Frax
About
Frax is a decentralized finance protocol that issues a family of stablecoins — frxUSD (fully backed by tokenized U.S. Treasury assets), frxETH (a liquid ETH staking derivative), and FPI (a consumer-goods-pegged stablecoin) — alongside its own high-performance EVM Layer 1 blockchain (Fraxtal) and a cross-chain interoperability layer (FraxNet). The protocol also operates subprotocols including Fraxlend (permissionless lending), Fraxswap (AMM with TWAMM), and BAMM (borrowing/lending module) to provide liquidity, stability, and yield-bearing opportunities for its stablecoin ecosystem. It is designed for both retail DeFi users and institutional participants seeking access to tokenized real-world assets and on-chain U.S. Treasury yield.
Where Does Yield Come From?
Frax generates yield through several distinct paths. Here is how each works, from simplest to most involved.
1. sfrxUSD (Staked Frax USD) — the benchmark yield strategy
When you stake frxUSD (a stablecoin backed by U.S. Treasury assets), you receive sfrxUSD — a vault token whose value quietly grows over time. The protocol takes all staked frxUSD and sends it to whichever opportunity currently pays the highest return. It chooses among three categories:
- Carry-trade strategies — places like Ethena and Superstate
- DeFi strategies — automated market operations that lend into protocols such as Aave, Curve, Convex, Compound, Fraxlend, Euler, and dTrinity
- Real-world asset / T-Bill strategies — BlackRock and FinresPBC short-term U.S. Treasury bills
The system automatically rebalances between these as market conditions shift. There are no lock-up periods or fees for staking or unstaking. You can redeem sfrxUSD at any time for an increasing amount of frxUSD — the extra amount is the yield you earned. The design aims to keep sfrxUSD's rate among the most competitive on-chain.
2. FraxNet — direct T-Bill yield (for compliant users)
Users who complete identity verification (KYB/KYC) on FraxNet can earn a share of the yield from the U.S. Treasury bills that back frxUSD — without staking. The yield flows from the institutional-grade treasury funds (like BlackRock BUIDL, Superstate USTB, WisdomTree WTGXX, and Bridge USDB) that support frxUSD 1:1. Distribution follows the GENIUS Act regulatory framework.
3. sfrxETH (Staked Frax Ether)
You deposit frxETH (Frax's liquid ETH staking derivative) into the sfrxETH vault. Over time, this vault collects ETH staking rewards and MEV (value captured from validator order flow) from Frax-operated validators. The exchange rate of frxETH per sfrxETH rises as rewards pile up, so each sfrxETH holder ends up with a growing claim on the pool.
4. Protocol revenue and fees (accruing to the DAO and veFRAX holders)
The protocol earns revenue from multiple sources:
- Fraxlend — interest rate spreads and liquidation fees from lending
- Fraxswap — swap fees from the automated market maker
- AMOs — returns on protocol-owned liquidity deployed across various DeFi venues
- FXB (Frax Bonds) — zero-coupon bonds sold at a discount below 1 frxUSD and redeemable for 1 frxUSD at maturity; buyers earn yield through that discount, while the protocol locks liquidity and helps stabilize the peg
Holders who lock FRAX tokens into the veFRAX system gain voting power, boosted gauge weights, and a share of these protocol fees.
5. Issuer surplus
Under FIP-432, Frax Inc (the delegated issuer) keeps only what it needs for compliance and collateral management. Any extra revenue from frxUSD issuer activities flows back to the Frax DAO treasury.
A note on rates: The numbers you see on the landing page (for example, 3.38% or 4.1%) are point-in-time estimates based on current Treasury backing performance — they are not fixed guarantees. The benchmark yield strategy adjusts dynamically as opportunities change across carry trades, DeFi, and real-world asset markets. All of the mechanisms above are structural; the protocol does not promise any static rate.
Persons
Travis Moore
Co-Founder and CTO
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
| CertiK / 06-11-2020 | | All critical and the majority of major findings were resolved before or shortly after the audit, leaving only three unresolved major items and several minor/informational notes; the protocol benefits from a strong initial security review, though users should be aware of the unresolved issues and the age of this audit relative to subsequent code changes. |
| Trail of Bits / 11-06-2021 | | The audit uncovered critical gaps in transfer return-value handling and access controls that could lead to loss of funds and system manipulation, though several of the highest-severity items were fixed before the final report. Residual risks around the delegatecall proxy, Aragon voting integration, and parameter bounds remain unaddressed and warrant continued attention. |
| Trail of Bits / 06-12-2021 - 21-12-2021 | | The audit reveals significant architectural and implementation risks, particularly around collateral valuation, price manipulation, and access controls, with 16 high/medium findings that could lead to severe financial loss if exploited. Trail of Bits recommends reducing the rate of protocol expansion, consolidating duplicate code, implementing proper oracle pricing, and improving testing and CI before further deployments. |
| Trail of Bits / 03-08-2022 | | The audit uncovered four high-severity data-validation flaws, one medium-severity access-control issue, and one low-severity logging gap across FraxSwap, FPIController, and FraxLend; Trail of Bits recommended immediately pausing affected deployments and integrating fuzzing into the development cycle to avoid similar issues in future iterations. |
| Code4rena / 22-09-2022 - 25-09-2022 | | The audit uncovered two high-severity bugs (wrong syncRewards accounting and validator front-running) and ten medium-severity issues, many of which were confirmed by the Frax team and have proposed mitigations; overall the findings indicate that while the protocol design has known trust assumptions, the identified vulnerabilities require prompt remediation before mainnet deployment to protect user funds and ensure correct economic accounting. |
| Trail of Bits / 22-11-2022 | | The audit found one high-severity and several medium-severity issues that should be addressed before deployment, but no critical flaws were identified, and the overall architecture of both Fraxlend and Fraxferry was deemed reasonably sound with proper access controls in most areas. |
| Trail of Bits / 15-05-2023 - 26-05-2023 | | The two high-severity and one medium-severity vulnerabilities were all resolved in the fix review, removing the most critical attack paths, while the remaining informational findings pose limited practical risk to the governance protocol's safety. |
| Trail of Bits / 27-10-2023 | | Frax resolved three of five findings (including both High-severity swap bugs and the misconfigured oracle), but two issues—the missing token-recovery function in FXB and the unprotected fee-recipient address in the redemption queue—remain unaddressed, posing residual operational risks. |
| Trail of Bits / 02-02-2024 | | The audit found no high or medium severity vulnerabilities, with the sole finding being an informational issue around error-prone administrator management in the SnapshotDistributor contract. The Fraxchain codebase was assessed as reasonably secure with respect to the scope reviewed, though the report recommends significant improvements to test coverage and documentation before deployment. |
| Frax Security Cartel / 18-03-2024 - 29-03-2024 | | The audit identified two critical vulnerabilities enabling asset theft via exchange rate manipulation and validator credential bypass, plus several high-severity design flaws—all of which were addressed and verified before deployment. The report indicates the codebase is substantially hardened, though residual risks around oracle operator trust and utilization rate edge cases remain acknowledged. |
| Frax Security Cartel / 15-04-2024 | | The audit found one critical and two high-severity issues, all of which were resolved (fixed or acknowledged) before the report's publication, with the remaining medium/low/informational items either patched or accepted as documented design decisions. Overall, the reviewed codebases demonstrate a reasonable security posture after remediation, though users of the bridge functions must be aware of smart-contract-wallet risks that were accepted by the team. |
| Frax Security Cartel / 15-05-2024 - 22-05-2024 | | The audit found five high-severity issues — including an exploitable oracle sandwich attack on the MintRedeemer and critical accounting flaws in FPISLocker's voting power calculations — all of which were fixed by the Frax team and verified by the Cartel. With all high and medium findings remediated and only design-level risks (e.g., hardcoded conversion rate) acknowledged, the codebase is in a significantly stronger security posture for deployment. |
| Frax Security Cartel / 22-05-2024 - 31-05-2024 | | The audit identified two high-severity vulnerabilities (slippage miscalculation and sandwich attacks on ETH deposits) which were both remediated—the former via a code fix and the latter via operational safeguards (private transactions). All findings were addressed or acknowledged, and the residual risk is limited to the trusted-operator model and minor accounting inaccuracies that are deemed acceptable. |
| Certora / 30-09-2024 - 21-10-2024 | | The Certora BAMM audit combined formal verification with manual review, finding 16 issues of which all 3 medium and most low-severity items were subsequently fixed, leaving only minor acknowledged design limitations. The protocol's core formal properties (mint/redeem integrity, vault validity, invariant correspondences) were verified as correct, providing reasonable confidence in the BAMM's fundamental safety. |
| Frax Security Cartel / 10-02-2025 - 21-02-2025 | | The two critical vulnerabilities (contract re-initialization via StorageSetter and drainable frxETH approvals) have been fixed and verified, and the remaining issues were properly addressed or acknowledged, making the North Star hard fork's contract changes reasonably secure for deployment. |
| Zellic / 07-07-2025 | | The audit found no critical or high-severity vulnerabilities, with only one medium-severity issue (missing slippage check) and five low-severity findings, all of which were acknowledged and mostly remediated, indicating a well-reviewed codebase with manageable residual risk. |
| ChainSecurity / 23-06-2025 - 14-07-2025 | | The codebase provides a high level of security with no critical, high, or medium severity findings; all ten low-severity issues were addressed (code corrected, specification changed, or risk accepted), confirming the upgrades are safe for deployment under the stated trust assumptions. |
| Zellic / 24-09-2025 | | The Zellic audit found no critical or high-severity vulnerabilities; the single medium and single low issues, along with six informational items, were all acknowledged and remediated by Frax Finance, indicating a generally sound codebase for the Frax0 Mesh contracts. |
Backers
The Frax official website (frax.com) lists institutional partners for the frxUSD stablecoin, including BlackRock (whose BUIDL fund backs frxUSD), Securitize (transfer agent for tokenized assets), Superstate (which approved USTB and USCC to support frxUSD), Stripe, Bridge, WisdomTree, and Lead Bank. News articles on the site report that the Frax community approved frxUSD as a stablecoin backed by BlackRock's BUIDL fund (Jan 2025) and that frxUSD is powered by BlackRock's BUIDL and Securitize. No specific venture capital funding rounds, equity investors, or investment amounts are disclosed on the official Frax website, documentation, GitHub, or governance forum.
Legal
Legal form
Corporation (Frax Finance, Inc. referenced in Privacy Policy)
Registration jurisdiction
Cayman Islands (Terms of Service specify Cayman Islands law governs the agreement)
Status and notes
Operator is identified as "Frax Finance" (terms) and "Frax Finance, Inc." (privacy policy). The Terms of Service at app.frax.finance/terms state they are governed by the laws of the Cayman Islands. No registration number, registered address, or formal entity type (e.g. exempted company, foundation) is publicly disclosed on any official Frax website, documentation, or governance forum. No dedicated imprint page exists.
