Reserve (Reserve Protocol)

About

Reserve is a decentralized protocol for creating and using asset-backed baskets of tokens called DTFs (Decentralized Token Folios), enabling entire portfolios to be held and transferred as a single onchain token. Its two core sub-protocols — the Index Protocol (tracking broad market indexes like CoinMarketCap 20 or CF Large Cap) and the Yield Protocol (baskets of yield-bearing assets such as liquid staking tokens or stablecoin yield positions) — let users either own diversified exposure or earn automated yield, all governed transparently by RSR token holders.

Where Does Yield Come From?

Reserve makes money — and passes it on to users — through two separate types of baskets, called DTFs (Digital Token Folios). Here's how each one works.

Yield DTFs (baskets of tokens that earn interest on their own)

These baskets are made up of tokens that naturally grow in value over time, like staked ETH versions (wstETH, weETH, rETH) or stablecoin yield tokens (sDAI, USDA). The returns come from the underlying protocols those tokens live on — think liquid staking services or lending markets.

A "Backing Manager" regularly checks whether the basket has built up extra value above what it needs as collateral. If there's surplus, it converts that extra value through onchain auctions. Governance decides where this harvested profit goes, splitting it among up to three destinations:

DTF holders — new DTF tokens are bought and burned (destroyed), which makes each remaining token worth more
RSR stakers — the surplus is swapped for RSR tokens and given to people who have staked (locked up) their RSR, raising the value of their staked position
Any other address governance chooses

The safety role of RSR stakers: Stakers put their RSR up as a first-loss buffer. If one of the basket's collateral tokens suffers a big, lasting price crash, enough staked RSR is taken and sold to cover the shortfall. The catch: when stakers want to unstake, they have to wait a set period (usually 7–30 days), and during that wait they earn no rewards.

Index DTFs (baskets that track market indexes)

These baskets earn revenue from two types of fees:

A management fee — a tiny percentage charged on the total value sitting in the basket (assets under management)
A mint fee — a one-time fee charged when new DTF tokens are created

After a platform fee is taken out, the remaining fees are distributed to whoever governance decides, according to set percentages.

Revenue for governance token holders: By default, people who hold RSR can vote-lock their tokens (commit them for a period to get voting power, with a one-week unlock delay). When revenue sharing is turned on, they earn a share of those fees proportional to how much they've locked.

The deflationary burn: A separate protocol contract takes a portion of all Index DTF mint fees and management fees, uses them to buy RSR on the open market, and sends that RSR to a "burn" address (permanently removing it from circulation). As more people use these baskets, more RSR gets burned — shrinking the total supply over time.

All fee rates, recipient splits, and the share sent to the burn contract can be adjusted through onchain governance votes.

Persons

Thomas Mattimore
CEO
Taylor Brent
Lead Protocol Engineer
Patrick McKelvy
Director of Engineering
LinkedIn
Akshat Mittal
Senior Protocol Engineer
LinkedIn
Ivan Camps
Head of DeFi
LinkedIn
Jan Demidov
Protocol Engineer
LinkedIn
Julian Rodriguez
Protocol Engineer
LinkedIn
Luis Camargo
Front-End Engineer
LinkedIn
Juampi Rombolá
Front-End Engineer
LinkedIn
Griffin Peer
Strategy & Operations
LinkedIn
Matt Gertler
General Counsel
LinkedIn
Soham Mishra
Business Development
LinkedIn
Jake Bouma
Brand and Content Lead
LinkedIn
Max Bettinelli
Research & Analytics
LinkedIn
Erik
Design
Iryna Prudnikava
Accountant
LinkedIn
Kristina Diatchenko
Accounting Manager
LinkedIn
Jorge Galat
Engineer

Audits

Audit / Date	Findings	Verdict
Trust Security16-12-2024 - 24-12-2024	Critical0 High2 Medium11 Low8 Info0	The audit identified two critical-path high-severity issues (both fixed), but 11 medium and 8 low severity findings remain open, indicating the protocol is mid-development with substantial unresolved risks in slippage, reentrancy, token compatibility, and trade economics before mainnet readiness.
Cantina13-01-2025 - 20-01-2025	Critical0 High0 Medium2 Low4 Info6	The competition found no critical or high-severity vulnerabilities, and the two medium-risk issues (bid DoS and unset-variable trade collision) have clear remediation guidance, indicating a reasonable security posture for the codebase as reviewed.
Trail of Bits18-04-2025	Critical0 High0 Medium4 Low2 Info3	The audit uncovered four medium-severity issues (slippage, DoS vectors, ERC-777 incompatibility), of which three were resolved and one was risk-accepted, while the remaining findings were low/informational and largely acknowledged; overall the codebase is well-structured, but residual risks around governance attacks, donation-based DoS, and stETH rounding should be considered by users.
Pashov Audit Group02-06-2025 - 11-06-2025	Critical0 High0 Medium1 Low5 Info0	The audit revealed no critical or high-severity issues; the single medium-severity finding (DoS via filler state manipulation) was resolved, and the five low-severity items were either resolved or acknowledged, indicating reasonable security posture for the protocol's intended functionality.
Trail of Bits11-08-2022	Critical0 High5 Medium2 Low3 Info5	The audit uncovered five high-severity vulnerabilities affecting core recapitalization, staking, and access-control mechanisms, but the most critical operational flaws (auction failures, StRSR deadlock) are remediable with focused fixes; the system's heavy reliance on a single owner privilege remains a residual governance risk that on-chain or multisig control is intended to mitigate.
Trail of Bits11-08-2022	Critical0 High5 Medium2 Low3 Info5	The fix review confirms Reserve sufficiently addressed nearly all original issues for the p1 release candidate, with only an accepted-risk informational item on compiler optimizations left unresolved and a high-severity ownership-change issue partially resolved, requiring the new owner to explicitly revoke the previous owner.
Solidified16-10-2022	Critical2 High0 Medium0 Low0 Info0	The audit identified critical issuance-stealing and reentrancy vulnerabilities that were addressed, but the report flags residual design risks around governance flexibility and RSR collateral dependencies that warrant ongoing attention.
Ackee Blockchain07-10-2022	Critical0 High0 Medium3 Low0 Info1	The audit found no critical or high-risk vulnerabilities that directly endangered the protocol; the three medium-severity issues were either acknowledged with reasoned justification or fixed, and the warning/informational items were largely accepted as design trade-offs. The protocol's code quality and test coverage were noted as solid, and the residual risks center on reliance on governance trust assumptions and the acknowledged design patterns.
Halborn28-08-2022 - 10-10-2022	Critical0 High0 Medium0 Low3 Info7	The Halborn audit found no critical or high-severity vulnerabilities, with all three low-risk issues and seven informational items addressed by the Reserve team, reflecting a well-secured codebase at the time of review.
Code4rena06-01-2023 - 20-01-2023	Critical0 High2 Medium25 Low0 Info0	The audit identified two High-severity and twenty-five Medium-severity findings, all confirmed and addressed in subsequent mitigations, indicating that the Reserve team took the contest output seriously and remediated the most critical attack paths (cToken manipulation, basket range inefficiency, reentrancy, and issuance DoS) before the release.
Code4rena15-06-2023 - 29-06-2023	Critical0 High2 Medium12 Low0 Info0	The audit uncovered two high-severity and twelve medium-severity vulnerabilities, nearly all of which were subsequently mitigated and confirmed, leaving a manageable residual risk from the acknowledged and disputed items. Protocol safety is materially improved but ongoing attention to the mitigation review findings is warranted.
Code4rena25-07-2023 - 04-08-2023	Critical0 High3 Medium15 Low0 Info0	The audit identified 3 high and 15 medium severity issues across Reserve's collateral plugins, with all high-severity findings and most medium-severity findings successfully mitigated in dedicated PRs, reinforcing protocol safety for the collateral release.
Trust Security01-09-2023 - 09-10-2023	Critical0 High4 Medium13 Low8 Info0	The audit revealed several critical and high-impact vulnerabilities, most of which were successfully fixed or mitigated, but a few open/acknowledged findings — particularly around unfair Morpho reward distribution and unclaimed Curve multi-reward tokens — represent residual risks that protocol users should assess before deployment.
Trust Security22-01-2024 - 27-01-2024	Critical0 High1 Medium1 Low3 Info0	The audit identified one high-severity logical flaw that was fixed and one medium-severity issue (revenue/buffer loss on basket reweighting) that remains open, representing a residual design risk for RTokens that change target amounts. Overall the codebase was rated excellent in complexity and good in documentation, but the open medium finding and systemic risks around governance and oracle reliance warrant continued caution.
Solidified25-04-2024	Critical0 High0 Medium0 Low0 Info0	The PDF conversion was too degraded to extract reliable severity counts; however, the partial text suggests no critical or high-severity vulnerabilities were identified, with multiple minor or informational issues acknowledged by the development team.
Trust Security30-04-2024 - 02-05-2024	Critical0 High0 Medium0 Low1 Info0	The single low-severity finding was fixed by the team, and no critical, high, or medium issues were discovered, indicating the MetaMorpho collateral plugins were well-constructed; however, the systemic reliance on trusted roles governing MetaMorpho vaults introduces an ongoing trust risk that RToken governance should actively monitor.
Trust Security24-05-2024	Critical0 High0 Medium1 Low7 Info0	The audit identified one Medium and seven Low severity issues in the Reserve Protocol 3.4.0 upgrade spell, all of which were either fixed or acknowledged, and the report confirms no new centralization risks are introduced. When properly simulated before execution, the spell provides a safe upgrade path for the specified RToken deployments.
Solidified06-06-2024	Critical0 High0 Medium0 Low0 Info0	The audit found no critical or high-severity vulnerabilities in Reserve Protocol 3.4.0, with only minor code-quality and documentation issues identified alongside acknowledged operational limitations. The protocol's safety posture appears sound for the audited scope, though the usual residual risks around external dependencies and gas-sensitive operations remain.
Trust Security11-07-2024	Critical0 High0 Medium0 Low4 Info0	The audit found no critical, high, or medium severity issues, with all four low-severity configuration findings addressed (three fixed, one acknowledged), indicating that the audited plugin scope presents a low security risk.
Trust Security01-06-2024 - 03-07-2024	Critical0 High1 Medium1 Low2 Info0	Both the critical read-only reentrancy and the medium collateralization-check vulnerability were fixed, and the two low-severity items were either fixed or acknowledged with documented constraints, making the plugins safe for deployment under careful configuration management.

Legal

Legal form

Limited Liability Company (LLC)

Status and notes

The websites Reserve.org and app.reserve.org are operated by ABC Labs, LLC. The Terms and Conditions (at reserve.org/terms_and_conditions) state that ABC Labs, LLC is not a bank, broker-dealer, investment adviser, or registered financial intermediary. The Terms are governed by the laws of the State of Delaware. The trademark "Reserve" is a registered trademark of Confusion Capital. Contact email: [email protected]. General Counsel is Matt Gertler (per ABC Labs about page). No separate imprint page or explicit jurisdiction of incorporation disclosed on official sources.