Origami
About
Origami is an automated leverage protocol on Ethereum and Berachain that provides one-click vault products for folded exposure to yield-bearing tokens (YBTs). It offers three product generations — V1 ovTokens, V2 lov-Strategy vaults (leveraged positions on single YBTs like sUSDe, wstETH, weETH), and V3 OPAL vaults (tokenised portfolios holding multiple assets & liabilities across Aave V3, Morpho, and Euler markets). The protocol targets DeFi users who want leveraged yield without manual health-factor monitoring or position management.
Where Does Yield Come From?
Origami's products earn yield by automatically multiplying the returns on yield-bearing tokens (YBTs) — tokens that already generate rewards on their own, like sUSDe or wstETH.
How V2 vaults (lov-Strategy) work:
You deposit a YBT into a vault. The vault uses that deposit as collateral to borrow more of the same kind of asset from outside lending markets (Morpho, Spark). It then swaps the borrowed funds back into the original YBT and repeats the process, building a multi-layered position.
The vault earns profit from the gap (spread) between two rates:
- The native yield the YBT already pays (for example, sUSDe earns staking rewards from Ethena, wstETH earns staking rewards from Lido)
- The borrow interest the vault must pay to the lenders who supplied the borrowed assets
As long as the YBT's yield is higher than the borrowing cost, the vault's reserves grow and each share becomes more valuable.
On top of that, the vault collects bonus rewards from external programmes (Ethena Sats, ether.fi Loyalty Points, EigenLayer Points) on the full leveraged amount, which adds to the returns.
How V3 OPAL vaults work (Perpetual PT Collection):
These vaults hold leveraged positions in a special token called a Pendle Principal Token (PT). PTs trade at a discount — they are worth less today than the underlying asset will be worth at a set future date. The vault earns the difference between that discount and the cost of borrowing to create the leverage. When the PT expires, the vault automatically rolls into the next maturity, keeping the strategy running.
Where you see the yield:
All earnings show up in the vault's share price — you do not need to claim rewards separately.
Fees the protocol takes:
- A performance fee on positive yield only (about 0.5% for OPAL vaults, 2–10% for V2 vaults), collected by minting new shares that go to a fee collector
- Some vaults also charge deposit and/or exit fees
The automation layer (called "Overlord"):
The protocol continually rebalances positions and watches for liquidation risk, so users do not need to monitor health factors or manage the position themselves.
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Jacopod Audits02-12-2025 - 29-01-2026 |
| The audit found no security vulnerabilities of any severity level (critical, high, medium, or low), and the sole informational issue was acknowledged by the team without requiring a code change, reflecting strong code quality and a security-first architecture in the OPAL contracts. |
Guardefy / Pavel Anokhin (@panprog)17-11-2025 - 02-12-2025 |
| The audit identified no high or medium severity issues; all three low-severity and one informational finding were reviewed and confirmed fixed, indicating the OPAL Vault code was in good security posture at the time of review. |
Panprog (Pavel Anokhin / Guardefy)05-11-2025 - 11-11-2025 |
| The audit found no high or medium severity issues, and all low-severity findings were fixed during the review cycle, indicating the bundler contracts are well-secured for deployment. |
Nethermind Security28-11-202501-12-2025 |
| The audit identified no critical, high, medium, or low severity vulnerabilities, with all 4 findings classified as informational or best-practice severity and 3 out of 4 resolved before the final report, reflecting a well-architected codebase with no material security risks. The protocol can be considered safe to deploy from a security standpoint, though the acknowledged performance-fee dust-loss edge case should be monitored. |
Nethermind03-11-2025 |
| No critical, high, or medium severity vulnerabilities were identified; the three informational findings were either fixed or acknowledged with documentation improvements, indicating a low residual risk for the audited Bundler contract scope. |
Spearbit09-12-2024 - 15-12-2024 |
| The audit found no critical or high-risk issues; the single medium-severity finding and most low/informational items were promptly fixed, leaving only a dust-rounding limitation acknowledged, which does not pose a material security risk to the protocol. |
Cantina07-02-2025 - 08-02-2025 |
| One medium-severity issue was identified and verified as fixed by the Cantina reviewers, with no critical or high-severity findings, confirming the bundler3 update is safe for deployment. |
Open Zeppelin05-12-2024 - 11-12-2024 |
| The Morpho Bundler V3 codebase was found to be well-designed and robust with no critical, high, or medium severity issues; all 2 low-severity findings and the client-reported reentrancy concern were resolved, and 11 of 12 informational notes were addressed, indicating a strong security posture at the conclusion of the engagement. |
| This path contains formal verification specification files and documentation, not an audit report with findings or severity ratings; therefore no security assessment can be extracted from the material at this URL. | |
Electisec14-07-2025 - 15-07-2025 |
| The audit found no vulnerabilities of critical, high, medium, or low severity, indicating the CowSwapper contract has strong baseline security with only minor informational recommendations for operational improvements. The three informational items pose no direct risk to funds and were either acknowledged or addressed by the Origami team. |
Jacopod Audits (Jacobo Lansac / @Jacopod)17-06-2025 - 25-06-2025 |
| The SKY+ vault passed the audit with no critical, high, or medium severity findings; the single low-risk issue (theoretical double-fee on a future protocol upgrade) and both informational items were addressed or acknowledged by the team, indicating a strong security posture for deployment. |
SBSecurity22-09-2024 - 03-10-2024 |
| The audit found no critical or high-risk issues; the single medium-severity inflation attack and all seven low/informational findings were resolved before or during the engagement, indicating a solid security posture for the Origami Super Savings USDS vault contract suite. |
Jacopod14-05-2025 |
| The audit found no critical or high-severity vulnerabilities, and all findings (1 medium, 2 low, 2 informational) were addressed or acknowledged, indicating a strong security posture for the AutoStaking system. |
Nethermind04-04-2025 |
| The audit found only one Best Practices issue (zero-share joins due to rounding) which was fixed, and no vulnerabilities of any severity band were identified, reflecting strong code maturity and a well-documented design for the Origami hOHM tokenized vault system. |
Panprog07-03-2025 |
| No critical or high-severity vulnerabilities were found, and the one medium and two low issues were fixed, making the core vault logic safe for deployment; the acknowledged low-severity surplus-buffer-excess finding is a design consideration managed by protocol parameters rather than a code vulnerability. |
Electisec18-03-2025 - 19-03-2025 |
| The audit found no security vulnerabilities in the hOHM Migrator contract; only minor gas optimizations were identified and promptly addressed, indicating the code is safe for deployment from a security standpoint. |
Electisec27-02-2025 - 06-03-2025 |
| The audit found no critical or high-severity issues, with all identified findings promptly fixed or acknowledged by the Origami team, indicating a well-reviewed codebase. The residual risk is limited to rounding edge cases in the innovative balance-sheet vault design, which were addressed during the review. |
Panprog (Guardefy)14-04-2025 - 22-04-2025 |
| The audit found no critical or high-severity vulnerabilities, with the medium-severity issue causing rebalance failures being the most impactful; all findings were reported but not confirmed resolved, so residual integration risk around rebalancing and oracle alignment remains. |
Pyro12-03-2025 - 14-03-2025 |
| The audit found no issues of any severity, yielding a clean report for the scoped Origami contracts. No remediation was required. |
Jacopod18-03-2025 |
| No critical or high-severity issues were discovered; the sole low-severity finding was acceptably remediated by making the vesting duration immutable. The audit indicates sound re-architecture safety for the oriBGT V2 contracts. |
Panprog (Pavel Anokhin, doing business as Guardefy)15-01-2025 - 22-01-2025 |
| The audit identified no high or medium severity vulnerabilities; three low-severity and four informational issues were all remediated and verified by the auditor, indicating the Boyco Vault contracts are safe for deployment after the fixes. |
Halborn11-12-2024 - 16-12-2024 |
| The audit identified no critical or high-risk vulnerabilities, with the single low-severity centralization risk mitigated by a planned 2/4 multisig, and all findings addressed, indicating a reasonable security posture for the Boyco contracts. |
Zellic02-01-2024 - 25-01-2024 |
| The audit found no critical or high-risk issues; three low-severity findings were all either remediated or mitigated by protocol design and operational controls, indicating a strong security posture for the Origami Finance v2 contracts. |
| The audit competition submissions page could not be accessed due to a DNS resolution failure, making the intended document unavailable for direct analysis. No conclusions about the protocol's safety can be drawn from the inaccessible source. | |
yAudit23-01-2023 - 12-02-2023 |
| The audit found no critical vulnerabilities, with one high-severity front-running risk and one medium-severity accounting issue—both addressed by the team—suggesting a reasonable security posture for a protocol with trusted operator roles and an upgradeable earn account that concentrates custodial risk. |
yAudit21-02-2023 - 26-02-2023 |
| This recheck confirms all prior findings were correctly mitigated, and the one new High-severity issue (incorrect recipient on token exit) plus informational items were promptly fixed, demonstrating a responsible remediation process and a healthy codebase with full test coverage. |
Jacopod (Jacobo Lansac)15-07-2025 - 22-07-2025 |
| The audit found no critical or high-severity issues, with the single medium-severity finding resolved via a code fix, and two low-severity items acknowledged by the team, suggesting the Morpho Auto-Compounder contracts are well-constructed for deployment. |
yAcademy23-01-2023 - 12-02-2023 |
| The audit identified one high-severity front-running vector that was acknowledged and addressed, and no critical vulnerabilities were found, indicating a generally sound codebase with residual trust assumptions around privileged roles and the upgradeable earn account. |
yAcademy21-02-2023 - 26-02-2023 |
| The recheck confirms all previously identified issues were correctly remediated, with only one new High-severity finding (incorrect recipient on token exit) that was promptly fixed by the team. The protocol's residual risks relate primarily to the privileged Governable, Operator, and minter roles, as noted in the code evaluation matrix. |
Legal
Legal form
Limited Liability Company (LLC) — Veltrix LLC. An affiliated entity, Origami Foundation, is referenced as a Cayman Islands support entity.
Registration jurisdiction
Veltrix LLC is incorporated in the Republic of Panama. Origami Foundation (affiliate) is a Cayman Islands entity.
Status and notes
The operating entity that provides the Site and Services is Veltrix LLC, a company incorporated in the Republic of Panama, as disclosed in the Terms of Service and Disclaimer/Legal Notices at origami.finance/disclaimer, origami.finance/terms-of-service, and origami.finance/privacy-policy. Origami Foundation is a separate Cayman Islands affiliate that supports the Origami ecosystem but does not operate the Services. The Terms of Service are governed by the laws of the Cayman Islands. No other legal entity, registration number, or commercial registry details were disclosed on the official website or documentation.