public weekly PDF reports are available on Google Drive. The onchain registry proves that a specific hash was attested and independently verified, but interpreting the underlying NAV/reserve data still depends on offchain-disclosed artifacts and links
  • NAV/Price Updates: Token price updated twice per week by Midas via a privileged role on the CustomAggregatorFeed oracle. Current price: ~$1.089 (round 79, 8 decimals). The oracle enforces onchain bounds: maxAnswerDeviation of 0.35% per update (35000000 in 8-decimal precision), minAnswer of $0.10, and maxAnswer of $1,000 — providing tight deviation control per update. The oracle price is deterministic onchain at deposit time (users know the exact token amount). For standard redemptions, the price may update before processing — this ensures the payout accurately reflects current NAV, avoiding over/under-payment to either the redeemer or remaining holders. The Attestation Engine separately verifies and anchors NAV source-data hashes, but does not currently enforce oracle update correctness onchain
  • Verification Agent: The Attestation Engine introduces LlamaRisk and Canary Protocol as independent third-party verifiers that confirm data origins, processes, and handling meet defined criteria
  • Third-Party Verification: For Morpho integration, eOracle independently verifies and publishes pricing. Steakhouse applies market discounts for liquidation optimization. The Attestation Engine publishes verified hashes onchain via Chainlink Runtime Environment, replacing the previous self-generated attestation reports. The oracle wraps the Chainlink AggregatorV3 interface but the underlying price feed is not a Chainlink data feed

Liquidity Risk

  • DEX Liquidity: Negligible — ~$11.5K total on Uniswap V4 (mHYPER/USDC 0.2% pool). 24h volume effectively $0. Not a viable exit for any position size. DEX liquidity has declined ~64% since February 2026
  • Primary Exit: Via Midas redemption vaults (instant or standard mode)
  • Instant Redemption: 1-2% target capacity, topped up multiple times per day
  • Standard Redemption: 1-3 business day queue when instant capacity is insufficient
  • Pendle: ~$10.14M TVL in mHYPER Pendle pools across 5 markets (yield tokenization, not direct swap liquidity). Up from ~$5.53M in February
  • Stress Test: mHYPER processed $150M+ in redemptions in 48 hours when Stream Finance unwound its $75M leveraged position. This is a positive signal for the redemption mechanism but required standard (non-instant) processing and active coordination
  • Large Holder Impact: With ~467 holders and $45M market cap, average position is ~$96K. Large holders likely face multi-day standard redemption queues

Centralization & Control Risks

Governance

  • Contract Upgradeability: Yes — all contracts use TransparentUpgradeableProxy with a shared ProxyAdmin at 0xbf25b58cB8DfaD688F7BcB2b87D71C23A6600AaC
  • ProxyAdmin Owner: MidasTimelockController — a verified OpenZeppelin TimelockController with a 48-hour minimum delay. Contract upgrades must be proposed, wait 48 hours, then executed
  • Timelock Proposer/Executor: Gnosis Safe 0xB60842E9DaBCd1C52e354ac30E82a97661cB7E89, 1/3 onchain threshold (any single Safe owner can propose/execute). The practical signer setup is stronger than a plain 1/3 EOA Safe, but part of that protection is offchain:
  • Access Control: Role-based via MidasAccessControl (0x0312A9D1Ff2372DDEdCBB21e4B6389aFc919aC4B)
  • DEFAULT_ADMIN_ROLE holders: Three addresses hold DEFAULT_ADMIN_ROLE on MidasAccessControl — role changes (mint/burn/pause/blacklist grants) bypass the timelock and can be executed immediately:
  • Governance Model: No onchain governance. Midas controls all admin functions
  • Privileged Roles:
    1. M_HYPER_MINT_OPERATOR_ROLE (0xe6046a6e8c55ddf579e30dbcefd2018a368c8b9d4836e839e4858921fb6305d7) — Can mint unlimited mHYPER tokens. The mint() function has no onchain collateral check — it only verifies the caller has the mint role, then calls OpenZeppelin _mint() directly. Currently held by:
    2. M_HYPER_BURN_OPERATOR_ROLE — Can burn mHYPER tokens from any address. Currently held by the same EOA 0x5683de280d0c3967fba2f04d707fa1ef5a044e25, plus the RedemptionVault and LayerZero adapter
    3. M_HYPER_PAUSE_OPERATOR_ROLE — Can pause/unpause the contract (freezing all transfers)
    4. DEFAULT_ADMIN_ROLE — Can grant/revoke all other roles (held by 1/3 Safe + two standalone EOAs, no timelock). A compromised admin can grant itself the MINT role and mint unbacked tokens in two transactions
    5. ProxyAdmin owner — Can upgrade all contract implementations (via 48hr timelock)
    6. Oracle updater — Can set the NAV price via CustomAggregatorFeed. Currently held by EOA 0xd1e01471f3e1002d4eec1b39b7dbd7aff952a99f — a single EOA with no timelock on price updates. Onchain bounds: max 0.35% deviation per update, price range $0.10-$1,000
    7. Blacklist operator — Can blacklist addresses from interacting with the token
  • Fund Seizure / Unbacked Minting: The mint operator can create tokens without depositing collateral (no onchain backing check). The burn operator can burn from any address. The blacklist/pause operators can freeze activity. Role grants bypass the timelock — any of the three DEFAULT_ADMIN_ROLE holders can grant themselves these roles immediately and unilaterally. renounceRole is disabled (always reverts)
  • Audit Assessment: Hacken auditors explicitly flagged the protocol as "highly centralized" with system admins controlling all critical roles
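
A detection sketch for the role-grant path described above, added here as an example and not taken from Midas or from the original report. It scans decoded RoleGranted and mint (Transfer from the zero address) records for a MINT-role grant to an account outside the holders named in this report, followed by a mint from that account. The sample events, the placeholder addresses, the `tx_from` field, the 18-decimal token assumption and the block window are all constructed assumptions.

```python
# Constructed example: flag MINT-role grants to new accounts and the mints that follow.
ZERO_ADDR = "0x" + "00" * 20
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32  # OpenZeppelin AccessControl's admin role id
MINT_ROLE = "0xe6046a6e8c55ddf579e30dbcefd2018a368c8b9d4836e839e4858921fb6305d7"

# Baseline of mint-role holders named in this report.
KNOWN_MINTERS = {a.lower() for a in (
    "0x5683de280d0c3967fba2f04d707fa1ef5a044e25",  # mint/burn operator EOA
    "0x6Be2f55816efd0d91f52720f096006d63c366e98",  # DepositVault
    "0x148c86390a4ae6f7a02df5903bc0a89e8b4581a0",  # LayerZero adapter
)}

TOKEN_DECIMALS = 18          # assumption: not stated in the report
PRICE_DECIMALS = 8           # oracle precision per the report
LARGE_MINT_USD = 1_000_000   # "mints >$1M" threshold from the Monitoring section
GRANT_TO_MINT_WINDOW = 7200  # blocks; assumed correlation window


def detect(events, price):
    """Return (block, kind, account) alerts; price is the 8-decimal oracle answer."""
    alerts = []
    new_minters = {}  # account -> block where it received the MINT role
    for ev in sorted(events, key=lambda e: (e["block"], e["log_index"])):
        if ev["event"] == "RoleGranted":
            account = ev["account"].lower()
            if ev["role"] == DEFAULT_ADMIN_ROLE:
                alerts.append((ev["block"], "ADMIN_ROLE_GRANTED", account))
            elif ev["role"] == MINT_ROLE and account not in KNOWN_MINTERS:
                self_grant = ev["sender"].lower() == account
                kind = "MINT_ROLE_SELF_GRANT" if self_grant else "MINT_ROLE_NEW_HOLDER"
                alerts.append((ev["block"], kind, account))
                new_minters[account] = ev["block"]
        elif ev["event"] == "Transfer" and ev["from"].lower() == ZERO_ADDR:
            # tx_from is the transaction sender taken from the receipt. For a
            # vault deposit it is the depositor, so only direct mints by a newly
            # granted account match the grant-then-mint correlation below.
            minter = ev["tx_from"].lower()
            usd = ev["value"] * price // 10 ** (TOKEN_DECIMALS + PRICE_DECIMALS)
            granted_at = new_minters.get(minter)
            if granted_at is not None and ev["block"] - granted_at <= GRANT_TO_MINT_WINDOW:
                alerts.append((ev["block"], "GRANT_THEN_MINT", minter))
            if usd > LARGE_MINT_USD:
                alerts.append((ev["block"], "LARGE_MINT", minter))
    return alerts


# Constructed sample data (placeholder addresses, not real accounts).
ADMIN = "0x" + "ad" * 20
NEW_ACCOUNT = "0x" + "aa" * 20
OTHER = "0x" + "bb" * 20
USER = "0x" + "cc" * 20
SAMPLE_EVENTS = [
    {"block": 100, "log_index": 0, "event": "Transfer", "from": ZERO_ADDR,
     "to": USER, "value": 5_000 * 10**18, "tx_from": USER},  # ordinary deposit
    {"block": 200, "log_index": 0, "event": "RoleGranted", "role": MINT_ROLE,
     "account": NEW_ACCOUNT, "sender": ADMIN},
    {"block": 201, "log_index": 0, "event": "Transfer", "from": ZERO_ADDR,
     "to": NEW_ACCOUNT, "value": 2_000_000 * 10**18, "tx_from": NEW_ACCOUNT},
    {"block": 300, "log_index": 0, "event": "RoleGranted",
     "role": DEFAULT_ADMIN_ROLE, "account": OTHER, "sender": ADMIN},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, 108_858_000):
        print(alert)
```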

Programmability

  • System Operations: Primarily offchain. Strategy execution, NAV calculation, and redemption processing are handled by Midas/Hyperithm offchain
  • Oracle/NAV Updates: The CustomAggregatorFeed is updated twice per week by a privileged role. The Attestation Engine adds a programmatic verification layer via Chainlink CRE, but the onchain price update itself is still admin-triggered
  • PPS Definition: The oracle price IS the PPS. It is updated by an admin role, not computed onchain from reserves. NAV source data is now independently checked through the Attestation Engine pipeline, but oracle updates are not computed or enforced by that registry
  • Off-Chain Dependencies: Critical
    • Hyperithm's strategy execution and NAV reporting
    • Midas's redemption processing
    • KYC/AML verification (greenlist management)
    • Fordefi for MPC custody and transaction signing

External Dependencies

  • Hyperithm (Critical): Strategy management, NAV calculation, risk monitoring. Single external dependency for core value proposition. If Hyperithm fails or misreports, token holders have no onchain recourse
  • Fordefi (Critical): MPC custody of underlying assets with tri-party MPC governance. All fund movements depend on it
  • Strategy Counterparties (Critical):
    • Fluid — 28.7% of NAV, borrow/lend
    • Aave — 21.6% of NAV, leveraged USDe positions (blue-chip)
    • Kamino — 19.3% of NAV, Solana lending protocol (rebranded from Hubble Protocol, launched 2022)
    • Morpho — 15.0% of NAV, vault liquidity provision (established)
    • Pendle — 14.7% of NAV, yield token farming (established)
    • Hyperliquid — <0.1% of NAV, basis trading (newer, centralized perps DEX)
  • Stablecoin Dependencies: USDC, USDe (Ethena) — depegging events could impact strategy performance
  • Oracle: NAV reported via custom contract, now with independent verification through the Midas Attestation Engine (Chainlink CRE, LlamaRisk, Canary Protocol, vlayer)
  • MPC wallet platform (Critical): Midas holds distributed backup shares for the Fordefi workspace, allowing them to recover and secure key material in case of counterparty failure. Dual controls are enforced in all recovery procedures, preventing any single point of failure.

Operational Risk

  • Team Transparency: Fully doxxed. Dennis Dinkelmeyer (CEO, ex-Goldman Sachs), Fabrice Grinda (Executive Chairman, co-founded OLX, FJ Labs), Romain Bourgois (CPO, ex-Ondo Finance). Team includes alumni from Goldman Sachs, Anchorage Digital, Capital Group
  • Investors: Framework Ventures (lead), BlockTower, HV Capital, Coinbase Ventures, GSR, Hack VC, Cathay Ledger, 6th Man Ventures, FJ Labs, Lattice Capital. $8.75M seed (March 2024)
  • Documentation Quality: Comprehensive docs at docs.midas.app covering token mechanics, fees, risk management, smart contracts. Base Prospectus publicly available (approved by FMA Liechtenstein, July 17, 2025, valid until July 17, 2026 — succeeding the original July 2024 prospectus). mHYPER Final Terms and KID available
  • Legal Structure: Midas Software GmbH, Pappelallee 78/79, 10437 Berlin, Germany (HRB 254645, LEI 984500BB00BN6D2B7C48). Incorporated June 2023. The issuer is neither licensed nor registered with the Liechtenstein FMA or any other supervisory authority. Midas operates two issuance structures
  • Incident Response: During the Stream Finance incident, Midas/Hyperithm processed $150M+ in redemptions within 48 hours and communicated publicly. Demonstrated operational capability under stress

Monitoring

  1. Oracle/NAV Updates (CRITICAL)
  • Contract: 0x43881B05C3BE68B2d33eb70aDdF9F666C5005f68 (CustomAggregatorFeed)
  • Monitor: AnswerUpdated events, latestRoundData() values
  • Alert: Price decrease >1%, stale price (>10 days without update), unexpected large price jumps
  • Frequency: Hourly
  2. Access Control Changes (CRITICAL)
  3. Contract Upgrades (CRITICAL)
  4. Token Supply & Transfers (RECOMMENDED)
  • Contract: 0x9b5528528656DBC094765E2abB79F293c21191B9 (mHYPER)
  • Monitor: Paused/Unpaused events, large mint/burn events, Blacklisted events
  • Alert: Pause events, mints >$1M, any blacklist changes
  • Frequency: On event
  5. Vault Activity (RECOMMENDED)
  6. External Protocol Health (RECOMMENDED)
  • Monitor Aave, Pendle, Hyperliquid, Morpho, and Ethena (USDe) for incidents that could impact mHYPER's underlying positions
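
The oracle alert rules in item 1, written out as an added example (not code from Midas or the original report). It checks a sequence of feed rounds against the report's thresholds: a price decrease of more than 1%, more than 10 days without an update, and any update that exceeds the documented onchain bounds (0.35% deviation, $0.10 to $1,000). The round data is constructed, and reading the deviation bound as a percentage scaled by 1e8 is an assumption based on the "35000000 in 8-decimal precision" figure.

```python
# Constructed example: evaluate CustomAggregatorFeed-style rounds against the
# alert thresholds and documented bounds from this report.
from dataclasses import dataclass

ONE = 10 ** 8                      # feed answers use 8 decimals
MAX_ANSWER_DEVIATION = 35_000_000  # 0.35% per update (documented onchain bound)
MIN_ANSWER = ONE // 10             # $0.10
MAX_ANSWER = 1_000 * ONE           # $1,000
DROP_ALERT = 1 * ONE               # alert on a decrease of more than 1%
STALE_AFTER = 10 * 24 * 3600       # alert after 10 days without an update


@dataclass(frozen=True)
class Round:
    round_id: int
    answer: int      # price scaled by 1e8
    updated_at: int  # unix seconds


def deviation(prev: int, new: int) -> int:
    """Absolute change in percent, scaled by 1e8 (assumed reading of the bound)."""
    return abs(new - prev) * 100 * ONE // prev


def check_feed(rounds, now):
    """Return a list of (kind, round_id) alerts for the given rounds."""
    alerts = []
    ordered = sorted(rounds, key=lambda r: r.round_id)
    for r in ordered:
        if not MIN_ANSWER <= r.answer <= MAX_ANSWER:
            alerts.append(("OUT_OF_RANGE", r.round_id))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.answer <= 0:
            continue  # already reported as OUT_OF_RANGE; avoid dividing by zero
        dev = deviation(prev.answer, cur.answer)
        if cur.answer < prev.answer and dev > DROP_ALERT:
            alerts.append(("PRICE_DROP", cur.round_id))
        # The feed is documented to reject updates beyond this bound, so seeing
        # one is a cue to check whether the bound or the implementation changed.
        if dev > MAX_ANSWER_DEVIATION:
            alerts.append(("BOUND_EXCEEDED", cur.round_id))
    if ordered and now - ordered[-1].updated_at > STALE_AFTER:
        alerts.append(("STALE", ordered[-1].round_id))
    return alerts


# Constructed sample rounds (not real feed history).
DAY = 24 * 3600
T0 = 1_770_000_000
SAMPLE_ROUNDS = [
    Round(1, 108_500_000, T0),
    Round(2, 108_700_000, T0 + 3 * DAY),
    Round(3, 108_858_000, T0 + 7 * DAY),
    Round(4, 107_000_000, T0 + 10 * DAY),  # about -1.7%: drop and over the bound
    Round(5, 107_600_000, T0 + 14 * DAY),  # about +0.56%: over the bound only
]

if __name__ == "__main__":
    for alert in check_feed(SAMPLE_ROUNDS, T0 + 25 * DAY):
        print(alert)
```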

Reassessment Triggers

  • Time-based: Reassess in 3 months (July 2026)
  • TVL-based: Reassess if mHYPER market cap changes by more than 50%
  • Incident-based: Reassess after any exploit, NAV discrepancy, governance change, contract upgrade, or regulatory action
  • Hyperithm regulatory outcome: Reassess when South Korean regulatory filing matter is resolved
  • Timelock expansion: If Midas extends the 48-hour timelock to cover role changes (not just upgrades)
  • Minting: If Midas removes the option to mint unbacked tokens
  • Audit: If new audit covering current mHYPER contracts is published, reassess
  • Attestation Engine maturity: If the Attestation Engine demonstrates sustained operation and expanded coverage (e.g., real-time attestations, additional verifiers), reassess for potential Provability score improvement

Appendix: Contract Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                     USER INTERACTION LAYER                           │
│                                                                     │
│  ┌───────────────────────────┐    ┌──────────────────────────────┐  │
│  │  DepositVault             │    │  RedemptionVaultWithSwapper   │  │
│  │  (TransparentProxy)       │    │  (TransparentProxy)          │  │
│  │  0x6Be2f558..e98          │    │  0xbA9FD285..024             │  │
│  │                           │    │                              │  │
│  │  User deposits USDC ──────┼───▶│  User redeems mHYPER        │  │
│  │  Vault calls mint()       │    │  Vault calls burn()          │  │
│  │  Has: MINT_OPERATOR_ROLE  │    │  Has: BURN_OPERATOR_ROLE     │  │
│  └─────────────┬─────────────┘    └──────────────┬───────────────┘  │
│                │ mints                           │ burns             │
│                ▼                                 ▼                   │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │  mHYPER Token (TransparentProxy)                             │   │
│  │  0x9b5528528656DBC094765E2abB79F293c21191B9                  │   │
│  │  impl: 0xE4386180dF7285E7D78794148E1B31c9EDfb0689            │   │
│  │                                                              │   │
│  │  mint(to, amount) ── only role check, NO collateral check    │   │
│  │  burn(from, amount) ── can burn from any address             │   │
│  │  pause() / unpause() / blacklist()                           │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                                                                     │
│  ┌──────────────────────────┐    ┌───────────────────────────────┐  │
│  │  CustomAggregatorFeed    │    │  mHYPER DataFeed              │  │
│  │  (Oracle / NAV)          │    │  (TransparentProxy)           │  │
│  │  0x43881B05..f68         │    │  0x92004DCC..dE               │  │
│  │                          │    │                               │  │
│  │  Weekly admin-set price  │    │  Feeds price data to vaults   │  │
│  │  Current: $1.089 (r78)   │    │                               │  │
│  └──────────────────────────┘    └───────────────────────────────┘  │
│                                                                     │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │  MidasLzMintBurnOFTAdapter (LayerZero)                       │   │
│  │  0x148c86390a4ae6f7a02df5903bc0a89e8b4581a0                  │   │
│  │  Cross-chain bridge: has MINT + BURN roles                   │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                     ACCESS CONTROL LAYER                             │
│                                                                     │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │  MidasAccessControl (TransparentProxy)                       │   │
│  │  0x0312A9D1Ff2372DDEdCBB21e4B6389aFc919aC4B                  │   │
│  │                                                              │   │
│  │  All token/vault operations check roles via this contract    │   │
│  │  grantRole() / revokeRole() ── admin can change any role     │   │
│  │  renounceRole() ── DISABLED (always reverts)                 │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                                                                     │
│  ┌──────────────────────────┐    ┌───────────────────────────────┐  │
│  │  ProxyAdmin              │    │  MidasTimelockController      │  │
│  │  0xbf25b58c..AaC         │◀───│  0xE3EEe3e0..852             │  │
│  │                          │    │                               │  │
│  │  Can upgrade all proxy   │    │  48-hour minimum delay        │  │
│  │  implementations         │    │  Proposer/Executor: 1/3 Safe │  │
│  └──────────────────────────┘    └───────────────────────────────┘  │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                     OFF-CHAIN DEPENDENCIES                          │
│                                                                     │
│  ┌──────────────────────────┐    ┌───────────────────────────────┐  │
│  │  Hyperithm               │    │  Fordefi MPC Custody          │  │
│  │  (Strategy Manager)      │    │  (Tri-party quorum)          │  │
│  │                          │    │                               │  │
│  │  Executes strategies:    │    │  Midas + Hyperithm +          │  │
│  │  Aave, Pendle,           │    │  Independent signer           │  │
│  │  Hyperliquid, Morpho     │    │                               │  │
│  │  Reports NAV offchain   │    │  Holds underlying assets      │  │
│  └──────────────────────────┘    └───────────────────────────────┘  │
│                                                                     │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │  Attestation Engine (March 2026)                             │   │
│  │  LlamaRisk + Canary Protocol verify → vlayer notarizes       │   │
│  │  → Chainlink CRE publishes hashes onchain                   │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│                        GOVERNANCE                                   │
│                                                                     │
│  DEFAULT_ADMIN_ROLE (3 holders, can grant/revoke ANY role):         │
│  ├─ 0xd4195cf4df289a4748c1a7b6ddbe770e27ba1227 (Fordefi MPC?)      │
│  ├─ 0x875c06a295c41c27840b9c9dfda7f3d819d8bc6a (Fireblocks MPC?)   │
│  └─ 1/3 Gnosis Safe 0xB60842E9DaBCd1C52e354ac30E82a97661cB7E89    │
│     ├─ EOA 0x8003544D32eE074aA8A1fb72129Fa8Ef7fe02E5f (Fordefi?)  │
│     ├─ 3/7 Safe 0x82B30194bEae06D991Bc71850F949ec8cB7E0CB7        │
│     └─ EOA 0xC50BD8430545C80a681C7cb33E6560fB0Bd86880 (Fireblocks?)│
│                                                                     │
│  Mint/Burn Operator EOA (holds BOTH roles):                         │
│  └─ 0x5683de280d0c3967fba2f04d707fa1ef5a044e25                     │
│                                                                     │
│  Oracle Updater EOA (sets NAV price, no timelock):                  │
│  └─ 0xd1e01471f3e1002d4eec1b39b7dbd7aff952a99f                     │
│                                                                     │
│  ⚠ Role changes bypass timelock (only upgrades go through 48h)     │
│  ⚠ mint() has no onchain collateral check                         │
│  ⚠ Any single DEFAULT_ADMIN can grant MINT role → unbacked tokens  │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

Data flow: User deposits USDC → DepositVault mints mHYPER at oracle
price. Funds go to Hyperithm via Fordefi custody for offchain strategy
execution. NAV updated 2x/week by oracle updater EOA. User redeems via
RedemptionVault (instant if liquidity available) or standard queue.

Attestation Engine (SAVE)

The Midas Attestation Engine uses three onchain contracts:

Contract | Address | Role
KeystoneForwarder | 0x0b93082D9b3C7C97fAcd250082899BAcf3af3885 | Chainlink DON router — validates oracle signatures, forwards reports
SaveCreReceiverProxy | 0xC50102b6598924Aa8deB201c757bFb9a3dBdB9b6 | Midas receiver — parses Chainlink report, calls setAttestation()
MidasSaveRegistryWithClaim | 0x2D6e9F608807436DE5D9603B00Abe3FEd1Bc809d | Registry — stores proof metadata. Owner: 0x8003544D32eE074aA8A1fb72129Fa8Ef7fe02E5f

Flow (example tx):

EOA 0xdE7E.. → report() on KeystoneForwarder (validates 4 Chainlink DON signatures)
  → onReport() on SaveCreReceiverProxy
    → setAttestation(proofId, hash) on Registry

What IS stored onchain (verify with cast call 0x2D6e9F608807436DE5D9603B00Abe3FEd1Bc809d):

Function | Returns | Example
proofExists(bytes32) | true/false | true
proofIdToName(bytes32) | proof label | "mhyper-por"
proofIdToLatestAttestation(bytes32) | hash + attestor + timestamp | hash 0x4188041f.., attestor 0xC501.., April 10 15:19 UTC
getClaimsForProofId(bytes32) | claim IDs | 1 claim from provider 0xc024..
getAllVerifications(bytes32) | verification hashes + verifiers | 2 verifications (EOA 0xF16C.. + proxy 0xc82f..)

Proof ID for mHYPER: 0xac9a528065afb4290ab62fb0ee1a9110d48ed834454d2d04ab369b4832bbda7a

What is NOT stored onchain:

  • No actual reserve data (amounts, balances, NAV, wallet addresses)
  • No ABI-exposed IPFS CID or URI getter — a proofIdToUri() call reverts
  • No document content or protocol-level breakdown

Where the actual data lives:

Midas docs state that source artifacts are stored on IPFS, while public weekly PDF reports are available on Google Drive. Each PDF contains total supply per chain, collateral breakdown (strategy + settlement reserve + funds in process), and price. The registry anchors hashes onchain, but users need offchain-disclosed artifacts or links to retrieve and interpret the underlying NAV/reserve data.