Defense in Depth

ETH Strategy doesn't rely on any single mechanism to keep funds safe. Instead, the protocol stacks eight independent safety layers — each addressing a different risk vector, each functional even if another layer fails. This page documents how those layers work together.

For individual risk assessments, see Risks. For per-contract failure modes, see the "Failure Modes & Gotchas" section at the bottom of each Core Mechanics page.

The Layers

┌─────────────────────────────────────────────┐
│  8. Economic Self-Regulation                │  CDT supply governor, ethPerStrat invariant
│  7. Revenue Isolation                       │  7-day streaming, anti-frontrunning
│  6. Governance Constraints                  │  Nested multisig, delegated roles, events
│  5. Interest & Fee Reserves                 │  Delinquent fees upfront, linear accrual
│  4. Time-Based Liquidation                  │  No price oracles, no cascading liquidations
│  3. Collateral Architecture                 │  Burn-at-origination, encumbered separation
│  2. Position Immutability                   │  Entitlements fixed at creation
│  1. Smart Contract Foundations              │  Audits, battle-tested patterns, immutable code
└─────────────────────────────────────────────┘

Each layer is described below — what it protects against, how it works, and why it matters.

Layer 1: Smart Contract Foundations

Protects against: Code exploits, unauthorized access, reentrancy attacks, accidental ownership transfers.

The protocol's contracts use battle-tested security patterns:

ESPN contracts have been audited by Nethermind. Core protocol contracts (convertible notes, esETH, CDT, StakedStrat) have completed two full audits; reports will be published alongside code before permissionless launch. Treasury Lending will be audited before its Q2 2026 deployment.

If this layer fails: A contract vulnerability could enable unauthorized minting, broken accounting, or fund loss. This is the baseline risk of all DeFi and cannot be fully eliminated — which is why the remaining seven layers exist to limit blast radius.

Layer 2: Position Immutability

Protects against: Governance manipulation, retroactive term changes, rug pulls on existing positions.

Once a position is created, its terms are locked:

Parameter changes (PCF, GCF, borrow rate, delinquent fee rate) only affect new positions. Existing holders are never retroactively disadvantaged by governance actions.

If this layer fails: It can't — immutability is enforced at the smart contract level. The NFT contains the entitlements, and the contract reads from the NFT. There is no admin function to modify an existing note's terms.

Layer 3: Collateral Architecture

Protects against: Cascading liquidation auctions, collateral rehypothecation, complex liquidation mechanics that can be exploited.

ETH Strategy separates treasury assets into two distinct pools:

• Encumbered holdings — esETH backing note holders' ETH conversion rights. This capital is locked and can only leave when a note holder exercises conversion-to-ETH. It cannot be lent, used for operations, or accessed by governance during the note's life.

• Unencumbered holdings — the protocol's "free" capital, available for lending, yield distribution, and operations.

Treasury Lending uses a burn-at-origination model — not the typical escrow-and-liquidate pattern:

1. Borrower deposits STRAT + CDT → both are burned (destroyed), not escrowed

2. On repayment → equivalent STRAT + CDT are minted back

3. On default → collateral is permanently gone — no liquidation auction, no cascading failures, no bad debt from failed auctions

The dual-collateral requirement (both STRAT and CDT) ensures borrowers have exposure to both the equity and debt sides of the protocol.

If this layer fails: Even if the collateral model were somehow bypassed, layers 4–5 (time-based liquidation and reserve requirements) independently prevent value extraction.

Layer 4: Time-Based Liquidation

Protects against: Flash loan attacks, cascading liquidations, oracle manipulation, price-based margin calls.

This is a fundamental design departure from protocols like Aave or Compound:

A borrower's position cannot be liquidated before expiry — full stop. No oracle price, no market crash, no flash loan can trigger early liquidation. After expiry, if the borrower hasn't repaid, anyone can call liquidation. The liquidator receives nothing — liquidation is a public good, not a profit opportunity.

Convertible notes have their own time protection: the ~6.9-day timelock after bonding prevents immediate arbitrage, and the ~4.2-year expiry window gives the treasury time to recover from drawdowns before CDT holders can claim redemption.

If this layer fails: Even without time-based protection, layers 3 and 5 (burn-at-origination collateral and upfront fee reserves) ensure the protocol captures value from defaulting positions.

Layer 5: Interest & Fee Reserves

Protects against: Borrower default, underfunded positions, unpredictable loss from delinquent loans.

Treasury Lending carves out reserves at origination, not at default:

The full ETH backing is held in the TreasuryLend contract from day one. Only the borrowAmount goes to the borrower. The protocol already holds the worst-case interest and penalty — no matter what happens, the maximum loss scenario is fully reserved.

Interest accrues linearly. Early repayment is always cheaper:

• Day 1: nearly zero interest owed

• Halfway: half the maximum interest

• At expiry: full maximum interest (capped — no additional penalty accrues after expiry)

On default, the protocol collects maximum interest (to stakers) plus the delinquent fee (to all STRAT holders via increased backing). Defaults are not just survived — they're compensated.

If this layer fails: Even if reserves were somehow insufficient, layer 8 (the ethPerStrat invariant) ensures that borrowing and repaying cannot dilute other STRAT holders' backing.

Layer 6: Governance Constraints

Protects against: Compromised multisig, malicious parameter changes, single points of failure.

Governance uses Safe's nested multisig hierarchy:

Each sub-multisig has a narrowly scoped role. The Perpetual Note Multisig can manage ESPN vault operations but cannot change convertible note pricing. The rate setter can adjust borrow rates but cannot transfer ownership.

Additional constraints:

• All parameter changes emit on-chain events — OwnerChangedPCF, BorrowRateUpdated, DepositCapUpdated, etc. Anyone can monitor governance actions in real-time.

• Delegated roles for rate-sensitive parameters — the owner can delegate rate-setting authority to automated keepers without granting full ownership.

• Ownable2Step — ownership transfers require explicit acceptance by the new owner, preventing accidental or malicious transfers.

• CDT cannot be admin-minted — only authorized minter contracts (ConvertibleNote, TreasuryLend) can create CDT. There is no governance function to inflate debt.

See Governance & Alignment for every tunable parameter and who controls it.

If this layer fails: Even if a multisig were fully compromised, layers 2 and 3 (position immutability and collateral architecture) protect existing holders — their terms cannot be changed, and encumbered holdings cannot be accessed.

Layer 7: Revenue Isolation

Protects against: Frontrunning reward distributions, MEV extraction from staking, reward manipulation.

Protocol revenue flows to stakers through the StakedStrat contract, which streams rewards over a 7-day linear window rather than distributing them instantly:

• Anti-frontrunning — staking just before a large reward and exiting immediately captures negligible value. The economics of the attack don't work: locking capital for 7 days for a marginal share of a linear stream.

• Anti-griefing — dust deposits barely perturb an active reward stream. The blending formula uses value-weighted duration averaging, so small amounts don't reset the clock.

• Fair distribution — earlier stakers always retain their share. New stakers earn only from the moment they join, proportional to time and stake.

Revenue sources (ESPN fee share today, Treasury Lending interest once live) flow to a single contract — making yield transparent and on-chain.

sSTRAT-v2 is non-transferable, preventing secondary markets that could be used for yield-stripping or other manipulation. The only way to move a staked position is via migrateStake().

If this layer fails: Even without streaming protection, the underlying revenue is real (not inflationary emissions), so the system remains economically sound — only the fairness of distribution between stakers would degrade.

Layer 8: Economic Self-Regulation

Protects against: Runaway debt issuance, dilution of existing holders, broken accounting from lending.

Two self-regulating mechanisms keep the protocol's economics bounded:

CDT Supply as a Natural Governor

CDT total supply directly affects the price of new bonds:

Higher CDT supply → higher premium → fewer tokens per new bond → less attractive bonding terms. As the protocol takes on more debt, new bonds automatically become less generous, slowing issuance without governance intervention. This is a built-in brake on leverage.

The ethPerStrat Invariant

Borrowing, repaying, and rolling Treasury Lending positions cannot change the ETH backing per STRAT token:

Both numerator and denominator move proportionally when loans open (collateral burned, holdings transferred) and close (collateral re-minted, holdings returned). The math factors cleanly — lending activity neither dilutes nor inflates anyone else's STRAT value.

The one exception is liquidation, which increases ethPerStrat. Remaining holders receive a bonus from defaulting borrowers' delinquent fees.

If this layer fails: The invariant is enforced by the smart contract arithmetic itself (layer 1) — it holds as long as the interest revenue recipient is correctly configured to StakedStrat rather than a holdings address.

How the Layers Interact

No single layer is sufficient on its own. The defense works because the layers are independent — each one addresses a different failure mode, and each remains functional even if another is compromised:

What This Doesn't Protect Against

Defense in depth is not invincibility. Risks that these layers do not fully mitigate:

• Prolonged ETH price decline — if ETH falls far enough, post-expiry CDT redemption becomes pro-rata (less than $1 face value). The ~4.2-year expiry window provides recovery time, but a sustained multi-year drawdown affects all holders.

• LST-level failures — if an underlying liquid staking token (wstETH, rETH, etc.) suffers slashing or a depeg, esETH doesn't insulate the treasury from that loss. Multi-LST diversification limits but doesn't eliminate exposure.

• Regulatory action — permissionless smart contracts limit but cannot eliminate jurisdictional risk.

• Sustained volatility collapse — ESPN yield depends on option premiums, which depend on volatility. In a hypothetical zero-volatility ETH, ESPN's revenue model breaks down.

For the full risk assessment with severity, likelihood, and mitigations, see Risks.

Further Reading

• Risks — complete risk assessment with mitigations

• ESPN Risks — ESPN-specific risk scenarios

• Governance & Alignment — full parameter list and governance structure

• Treasury Lending — Safety Layers — lending-specific protections

• STRAT Staking — 7-Day Reward Streaming — anti-frontrunning mechanics

• Audits — audit reports and security status