Transfer 6,000 ETH and Idle Stablecoins from the Treasury to the Treasury Management Portfolio

Voluntary mechanism-risk memo — Transfer 6,000 ETH + Idle Stablecoins from the Treasury (topic 30691)

Voluntary sample per commitment in topic 30811 post #3. Uncompensated; written to the deliverable spec in that original thread (summary + intent, implementation observations, mechanism-level risk analysis, severity calibration).

Severity rubric

Informational / Low / Medium / High / Critical. Calibrated per realistic impact on DAO funds, execution path, or governance workflow.

1. Summary + intent

The proposal moves 6,000 ETH-equivalent from an L2 Treasury Timelock balance reported on-thread as ~6,017 ETH-equivalent (3,630 native ETH + 2,387 WETH), leaving 17 ETH-equivalent as a nominal residual buffer. It additionally moves ~$150K of idle USDC collected from four concluded initiative wallets (Events, ADPC v2, DAO Grants, Hackathon Continuation). Destination: ATMC-managed AF-controlled addresses. No contract upgrades, no parameter changes on-chain — a multi-asset fund movement with no new on-chain logic. Intent: remove opportunity cost on idle capital and bring ETH/ETH-correlated IPS allocation mid-band (39.7% → ~47% against the 30–60% target).

2. Implementation observations

  • Destination addresses (confirmed in post #20 by Arbitrum, 2026-04-21):
    • ETH: 0x5CE3…aBe. Prior receiver from topic 29983 (8,500 ETH).
    • Stablecoins: 0xAc20…739. Designated AF stablecoin-strategies safe since topic 29619; referenced in Treasury Management v1.2 (topic 26967).
  • Destination control plane (verified at review time, 2026-04-22 21:40 PT):
    • 0x5CE3…aBe is an EOA (no contract code), currently holding ~5,362 ETH. Not a Safe; no on-chain multisig threshold. AF may operate this behind institutional custody or off-chain MPC that provides operational controls not visible on-chain, but the memo does not verify that.
    • 0xAc20…739 is a Gnosis Safe v1.3.0+L2 with 3-of-5 threshold, no guard, no modules, nonce 80.
  • Payload legs (described in OP; exact executable calldata was not published in the OP and is not decoded here): 3 asset legs — native ETH, WETH, and USDC. The OP does not explicitly state (a) whether WETH is unwrapped to native ETH before transfer or forwarded as ERC20, (b) whether the USDC is native USDC on Arbitrum (0xaf88…5831) or bridged USDC.e (0xFF97…CC8). See F4.
  • Execution path: governance-authorised transfer from the L2 Treasury Timelock (0xbfc1…ef58) to the AF-controlled destinations; no custom logic deployed by this proposal.
  • Post-transfer idle buffer: ~17 ETH in the Timelock (vs the original 5,000-ETH version which preserved a ~1,000 ETH buffer; buffer was revised downward in response to krst’s question in post #3 and Entropy’s response in post #5).

3. Mechanism-level risks

F1 — ETH destination is an EOA, not a Safe. Severity: Low.
0x5CE3…aBe already holds ~5,362 ETH and is set to receive another 6,000 ETH-equivalent. This is a single-address EOA on-chain surface for a ~$25M-scale balance (post-transfer, at an assumed $2,200/ETH), versus the 3-of-5 Safe used for the stablecoin leg. AF may operate this behind institutional custody or MPC — the memo does not verify that — but the divergence in on-chain auditability between the two destination types is visible, and this proposal grows the surface area. Not introduced here (inherited from topic 29983) so non-blocking, but worth flagging as the ETH tranche grows. Suggested follow-up: migrate the ETH destination to a Safe matching the stablecoin leg’s structure (3-of-5, with a guard constraining outgoing calls to approved ATMC strategy contracts) — aligns the on-chain enforcement surface with what already exists on the stables side.

F2 — Late on-thread disclosure of destination addresses. Severity: Low.
Destination addresses were confirmed in post #20 (2026-04-21) — after Snapshot and after the on-chain vote window opened. Delegates voting on Snapshot without the addresses in the proposal body are trusting a placeholder. Even when addresses are prior-use and benign (as here), executable treasury proposals should include destination addresses + per-asset amounts in the initial OP (and in the Snapshot / Tally text) rather than in a late follow-up post. This is a governance-layer process finding, not a contract bug. Recommendation: add receiving addresses + the executable calldata hash to the OP template for all transfers-to-TMP class proposals.

F3 — Idle-buffer elimination / operational recall delay. Severity: Low.
The revised 6,000 ETH leg leaves ~17 ETH in the L2 Treasury Timelock (vs the ~1,000 ETH buffer in the original 5,000-ETH version). Any non-ATMC-covered DAO action requiring native ETH — an unanticipated grant, a bridge emergency, a counterparty shortfall — now has a recall-latency dependency on ATMC strategies (syrupUSDC tranching, GMX GLV unwinds, lending-market utilisation). This is an acknowledged choice (Entropy post #5, “not opposed to drawing the treasury funds down”) rather than an oversight, but the operational cost is worth naming.

F4 — OP-level specification gap on WETH handling + USDC token contract. Severity: Low.
The OP describes the ETH leg as 3,630 ETH + 2,387 WETH but does not state whether the executable unwraps WETH → native ETH or forwards WETH as an ERC20 to 0x5CE3…aBe. The USDC leg (~$150K) is referenced as “USDC” without distinguishing native Arbitrum USDC (0xaf88d065e77c8cC2239327C5EDb3A432268e5831) from bridged USDC.e (0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8). Treasury-sweep mis-selections of the wrong token standard are a known operational failure mode across DeFi treasuries. The finding here is about proposal-text specification quality, not about the executable itself — the right place to close this gap is the OP / Snapshot / Tally text. Recommendation: future transfers-to-TMP proposals name the token contract explicitly for each ERC20 leg and specify WETH unwrap behaviour.

F5 — IPS point-in-time sensitivity + upside-drift rebalance asymmetry. Severity: Low.
The 39.7% → ~47% IPS math is computed from a portfolio snapshot at drafting. By execution, if ETH has rallied materially against the rest of the basket, the post-transfer weight could already be above mid-band. More importantly, IPS rebalancing on the upside (ETH rally past 60%) mechanically means selling ETH into strength — potentially at odds with the proposal’s current narrative emphasis on yield generation. The OP does not pre-specify upside-breach handling (which manager executes, over what window, to which destination). Recommendation: AF or the OAT should re-compute IPS weights at execution and defer transfer tranches if already >55%; ATMC monthly reports should surface an explicit “IPS headroom” metric.

F6 — Managed-AUM discretion as the principal control surface. Severity: Informational.
The proposal adds ~$25M-scale ETH and $150K stablecoins to ATMC-managed AUM without introducing new per-strategy caps, counterparty concentration limits, or reporting cadence. Consistent with prior practice and the ATMC mandate; flagged by Manugotsuka (post #17) and OliverBuilds (post #19) from governance angles. Mechanism-layer read: variance of outcomes scales with AUM, but the on-chain enforcement surface doesn’t. Not actionable in this proposal; a natural follow-up for a future ATMC-mandate amendment.

F7 — Stablecoin underperformance already self-disclosed, mitigation in flight. Severity: Informational.
ATMC stablecoin 30D MA (2.96%) trails 3M Treasury (~3.69%), flagged by mihal (post #14) and maxlomu (post #13). Entropy post #16 confirms the Morpho Gauntlet USDC Prime → syrupUSDC + USDai reallocation with a projected blended yield ~4%. No additional action recommended.

4. Overall grade: Low

Five Low findings (F1–F5) and two Informational (F6, F7). No Medium/High/Critical. The executable payload is a multi-asset transfer with no new on-chain logic; the security surface is dominated by destination-custody hygiene (F1) and process discipline (F2, F4), not by contract or protocol risk. A Safe migration for the ETH destination and an OP-template change for addresses/calldata disclosure would resolve most of the mechanism-layer signal here; neither need block this specific transfer.

— kaelrune0. Sanitized portfolio: https://rentry.co/kaelrune0-portfolio. Service offer + context on topic 30811.
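
The check that F2 and F4 ask for can be run mechanically once the executable calldata is published. The following is an added example, not part of the memo and not the proposal's payload: it classifies each action as a native ETH send, an ERC20 transfer, or a WETH unwrap, and flags legs that diverge from the proposal text. The two USDC addresses are the ones quoted in F4; the WETH and destination addresses are placeholders, and the sample actions are constructed from the amounts the memo quotes.

```python
# Added example: classify proposal legs so the F4 ambiguities surface in review.
NATIVE_USDC = "0xaf88d065e77c8cC2239327C5EDb3A432268e5831"     # quoted in F4
BRIDGED_USDC_E = "0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8"  # quoted in F4
WETH = "0x" + "11" * 20  # placeholder, not the real WETH contract
DEST = "0x" + "22" * 20  # placeholder, not an address from the thread
TOKENS = {NATIVE_USDC.lower(): "native USDC",
          BRIDGED_USDC_E.lower(): "bridged USDC.e",
          WETH.lower(): "WETH"}
ERC20_TRANSFER = "a9059cbb"  # selector of transfer(address,uint256)
WETH_WITHDRAW = "2e1a7d4d"   # selector of withdraw(uint256)


def encode_transfer(to, amount):
    """ABI-encode transfer(to, amount) as a hex string."""
    return "0x" + ERC20_TRANSFER + to[2:].lower().rjust(64, "0") + format(amount, "064x")


def classify_leg(target, value_wei, calldata):
    """Describe one (target, value, calldata) action of a proposal."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if not data:  # empty calldata: plain native ETH send
        return {"kind": "native-eth", "to": target.lower(), "amount": value_wei}
    selector, args = data[:8], data[8:]
    token = TOKENS.get(target.lower(), "unknown token")
    if selector == ERC20_TRANSFER and len(args) == 128:
        return {"kind": "erc20-transfer", "token": token,
                "to": "0x" + args[24:64], "amount": int(args[64:], 16)}
    if selector == WETH_WITHDRAW and len(args) == 64:
        return {"kind": "weth-unwrap", "token": token, "amount": int(args, 16)}
    return {"kind": "unrecognised", "selector": selector}


def review(actions, stated_usdc="native USDC"):
    """List the points a reviewer should raise against the proposal text."""
    notes = []
    for i, action in enumerate(actions):
        leg = classify_leg(*action)
        if leg["kind"] == "unrecognised" or leg.get("token") == "unknown token":
            notes.append(f"leg {i}: cannot identify call or token contract")
        elif leg["kind"] == "erc20-transfer" and leg["token"] == "WETH":
            notes.append(f"leg {i}: WETH forwarded as ERC20, not unwrapped")
        elif leg["kind"] == "erc20-transfer" and leg["token"] != stated_usdc:
            notes.append(f"leg {i}: {leg['token']} sent, text says {stated_usdc}")
    return notes


# Constructed sample using the amounts the memo quotes (not the real payload).
SAMPLE = [(DEST, 3630 * 10**18, "0x"),
          (WETH, 0, encode_transfer(DEST, 2387 * 10**18)),
          (BRIDGED_USDC_E, 0, encode_transfer(DEST, 150_000 * 10**6))]
```

Calling `review(SAMPLE)` returns one note per leg that the proposal text would need to disambiguate; the recipient decoded from each ERC20 leg can then be compared against the address stated in the OP.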