Superstate USCC

Contract Addresses

All addresses verified onchain May 31, 2026.

Contract	Address
USCC Token (Proxy)	0x14d60E7FDC0D71d8611742720E4C50E7a974020c
USCC Implementation (SuperstateTokenV5, VERSION "5")	0x9b7282Cb80baA4B1F8F6436f8D531B436BaE2A70
USCC ProxyAdmin	0x2Bb7B8B4dF7fD96baF7CB9a2Ce9e292eCd5BAF3D
AllowList V3.1 (Proxy, shared with USTB)	0x02f1fA8B196d21c7b733EB2700B825611d8A38E5
Chainlink USCC NAV Oracle (OffchainAggregator wrapper)	0xAfFd8F5578E8590665de561bdE9E7BAdb99300d9
Chainlink USCC Aggregator (OCR-style)	0x5C00518D3d423EC59D553Af123Be8a63B11078CF
Aggregator owner (Chainlink-controlled)	0x21f73D42Eb58Ba49dDB685dc29D3bF5c0f0373CA

Owner Addresses

Verified onchain May 31, 2026. All Superstate-controlled admin keys are EOAs (code size 0):

Role	Address
USCC Token Owner + USCC ProxyAdmin Owner (same EOA)	0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1
AllowList Owner (shared with USTB)	0x7747940aDBc7191f877a9B90596E0DA4f8deb2Fe
Chainlink USCC NAV Aggregator Owner (Chainlink, not Superstate)	0x21f73D42Eb58Ba49dDB685dc29D3bF5c0f0373CA

Note that the prior USCC owner was 0x8c7db8a96d39f76d9f456db23d591c2fdd0e2f8a; ownership was transferred on Oct 31, 2024 (tx 0xd2d1c711…) via the Ownable2StepUpgradeable flow.

Audits and Due Diligence Disclosures

USCC reuses the same SuperstateTokenV5 implementation family as USTB and the same shared AllowList V3.1 contract, so the audit surface overlaps substantially. Per the Superstate Security page (as exposed via llms-full.txt), Superstate has commissioned 11 numbered 0xMacro audits, plus a ChainSecurity audit and Offside Labs Solana audit. Certora formal verification is referenced in the broader Security overview, but USCC-specific findings are not enumerated separately.

Audit History

#	Firm	Approx. Date	Scope	Notes
A-1..9	0xMacro	Jul 2024 – Jul 2025	Token + Redemption + AllowList across V1→V3.1 — see USTB report for individual findings	Findings fixed; 2H/4M/7M cumulative
A-10	0xMacro	TODO (post-Jul 2025)	TODO — fetch from 0xmacro.com/library/audits/superstate-10	Audit page lists this exists; full PDF not loaded
A-11	0xMacro	TODO (post-Jul 2025)	TODO — fetch from 0xmacro.com/library/audits/superstate-11	Audit page lists this exists; full PDF not loaded
--	ChainSecurity	2023	Compound SUPTB (original USTB token)	2 Critical, fixed pre-launch
--	Offside Labs	May 2025	Solana AllowList	Separate program
--	Certora	—	Formal verification	Referenced but no public report URL

Smart Contract Complexity: Moderate. Standard upgradeable EIP-1967 transparent proxy (legacy storage slot pattern: implementation accessible via ProxyAdmin.getProxyImplementation, not the canonical EIP-1967 slot). ERC-20 with AllowList-gated transfers, Ownable2StepUpgradeable access, cross-chain bridging via burn-and-mint to Solana (Token-2022) and Plume.

A key observation onchain: USCC has a strict subset of the V5 token's capabilities enabled:

• superstateOracle() = 0x0 — no Superstate Continuous Price Oracle attached
• redemptionContract() = 0x0 — no RedemptionIdle / atomic onchain redemption
• supportedStablecoins(USDC) = 0x0 — no onchain stablecoin subscribe config
• supportedChainIds(1) = false … bridging destinations all return false via the uint256 getter — TODO: verify how the active bridge destinations are configured (Solana mainnet ID, Plume ID); we observed a Solana Bridge event in production (block 22934217), so the path is live but the read path here may use a different signature than what was probed
• subscribe() reverts with OnchainSubscriptionsDisabled() (selector 0xdbf0cc51)

So all USCC mint operations are admin-driven (mint/bulkMint by the owner EOA) and the only onchain user actions are transfer (AllowList-gated), offchainRedeem (burn, settled offchain T+1), and bridge to Solana/Plume.

Bug Bounty

• Platform: Self-hosted (security@superstate.co)
• Formal Rewards: None — "Superstate does not have a formal reward policy"
• Safe Harbor: CFAA and DMCA safe harbor language for good-faith researchers
• Note: Same weakness as USTB. Not on the SEAL Safe Harbor registry.

Historical Track Record

• Fund Launch: July 15, 2024 onchain (first mint at block 20312293, Unix ts 1721051099). DeFiLlama first records Sep 9, 2024 at ~$15.7M TVL. ~22 months in production as of May 2026.
• Contract Upgrades: Token implementation reports VERSION "5". Earlier USCC versions (V1→V4) were upgraded through the same ProxyAdmin path used by USTB. Each version was audited prior to deployment.
• Smart Contract Exploits: None reported.
• Ownership Changes: USCC token ownership was transferred Oct 31, 2024 from 0x8c7db8a9… to 0x8abC89D9… via the two-step Ownable flow (Etherscan tx).
• TVL History (Ethereum, DeFiLlama):
  • Sep 2024 (first record): ~$15.7M
  • Oct 2024: ~$27M
  • May 2026: ~$145.66M onchain
• NAV History: NAV launched near $10.00, sits at $11.604523 in May 2026 (Chainlink USCC feed). Unlike USTB, NAV is not monotonic — the protocol's own docs warn that "daily NAV reflects mark-to-market gains and losses, including unrealized valuation changes" and that basis expansion can produce temporary NAV declines. TODO: enumerate any specific NAV-drawdown episodes; historical per-day NAV data is not available on the public Chainlink feed without scraping NewTransmission logs from aggregator 0x5C00518D3d….
• Holder Distribution: 55 onchain holders as of May 2026 (RWA.xyz). TODO: top-10 holder concentration not available without Etherscan Pro / Dune query.
• Incidents: None publicly reported.

Funds Management

Yield Sources

1. Bitcoin basis (cash-and-carry): Long spot BTC at Anchorage Digital, short BTC futures at a CFTC-permitted Trading Venue. Captures premium of futures over spot.
2. Ether basis (cash-and-carry, optionally with staking): Long spot ETH (potentially staked, capturing staking yield), short ETH futures at a CFTC-permitted Trading Venue.
3. U.S. Treasury Bills: Idle cash and futures-margin reserves earn short-dated Treasury yield (federal-funds-rate-like).

The fund "will trade only those digital assets for which the CFTC has permitted exchange-listed futures contracts" (per Steakhouse overview). The specific futures exchanges (CME-only? CME + offshore? Coinbase Derivatives?) are not disclosed publicly — TODO: confirm via offering documents; we could not extract this from the public docs at docs.superstate.com/llms-full.txt. Similarly, the ETH staking provider is not disclosed publicly — TODO.

Accessibility

• KYC Required: Yes — Qualified Purchaser ($5M+ individuals, $25M+ institutions) AND Accredited Investor status. 29 supported jurisdictions including U.S., Cayman, BVI, Bermuda, UK, Canada, Singapore, UAE, etc.
• Minimum Investment: $100,000.
• Subscriptions (Minting):
  • Onchain atomic via subscribe(): DISABLED — verified onchain. Calling subscribe(...) reverts with OnchainSubscriptionsDisabled() (selector 0xdbf0cc51). supportedStablecoins(USDC) returns the zero address with zero fee. Subscriptions are processed offchain only (T+1).
  • Offchain: USD wire or USDC transfer. T+1 if received before 5pm ET on a Market Day; T+2 otherwise.
  • Per docs: "There is no minimum redemption amount" but a $100K minimum applies to subscriptions unless waived.
• Redemptions (Burning):
  • Onchain atomic: NOT AVAILABLE — redemptionContract() returns 0x0 onchain. There is no RedemptionIdle contract for USCC.
  • Offchain: Send tokens to a redemption address or call offchainRedeem(uint256) which burns USCC. Proceeds paid as USD wire or USDC on Ethereum/Solana. T+1 if request received before 5pm ET on a Market Day; T+2 otherwise.
  • No redemption fees per docs (investor pays gas).
• Geographic Restrictions: 29 jurisdictions per docs. Not available to sanctioned countries.
• Management Fee: 0.75% annually (waived until AUM exceeds $50M — now exceeded).

Token Mint Authority

Mint mechanism: Ownable — a single owner EOA controls minting.

Mint requires backing: No — mint(address,uint256) and bulkMint(address[],uint256[]) are gated by onlyOwner and do not check or pull collateral onchain. Backing exists offchain at Anchorage Digital / Trading Venues and is asserted by the operator. The onchain mint is a unilateral admin action.

Per-address mint authority (verified onchain May 31, 2026, USCC token 0x14d60E7FDC0D71d8611742720E4C50E7a974020c):

Address	Can Mint	Can Burn	Role / Mechanism	Notes
0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1	✓	✓ (adminBurn)	owner() of USCC token (Ownable)	EOA (code size 0, nonce 579). Same EOA is owner() of USCC ProxyAdmin, so it can also upgrade() the implementation to a malicious one and effectively grant mint power to anyone.
(no other onchain minters)	—	—	—	The V5 token contract has no AccessControl / MINTER_ROLE; hasRole(...) reverts.

Rate limits / supply caps: None onchain. There is no maxMintPerBlock, no global supply cap, no per-minter quota.

Backing check at mint time: None onchain. Backing is settled offchain; minted USCC is asserted to be 100% backed by the offchain portfolio (Anchorage cash + crypto + futures collateral + T-Bills) but this is not enforced or verified by any onchain mechanism.

Collateralization

• Backing Model: Hybrid offchain — USCC tokens represent shares in a fund holding:
  • Spot BTC/ETH at Anchorage Digital Bank N.A. (OCC-regulated digital-asset custodian)
  • Short futures positions and posted margin at Trading Venues (CFTC-permitted futures exchanges; specific exchanges not publicly disclosed — TODO)
  • U.S. Treasury Bills (idle cash and reserves)
• Collateral Quality:
  • T-Bills are the safest asset class globally
  • Spot BTC/ETH custody at Anchorage carries crypto custody risk (key management, slashing if ETH is staked, custodian operational risk)
  • Futures-leg margin posted at trading venues is the dominant counterparty risk — if a futures exchange becomes insolvent (FTX-style), the margin and any unrealized P&L on that venue is at risk. CFTC-regulated futures clearinghouses (CME-style) significantly reduce this risk vs offshore venues, but Superstate has not publicly committed to CME-only execution.
• Sub-Advisor:
  • Current (as of May 31, 2026): Superstate Inc. (self-managed)
  • Effective June 1, 2026: Bitwise Investment Manager, LLC (per superstate.com/assets/uscc)
  • TODO: confirm the sub-advisor change has cleared regulatory approval; the website date is reported as June 1, 2026
• Bankruptcy Remoteness: Fund is a series within Superstate Asset Trust (Delaware Statutory Trust) with inter-series liability protection — bankruptcy-remote from Superstate Inc.
• Verification: Ernst & Young annual audit. NAV Fund Services for independent NAV calculation. Daily NAV is mark-to-market, so unrealized losses on the futures leg do flow into the share price.

Provability

• NAV/Price Updates: Chainlink USCC NAV feed 0xAfFd8F5578E8590665de561bdE9E7BAdb99300d9 — an OCR (off-chain reporting) aggregator wrapper around 0x5C00518D3d…. 16 Chainlink-operated transmitters reach consensus on the daily NAV from Superstate. The aggregator owner is 0x21f73D42…, a Chainlink-controlled contract (not Superstate). This is the only onchain NAV source for USCC — unlike USTB, USCC has no Superstate Continuous Price Oracle, so there is no linear-interpolation extrapolation between checkpoints; the price is the most recent OCR transmission only.
• No Chainlink Proof-of-Reserves onchain: A Chronicle Labs PoR dashboard is referenced by Superstate but we were unable to load it during this assessment (HTTP 429); TODO confirm the live PoR feed exists and what its update cadence is.
• Offchain Assets: Treasury, BTC, ETH, and futures positions are all held offchain. Token holders cannot independently verify positions onchain. Independent verification layers:
  • NAV Fund Services (independent NAV agent)
  • Ernst & Young (annual audit)
  • Anchorage Digital (regulated digital-asset custody)
  • SEC regulatory framework (Reg D / Section 3(c)(7))
• Reserve Transparency: Superstate publishes headline NAV/AUM/yield on superstate.com/assets/uscc. Granular holdings (spot BTC quantity, futures positions, exchange venues, margin balances, T-Bill CUSIPs) are not publicly disclosed — they are accessible only through the authenticated investor portal.
• NAV Mark-to-Market Risk: Because the futures leg is mark-to-market daily, the share price reflects unrealized basis-trade P&L in real time. The protocol explicitly warns of "unrealized losses" during basis expansion. This is fundamentally different from USTB whose underlying T-Bills have a much smoother mark-to-market profile.

Liquidity Risk

• Primary Exit: Offchain redemption only — burn USCC via offchainRedeem(uint256) or send to a redemption address, then receive USDC/USD T+1 (before 5pm ET on Market Days) or T+2 (after 5pm or weekends/holidays).
• No Onchain Atomic Redemption: Verified onchain: redemptionContract() = 0x0. There is no USDC-backed RedemptionIdle contract like USTB has — USCC has zero instant onchain exit capacity at any size.
• No DEX Liquidity: $0 DEX volume by design. AllowList-gated transfers prevent secondary markets.
• Transfer Restrictions: All transfers require both sender and receiver to be on the AllowList (the same shared V3.1 contract as USTB). Removing an address from the AllowList freezes their tokens.
• DeFi Integrations: Smaller than USTB. Steakhouse Financial publicly evaluated USCC for inclusion in Morpho vaults; integration status / final decision is TODO. We could not identify large Aave / Spark / M^0 integrations for USCC equivalent to those listed for USTB.
• Stress Scenario: In a basis-blowup scenario (futures premium collapse, exchange counterparty event, slashing of staked ETH, or simultaneous redemption surge), the fund's liquidity depends on (a) unwinding futures positions at potentially worse-than-market prices, (b) Anchorage's ability to deliver spot, and (c) the futures venues' ability to honor margin. T-Bills are highly liquid; spot BTC/ETH are highly liquid; futures positions are liquid in normal markets but can become illiquid during stress (basis spreads can widen materially before they converge). The mark-to-market NAV will reflect this stress in real time, potentially producing meaningful unrealized losses for holders who do not exit before the basis converges.

AllowList Freeze Risk (Critical for DeFi Integrations)

Identical to USTB: if an address is removed from the shared AllowList, USCC tokens at that address are completely frozen with zero exit paths:

1. transfer / transferFrom revert (AllowList checks both sender and receiver)
2. offchainRedeem reverts (requires AllowList status)
3. bridge reverts (requires AllowList)
4. No DEX fallback ($0 liquidity + AllowList-gated DEX contracts would need permission too)

The only recovery is to be re-whitelisted by Superstate or have Superstate adminBurn and process an offchain payment manually.

Implication for Yearn: Yearn's vault/strategy contract must hold an active AllowList permission. If Superstate revokes it (regulatory action, dispute, sanctions, operational error), Yearn's entire USCC position becomes frozen and unredeemable. The risk profile here matches USTB.

Centralization & Control Risks

Governance

Governance Model: Fully centralized — Superstate Inc. controls all administrative functions. No onchain governance, no DAO, no community voting.

Key Privileged Roles (verified onchain, May 31, 2026):

Role	Address	Type	Powers
USCC Token Owner + USCC ProxyAdmin Owner	0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1	EOA	mint, bulkMint, adminBurn, pause/unpause, accountingPause/accountingUnpause, setOracle, setRedemptionContract, setStablecoinConfig, setChainIdSupport, setMaximumOracleDelay, and upgrade()/upgradeAndCall() of the USCC implementation via ProxyAdmin. This single EOA controls both the token and its proxy admin, matching the USTB token/ProxyAdmin ownership pattern rather than improving on it.
AllowList Owner (shared with USTB)	0x7747940aDBc7191f877a9B90596E0DA4f8deb2Fe	EOA	setEntityIdForAddress, setProtocolAddressPermission, etc. Can also upgrade AllowList via its ProxyAdmin.
Chainlink USCC NAV Aggregator Owner	0x21f73D42Eb58Ba49dDB685dc29D3bF5c0f0373CA	Chainlink contract	Chainlink-side governance over the OCR feed; not Superstate-controlled.

Critical centralization concerns specific to USCC (in addition to USTB-style risks):

1. Single EOA controls both token and ProxyAdmin. This matches USTB's token/ProxyAdmin concentration (0xad309b… owns both on USTB). A compromise of 0x8abC89D9… lets the attacker mint unlimited USCC AND upgrade the implementation to embed any logic. There is no multisig and no timelock.
2. No timelock on any operation — proxy upgrades, parameter changes, and mint/burn execute immediately.
3. Unlimited admin mint with no onchain backing check — the owner can call mint(any_addr, any_amount) without depositing collateral. The backing-vs-supply relationship is enforced offchain only.
4. adminBurn confiscation — the owner can burn tokens from any holder. Documented as a regulatory-compliance tool.
5. NAV oracle is admin-set — although the Chainlink aggregator is Chainlink-controlled (16 OCR nodes), the NAV value itself is reported by Superstate to the OCR network. A malicious or compromised Superstate reporter could push an incorrect NAV — onchain there is no validation against the actual portfolio.
6. AllowList control (shared with USTB) — can freeze any holder; can revoke whitelisted DeFi protocol addresses unilaterally.

Mitigations (same shape as USTB):

• Turnkey secure enclaves for admin keys
• Ownable2StepUpgradeable two-step transfer
• renounceOwnership disabled
• Regulatory accountability: Superstate Inc. is a U.S. corporation under SEC exemptions, SEC-registered transfer agent (Superstate Services LLC), Reg D / 3(c)(7) framework

Programmability

• NAV pricing: Chainlink OCR feed only. Updated as the Chainlink network transmits new rounds (cadence depends on heartbeat / deviation thresholds — TODO verify exact heartbeat for this feed). No SuperstateOracle with linear interpolation as USTB has — between transmissions, the onchain price is simply stale.
• Subscriptions: Admin-driven (mint/bulkMint only). Onchain user subscribe() is explicitly disabled (OnchainSubscriptionsDisabled()).
• Redemptions: User-initiated burn (offchainRedeem) is onchain and programmatic, but settlement is offchain (T+1/T+2). No atomic onchain payout.
• Transfers: AllowList enforcement on every transfer (onchain and programmatic).
• Bridging: Burn-and-mint to Solana (Token-2022) and Plume via bridge() — programmatic per chain, but only enabled chain IDs are mintable destinations.

USCC is materially less programmatic than USTB: no atomic onchain subscribe, no atomic onchain redeem.

External Dependencies

1. Anchorage Digital Bank N.A. (Critical) — qualified custodian for spot crypto and cash. OCC-regulated. Operational failure or custodial breach is direct loss to fund holders.
2. Futures Trading Venues (Critical, identity not disclosed) — counterparties for short futures legs and margin. TODO: identify exchanges. FTX-style insolvency at a venue is direct loss.
3. Bitwise Investment Manager (Critical, effective June 1, 2026) — incoming sub-advisor. Daily portfolio management for the basis trades. Operational track record at Bitwise is strong (institutional crypto asset manager) but the transition itself introduces handoff risk.
4. U.S. Treasury Market (Critical) — for T-Bill reserves, same as USTB.
5. Chainlink (Medium-High) — sole onchain NAV oracle. No fallback Superstate-run oracle, unlike USTB.
6. Circle (Medium) — USDC redemption rail.
7. Ernst & Young (Low) — annual audit.
8. NAV Fund Services (Low) — independent NAV calculator.
9. Turnkey (Medium) — admin key custody (same as USTB).
10. Ethereum staking infrastructure (Medium, provider not disclosed) — if any ETH leg is staked, slashing risk applies. TODO: provider identity.

Operational Risk

• Team: Same as USTB. Robert Leshner (CEO, Compound Finance co-founder), Reid Cuming (COO), Jim Hiltner (BD), Dean Swennumson (Ops). ~23 employees per public reporting.
• Funding: $100.5M total raised; Series B of $82.5M closed January 2026 (Bain Capital Crypto, Distributed Global, Brevan Howard Digital, Galaxy Digital, Haun Ventures).
• Documentation: Generally comprehensive, but USCC-specific operational documentation (futures venues, leverage, ETH staking provider, counterparty risk policy) is noticeably thinner than USTB documentation. The fund Offering Documents (private) presumably cover this; the public docs do not.
• Legal Structure:
  • Superstate Inc. (Delaware corporation) — investment adviser
  • Superstate Asset Trust (Delaware Statutory Trust) — series-based, bankruptcy-remote
  • Superstate Advisers LLC — Exempt Reporting Adviser (SEC)
  • Superstate Services LLC — SEC-registered transfer agent
  • Reg D 506(c) / Section 3(c)(7) — Qualified Purchasers and Accredited Investors
• Sub-Advisor Transition: Superstate Inc. → Bitwise Investment Manager LLC effective June 1, 2026 — a material operational change ~1 month after this assessment. Reassessment warranted post-transition.
• Incident Response: Same Turnkey TEE key management as USTB. No publicly documented USCC-specific incident playbook (e.g., what happens if a futures venue fails).
• License: BUSL 1.1.

Monitoring

Key Contracts to Monitor

Contract	Address	Purpose	Key Events / Functions
USCC Token	0x14d60E7FDC0D71d8611742720E4C50E7a974020c	Token state	Mint, AdminBurn, OffchainRedeem, Bridge, BridgeToBookEntry, Paused/Unpaused, AccountingPaused/AccountingUnpaused, SetOracle, SetRedemptionContract, SetStablecoinConfig, SetChainIdSupport, OwnershipTransferStarted, totalSupply()
USCC ProxyAdmin	0x2Bb7B8B4dF7fD96baF7CB9a2Ce9e292eCd5BAF3D	USCC proxy upgrades	Upgraded event on the USCC proxy; OwnershipTransferred on the ProxyAdmin
AllowList V3.1 (shared)	0x02f1fA8B196d21c7b733EB2700B825611d8A38E5	Permission changes	EntityIdSet, ProtocolAddressPermissionSet, PrivateInstrumentPermissionSet
Chainlink USCC NAV Oracle wrapper	0xAfFd8F5578E8590665de561bdE9E7BAdb99300d9	NAV reporting	AnswerUpdated, latestRoundData()
Chainlink USCC Aggregator	0x5C00518D3d423EC59D553Af123Be8a63B11078CF	OCR transmission	NewTransmission, ConfigSet

Admin EOAs to Monitor

EOA	Role	Key Actions
0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1	USCC Token + ProxyAdmin Owner	mint, adminBurn, pause, upgrade() USCC impl
0x7747940aDBc7191f877a9B90596E0DA4f8deb2Fe	AllowList Owner (shared with USTB)	Add/remove addresses; revoke protocol permissions

Critical Monitoring Points

• NAV/Share: Read the Chainlink USCC feed every transmission. Unlike USTB, NAV may decrease during basis stress — alert on day-over-day declines >2% to investigate whether it reflects market mark-to-market or an attestation issue.
• Admin Burns: Monitor AdminBurn events — forced burns from holder addresses are critical.
• Pause Events: Monitor Paused/Unpaused and AccountingPaused/AccountingUnpaused on USCC token.
• Contract Upgrades: Monitor USCC ProxyAdmin 0x2Bb7B8B4dF7fD96baF7CB9a2Ce9e292eCd5BAF3D for Upgraded events. No timelock — upgrades are instant.
• AllowList Changes: Monitor ProtocolAddressPermissionSet events on the shared AllowList for revocation of any contract holding USCC.
• Ownership Transfers: Monitor OwnershipTransferStarted on USCC token and ProxyAdmin.
• Large Supply Changes: Alert on mints/burns >5% of total supply in 24h. Current supply: ~12.55M USCC.
• Offchain Disclosures: Track Superstate Q&A / website AUM figures and Chronicle Labs PoR (if live) — the onchain totalSupply() × Chainlink NAV is only a backing claim if the underlying portfolio is verified independently.
• Sub-Advisor Transition (Jun 1, 2026): Track for any operational disruption around the Superstate → Bitwise handoff.
• Recommended Frequency: Per-transmission for NAV. Hourly for pause/admin events. Daily for AllowList changes.

Appendix: Contract Architecture

Verified onchain May 31, 2026. All Superstate-controlled owners are EOAs (code size 0). No multisig, no timelock on any contract.

GOVERNANCE LAYER
══════════════════════════════════════════════════════════════
  [EOA-USCC]  USCC Token owner + USCC ProxyAdmin owner
              0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1
              (single EOA, code size 0)

  [EOA-AL]    AllowList owner (shared with USTB)
              0x7747940aDBc7191f877a9B90596E0DA4f8deb2Fe

  [CL-OWN]    Chainlink USCC NAV Aggregator owner (Chainlink-controlled)
              0x21f73D42Eb58Ba49dDB685dc29D3bF5c0f0373CA


PROXY ADMIN LAYER
═════════════════
  [PA-USCC]   USCC ProxyAdmin (owned by [EOA-USCC])
              0x2Bb7B8B4dF7fD96baF7CB9a2Ce9e292eCd5BAF3D
              ── upgrade(USCC proxy) → impl 0x9b7282Cb…

  [PA-AL]     AllowList ProxyAdmin (separate; verified for USTB)
              0xb819692a58db9dd4d3b403a875439b6ca155c610


TOKEN LAYER
═══════════
  [USCC]   USCC Token (Proxy)
           0x14d60E7FDC0D71d8611742720E4C50E7a974020c
           impl: 0x9b7282Cb80baA4B1F8F6436f8D531B436BaE2A70
           VERSION "5" (SuperstateTokenV5 family)

           Admin (owner [EOA-USCC] only):
           ├── mint() / bulkMint()      ← no onchain backing check
           ├── adminBurn(address, amount)
           ├── pause() / unpause()
           ├── accountingPause() / accountingUnpause()
           ├── setOracle(newOracle)     ← currently 0x0 (no SuperstateOracle)
           ├── setRedemptionContract(newContract)
           │                            ← currently 0x0 (no RedemptionIdle)
           ├── setStablecoinConfig(stablecoin, dest, fee)
           │                            ← USDC currently unset
           ├── setChainIdSupport(chainId, supported)
           └── setMaximumOracleDelay(delay)
                                        ← currently 0

           User functions (AllowList-gated):
           ├── subscribe(...)           ← REVERTS: OnchainSubscriptionsDisabled
           ├── offchainRedeem(amount)   ← burn; settled offchain T+1
           ├── bridge(amount, dest, chainId, ...)
           ├── bridgeToBookEntry(amount)
           └── transfer / transferFrom


PROTOCOL LAYER
══════════════
  [AL] AllowList V3.1 (Proxy)            [CL] Chainlink USCC NAV Feed
       0x02f1fA8B196d21c7b733EB2700B…         0xAfFd8F5578E8590665de561b…
       owner: [EOA-AL]                        wraps aggregator 0x5C00518D…
       (SHARED WITH USTB)                     owner: [CL-OWN] (Chainlink)

       Admin:                                 Mechanics:
       ├ setEntityIdForAddress()              ├ 16 OCR transmitters
       ├ setProtocolAddressPermission()       ├ NAV reported by Superstate
       ├ setEntityAllowedFor...()             └ No interpolation between rounds
       └ transferOwnership()

       Gating: isAllowed() onchain on
       every USCC transfer/burn/bridge


EXTERNAL / UNDERLYING LAYER
════════════════════════════
  Offchain:
  ├── Anchorage Digital Bank N.A. (spot BTC/ETH + cash custody)
  ├── Trading Venues (futures + margin) — identities not disclosed
  ├── Bitwise Investment Manager (sub-advisor, effective Jun 1, 2026)
  ├── Ernst & Young (annual auditor)
  ├── NAV Fund Services (NAV calculation agent)
  └── U.S. Treasury Bills (reserves)

  Cross-chain destinations (via bridge()):
  ├── Solana mainnet: Token-2022 BTRR3sj1Bn2ZjuemgbeQ6SCtf84iXS81CS7UDTSxUCaK
  └── Plume mainnet: 0x4c21b7577c8fe8b0b0669165ee7c8f67fa1454cf

Address Legend:

Label	Address
[EOA-USCC]	0x8abC89D9b56dFD90dA18e8E18CFaC9111100bDd1
[EOA-AL]	0x7747940aDBc7191f877a9B90596E0DA4f8deb2Fe
[CL-OWN]	0x21f73D42Eb58Ba49dDB685dc29D3bF5c0f0373CA
[PA-USCC]	0x2Bb7B8B4dF7fD96baF7CB9a2Ce9e292eCd5BAF3D
[PA-AL]	0xb819692a58db9dd4d3b403a875439b6ca155c610
[USCC] Token (Proxy)	0x14d60E7FDC0D71d8611742720E4C50E7a974020c
USCC Implementation	0x9b7282Cb80baA4B1F8F6436f8D531B436BaE2A70
[AL] AllowList V3.1 (Proxy)	0x02f1fA8B196d21c7b733EB2700B825611d8A38E5
[CL] Chainlink USCC NAV	0xAfFd8F5578E8590665de561bdE9E7BAdb99300d9
Chainlink USCC Aggregator	0x5C00518D3d423EC59D553Af123Be8a63B11078CF

---

Reassessment Triggers

• Time-based: Reassess in 3 months (Aug 2026) — shorter interval than USTB due to (a) the Bitwise sub-advisor transition Jun 1, 2026, (b) basis-trade NAV volatility warrants more frequent review, and (c) onchain-redemption infrastructure could change.
• TVL-based: Reassess if AUM changes by more than 30% (more sensitive than USTB given thinner holder base).
• Incident-based: Reassess after any exploit, admin key compromise, contract upgrade, AllowList policy change, sub-advisor transition issue, or any large NAV drawdown (>5% in a single day).
• Strategy-based: Reassess on any change to futures venues, ETH staking provider, leverage policy, or asset mix (e.g., addition of new basis pairs).
• Governance-based: Reassess if Superstate adopts multisig or timelock for USCC admin controls.