PT Logo
← All posts

April 22, 2026 · Permissionless Technologies

crvUSD vs UPD: Curve's LLAMMA vs Pure Non-Freezability

crvUSD's LLAMMA soft-liquidates across price bands. But Curve DAO can still change debt ceilings and upgrade implementations on the ~$270M system.

crvUSDCurveLLAMMAUPDstablecoinliquidationDAO-governancesoft-liquidationcomparisonDeFi
Two stablecoin systems shown side by side, left labeled crvUSD with a flowing LLAMMA band diagram above a DAO governance chamber, right labeled UPD as a clean geometric brushed-steel vault, neither side has any freeze or blacklist signage

May 14, 2023. Curve Finance launches crvUSD on Ethereum mainnet and keeps the keys. Three years later the token sits around $270 million circulating market cap, the peg has held through two documented stress events, and the CurveOwnershipAgent still routes owner-only calls into the system on behalf of veCRV governance (crvUSD: 2 Years On).

This is a different answer from the one Liquity gave. LUSD was deploy-and-walk-away, no admin, no pause. crvUSD was deploy-and-keep-governing, with the Curve DAO empowered to add new collateral markets, adjust debt ceilings, update implementations behind the proxy, and reconfigure PegKeepers. Neither approach is obviously correct. Both are on the table, and a reader trying to pick should understand exactly what each one means.

LLAMMA, the Lending-Liquidating AMM Algorithm that powers crvUSD, is genuinely novel. Borrowers pick a number of price bands between 4 and 50, and as collateral prices move, the AMM softly converts collateral to crvUSD on the way down and buys it back on the way up (Liquidation & Bands). Liquidation isn't a cliff, it's a ramp. Worth taking seriously.

So what does UPD offer that crvUSD doesn't? The honest list: a non-governed trust model at the admin layer, stabilizer-minter role separation instead of a CDP, per-position liquidation isolation instead of a banded AMM, and integration into the Universal Private Pool for shielded transfers and ASP-based compliance. None of those invalidate LLAMMA. They're different answers to adjacent problems.

Key Takeaways

  • LLAMMA is a real innovation. Collateral gets distributed across 4-50 user-chosen price bands; the AMM continuously converts between collateral and crvUSD as price moves, smoothing liquidation losses compared to single-price cliff liquidations (Curve Resources).
  • crvUSD is non-freezable at the token layer. The ERC-20 contract has no blacklist, no freeze, no admin balance adjustment. Control lives one layer above at the CurveOwnershipAgent, which executes owner-only calls based on veCRV DAO votes (Contract Ownership).
  • The Curve DAO can materially change the system. set_debt_ceiling mints or burns crvUSD to match new market caps, market management functions add or disable collateral types, and blueprint implementations are upgradeable (Admin Controls).
  • Two documented peg disturbances. July 2023: a Curve Vyper-compiler exploit on stable pools triggered a brief 0.35% downward depeg on crvUSD (AMBCrypto). June 2024: the UwU lending exploit drove an upward depeg when PegKeepers couldn't match liquidation-driven demand fast enough (LlamaRisk incident report). Both resolved without bad debt.
  • UPD is pre-audit, Sepolia-only, stETH-only. Its architectural differentiators versus crvUSD are the stabilizer-NFT separation of collateral provider and minter, per-position direct liquidation backed by an InsuranceEscrow, and designed-in privacy plus compliance via the Universal Private Pool.

What Does Non-Freezable Mean for crvUSD?

crvUSD is a standard ERC-20 on Ethereum. The token contract at 0xf939E0A03FB07F59A73314E73794Be0E57ac1b4E exposes transfer, approve, permit. There's no blacklist function, no freeze, no admin balance adjustment (Curve Technical Docs). If you hold crvUSD in a self-custodial wallet and never interact with the borrowing or PegKeeper contracts again, nobody can take it from you.

That's the token layer. It's the same answer as LUSD at this level. Neither Circle nor Tether nor Paxos can call on either of them.

The layer above is where the architectures diverge. LUSD's borrowing contracts are immutable. Troves work in 2026 exactly as they did on April 5, 2021. Nobody can redeploy the logic, change the collateral ratio, or adjust liquidation thresholds. crvUSD's borrowing contracts aren't. The Curve Technical Docs state plainly that implementation contracts are upgradeable and direct users to "always check the most recent implementations" (Curve Technical Docs).

Your crvUSD balance can't be frozen. Your crvUSD position, meaning the controller-tracked debt against collateral sitting in LLAMMA bands, can be governed. The distinction matters.

The CurveOwnershipAgent

Curve's admin model routes owner-only calls through what it calls OwnershipAgents (Contract Ownership). These are contracts that accept instructions from the veCRV-weighted DAO and then execute the actual owner calls on target contracts. The main Ethereum OwnershipAgent is the owner of the crvUSD factory, the controllers, the PegKeeper registry, and the AMM blueprints.

What can it do? The Admin Controls page lists it explicitly. set_debt_ceiling adjusts the maximum debt for a market and mints or burns crvUSD to match the new ceiling (Admin Controls). Market management functions add or disable markets and update blueprint implementations. PegKeeper configuration functions add, remove, or reconfigure PegKeeper contracts and their target pools.

This isn't a freeze. It's discretionary authority over material parts of the system, which is a different thing and worth naming clearly.

How Does LLAMMA Actually Work?

Every CDP stablecoin has a liquidation problem. If collateral prices crash fast, traditional systems liquidate at a single price point, often a long way below the minimum collateral ratio. Large losses for the borrower, sometimes bad debt for the protocol. LLAMMA's answer is to turn each borrower's collateral into an LP position inside a specialized two-asset AMM (Nansen Research).

When a user opens a loan, they pick a number of bands between 4 and 50. These are discrete price ranges that together define the liquidation range. Collateral gets distributed across the bands. As the collateral price falls into and through a band, the AMM incrementally sells collateral into crvUSD. As price recovers, the AMM buys collateral back (Loan Concepts).

The effect is a smoothed liquidation. Instead of a cliff, you dollar-cost-average out of the position as price moves. Bad debt is limited because by the time a position hits its hard-liquidation threshold, much of the collateral has already been converted to crvUSD (CoinMarketCap Academy). That's a meaningful improvement over Maker-style single-price liquidations, particularly for assets that whipsaw.

The Trade-Off: Underexposure on Rebound

LLAMMA has a real cost that Curve documents plainly. If price drops into your liquidation range and then rebounds, you've already sold collateral into crvUSD. You get the crvUSD back but not the collateral upside on the rebound. You're effectively an LP in a concentrated range, same structural issue Uniswap v3 LPs face (Curve Risk Docs).

In a choppy market, you can end up repeatedly converting as the AMM cycles through bands. Curve's own risk documentation notes that collateral may become locked in soft-liquidation, limiting the borrower's ability to respond to market conditions (Loan Concepts). This is a feature for protocol solvency and a cost to individual borrowers, and it should be stated as both.

PegKeepers and Interest Rates

Peg maintenance runs through two mechanisms beyond LLAMMA. PegKeeper contracts watch Curve pools like crvUSD-USDC and crvUSD-USDT; when crvUSD trades above 1 USD in a pool, a PegKeeper mints crvUSD and deposits to push price down; when crvUSD trades below, the PegKeeper withdraws and burns (Binance crvUSD explainer).

Variable interest rates do the second job. The Curve DAO, through the OwnershipAgent, can raise borrowing rates to reduce crvUSD supply or lower them to encourage borrowing (GeekRunner crvUSD analysis). Monetary policy by DAO vote. It's one of the levers the governance layer actually uses.

What Can the Curve DAO Actually Change?

Side by side trust-surface diagrams, left showing Curve DAO governance routed through veCRV votes into the CurveOwnershipAgent which can modify debt ceilings, add markets, upgrade implementations, and reconfigure PegKeepers, right showing UPD with a single admin authority upgrading BeaconProxy escrow implementations and a UUPS oracle, with the UPDToken itself labeled non-upgradeable

The veCRV-weighted DAO, acting through the CurveOwnershipAgent, can modify or extend the system in several ways. This isn't hypothetical authority. The Admin Controls page documents it explicitly (Admin Controls, Factory Overview):

  • set_debt_ceiling: Raise or lower the maximum crvUSD debt allowed per collateral market. Adjusts supply directly by minting or burning crvUSD to match the new ceiling.
  • Market onboarding and deprecation: Add a new collateral type, or disable an existing market, via factory calls.
  • Blueprint implementation updates: Change the logic contract behind controllers and AMMs. Existing positions run against the new code after upgrade.
  • PegKeeper configuration: Add, remove, or reconfigure PegKeeper contracts targeting different counterparty stablecoin pools.
  • Fee receiver updates: Change where borrowing fees and liquidation surpluses accrue.

None of these calls can freeze an individual wallet. All of them can reshape the economic reality of running a position. If the DAO votes to lower a debt ceiling below current utilization, borrowers may face forced deleveraging. If the DAO swaps a PegKeeper for a new version, the peg dynamics change under you. These are material powers, and they're the structural contrast with Liquity, where the core is immutable.

The veCRV Governance Reality

The Curve DAO doesn't consist of retail crvUSD users. CRV holders lock CRV for up to four years as veCRV, receiving voting weight proportional to lock time (Nansen on veCRV). The largest veCRV holders are meta-governance protocols: Convex Finance, Yearn, and several stablecoin-issuing DAOs that accumulated veCRV for liquidity-incentive reasons (Crypto.com on Curve DAO).

This is the Curve Wars dynamic. Convex alone held enough veCRV for years to materially influence most gauge votes. Whether that reads as a feature (sophisticated voters with skin in the game) or a risk (a handful of protocols effectively running Curve governance) depends on your perspective. What isn't debatable: if you're running a crvUSD position, the parameter environment is shaped by a small number of large veCRV holders voting on proposals.

CRV Itself Faces Regulatory Uncertainty

A secondary risk lives at the governance-token layer. Curve DAO (CRV) has been flagged in analyst coverage as facing regulatory uncertainty, including the possibility of securities treatment in some jurisdictions (CoinStats investment analysis). If CRV trading or staking is restricted in a meaningful market, the voter base running crvUSD parameters contracts. DAO actions become harder to pass, or easier to capture.

How Do Liquidations Differ: LLAMMA Bands vs UPD Direct Liquidation?

Side by side liquidation flow diagrams, left showing a crvUSD borrower's collateral distributed across price bands inside an LLAMMA AMM with arbitrageurs softly converting between collateral and crvUSD as price moves through each band, right showing a UPD position being directly liquidated by a UPD holder who burns UPD and receives stETH with an InsuranceEscrow topping up any shortfall

This is where the structural difference is largest between the two systems. Both avoid creating bad debt in most conditions. The mechanism underneath is very different.

LLAMMA: Pooled Across Bands, Priced by Curve

In LLAMMA, each loan's collateral is already an LP position when the loan opens. Liquidation isn't a separate event so much as a continuous process that happens whenever collateral prices enter and cross bands. Arbitrageurs buy and sell against the AMM; their trades are themselves the liquidation events (Curve Resources on Bands).

There's also a hard-liquidation threshold, a position health score of 0 or below, that lets external liquidators fully close a position that's gone far enough underwater. By the time this triggers, most of the collateral has typically already converted to crvUSD (Nansen Research).

The design implication is that risk sits in the AMM. As a borrower, you're exposed to the AMM's path-dependent behavior. As a protocol, insolvency shows up when the AMM can't rebalance fast enough (the June 2024 UwU dynamic, discussed below).

UPD: Per-Position Direct Liquidation With Insurance

UPD has no Stability Pool and no LLAMMA. The system enforces a 125% minimum collateral ratio as a floor; stabilizers choose their own initial CR above it. Cautious operators might sit at 150-175%, leaving plenty of room above the liquidation zone. Aggressive ones might run around 130%, leaving just 5% margin before the first liquidation threshold kicks in. The liquidation threshold itself varies by liquidator NFT ID. Stabilizer NFT 1 can liquidate a position that drops to 125%, NFT 2 at 124.5%, each subsequent ID 0.5 percentage points lower, floored at 110%. Anyone with UPD (even without an NFT) can liquidate any position at or below 110%:

// StabilizerNFT.sol
function liquidatePosition(
    uint256 liquidatorTokenId,     // 0 = no NFT, uses permissionless floor
    uint256 positionTokenId,       // The position being liquidated
    uint256 updAmountToLiquidate,
    IPriceOracle.PriceAttestationQuery calldata priceQuery
) external nonReentrant onlyMainnetOrSepolia;

The liquidator transfers UPD to the contract, which burns it, and pulls stETH out of the position's PositionEscrow. Default payout is 105% of par in stETH. Excess above 105% flows to the InsuranceEscrow. If the position is too underwater to pay 105% in full, the InsuranceEscrow tops up the shortfall best-effort.

Each position lives or dies on its own collateral plus the InsuranceEscrow backstop. No banded AMM. No pro-rata redistribution across other borrowers. No protocol-owned Stability Pool.

Where the Risk Sits Differently

LLAMMA spreads risk across the AMM's band structure and the broader arbitrage layer. UPD isolates risk per position and funnels shortfalls into a single InsuranceEscrow that has to be sized to absorb them. The trade-off is fundamental. LLAMMA trades path-dependence for smoothness; UPD trades pool-capitalization dynamics for binary per-position outcomes with an insurance layer.

Neither model is objectively better. They pick different failure modes to guard against, and the right choice depends on which failure mode you're more worried about in your specific use case.

What Happened During the June 2024 UwU Incident?

crvUSD hasn't had a catastrophic failure. It's had two stress events that are worth studying, because they reveal where LLAMMA's sensitivities actually live.

June 12, 2024: The UwU-Driven Upward Depeg

UwU Lend, an unrelated Aave-fork lending protocol, was exploited on June 10-11, 2024. The attacker used over 23 million CRV as collateral in Curve Lend to borrow roughly 8.1 million crvUSD, contributing to highly inorganic market dynamics (LlamaRisk incident report).

The large liquidatable positions created heavy demand for liquidation processing. Liquidators had to acquire crvUSD to close them. PegKeepers and external arbitrageurs couldn't respond quickly enough to the sudden demand. crvUSD depeg went upward: the stablecoin traded meaningfully above $1 during the incident window, and knock-on liquidations cascaded through other Curve Lend markets as correlated positions moved together.

No permanent loss of peg, no obvious system-level bad debt. But the incident surfaced a specific structural weakness: LLAMMA-based systems depend on PegKeeper capacity and arbitrage liquidity to absorb correlated demand shocks. If attackers can manufacture large correlated positions faster than these mechanisms can react, the peg itself becomes stressed.

July 30, 2023: The Vyper Exploit Downward Depeg

An earlier incident had the opposite direction. On July 30, 2023, multiple Curve stable pools with vulnerable Vyper compiler versions were exploited, losing roughly $70 million. crvUSD's core contracts weren't directly affected, but the ecosystem shock caused a temporary downward depeg of approximately 0.35% (AMBCrypto, Crypto Briefing).

The peg recovered within hours as market panic subsided. But it's a reminder that crvUSD's peg is linked to the broader Curve ecosystem. Operational risks like front-end compromise, pool vulnerabilities, or governance issues can propagate into crvUSD's peg even without a direct contract exploit on crvUSD itself.

What This Means for UPD's Design

UPD doesn't yet have live incidents to point at. We're pre-audit and Sepolia-only. But the structural comparison is concrete. UPD's peg mechanism doesn't depend on a PegKeeper network that could be overwhelmed by manufactured demand. Mint and burn are per-position, gated by the stabilizer queue and the 105% minimum liquidation payout. An attacker can't force-borrow UPD by dumping arbitrary collateral; they'd need to sit in the stabilizer queue or acquire UPD on secondary markets.

Different mechanism, different attack surface. Whether UPD will actually hold up under analogous stress is an open question. Mechanism analysis isn't the same as live operation, and we say so plainly.

Where Does UPD's Scope Extend Beyond crvUSD?

crvUSD is a fully-public ERC-20. Every transfer, every position open, every liquidation sits permanently on-chain, visible to chain analytics firms, competing traders, MEV bots, and anyone else running a blockchain indexer. For DeFi-native users, that's a feature. For institutional desks, payroll operations, or B2B settlement flows, it's a blocker.

UPD is designed to operate inside the Universal Private Pool (UPP). Deposits produce shielded notes. Transfers inside the pool are ZK-private. Withdrawals can re-expose to public ERC-20 where needed. The pool also implements an Association Set Provider pattern: compliance teams operate as ASPs that attest to membership sets, and users prove membership in a specific ASP's set as part of their withdrawal proof without revealing the underlying transfer history (ASP vs Proof of Innocence).

crvUSD has no analog. You can deposit crvUSD into a third-party privacy tool like RAILGUN, but you inherit whatever compliance and UX constraints that tool has, and crvUSD's borrowing and liquidation logic doesn't integrate with it. UPD is built end-to-end around the assumption that dollar movements should be private by default with selective disclosure, not transparent by default with no disclosure option.

The Stabilizer-Minter Split

There's a secondary architectural difference. crvUSD is a CDP. A user opens a loan by depositing collateral and minting crvUSD against it. The same user holds both sides: they're collateral provider and stablecoin minter at once.

UPD splits those roles. A stabilizer owns an NFT and deposits stETH into a PositionEscrow. Stabilizers sit in a priority queue by NFT ID. When a minter calls mint, the contract walks the queue pulling collateral from stabilizers' escrows until the minter's requested UPD is fully overcollateralized. The stabilizer earns stETH yield via Lido rebasing and any liquidation premia. The minter gets dollar liquidity.

Why does this matter? A stabilizer is a counterparty who brings balance sheet. A minter is a user who needs the stablecoin. They can be different parties, managed by different entities, with different risk and accounting treatments. That's useful for structured products, institutional liquidity provision, and protocols that want to separate collateral management from stablecoin distribution.

A CDP like crvUSD (or Liquity, or DAI) collapses both roles into one user. Simpler in some ways. Less natural as a substrate for marketplace lending structures where the collateral provider isn't the stablecoin consumer.

Head-to-Head Comparison

DimensioncrvUSDUPD
Live sinceMay 14, 2023Pre-launch (Sepolia)
Collateral typesETH plus DAO-approved LSTs and blue-chip assetsstETH only
Min CRVaries by market, DAO-configurable125% system floor; stabilizers pick their own CR above (aggressive ~130%, cautious 150-175%); liquidation threshold varies by NFT ID from 125% down to 110%
Peg mechanismLLAMMA + variable interest rates + PegKeepersPer-position overcollateralization + mint/burn
Liquidation designContinuous soft-liquidation across price bands inside LLAMMAPer-position direct liquidation with InsuranceEscrow backstop
Bad debt handlingLLAMMA smoothing + hard-liquidation at health 0Per-position isolation + InsuranceEscrow shortfall coverage
Core upgradeabilityImplementation contracts upgradeable via OwnershipAgentUUPS oracle, BeaconProxy escrows, non-upgradeable token
Admin keys on coreCurveOwnershipAgent (acts on veCRV DAO vote)Upgrade authority on escrow beacons + oracle
Governance can changeDebt ceilings, collateral markets, implementations, PegKeepers, fee receiversOracle + escrow implementations + stabilizer params
Token freeze / blacklistNoneNone
Market cap / TVL (order)~$270-290M circulating (Q1-Q2 2026)Pre-launch
Privacy layerNone (public ERC-20)Designed for UPP shielded transfers
Compliance storyNone (fully permissionless at token layer)ASP-compatible via UPP entry control
Audit statusMultiple core and ecosystem audits over timePre-audit
Notable incidentsJuly 2023 Vyper depeg (~0.35% down); June 2024 UwU upward depegNone (no live operation yet)
Current maturityNearly 3 years mainnetSepolia tech preview

Which Risk Profile Fits Your Use Case?

When crvUSD Fits

  • You want nearly 3 years of mainnet operational history and live peg behavior you can study
  • You're comfortable with LLAMMA's path-dependent liquidation and happy to trade rebound upside for smoothed losses
  • You value multi-collateral LST and blue-chip asset support that's already live on mainnet
  • You're comfortable that parameter changes can happen via veCRV DAO vote, including debt ceiling adjustments and implementation upgrades
  • You don't need shielded transfers or an ASP-based compliance story for your specific flow

When UPD's Risk Profile Fits

  • You need shielded transfers on the dollar leg of a payment or settlement flow via UPP
  • Your team needs an ASP-compatible compliance story and token-level freezes are disqualifying
  • Your protocol architecture benefits from separating stabilizer (collateral provider) from minter (stablecoin receiver)
  • You'd rather reason about a narrow admin upgrade surface than a DAO that votes on debt ceilings and market additions
  • You accept pre-audit Sepolia-only starting-point risk in exchange for these properties

These aren't exclusive categories. Some users will hold both, treating them as complementary tools with different scopes.

Frequently Asked Questions

Is crvUSD really non-freezable?

At the token contract level, yes. There's no blacklist function, no freeze, no admin balance modification. The crvUSD ERC-20 at 0xf939E0A03FB07F59A73314E73794Be0E57ac1b4E has a clean standard surface (Curve Technical Docs). What the DAO can change is the parameter environment around the token: debt ceilings, collateral types, implementations, PegKeeper configuration. Those powers don't let anyone seize a balance, but they can reshape what it means to run a crvUSD position.

Can the Curve DAO freeze my position?

Not directly. The DAO can't zero your crvUSD balance or block your transfer. But it can lower the debt ceiling on a market, which would prevent new borrowing and could force deleveraging for existing borrowers. It can deprecate a market entirely, which affects existing positions' exit paths. It can upgrade the controller or AMM implementation. None of these are direct freezes, but collectively they constitute meaningful control over position economics.

What's the realistic risk of governance capture?

Low in absolute terms, non-trivial in tail scenarios. Curve has a sophisticated voter base dominated by protocols like Convex and Yearn that accumulated veCRV for liquidity-incentive reasons (Nansen research). Those entities are unlikely to collude against crvUSD depositors because their own businesses depend on Curve's health. The tail scenarios involve regulatory action against CRV, voter apathy, or a protocol-level exploit of a governance layer itself. Those aren't zero-probability events.

Why use UPD if crvUSD has nearly 3 years of live operation?

You probably wouldn't, if your only requirement is a non-freezable crypto-backed dollar with an operational track record. crvUSD has that. UPD is worth considering when your requirements extend to shielded transfers through UPP, to ASP-based compliance for institutional entry, to separating stabilizer-from-minter in your own protocol design, or to a narrower admin surface than DAO-driven parameter management. If none of those apply, crvUSD's maturity advantage is real.

How does UPD handle liquidation without a Stability Pool or LLAMMA?

Directly, one position at a time. A liquidator transfers UPD to the StabilizerNFT contract, which burns it and pulls stETH out of the target position at 105% of par payout. Excess above 105% flows to the InsuranceEscrow. Shortfalls below 105% get topped up best-effort from the InsuranceEscrow's balance. There's no pooled burn buffer, no banded AMM. Each position is isolated, and the InsuranceEscrow is the only shared-risk layer.

What did the UwU incident actually reveal?

That PegKeeper-based peg stabilization has a response-time envelope, and manufactured correlated positions can exceed it (LlamaRisk). The June 2024 upward depeg didn't break crvUSD, but it showed that a system relying on external arbitrage and PegKeeper capacity can get caught out when demand for the stablecoin moves faster than these mechanisms can respond. Post-incident parameter tuning can mitigate this, but the underlying sensitivity remains.

Does UPD also have upgrade authority?

Yes, and we state it plainly. The escrows are BeaconProxy instances, and an admin-controlled beacon can push new implementations. The oracle is UUPS-upgradeable. The UPDToken contract itself is not upgradeable, so balances can't be rewritten, but a malicious admin could deploy an escrow implementation that drains stETH. That's a real risk that the user should understand. The mitigation path is progressive: admin to timelock to governance, over time. We're at step one, Sepolia-only. The difference with crvUSD isn't "upgrade authority vs no upgrade authority," it's "who holds the authority and through what process they exercise it."

Conclusion

crvUSD is the DAO-governed version of a non-freezable stablecoin. LLAMMA is a genuine innovation on the liquidation side. The peg has held through two documented stress events. The token itself can't be frozen. If those properties are enough for your use case, crvUSD is a serious option with nearly 3 years of mainnet operation behind it.

UPD isn't trying to compete on operational history. We can't. Pre-audit on Sepolia. What UPD offers that crvUSD doesn't is a different set of architectural answers: a narrower admin surface than DAO-driven parameter management, stabilizer-minter role separation, per-position isolation with an insurance backstop, and integration with UPP for shielded transfers and ASP-based compliance. None of those are automatically better. They're different answers to different problems.

Pick the trust model that matches your problem. If you want multi-collateral LST borrowing with LLAMMA's liquidation smoothing and veCRV DAO-driven parameter management, crvUSD is the right choice today. If you want shielded dollar transfers, ASP-compatible compliance, and a simpler admin surface to reason about, UPD is worth watching as it moves from Sepolia toward audit and mainnet.

Read the Admin Controls page. Read the LlamaRisk incident report. Decide based on your own threat model.

UPD is pre-audit and currently deployed on Sepolia. This comparison is architectural and educational, not investment or legal advice.