How Does Mountain Protocol Work?
Mountain Protocol issued USDM, a yield-bearing stablecoin backed 1:1 by short-term US Treasury bills, operating from September 2023 until August 2025 when it was acquired by Anchorage Digital and wound down. USDM was the first regulated permissionless yield-bearing stablecoin: holders automatically accrued T-Bill yield (~5% APY at peak) via daily rebasing without needing to stake or lock tokens. The protocol was regulated by the Bermuda Monetary Authority (Class M license), required KYC only for primary users (minting/redemption), and held reserves in bankruptcy-remote segregated accounts with monthly third-party attestations. At its peak in early 2024, USDM reached ~$155M in circulating supply and was integrated into Curve, Morpho, and Balancer as yield-bearing collateral. Despite strong regulatory compliance and a clean security record (zero exploits, two OpenZeppelin audits), USDM's fundamental risk was complete dependence on Mountain Protocol as a single regulated entity — a risk that materialized when Anchorage Digital's acquisition triggered the orderly wind-down. The protocol is no longer active.
TVL
—
Sector
RWA
Risk Grade
C-
Value Grade
B
Core Mechanisms
Token Supply/Rebasing/Daily Rebasing Token
NovelUSDM uses a shares-based rebasing mechanism inspired by Lido's stETH model — user balances increase daily via a rewardMultiplier updated by a single ORACLE_ROLE address to pass through T-Bill yield
First regulated permissionless yield-bearing stablecoin using rebasing to pass T-Bill yield directly to ERC-20 holders. The stETH rebasing model is well-established, but applying it to a fully-backed regulated stablecoin (rather than liquid staking) was novel at launch in Sep 2023. By 2024, similar approaches emerged (Superstate, Ondo USDY), eroding the novelty.
Lending/Collateral Models/Real-World Asset Backing
USDM is fully backed 1:1 by short-term U.S. Treasury bills (avg duration <60 days) held in bankruptcy-remote segregated accounts with E.Q. Capital as investment manager and Steakhouse Financial as external signer for transactions >$10M
Real-world asset backing creates an irreducible off-chain counterparty risk surface: custodians, brokers, banks, and the investment manager all sit between the on-chain token and the underlying collateral. The 60-day maximum duration requirement limits interest rate risk but cannot eliminate it.
Staking/Liquid Staking/Wrapped Non-Rebasing Vault
NovelwUSDM is an ERC-4626 tokenized vault wrapping USDM into a non-rebasing form for DeFi composability — depositing USDM yields wUSDM shares whose exchange rate appreciates over time, analogous to wstETH
The USDM/wUSDM dual-token architecture mirrors the stETH/wstETH model and enables DeFi integrations (Uniswap, Morpho, Curve) that cannot handle rebasing tokens. This composability layer multiplies the protocol's DeFi exposure surface and creates additional interaction risks.
Governance/Regulatory/BMA-Licensed Digital Asset Business
Mountain Protocol operated under a Class M Digital Asset Business Act license from the Bermuda Monetary Authority, requiring KYC for primary users, Regulation S compliance for non-U.S. persons only, and monthly independent attestations from Nephos Group
Regulatory licensing provided legitimacy and institutional adoption confidence, but made the entire protocol dependent on the continued existence and compliance of a single regulated entity. When Anchorage Digital acquired Mountain Protocol, the BMA-licensed operating entity was absorbed, necessitating the wind-down of USDM.
Governance/Access Control/Role-Based Multisig with Fireblocks MPC
Smart contract access control uses a 3-of-5 DEFAULT_ADMIN_ROLE multisig managed via Fireblocks MPC, with separate ORACLE_ROLE, MINTER_ROLE, BURNER_ROLE, BLOCKLIST_ROLE, and PAUSE_ROLE addresses controlling specific privileged operations
The BLOCKLIST_ROLE can freeze any address, the PAUSE_ROLE can halt all transfers, and the ORACLE_ROLE controls the reward multiplier that determines all user balances. The multisig architecture reduces single-key risk but the protocol remains fundamentally centralized — a compromised or malicious ORACLE_ROLE can silently drain value from all holders via a manipulated reward multiplier.
How the Pieces Interact
The ORACLE_ROLE address unilaterally sets the rewardMultiplier that determines all USDM balances. If the oracle is compromised or manipulates the multiplier downward (only the admin multisig can force negative rebase), wUSDM valuations collapse, triggering cascade liquidations across all Morpho lending markets using wUSDM as collateral. A single off-chain key compromise cascades into on-chain DeFi insolvency.
Mountain Protocol operates as a single regulated entity with unilateral power to freeze any address, pause all transfers, and stop new minting. Regulatory action (sanctions enforcement, license revocation) or internal decision could simultaneously freeze tokens for thousands of DeFi users with no on-chain recourse. This is not theoretical — the wind-down demonstrated that a single corporate decision can terminate the entire protocol.
USDM's on-chain liquidity via Curve pools and a Wintermute credit line could not absorb large coordinated redemptions if T-Bill settlement delays (T+2) prevented Mountain Protocol from delivering USDC. A bank-run-like scenario — triggered by market panic or negative USDM news — could exhaust secondary market liquidity before the primary redemption queue clears, temporarily depegging USDM and triggering DeFi liquidations.
Mountain Protocol's Regulation S compliance restricted primary minting/redemption to non-U.S. persons. Evolving U.S. stablecoin legislation (cited as a reason for the wind-down) could have forced product restructuring or complete cessation. This interaction ultimately materialized — new U.S. regulatory requirements contributed to the decision to wind down USDM and accept acquisition by federally chartered Anchorage Digital.
What Could Go Wrong
- Protocol fully wound down (Aug 2025) following Anchorage Digital acquisition — USDM no longer operational, all holdings required to redeem via secondary markets
- Single regulated entity dependency: Mountain Protocol IS the stablecoin — BMA license revocation or entity insolvency would collapse the peg with no on-chain fallback
- Centralized manual oracle (ORACLE_ROLE) controlled daily reward multiplier — single address could manipulate all USDM balances globally if compromised
Oracle Key Compromise and Silent Balance Drain
TailTrigger: The ORACLE_ROLE private key (held via Fireblocks MPC) is compromised, or a malicious insider with access to the Fireblocks workspace manipulates the addRewardMultiplier() call to set an absurdly high reward multiplier, temporarily inflating all USDM balances beyond the T-Bill backing.
- 1.ORACLE_ROLE calls addRewardMultiplier() with an anomalously large multiplier (e.g., 100x normal daily rate) — All USDM balances instantly inflate — a holder of 100 USDM now shows 10,000 USDM on-chain, but only $100 of T-Bill backing exists per original 100 USDM
- 2.Sophisticated bots detect the anomalous rewardMultiplier event on-chain and immediately swap inflated USDM for USDC on Curve — Curve USDM/USDC pool is drained within seconds as bots arbitrage the artificial inflation, extracting real USDC backed by nothing
- 3.Morpho wUSDM collateral valuations temporarily spike, enabling over-borrowing against inflated collateral before price oracles update — Attackers borrow maximum USDC/ETH against inflated wUSDM collateral, then allow position to collapse, leaving Morpho with undercollateralized bad debt
- 4.Mountain Protocol team detects anomaly and activates PAUSE_ROLE to halt all USDM transfers — Protocol is frozen, trapping all remaining USDM holders — legitimate holders cannot redeem while the exploit is investigated
- 5.T-Bill backing insufficient to cover inflated USDM obligations; Mountain Protocol declares insolvency — Remaining USDM holders receive fractional redemption after bankruptcy proceedings with the BMA
Risk Profile at a Glance
Overall: C- (52/100)
Lower score = safer