Pareto (Pareto Credit)
About
Pareto is a private credit marketplace that connects institutional lenders and borrowers through on-chain Credit Vaults, offering transparent credit infrastructure with enterprise-grade compliance. Designed for asset managers, digital asset funds, and institutional investors, it provides regulatory-compliant access to alternative credit solutions, featuring both public and private credit facilities, optional senior/junior tranching, and a synthetic dollar product (USP). The protocol bridges institutional capital with on-chain credit markets by automating lending cycles through smart contracts, reducing operational costs and eliminating bureaucratic friction.
Where Does Yield Come From?
Yield on Pareto comes from Credit Vaults — smart contracts that let approved institutional borrowers take loans from verified lenders, all on-chain.
How a lending cycle works: Lenders put stablecoins into a vault during a fixed cycle (usually 1–4 weeks). At the start of each cycle, a curator (an underwriter who vets the borrower) triggers the transfer of all pooled funds to the borrower's wallet. Interest then builds up for lenders over the cycle. The curator also sets the vault's terms — APR, fees, and how long the cycle lasts — and handles opening and closing each cycle.
Interest rates can be fixed or variable. Variable rates are tied to outside data sources (benchmarks).
When lenders deposit, they receive cvLP tokens — these represent their original deposit plus any interest earned. The value of one cvLP token (its exchange rate) goes up over time as interest piles up.
To get money out takes two steps. First, at the end of Cycle I, a lender requests a withdrawal. Then, at the end of Cycle II — after the borrower has repaid interest and any requested principal — the lender can claim the funds.
There's also an early exit option: if the next cycle's interest rate drops by 1% or more, lenders can redeem within 72 hours.
Tranching (splitting risk): A vault can have two layers. The Senior slice has first claim on assets and gets at least 50% of the base yield. The Junior slice has second claim and gets whatever yield is left — which can produce higher, leveraged returns. How yield is split shifts based on the ratio of Senior to Junior liquidity.
The USP synthetic dollar layer works differently. Users mint USP 1:1 by depositing stablecoins (USDC or USDS). Those deposits are then spread across a mix of Credit Vaults, chosen by an automated system that uses statistical models (based on past redemption patterns and vault liquidity scores). The interest earned from those vaults goes only to sUSP stakers — shown as a rising sUSP/USP conversion rate. If you hold USP without staking it, you earn nothing.
Protecting USP's dollar peg: If a vault defaults, a Stability Fund absorbs the losses first. If losses go beyond that, the remaining hit reduces the sUSP conversion price (so stakers absorb the rest).
No protocol tokens or inflationary rewards are mentioned beyond vault fees. The protocol is monitored by Hypernative, which can automatically pause contracts if security issues are detected.
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Sherlock (0x52)11-03-2026 - 12-03-2026 |
| The audit found no High or Medium severity vulnerabilities; a single Low/Info finding was reported and addressed. The audited code changes appear safe for the reviewed scope. |
Sherlock (0x52)21-02-2026 - 22-02-2026 |
| The audit found no security vulnerabilities in the reviewed scope, indicating that the refactored code and new features in the Pareto protocol passed review with a clean bill of health for the examined commit range. |
Sherlock (0x52)19-01-2026 - 20-01-2026 |
| With zero high or critical findings and both medium-severity issues resolved before the final commit, the audit indicates the Pareto Credit codebase was in a sound security posture at the conclusion of this engagement. |
Sherlock (0x52)19-08-2025 - 20-08-2025 |
| The audit identified 1 High and 1 Medium finding, all of which were resolved before finalization, meaning the new Pareto Credit Vault features passed the Sherlock review with no unresolved security issues. |
Sherlock24-04-2025 - 28-04-2025 |
| The Sherlock audit contest found no high-severity vulnerabilities and 2 medium-severity issues, all of which were addressed by the team before the final commit, indicating a solid security posture for the Pareto USD stablecoin protocol. |
X7721-04-2025 |
| The audit identified one high-severity storage-corruption risk and three medium-severity design issues, all of which the team reviewed during a same-day mitigation round; no critical issues were found, and the remaining low-severity items represent design/edge-case concerns rather than exploitable vulnerabilities. |
Hans Friese02-04-2025 - 07-04-2025 |
| All 11 findings (3 medium, 8 low) were remediated and verified by the auditor, leaving no critical or high-risk issues outstanding at the conclusion of the review. |
Sherlock13-12-2024 - 21-12-2024 |
| The Sherlock audit identified 2 High and 3 Medium severity issues, all of which were resolved or acknowledged by Idle Finance before the final commit. The protocol's security posture appears strengthened after remediation. |
Hans Friese04-11-2024 - 06-11-2024 |
| The audit found no high or critical issues, and the four medium-risk findings relate to edge cases in the withdrawal queue logic that could cause incorrect status handling or temporary revert conditions — these should be reviewed and addressed before deployment but do not present a systemic threat to the protocol. |
Hans Friese15-10-2024 - 16-10-2024 |
| The review identified two medium-severity issues with no high or critical risks, meaning no immediate emergency threats were found, but both findings (potential fund loss due to epoch mishandling and a possible DoS on deleteRequest) warrant remediation before deployment. |
Hans Friese02-10-2024 - 04-10-2024 |
| The review found no high or critical severity issues, with 4 medium and 1 low severity findings in the Idle DAO credit vaults code, indicating a moderately sound codebase that requires attention to the identified calculation, access, and DoS vectors before production use. |
Hans Friese30-07-2024 - 02-08-2024 |
| The review found no high or critical vulnerabilities, with three medium-risk issues related to edge cases in epoch/withdrawal logic and four low-risk recommendations; overall the protocol's core security posture appears sound, though the medium findings should be addressed before production use. |
Legal
Legal form
LLC (Limited Liability Company)
Registration jurisdiction
Marshall Islands
Status and notes
Operator is Idle DAO LLC, registered in the Marshall Islands (per Privacy Policy: "Idle DAO LLC, Marshall Islands"). Terms of Service (https://pareto.credit/terms-of-service) identify Idle DAO LLC as the contracting entity, with governing law designated as Delaware (Section 13). Privacy Policy (https://pareto.credit/privacy-policy) hosted via iubenda lists the same entity and jurisdiction. No imprint/disclosure page was found at standard paths (/imprint, /legal).