DeFiPunk'd

Tether Gold

RWA

TVL $3.2B
Type RWA
Chains Ethereum, Monad, Plasma, Avalanche, Arbitrum +3
View on DeFiLlama ↗
Control — tentative red Ability to exit — tentative red (4/3 models submitted) Autonomy — red Open Access — tentative red Verifiability — tentative red Control Exit Autonomy Open Access Verifiable
Control criteria
Upgradeability Upgradeable Bug bounty tether.to Governance forum Docs gold.tether.to
About

Tether Gold (XAUt) is a tokenized gold asset: DeFiLlama describes it as ownership of real physical gold, and the Ethereum contract is an ERC-20-like XAUt token. Users transfer XAUt on-chain, while issuance/redemption against gold is issuer-operated; Ethereum is an upgradeable proxy and L2 deployments expose OFT-style cross-chain mint/burn.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

DEFI@home is a distributed audit network modeled on SETI@home: instead of CPU cycles, it crowdsources LLM reasoning. Paste a slice prompt into Claude, ChatGPT, Gemini, or any browsing-capable model, and submit the JSON output as a pull request. The quorum bot merges it once ≥3 independent runs (from different models) reach the same grade — no single model, and no single contributor, can move the needle alone. How it works →

  • Address discovery 10 addresses on file · 1 run Submit run ↗
  • Verifiability ✓ 4/4 models agree AI-only weak red — weak consensus margin Submit run ↗
  • Control ✓ 3/3 models agree AI-only weak red — weak consensus margin Submit run ↗
  • Ability to exit 4/3 submitted Submit run ↗
  • Autonomy ✓ 3/3 models agree AI-only 3/3 with chat share link Submit run ↗
  • Open Access ✓ 3/3 models agree AI-only weak red — weak consensus margin Submit run ↗
  • Audit all 5 dimensions · one prompt Submit run ↗
  1. Verifiability tentative 4/4 models agree AI-only 3/4 with chat share link
    Ethereum proxy and implementation verified on Etherscan; but no public source repo found, no recognized-firm smart-contract audit in protocol.audit_links, and implementation owner has no verified bytecode
    Verdict

    Choosing red because no public source repository for XAUt smart contracts was found and no recognized-firm audit exists in protocol.audit_links (none recorded), satisfying both the 'no public repo' and 'no audit' red conditions. The Ethereum proxy and implementation are verified on Etherscan, which is a partial mitigating factor, but verification without a public repo or recognized audit does not reach orange or green under the rubric.

    Steelman argument
    Steelman argument No public source repository exists for the XAUt contracts, and no recognized smart-contract audit firm has reviewed the deployed code; a previously-disclosed vulnerability (the 2023 public-transfer bug) was found by external researchers rather than an internal audit process, suggesting limited proactive security review.
    Evidence (7)
    V1
    Ethereum proxy (0x68749665ff8d2d112fa859aa293f07a622782f38): verified on Etherscan (ABI source = etherscan, per defipunkd surfacer). Implementation (0x4C0d2c74A8D26f1E4F5653021c521F5471F9e566): also verified on Etherscan (ABI source = etherscan). Both proxy and current implementation are verified. The implementation owner (0x7224BEef47a6A7B414a0d0AdADf3f691C2691005) has no verified ABI on Etherscan or Sourcify.
    V1
    Arbitrum proxy (0x40461291347e1ecbb09499f3371d3f17f10d7159): verified on Etherscan/Arbiscan (ABI source = etherscan, per defipunkd surfacer). Arbitrum implementation (0x9001dbe4D68d36ab87923A2a9Dfb0c745fd25001) is referenced from the proxy surfacer page — verification status not confirmed in this run.
    V2
    No public GitHub repository for XAUt smart contracts found. The Tether GitHub organization (github.com/tetherto) has 130 repositories but none appear to contain the XAUt/TetherGold ERC-20 implementation based on search results. No source-to-repo correspondence could be established.
    V3
    protocol.audit_links is empty (none recorded). No linked audit PDF to open. A Cyberscope page for Tether Gold was found in search results but Cyberscope is not a recognized firm under the rubric's V4 list. BlockSec disclosed a public-transfer vulnerability in April 2023 (non-audit security research). BDO Italia audits are reserve attestations, not smart-contract security audits.
    V4
    No audit from a recognized firm (Trail of Bits, Zellic, Spearbit, OpenZeppelin, ConsenSys Diligence, Certora, Quantstamp, Halborn, Peckshield, Sigma Prime, ChainSecurity, Ackee, MixBytes, Statemind) found in protocol.audit_links or from this run's searches. Cyberscope is the only named auditor found, and it is not on the recognized list.
    V5
    Post-audit drift assessment not possible: no baseline recognized-firm audit exists to compare against. The BlockSec vulnerability disclosure in 2023 (transferFrom public-transfer bug) was apparently fixed in the current deployment, but this is a security researcher disclosure, not an audit.
    V6
    The Ethereum proxy (0x68749665...) is verified; its implementation (0x4C0d2c74...) is also independently verified. This V6 relationship is satisfied for the Ethereum pair. The implementation owner (0x7224BEef...) is an unverified contract — its role is administrative (owner of the implementation), not fund-holding, but it represents an unauditable control surface.
    Why is this consensus tentative?
    • weak consensus margin

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-sonnet-4-6 url ↗ GPT-5.5 Thinking url ↗ claude-sonnet-4-6 (autorun) no url grok-xai url ↗ View raw submissions ↗
  2. Control tentative 3/3 models agree AI-only 3/3 with chat share link
    3-of-6 operator multisig (threshold fails Security Council) controls upgrade, mint, and fund-seizure with no timelock
    Verdict

    Choosing red because T1 functions (upgradeTo, mint, destroyBlockedFunds) are reachable on the uncontested fast path with 0-second delay by the 3-of-6 MultiSigWallet (0xC6CDE7C39...), which fails every Security Council criterion: threshold 3/6 = 50% is below the 51% minimum, signer identities are not publicly announced, and no non-insider signers are documented. The Arbitrum 3-of-5 Safe (0x4DFF9b5b...) has the same structural deficiency on its chain.

    Steelman argument
    Steelman argument Three insider signers acting in concert can upgrade the implementation to arbitrary bytecode, mint unbacked tokens, or seize user funds immediately with no timelock, and none of the six signers are publicly announced, so no independent accountability exists.
    Evidence (9)
    C1
    Ethereum XAUt proxy (0x68749665ff8d2d112fa859aa293f07a622782f38) owner() returns 0xC6CDE7C39eB2f0F0095F41570af89eFC2C1Ea828, a 3-of-6 MultiSigWallet (classic Gnosis MultiSig). Signers: 0xAC3B242E2E561da9F4cE34746E67d004E6341FA0, 0xEe5207d3c88562fc814496Af0845B34CFD4afc8c, 0x61D5a4d5Bd270e59E9320243e574288e2a199fED, 0x25bB61643e4881147E6aabb65e6DD45CF2904155, 0x4096a34E582664F969753b34dA6E72D55b3C85C1, 0x4D915Dd2c56814BD3Db51a1dA35b302BCC9c8973. Threshold required() = 3; MAX_OWNER_COUNT = 50. Signer identities are not publicly announced.
    C1
    Arbitrum XAUt proxy (0x40461291347e1ecbb09499f3371d3f17f10d7159) owner() returns 0x4DFF9b5b0143E642a3F63a5bcf2d1C328e600bf8, a 3-of-5 Gnosis Safe (v1.4.1) with 5 signers: 0x7D8e979dcC6EC933c70FBe28B2B7700907D2aFEA, 0x488A3d37442F583c1c0a356118d1d6181b22434c, 0x00F6D2b4B69Ce697f913Da16A9D73283dc4C78F2, 0x4192D72c281dB0eF10464dD274EE583C33256ac5, 0x5F0DcA105195Bd58277aa4b4CABC90a791E1b982. Threshold = 3/5 (60%). Signer identities not publicly announced.
    C1
    Ethereum implementation contract (0x4C0d2c74A8D26f1E4F5653021c521F5471F9e566) owner() returns 0x7224BEef47a6A7B414a0d0AdADf3f691C2691005, which has no verified ABI on Etherscan or Sourcify per defipunkd. Actor class unknown.
    C2
    The Ethereum token is a TransparentUpgradeableProxy (0x68749665...) pointing to implementation 0x4C0d2c74.... The merged ABI exposes upgradeTo(address) and upgradeToAndCall(address,bytes) and changeAdmin(address) callable by the proxy admin (the 3-of-6 multisig). No ProxyAdmin contract intermediary identified; upgrade path is direct from multisig to proxy.
    C3
    Execution path: 3-of-6 multisig submits+confirms transaction → immediately executable. No timelock contract detected in the control chain. Uncontested fast-path delay = 0 seconds.
    C4
    Single upgrade-control multisig on Ethereum: 3-of-6 MultiSigWallet (0xC6CDE7C39...), threshold 3, 6 signers, no publicly identified signer, all presumed Tether insiders. This multisig also holds mint, addToBlockedList, destroyBlockedFunds, and transferOwnership powers. On Arbitrum: 3-of-5 Gnosis Safe (0x4DFF9b5b...), similarly insider. No independent committee, no non-insider signers documented.
    C5
    No on-chain governance (no Governor, GovernorBravo, Aragon Voting) detected on any contract in the address_book.
    C6
    No distinct emergency-pause role found. The same 3-of-6 multisig holds all admin powers including individual-address blocking via addToBlockedList(address) and fund seizure via destroyBlockedFunds(address). No time cap on any of these powers.
    C7
    T1 — FUND-CRITICAL: the 3-of-6 multisig can call upgradeTo(address) to replace the implementation of the fund-holding proxy with arbitrary bytecode, and can call mint(address,uint256) to issue unbacked tokens to any address, and can call destroyBlockedFunds(address) to seize any user's balance after blocking them. All three are T1 functions reachable with 0-second delay.
    Why is this consensus tentative?
    • weak consensus margin

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-sonnet-4-6 url ↗ GPT-5.5 Thinking url ↗ grok-xai url ↗ View raw submissions ↗
  3. Ability to exit 4/3 models submitted
    There is no permissionless on-chain redemption to the underlying asset; transfers can be blocked indefinitely and blocked balances can be burned by the owner multisig.
    Tentative grades
    • GPT-5.5 Thinking red
    • claude-sonnet-4-6 orange
    • grok-xai red
    • claude-sonnet-4-5 (autorun) red

    No quorum yet — verdict and steelman hidden until ≥3 models agree.

    Evidence (28)
    E1
    User-facing movement is transfer/transferFrom/multiTransfer. redeem(uint256) exists but is onlyOwner and burns from owner(), so it is not a permissionless holder exit.
    E2
    transferFrom is onlyNotBlocked; _beforeTokenTransfer blocks transfers from blocked accounts unless msg.sender is owner; redeem/mint/blocklist/burn are onlyOwner.
    E3
    The pause-equivalent guard is owner-controlled isBlocked; no maximum block duration was found, and destroyBlockedFunds burns a blocked balance.
    E4
    No distinct time-capped emergency pause versus governance pause was identified; blocklist/burn uses the owner path.
    E5
    No on-chain queued-redemption system, maximum queue duration, or daily cap was found.
    E6
    No forced-exit or permissionless emergency withdrawal was found for a blocked holder or unprocessed redemption.
    E7
    Direct on-chain token calls are possible through explorer write tabs/generic wallets, but that does not create permissionless gold redemption.
    E1
    User-facing exit functions on the Ethereum implementation: redeem(uint256) burns tokens and emits Redeem event; transfer(address,uint256) and transferFrom allow peer-to-peer or DEX exit. The physical gold settlement after redeem() is handled entirely off-chain by Tether Gold.
    E2
    The current Ethereum implementation ABI (0x4C0d2c74...) does NOT contain a paused() view, pause(), or unpause() function, and no whenNotPaused modifier is visible. The only user-level restriction modifier is isBlocked: blocked addresses cannot transfer or redeem. redeem(uint256) appears callable by any non-blocked holder.
    E3
    No global PAUSE_ROLE or guardian role exists in the current implementation. The owner (3-of-6 multisig 0xC6CDE7C39...) holds addToBlockedList(address) which can permanently block a specific address's ability to transfer or redeem, with no time cap or appeal process on-chain. There is no PAUSE_INFINITELY function but the per-address block is functionally infinite.
    E4
    No distinct emergency vs governance pause distinction found: the current implementation has no global pause. The individual blocking via addToBlockedList is the only restriction mechanism, exercised by the owner multisig with no time limit.
    E5
    No queued redemption mechanism or maximum queue duration found on-chain. The redeem() function is direct (no queue). Physical gold delivery off-chain requires minimum 50 XAUt for direct purchase; full bar redemption requires approximately 400+ oz minimum per the RID document.
    E6
    No forced-exit or escape-hatch mechanism found in the ABI. Blocked users have no on-chain path to exit; the only route would be to petition the multisig for unblocking. Users can sell on DEX if not blocked.
    E7
    The redeem() function is directly callable via Etherscan Write Contract tab or any compatible wallet without using the official frontend. Secondary market exit (DEX, CEX) is also available for non-blocked holders without any frontend dependency. Physical gold delivery requires engagement with Tether Gold's official process.
    E1
    User-facing on-chain exit/transfer: standard ERC-20 transfer/transferFrom/approve (no dedicated withdraw/redeem/burn for users in ABI); off-chain redeem for physical gold or USD via TG Commodities app[](https://gold.tether.to/faq).
    E2
    On-chain transfer functions have no pause/onlyRole/whenNotPaused modifiers (ABI shows no paused() or access control beyond owner for mint/block); off-chain redeem requires login+KYC+account verification before request placement or claim.
    E3
    No pause guard or PAUSE_ROLE in any contract (no paused()/isPaused in proxy or implementation reads); blocklist allows owner (multisig) to addToBlockedList and destroyBlockedFunds indefinitely with no time cap[](https://defipunkd.com/address/1/0x4c0d2c74a8d26f1e4f5653021c521f5471f9e566).
    E4
    No emergency vs governance pause distinction; only privileged block+destroy by multisig (no time cap, no auto-expiry). Off-chain redemption fully gated by Tether entity approval.
    E5
    No on-chain queued redemption or daily caps; off-chain redeem has min ~430 XAUt (1 bar) + 25bp fee + delivery, processed in business days after KYC[](https://gold.tether.to/faq).
    E6
    No forced-exit, escape-hatch, or permissionless emergency exit for adversarial admin; blocked addresses can have funds destroyed by multisig with no recourse on-chain.
    E7
    On-chain transfers directly callable via any wallet/Etherscan write tab (ERC-20 standard, no frontend required); off-chain physical redeem requires official app + KYC.
    E1
    Primary exit functions are redeem(uint256), transfer(address,uint256), and transferFrom(address,address,uint256). The redeem function burns tokens on-chain (emits Redeem event), while transfers move tokens to other addresses, enabling exit to exchanges or self-custody.
    E2
    The ABI includes addToBlockedList(address), removeFromBlockedList(address), isBlocked(address), and destroyBlockedFunds(address). These are owner-restricted functions (onlyOwner modifier pattern typical in OpenZeppelin Ownable contracts). The presence of BlockPlaced, BlockReleased, and DestroyedBlockedFunds events confirms active blocklist enforcement on user operations.
    E3
    The owner() function returns 0xC6CDE7C39eB2f0F0095F41570af89eFC2C1Ea828, which is a 3-of-6 multisig (required=3, 6 owners). This multisig holds the power to call addToBlockedList, removeFromBlockedList, destroyBlockedFunds, mint, and upgrade functions. There is no on-chain time cap visible on blocklist duration—once blocked, a user remains blocked until the multisig removes them.
    E4
    No distinction between emergency and governance pause paths; the contract does not expose paused() or whenNotPaused modifiers in the ABI. However, the blocklist mechanism serves as a per-address freeze that is effectively an indefinite, targeted pause on that user's ability to transfer or exit.
    E5
    No queued redemption mechanism visible on-chain. The redeem(uint256) function appears to be a direct burn operation. Off-chain redemption for physical gold requires KYC with TG Commodities and a minimum of ~430 XAUt (~1 full gold bar), but the on-chain burn via redeem is immediate if not blocked.
    E6
    No permissionless escape hatch or emergency exit mechanism exists. If a user is added to the blocklist, only the 3-of-6 multisig can remove them. There is no on-chain governance vote requirement, no timelock on blocklist actions, and no user-initiated appeal process visible on-chain.
    E7
    All exit functions (redeem, transfer, transferFrom) are standard ERC-20-style nonpayable functions callable directly via Etherscan, a wallet interface, or any contract interaction tool. No frontend dependency for execution. However, if a user is on the blocklist, the transaction will revert regardless of the interface used.
    Why is this slice uncertain?
    • only 4 of 3 model submissions on record — quorum requires ≥3 agreeing models
    • submitted models do not yet agree on a single grade

    A fresh independent run can establish (or overturn) a verdict.

    Run your own prompt Submit run ↗
    Sources GPT-5.5 Thinking url ↗ claude-sonnet-4-6 url ↗ grok-xai url ↗ claude-sonnet-4-5 (autorun) no url View raw submissions ↗
  4. Autonomy red 3/3 models agree AI-only 3/3 with chat share link
    ~100% of TVS depends on a single off-chain related-party gold custodian; owner multisig can mint unbacked tokens; no on-chain proof-of-reserves or circuit breakers
    Verdict

    Choosing red because the ~$3.4B TVS (Ethereum ~$3.33B, ~99% of total) is entirely dependent on the off-chain related-party Swiss gold custodian maintaining accurate reserves — a failure or fraud there causes total principal loss with no on-chain mitigation — and the owner multisig can mint unbacked tokens instantly with no on-chain cap. The LayerZero bridge on Arbitrum (A3) is de minimis at ~0.01% TVS. Impacted TVS under custodian failure or multisig mint abuse: ~100%.

    Steelman argument
    Steelman argument The ~$3.4B principal value of XAUt is entirely backed by physical gold held off-chain by a related-party Swiss custodian, with no on-chain proof-of-reserves enforcement; a compromised or fraudulent custodian destroys 100% of value, and the insider multisig can mint unbacked tokens with no on-chain check.
    Evidence (8)
    A1
    No external contract calls detected in the Ethereum or Arbitrum XAUt implementations from the on-chain ABI. The token contracts are self-contained: no oracle, no AMM pool, no lending pool dependencies. The only external reference on Arbitrum is the oftContract() (LayerZero OFT adapter at 0xf40542a7B66AD7C68C459EE3679635D2fDB6dF39) used for cross-chain transfers.
    A2
    Mint authority is held by the 3-of-6 operator multisig (0xC6CDE7C39...) on Ethereum via mint(address,uint256) with no on-chain cap or proof-of-reserve check. If the multisig signs a fraudulent mint, unbacked tokens are created immediately. The physical gold custody is managed entirely by a named related-party Swiss custodian (per the RID document), creating an off-chain trust dependency: if the custodian fails, misrepresents holdings, or is compromised, token holders' principal is impaired with no on-chain recourse. Committee size: 3-of-6 multisig insiders.
    A3
    The Arbitrum deployment uses a LayerZero OFT adapter (oftContract = 0xf40542a7B66AD7C68C459EE3679635D2fDB6dF39) for cross-chain token minting/burning (crosschainMint, crosschainBurn methods visible in ABI). This introduces a bridge dependency for cross-chain XAUt. Arbitrum TVS is ~$415K out of ~$3.4B total (DeFiLlama), approximately 0.01% — de minimis.
    A4
    XAUt is a single-layer RWA: the collateral is physical gold (no nested DeFi collateral chain). There is no restaking or receipt-of-receipt design. The only depth is: on-chain token → off-chain gold bar in Swiss vault held by related-party custodian.
    A6
    No on-chain fallback mechanisms or circuit breakers found in the contract ABI. No oracle sanity check, no proof-of-reserve feed, no mint cap enforced on-chain. BDO Italia provides quarterly attestations of physical gold holdings, but this is an off-chain audit process with no automated on-chain enforcement. Activation status: DOCUMENTED/OFF-CHAIN only — does not count as an on-chain mitigation.
    A7
    Not applicable: XAUt is permissionlessly deployed on third-party L2s (Arbitrum, Polygon), not its own appchain. No sequencer dependency from the protocol itself.
    A8
    No keeper/relayer/auto-compounder dependency identified in the on-chain contracts. Minting/burning is manual operations by the operator multisig. No automated liquidation bots required.
    A9
    The owner multisig can call setOFTContract(address) on Arbitrum to replace the LayerZero OFT bridge endpoint with no timelock, silently introducing or swapping a cross-chain bridge dependency. On Ethereum, upgradeTo(address) allows swapping the implementation contract to one that calls any external dependency. Both are governance-mutable with 0-second delay.
    Sources claude-sonnet-4-6 url ↗ GPT-5.5 Thinking url ↗ grok-xai url ↗ View raw submissions ↗
  5. Open Access tentative 3/3 models agree AI-only 3/3 with chat share link
    Contract enforces an on-chain per-address blocklist (addToBlockedList) updatable without limit by the 3-of-6 owner multisig; direct redemption is KYC-gated at the platform level
    Verdict

    Choosing red because the contract enforces an on-chain blocklist (addToBlockedList) updatable by the 3-of-6 multisig as a single party with no time cap or documented procedure, directly satisfying the 'enforces an on-chain blocklist updatable by a single party' red criterion. Although the A3b independent paths (DEXes, CEXes) exist for non-blocked users, blocked users have no on-chain recourse, and the blocklist is a direct contract-level restriction on user exit.

    Steelman argument
    Steelman argument The contract enforces an on-chain per-address blocklist that a single multisig can update with no time limit or procedural constraint, effectively allowing the operator to unilaterally deny any user's ability to exit or transfer tokens; this is a contract-level gate on user exits updatable by a single party.
    Evidence (7)
    A1
    The contract exposes addToBlockedList(address) and isBlocked(address): any address flagged by the owner can be prevented from transferring, approving, or redeeming tokens. The owner (3-of-6 multisig) can update this blocklist at any time with no procedural constraint, time limit, or documentation requirement. Removal is also owner-controlled via removeFromBlockedList(address).
    A2
    Transfer and redeem functions for non-blocked users appear to operate without requiring off-chain operator approval. No admission-time oracle or sequencer approval is visible in the ABI. The operator dependency (mint/burn) is relevant to issuance, not to secondary transfers between existing holders.
    A3
    Official platform restrictions (A3-active): Tether's ToS restricts users from Canada, Cuba, DPRK, Iran, Singapore, Syria, Venezuela, Crimea, and US non-ECPs from using the Tether.to/gold platform. These are publisher policies on the official frontend, not contract-level restrictions. Direct KYC required for primary market purchase and redemption with a minimum of 50 XAUt. These do NOT affect secondary market transfers.
    A3b
    Independent access paths for non-blocked users: (1) Uniswap DEX pools for XAUt/ETH and XAUt/USDC on Ethereum exist; (2) Binance, Kraken, BingX list XAUt for secondary trading; (3) any compatible ERC-20 wallet can hold and transfer XAUt directly. These paths are independent of the official Tether Gold frontend.
    A4
    The contract-level blocklist (addToBlockedList) is an on-chain compliance mechanism. Additionally, the Arbitrum implementation has isTrusted(address) which may gate certain operations. These are contract-level restrictions updatable by a single party (the owner multisig).
    A5
    Read access: the XAUt contract is fully read-permissionless (balanceOf, totalSupply, isBlocked visible to anyone). Write access: transfer/redeem is permissionless for non-blocked addresses; blocked addresses have no write access.
    A6
    Official ToS jurisdictional clause (from tether.to): 'Persons domiciled, or resident in Canada; Cuba; the Democratic People's Republic of Korea (North Korea); Iran; Singapore; Syria; the Government of Venezuela; and Crimea are prohibited from using the Tether.to platform. U.S. persons are also restricted from using the Tether.to platform unless they are Eligible Contract Participants.' Source: tether.to/en/in-what-countries-and-states-does-tether-have-limited-functionality/
    Why is this consensus tentative?
    • weak consensus margin

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-sonnet-4-6 url ↗ GPT-5.5 Thinking url ↗ grok-xai url ↗ View raw submissions ↗

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Tether Gold has not yet been assessed under the DeFiScan v2 stage framework.
The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.
Scope of assessment
Stages are assessed per-protocol against DeFiScan v2's criteria: governance structure, upgradeability path, timelock durations, emergency-council scope, and the walkaway test. The analysis depends on onchain discovery (roles, owners, timelocks) and deeper review of deployed contracts — neither of which DeFiPunk'd automates at Phase 0.
Stage 0 requirements pending
Governance is largely off-chain, contracts are upgradeable with short or no timelock, and the protocol depends on a multisig or team with full discretion. At Phase 0 DeFiPunk'd does not automatically evaluate these; the assessment lands with crawler-based onchain discovery.
Stage 1 requirements pending
Users can exit or opt out on their own terms even if the team disappears. Upgrades run through a meaningful timelock with an emergency security council clearly scoped. The walkaway test is the headline criterion.
Stage 2 requirements pending
Protocol is fully permissionless and immutable, or upgrades require a supermajority of token holders with a long timelock and no emergency override. This is the terminal stage of the DeFiScan v2 framework.
Learn more about DeFiScan v2 stages →
Stages are an opinionated assessment of maturity, not a rating of security or safety. A protocol can sit at Stage 2 and still carry substantial technical or economic risk; the framework exists to incentivize decentralization, not to rank protocols.

Contract surface

Every contract in scope for this protocol — pooled from DeFiLlama's TVL adapter (mechanical) and DEFI@home discovery submissions (LLM-curated). Verified-source flags come from Etherscan + Sourcify; owner / multisig metadata is read on-chain when available. Reviewer audit context, not a slice score. A lending protocol's adapter set will list third-party collateral tokens alongside its own contracts; attribution is the grader's job.

  • 8addresses
  • 0verified source
  • 0proxies

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-14.

Arbitrumtoken (implementation)0x9001…5001discoverytoken
Arbitrumtoken (proxy)0x4046…7159discoverytoken
Ethereumtoken (implementation)0x4c0d…e566discoverytoken
Ethereumtoken (old, migrated)0x4922…4a2adiscoverytoken
Ethereumtoken (proxy)0x6874…2f38discoverytoken
flowstgUSDC0xf181…5d14TVL
Polygontoken (implementation)0x6d20…2c35discoverytoken
Polygontoken (proxy)0xf181…5d14discoverytoken

Protocol Info

Links

[defillama] Source: DeFiLlama [:] Source: DEFI@home quorum
Website
https://gold.tether.to
Twitter
@tethergold
Docs
https://gold.tether.to

Security

[defillama] Source: DeFiLlama [:] Source: DEFI@home quorum
Audits
unknown
Bug bounty
https://tether.to/en/bug-bounty/
Security contact
unknown

Technical

[:] Source: DEFI@home quorum
Upgradeability
Upgradeable

Provenance

[defillama] Source: DeFiLlama
Review status
listed
Updated
2026-06-01 11:27 UTC