Meridion Risk Assessment: USD Coin (USDC)

1. Methodology

1.1 Rating Standard and Assessment Framework

This report is produced under the Meridion Risk Rating Standard v1. The engagement was conducted by a team combining smart contract security specialists, financial risk analysts, and formal methods engineers.

Each independent domain receives a risk rating of Low, Medium, or High:

• Low applies when no material adverse condition was identified within the assessed scope and residual risks are ordinary for the asset type.
• Medium applies when a material weakness, dependency, opacity, concentration, or stress scenario exists but is contingent, mitigated, not currently causing holder harm, or primarily a future-risk driver.
• High applies when a direct or credible path exists to material holder loss, unauthorized issuance, severe depeg, impaired transferability, asset shortfall or misrepresentation, governance or administrator capture, or operational failure.

The composite risk rating is derived from the three domain ratings using the following labels:

• Minimal: all three domain ratings are Low, with no material identified weakness beyond ordinary residual risk for the asset type.
• Low: no domain rating reaches High, and at most one reaches Medium; any Medium condition is isolated or future-oriented, with no immediate consequence for holders.
• Moderate: no domain rating reaches High, but multiple domains carry a Medium rating, or one Medium domain carries direct consequence, structural importance, or meaningful interaction with another domain.
• Elevated: at least one domain rating reaches High, but the condition remains contingent, is not actively causing holder harm, and does not currently show immediate adverse consequences.
• High: immediate adverse consequences are present, or an identified High domain condition bears directly on holders.
• Severe: multiple domains are critically compromised, or a single compromised domain produces cascading failure across the asset.

Each domain and the composite conclusion also receive a confidence rating of Low, Medium, or High. Confidence measures the reliability, completeness, independence, recency, and reproducibility of the evidence supporting the risk rating. Confidence does not reduce or soften the risk rating; instead, it tells the reader how strongly the rating is supported and whether material scope limitations reduce certainty.

1.2 Review Techniques Applied

Smart Contracts: Functionality and security

• Runtime entry-point catalogue: reconstruction of the complete externally callable runtime surface from deployed bytecode and verified source artifacts
• Manual code review: line-by-line inspection of all in-scope source files by independent security specialists
• Edge-case and exploit-negative review: targeted analysis of protocol-specific invariants, failure modes, access-control boundaries, replay protections, and upgrade assumptions
• Formal verification: direct deployed-bytecode verification of hidden calldata surface, covering selectors outside the complete runtime catalogue and malformed calldata shorter than 4 bytes
• Fork-based behavioral testing: live-chain execution of representative positive and negative behavioral tests against deployed bytecode using Foundry; test counts, entry-point coverage, and PASS/FAIL status are reported in the bytecode assurance section
• AI-assisted analysis: automated pattern detection and anomaly scanning across the full codebase to supplement human review

Operations: Key management and administrative control

• Role mapping: reconstruction of deployment and administrative authority from on-chain state and historical events
• Key management review: assessment of HSM, MPC, and key ceremony controls based on SOC reports and public disclosures
• Monitoring and alerting: assessment of on-chain event alerting coverage and anomaly detection arrangements for privileged operations and administrative actions
• Recovery assessment: review of signer loss, compromise, and administrative recovery procedures

Financials: Underlying assets and counterparties

• Reserve attestation analysis: comparison of attestation disclosures against on-chain liabilities and supply metrics
• Counterparty profiling: identification of issuer, custodian, banking, and attestation dependencies and their risk posture
• Liquidity analysis: assessment of redemption capacity and market depth across DEX and CEX venues
• Scenario analysis: review of economic stress scenarios and their implications for solvency, redemptions, and price stability.

2. Executive Summary

Subject Overview

USD Coin (USDC) is a fiat-collateralised payment stablecoin issued by Circle Internet Financial, LLC. Each USDC token is redeemable at par for one US dollar through Circle's institutional redemption platform (Circle Mint), with reserves held primarily in short-duration US Treasury securities and regulated bank deposits. USDC is natively issued across multiple blockchain networks; as of the assessment snapshot (block 24,941,472 on Ethereum Mainnet, 2026-04-23), the Ethereum on-chain total supply was approximately 54.43 billion USDC. Aggregate circulating supply across all chains, as attested by Deloitte and Touche LLP for the period ending April 30, 2026, was approximately 77.36 billion USDC. The residual approximately 22.93 billion USDC outstanding on non-Ethereum chains (Solana, Base, Arbitrum, Polygon, and others) was not independently verified in this investigation and relies on the Deloitte attestation for coverage.

KYC Gating

Secondary-market holding of USDC does not require KYC; any Ethereum address may hold, transfer, or receive USDC without identity verification. Minting (primary issuance) is KYC-gated: only addresses configured as authorised minters through the MinterAdmin contract may call mint, and access to Circle Mint (the institutional issuance channel) requires full onboarding and compliance approval. Redemption to US dollars is similarly restricted to institutional counterparties onboarded to Circle Mint with full KYC/AML verification; retail holders must exit via exchange partners or secondary markets. An on-chain blacklisting mechanism is built into the FiatTokenV2_2 implementation: the Blacklister role may freeze (blacklist) or unfreeze (unBlacklist) any Ethereum address, after which that address cannot send, receive, approve, or be approved for USDC transfers. The blacklisting mechanism is used to implement OFAC sanctions compliance and to respond to law enforcement requests. The Blacklister role is currently held by EOA 0x0a06be16275b95a7d2567fbdae118b36c7da78f9, which operates without a publicly documented approval workflow.

Overall Risk Rating: Low

Composite Confidence: Low

USDC presents a well-established risk profile characterised by a highly capable smart contract codebase with a single Low-severity finding, 100% reserve backing attested by a Big Four accounting firm, and broadly strong regulatory standing across US and EU jurisdictions. The composite risk rating is Low because only the operational security domain reaches a risk score of Medium: the concentration of the highest-privilege roles (proxy admin and implementation owner) in externally owned accounts with no publicly disclosed key management arrangement creates a contingent risk that is not currently causing holder harm and has no adverse incident record. The financial domain risk is Low, reflecting fully attested reserves composed primarily of short-duration US government instruments and regulated bank deposits, with throughput constraints rather than insolvency as the primary stress-scenario risk. Composite confidence is Low solely because operational confidence is Low: the proxy admin and implementation owner are EOAs with immediate authority, and no public evidence confirms HSM/MPC custody, second approval, emergency workflow, monitoring thresholds, or change-control procedures for those highest-privilege roles.

Smart Contract Security Summary

The review did not identify any exploitable vulnerability within the assessed scope. The single finding, SEC-01, concerns the single-step ownership transfer pattern in transferOwnership: an input error by the owner EOA could permanently and irrecoverably transfer administrative authority to an uncontrolled address. This is gated by the onlyOwner modifier and requires no external attacker involvement. The contract system implements comprehensive access-control modifiers on all privileged functions, SafeMath-based arithmetic throughout, EIP-712 typed signature verification with chain-ID binding and per-address nonce tracking, and a fully locked initializer stack (version 3). The proxy upgrade mechanism is atomic: a failed initialiser call during upgradeToAndCall reverts the entire transaction, preventing a half-upgraded state.

Smart Contract Risk Score: Low | Confidence: High

Operational Security Summary

The primary operational risk driver is the concentration of the two highest-privilege roles in externally owned accounts with no publicly disclosed key management arrangement. The proxy admin (0x807a96288a1a408dbc13de2b1d087d10356395d2) can replace the entire token implementation in a single transaction with no on-chain timelock; the implementation owner (0xfcb19e6a322b27c06842a71e8c725399f049ae3a) can reassign all four operational roles (blacklister, pauser, masterMinter, rescuer) unilaterally. Neither HSM, MPC, hardware security key arrangement, nor a second-approval requirement is publicly documented for these roles. Circle references SOC 2 Type II certification in general disclosures, but this does not constitute a public key management disclosure for specific role addresses. No known key compromise, unauthorised minting, malicious upgrade, or operational control failure has been identified in the contract's history. The on-chain administration record shows evidence of operational discipline: three paired and reversed proxy admin changes consistent with key rotation rehearsals, and routine blacklister and pauser rotations at multi-year intervals. Risk is rated Medium because the adverse condition is contingent and no operational failure is known; confidence is Low because the controls that would prevent unilateral EOA misuse or compromise are not independently verifiable.

Opsec Risk Score: Medium | Confidence: Low

Financial Summary

USDC reserves are fully backed at 100% per the most recent Deloitte attestation (April 30, 2026), composed primarily of short-duration US Treasuries (60.7%) and overnight repo (0.7%) held in the SEC-registered Circle Reserve Fund (2a-7, BlackRock managed, BNY Mellon custodied), with 38.6% in regulated bank deposits. Reserve quality is high; the primary financial risks are bank deposit counterparty concentration (partially opaque: the $11.28 billion in "other bank deposits" is not attributed to named institutions) and the absence of a bankruptcy-remote legal structure for USDC holders under current US law (holders have a contractual redemption right against Circle, not a direct claim on specific reserve assets). Redemption capacity under mass-exit conditions is constrained by banking-hour and settlement-throughput limits rather than reserve adequacy. Confidence is Medium because cross-chain supply (approximately $22.93 billion USDC on non-Ethereum chains) was not independently verified, redemption throughput is not publicly disclosed, and banking counterparties for the "other deposits" tranche are unnamed.

Financial Risk Score: Low | Confidence: Medium

Scope Limitations

• Other deployment chains (Solana, Base, Arbitrum, Polygon, Optimism, Avalanche, and others): Native USDC issuance and smart contract deployments on non-Ethereum chains were not assessed in this investigation. Cross-chain supply figures rely on the Deloitte attestation. Affects confidence in the financial and smart contract domains.
• MinterAdmin contract internal analysis: The MinterAdmin contract (0xe982615d461dd5cd06575bbea87624fda4e3de17) is the current masterMinter. Its internal entry points, key management, and operational controls were assessed at the role and structural level but not subjected to the full entry-point catalogue and formal verification analysis applied to FiatTokenProxy and FiatTokenV2_2. Affects confidence in the operational security domain.
• Off-chain operational controls: Key management arrangements, monitoring configuration, incident response procedures, and change management gates for Circle's internal operations were not independently assessed. The SOC 2 Type II reference provides a partial institutional baseline but does not verify contract-specific controls. Affects confidence in the operational security domain.
• Circle Mint redemption throughput: The maximum USD volume per hour or day that Circle's institutional redemption channel can process is not publicly disclosed. Scenario 3 estimates ($2-3 billion within 6 hours) are inferred from banking infrastructure norms. Affects confidence in the financial domain.
• Banking counterparties for "other deposits": Circle does not publicly disclose the names of banking institutions holding the $11.28 billion "other bank deposits" reserve tranche. Affects confidence in the financial domain.

3. Part I: Smart Contract Security Analysis

Smart Contract Security Rating: Low | Confidence: High

3.1 Scope and Execution Environment

Chain: Ethereum Mainnet

Assessment snapshot block: 24,941,472 (2026-04-23)

Both contracts are verified on Blockscout. The proxy was compiled without optimisation (Solidity 0.4.24). The implementation was compiled with aggressive optimisation (10,000,000 runs, Solidity 0.6.12, Istanbul EVM). The proxy uses the ZeppelinOS legacy transparent proxy pattern, storing the implementation and admin addresses in non-standard keccak256-preimage-derived slots rather than the EIP-1967 standard slots. This has no functional impact on the entry-point catalogue but affects tooling compatibility; see Section 4.3.

3.2 Entry Point Catalogue

This investigation involves a proxy and implementation split. The following two tables list only state-modifying, externally reachable entry points. View and pure functions are excluded from display but used in the formal verification runtime.

Proxy contract entry points:

The proxy contract includes 2 additional functions that are not state-modifying (view): admin() (EP-PR-005) and implementation() (EP-PR-006).

Implementation contract entry points:

The implementation contract includes 24 additional functions that are not state-modifying (view or pure): EP-IM-032 through EP-IM-055.

Overloaded functions in the table are abbreviated as name(...) [N args], where N is the total parameter count.

3.3 Bytecode Surface Attestation

As capital held in on-chain assets grows, the Solidity compiler (solc) and deployment pipeline become increasingly attractive supply-chain attack targets. A compromised compiler, build process, or deployment artifact could insert hidden trap doors that are not visible in source-level review but are present in deployed bytecode. Meridion therefore separates bytecode assurance into two complementary controls: formal verification of hidden calldata surface and fork-based behavioral tests of intended entry-point behavior on deployed bytecode.

Input artifact hashes (Keccak-256 of deployed bytecode):

Verification engine: The Meridion Formal Verification Engine v1 is a custom-built symbolic execution environment executing EVM bytecode that supports JUMPI-tracing and SMT solving to verify the absence of trapdoors.

3.3.1 Hidden-Surface Formal Verification

The complete runtime catalogue of entrypoints (6 proxy entries, 55 implementation entries) serves as the exclusion set for hidden-surface verification. The report table in Section 3.2 is abridged for the implementation to state-modifying functions only; all 55 runtime selectors were used in the FV exclusion set.

FiatTokenProxy: Bytecode Surface Cases

Formal verification of the deployed FiatTokenProxy bytecode produced CONFIRMED results for both hidden-surface cases. The FiatTokenProxy uses the ZeppelinOS legacy transparent proxy pattern, storing the implementation address in a non-standard keccak256-preimage-derived storage slot keccak256("org.zeppelinos.proxy.implementation") rather than the EIP-1967 standard slot. The FV engine seeded this slot with the expected implementation address as a concrete initial storage state before symbolic execution, allowing the symbolic executor to confirm that all feasible delegatecall paths route exclusively to the fixed implementation address.

For unknown 4-byte selectors, 2 feasible paths were found: one REVERT path (non-admin call with unknown selector reverts via the admin gate) and one DELEGATECALL path routing to the fixed implementation address. 6 candidate branches were pruned as infeasible by the SMT solver. For short calldata, the same classification holds: 2 paths, one REVERT and one DELEGATECALL to the fixed implementation.

FiatTokenV2_2: Bytecode Surface Cases

Formal verification of the deployed FiatTokenV2_2 bytecode produced CONFIRMED results for both hidden-surface cases.

For short calldata (calldata_size < 4), a single path was found and it always reverts. This is confirmed: the implementation's Solidity-generated dispatcher reverts immediately when the input is too short to contain a valid 4-byte selector.

For unknown 4-byte selectors, 16 revert paths were found exhaustively and 57 candidate branches were pruned as infeasible. No non-reverting path was found. The implementation's dispatcher exhaustively rejects all calldata whose 4-byte selector is not among the 55 known selectors, confirming the absence of hidden callable surface.

Overall verdict: CONFIRMED

All four hidden-surface absence and proxy-routing cases are fully classified. No unexpected non-reverting hidden selector path was found in either contract. The proxy confirms that all delegatecall paths route exclusively to the expected implementation address 0x43506849D7C04F9138D1A2050bbF3A0c054402dd. The implementation confirms that all unknown-selector paths revert.

3.3.2 Fork-Based Behavioral Tests

Fork-based behavioral tests were executed against the deployed FiatTokenProxy 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 and FiatTokenV2_2 implementation 0x43506849D7C04F9138D1A2050bbF3A0c054402dd on an Ethereum mainnet Foundry fork at block 24,941,472.

The proxy fallback (EP-PR-004) was not counted as a separate required case because it is not a named selector. It was exercised implicitly by every implementation entry-point test, since those calls were sent through the deployed proxy and therefore traversed the fallback delegatecall path.

An optional fork smoke test for a selector outside the runtime catalogue was not run and was not counted as a required case; formal verification remains the authoritative hidden-surface control.

Fork-test overall result: PASS (64/64 required cases passed; 30 positive cases, 34 negative cases, all 34 named state-modifying entry points exercised)

3.3.3 Bytecode Assurance Conclusion

Formal verification and fork testing answer different questions. Formal verification provides exhaustive assurance over hidden calldata surface within its modelled constraints: unknown selectors and malformed short calldata. Fork tests provide sampled behavioral assurance that the deployed bytecode performs representative intended operations and rejects representative invalid operations.

The combined bytecode assurance evidence for this assessment is as follows. FV of the proxy is CONFIRMED for both cases: all feasible delegatecall paths route exclusively to the expected implementation address 0x43506849D7C04F9138D1A2050bbF3A0c054402dd, and non-admin calls with unknown selectors or short calldata revert. FV of the implementation is CONFIRMED for both cases: unknown selectors always revert (16 revert paths; 57 infeasible branches pruned), and short calldata always reverts. Fork tests are PASS (64/64 required cases). The combined evidence provides complete bytecode assurance: formal verification exhaustively confirms the hidden-surface absence claims and proxy routing integrity, while fork tests confirm representative intended-operation and invalid-operation behaviour across all 34 named state-modifying entry points. This evidence supports a high-confidence bytecode-assurance claim and the smart contract confidence rating is High.

3.4 Edge-Case Analysis

Edge-case analysis was conducted independently by a human security researcher and advanced AI tooling for all Critical and High entry points using line-by-line source code review. Key findings are summarised below.

3.5 Common Exploit Negatives

Based on line-by-line source code review by human security researchers and LLM-based reasoning, the following exploit negatives were identified:

3.6 Security Findings Register

SEC-01: Single-step ownership transfer with no pending-owner confirmation

4. Part II: Operational Security

Operational Security Rating: Medium | Confidence: Low

4.1 Privileged Roles

Role holders at assessment snapshot:

Proxy Admin (0x807a96288a1a408dbc13de2b1d087d10356395d2): This is the highest-privilege role in the system. A single transaction from this key can replace the entire FiatTokenV2_2 implementation with arbitrary bytecode via upgradeTo or upgradeToAndCall. The proxy admin can also transfer the admin role itself via changeAdmin. The holder is an EOA confirmed not to be a Gnosis Safe (verified via Blockscout and Safe API). No HSM, MPC, hardware security key, or second-approval requirement is publicly documented for this role. The address has been stable since September 2018 (block 6278324), with three transient rehearsal-pattern changes (blocks 10743406, 12317806, 18963710) each reversed within 72-91 seconds. No public disclosure of a key management policy exists.

Implementation Owner (0xfcb19e6a322b27c06842a71e8c725399f049ae3a): Controls four role-reassignment functions (updateBlacklister, updateMasterMinter, updatePauser, updateRescuer) and transferOwnership. A single transaction from this key can reassign any operational role to an attacker-controlled address. The holder is an EOA confirmed not to be a Gnosis Safe. Unchanged since deployment (block 6282629, September 2018). No key management disclosure exists.

MasterMinter: MinterAdmin Contract (0xe982615d461dd5cd06575bbea87624fda4e3de17): The masterMinter role is held by a verified contract, not a direct EOA. The MinterAdmin implements an owner-controller-worker model: the MinterAdmin owner (0xc1d9fe41d19dd52cb3ae5d1d3b0030b5d498c704, an EOA) configures controllers; each controller manages one worker minter; workers call configureMinter on FiatToken through MinterAdmin. This structure adds meaningful separation: the MinterAdmin owner cannot mint directly. However, if the MinterAdmin owner key is compromised, an attacker can reconfigure the controller-worker assignments and ultimately redirect the entire mint pathway. The implementation owner can mitigate this by calling updateMasterMinter to replace the compromised MinterAdmin contract.

Blacklister (0x0a06be16275b95a7d2567fbdae118b36c7da78f9): Can freeze or unfreeze any Ethereum address in a single transaction (blacklist, unBlacklist). This is a compliance-critical, operationally active role: the key must remain accessible for ongoing sanctions enforcement, meaning it is likely a hot or warm key. No HSM or MPC disclosure exists. The role has been rotated three times since 2019, suggesting active key management practices. The owner can reassign via updateBlacklister.

Pauser (0x4914f61d25e5c567143774b76edbf4d5109a8566): Can halt all token operations in a single transaction (pause) or restore them (unpause). Single-key control is a deliberate design choice enabling fast incident response; requiring multi-party approval would slow emergency interventions. No key management disclosure exists. Last assigned at block 17965526 (August 2023). The owner can reassign via updatePauser.

Rescuer (unset, zero address): The rescuer role would allow recovery of ERC-20 tokens accidentally sent to the USDC proxy address via rescueERC20. Because the role holder is the zero address, rescueERC20 is permanently inoperable in the current state: no caller can satisfy the onlyRescuer modifier. Any ERC-20 tokens sent to 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 are irrecoverable until the owner calls updateRescuer. This has no impact on normal token operations or supply.

Key management transparency: No HSM, MPC, hardware security key, or equivalent arrangement has been publicly disclosed for any of the EOA role holders (proxy admin, implementation owner, MinterAdmin owner, blacklister, pauser). Circle references SOC 2 Type II certification in general disclosures, but this does not constitute a public disclosure of key management arrangements for specific on-chain role addresses. The transparency gap is documented. It does not establish that key management controls are absent; it establishes that they cannot be independently verified. Because the highest-privilege roles are EOAs with immediate upgrade and role-reassignment authority, this evidence gap lowers Operational Security confidence to Low.

4.2 Administration History

The following is a chronological reconstruction of material administrative events derived from on-chain event data.

2018-08-03: AdminChanged event at block 6082473. Proxy admin set from the initial deployer address to 0x69005ff7... during initial deployment setup.

2018-09-05: AdminChanged at block 6278324. Proxy admin changed to 0x807a9628..., the stable admin address held to the assessment date.

2018-09-06: Batch of initial role-configuration events. PauserChanged (block 6282401) sets first pauser. MasterMinterChanged (block 6282558) sets initial master minter as an EOA. OwnershipTransferred (block 6282629) from deployer to 0xfcb19e6a..., the current implementation owner, unchanged to the assessment date.

2018-09-06: MinterRemoved at block 6283968, removing a deployment-time test minter.

2019-01-28: MinterRemoved at block 7140662.

2019-06-12: MasterMinterChanged at block 7944634. The initial EOA masterMinter is replaced by the MinterAdmin contract (0xe982615d...). This is a meaningful operational improvement: direct EOA minting is replaced by the owner-controller-worker contract governance model.

2019-06-27: PauserChanged and BlacklisterChanged at blocks 8041875 and 8041867.

2020-08-27: Paired AdminChanged events at blocks 10743406 and 10743414 (within 79 seconds). Proxy admin transiently changed to 0xed24bd79... and immediately returned to 0x807a9628.... Pattern is consistent with a key rotation rehearsal or administrative access verification.

2021-04-06: Two MinterRemoved events at blocks 12187552 and 12187586.

2021-04-26: Paired AdminChanged events at blocks 12317806 and 12317814 (within 91 seconds). Same transient-change-and-return pattern, this time via 0xd13689e8.... Second rehearsal event.

2023-03-10 to 2023-03-13 (SVB depeg): USDC temporarily depegged from USD following Circle's disclosure that approximately $3.3 billion of USDC reserves were held at Silicon Valley Bank (SVB) at the time of its FDIC receivership. USDC traded as low as approximately $0.87 before recovering to $1.00 after the FDIC guaranteed SVB deposits. No privileged contract functions were invoked, no emergency pause was triggered, and no key compromise or unauthorised minting occurred. This was a reserve and financial event, not an operational security event; see Section 5.

2023-08-21: PauserChanged at block 17965526 and BlacklisterChanged at block 17965524. Two role changes within two blocks, consistent with a coordinated role handover. Pauser assigned to 0x4914f61d... (current holder); blacklister assigned to 0x10df6b6f....

2024-01-08: Paired AdminChanged events at blocks 18963710 and 18963716 (within 72 seconds). Third rehearsal-pattern event, transient change to 0x9999fa87... and return to 0x807a9628....

2025-03-18: MinterRemoved at block 22075183.

2025-05-06: MinterRemoved at block 22427208.

2025-05-29: MinterRemoved at block 22590579.

2025-06-30: BlacklisterChanged at block 22818122. Blacklister rotated to 0x0a06be16..., the current holder. Most recent role change at assessment date.

Pattern assessment: The administration history reflects routine operational hygiene: role rotations at multi-year intervals, three proxy admin rotation rehearsals with a consistent return-to-stable pattern, and minter lifecycle management through the MinterAdmin contract. No emergency pause events, unexpected role transfers, unauthorised admin changes, or anomalous minting events appear in the on-chain record. No operational incidents beyond the March 2023 SVB-related reserve event have been identified.

4.3 Upgrade Risk Analysis

Proxy standard: FiatTokenProxy uses the ZeppelinOS (zos-lib v2.x) legacy transparent proxy pattern. The implementation and admin addresses are stored in non-standard storage slots derived from keccak256("org.zeppelinos.proxy.implementation") and keccak256("org.zeppelinos.proxy.admin") respectively. These are not EIP-1967 standard slots. Blockscout labels this proxy as eip1967_oz, which is technically inaccurate: any tool that reads the EIP-1967 slots (0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc and 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103) will read zero values rather than the actual implementation and admin addresses.

What upgrade capability grants: The proxy admin can call upgradeTo(newImplementation) to atomically replace the implementation address in the ZeppelinOS slot. upgradeToAndCall(newImplementation, data) additionally executes an arbitrary call through the proxy fallback immediately after setting the new implementation. The effect is total: a new implementation can redefine all token logic, storage interpretation, balances, supply, minting, blacklisting, and ownership structure in a single transaction.

Atomicity and initialisation: Upgrades via upgradeToAndCall are atomic. The new implementation is set first, then the initialiser call is made. If the initialiser reverts, require(success) causes the entire transaction to revert; no half-upgraded state is possible. The current version counter is _initializedVersion == 3, set by initializeV2_2. A future upgrade to a new version would require a new initialiser guarded by a version check of 4 or higher.

Storage layout compatibility: Storage layout compatibility is not enforced on-chain. FiatTokenV2_2 introduced a packed balanceAndBlacklistStates mapping that merges balance and blacklist state into a single uint256 per address. Any future upgrade must preserve this layout exactly; a mismatch would silently corrupt balances or blacklist states. This risk is managed by process only: correct layout is the responsibility of Circle's engineering and audit workflow.

No on-chain timelock: No timelock is implemented at the proxy level. Once the proxy admin submits an upgradeTo transaction, the upgrade takes effect in the same block. Token holders have no advance notice window on-chain. The absence of a timelock enables faster incident response: a critical vulnerability could be patched in a single block. The tradeoff is that holders have no exit window before a non-emergency upgrade takes effect.

Tooling and monitoring consideration: Because FiatTokenProxy uses ZeppelinOS legacy slots rather than EIP-1967, upgrade management tooling that defaults to EIP-1967 slot reads (Hardhat upgrades plugin, OpenZeppelin Defender, Tenderly upgrade tracking) must be explicitly configured with the ZeppelinOS preimage scheme. Tools that read EIP-1967 slots will silently show null values for admin and implementation, which could lead to incorrect operational decisions.

4.4 Recovery Scenarios

Scenario 1: Proxy admin key lost or permanently inaccessible

Scenario 2: Proxy admin key compromised

Scenario 3: Implementation owner key compromised

Scenario 4: Accidental protocol pause

Scenario 5: Failed or storage-corrupting implementation upgrade

Scenario 6: MinterAdmin owner key compromised

Recovery design assessment: Recovery capability is centralised around two EOA keys: the proxy admin and the implementation owner. These two addresses are single points of failure in complementary roles: the proxy admin is the only path to upgrade-based recovery, and the implementation owner is the only path to role-reassignment-based recovery. If both keys are simultaneously compromised or inaccessible, the protocol has no on-chain recovery path. The three paired proxy admin rehearsal events in the administration history suggest Circle has tested administrative key access procedures on-chain, but no public documentation of a formal recovery runbook exists.

4.5 Multisig Security Analysis

This section is not applicable. No privileged role is held by a multisig wallet. All EOA role holders (proxy admin, implementation owner, MinterAdmin owner, blacklister, pauser) are externally owned accounts confirmed not to be Gnosis Safe contracts (verified via Blockscout and the Safe API). The MasterMinter role is held by the MinterAdmin contract, which provides structural separation for mint authorisation within its owner-controller-worker model but is itself not a multisig and is owned by an EOA. The implications of EOA role holders and the absence of on-chain multi-party approval are addressed in Sections 4.1 and 4.4.

5. Part III: Financial Analysis

Financial Risk Rating: Low | Confidence: Medium

5.1 Underlying Asset Attestation

Circle publishes monthly reserve attestation reports on its public transparency page. Attestations are conducted by Deloitte and Touche LLP, a Big Four accounting firm, under attestation standards issued by the American Institute of Certified Public Accountants (AICPA). Reports are published approximately 2-4 weeks after the end of each calendar month. The Circle Reserve Fund (USDXX), the primary reserve vehicle holding the Treasury and repo tranche, additionally publishes daily independent third-party portfolio reporting via BlackRock, providing intra-month visibility into the largest reserve component.

Attestation programme: Deloitte and Touche LLP, monthly

Most recent attestation report: April 30, 2026

Reserve composition (April 30, 2026):

Supply reconciliation: The Ethereum on-chain supply (54.43 billion USDC) is approximately $22.93 billion lower than the attested aggregate circulating supply (77.36 billion USDC). This gap is consistent with USDC's extensive multi-chain deployment. USDC is natively issued by Circle on Solana, Base, Arbitrum, Polygon, Avalanche, Optimism, and other networks. The gap represents USDC outstanding on non-Ethereum chains. Cross-chain supply was not independently verified in this investigation (status: manual or external verification required). The Deloitte attestation covers aggregate circulating supply across all chains and is treated as the authoritative total-supply figure. The approximately $0.44 billion difference between the attested supply at April 30, 2026 and the CoinGecko-reported supply at May 5, 2026 is consistent with normal issuance activity over the 5-day intervening period.

Reserve adequacy: Reserves are fully backed at 100% per attestation. Reserve assets are concentrated in short-duration, high-quality liquid assets (HQLA): US Treasuries and overnight repo account for approximately 61.4% of reserves, providing high liquidity and negligible credit risk. The bank deposit component (38.6%) introduces counterparty concentration risk at individual institutions, partially mitigated by SIFI designation of the primary deposit counterparties and post-2023 diversification following the SVB event. Reserve adequacy is assessed as sufficient.

5.2 Counterparty Risk Profile

Circle Internet Financial, LLC: Circle is the sole issuer of USDC since the dissolution of the Centre Consortium in 2023. Circle is a Delaware-incorporated, privately held fintech company with significant institutional backing, holding money transmitter licences across all 50 US states and DC, a FinCEN MSB registration, a NYDFS BitLicence, and an Electronic Money Institution (EMI) licence from the ACPR (France) enabling MiCA-compliant issuance across the EEA. No material adverse credit events are known as of the assessment date. USDC holders have a contractual redemption right against Circle at 1:1 USD, subject to onboarding and AML/KYC compliance. Reserves are held in segregated accounts and the Circle Reserve Fund, but the legal structure does not create a trust or direct beneficial ownership arrangement for USDC holders under current US law. If Circle were to enter insolvency, holders would be unsecured creditors or potentially beneficiaries depending on the applicable state law and insolvency proceeding. Pending US federal stablecoin legislation would, if enacted in current proposed form, mandate stronger bankruptcy-remote structures. The March 2023 SVB incident (approximately $3.3 billion in USDC reserves at SVB at the time of FDIC receivership) caused a temporary depeg; Circle confirmed full recovery after FDIC depositor guarantee. Post-2023, Circle disclosed increased diversification of banking counterparties.

BlackRock Advisors, LLC: Manager of the Circle Reserve Fund (ticker: USDXX), an SEC-registered 2a-7 government money market fund. BlackRock is the world's largest asset manager by AUM; reputational and operational risk is low. USDXX assets are legally segregated from BlackRock's corporate estate; fund investors (Circle on behalf of USDC holders) hold beneficial interests in the fund's portfolio. No known adverse regulatory actions relevant to USDC reserve management.

The Bank of New York Mellon Corporation: BNY Mellon is the custodian for the Circle Reserve Fund and USDC reserves held in US government securities. It is a US SIFI and globally systemically important bank (G-SIB), subject to enhanced regulatory supervision including Federal Reserve stress testing. As a G-SIB, BNY Mellon benefits from an implicit public backstop; credit risk for custody purposes is low. Various regulatory engagements typical of a G-SIB institution have occurred over the years; none are known to be directly relevant to USDC custody.

Unnamed banking counterparties: The $11.28 billion in "other bank deposits" and $18.56 billion in "SIFI deposits" are held at institutions not all publicly named by Circle. The SIFI designation of the primary deposit bank(s) partially mitigates concentration risk, but the concentration at unnamed "other" banks cannot be independently assessed. A repetition of the SVB scenario at a named "other bank deposits" counterparty represents a residual risk that cannot be quantified without counterparty disclosure.

Deloitte and Touche LLP: The attestation programme provides monthly point-in-time confirmation that reserve assets meet or exceed circulating liabilities. Attestation under AICPA standards provides meaningful but bounded assurance: it is not a continuous audit, does not verify individual asset title beyond the attestation point, and does not provide assurance over operational controls between attestation dates. Deloitte is a Big Four firm with low reputational and operational risk.

5.3 Liquidity Risks and Scenario Analysis

5.3.1 Liquidity Profile

Issuer redemption: USDC redemption to US dollars is processed exclusively through Circle Mint, accessible to institutional counterparties only. Individual holders must exit via exchange partners or secondary markets. Institutional direct redemption operates at T+0 or T+1 during US banking hours, with settlement depending on USD wire infrastructure. KYC/AML onboarding is required. No contractual redemption gate is disclosed, but settlement infrastructure creates practical throughput limits not publicly quantified by Circle. Weekend and bank holiday delays are possible.

On-chain liquidity: Conservative executable DEX liquidity (swap pools only, excluding lending and restricted pools) is approximately $803.6 million. Reported DEX TVL across all pool types is approximately $8.19 billion, but the majority of this (approximately $7.38 billion) is illiquid for exit purposes: USDC deposited in lending protocols (Maple Finance approximately $3.07 billion, Morpho approximately $1.3 billion, Spark approximately $946 million) cannot be immediately withdrawn by a third party seeking to reduce USDC exposure.

Exchange liquidity: Binance reports approximately $2.27 billion per day in USDC volume; Kraken approximately $98.5 million per day; Coinbase Exchange approximately $33.5 million per day. These are reported turnover figures, not confirmed order-book depth. In stressed conditions, CEX bid-side depth can compress materially.

The $803.6 million in conservative DEX liquidity is the reliable lower bound for on-chain exit capacity in a stressed scenario. Stress scenarios involving multi-billion USD exits within short windows would exceed on-chain DEX capacity and push demand to the Circle direct-redemption channel, which is constrained by banking-hour settlement throughput.

5.3.2 Scenario Analysis

Starting reserve position (Ethereum on-chain USDC outstanding, USD): $54,419,270,369. This is the USD value of the 54,429,775,315.94 USDC Ethereum on-chain token supply at the snapshot market price, not a separate token-quantity figure. Full attested reserve position (all chains, April 30, 2026): ~$77,360,000,000

Scenario 1: Base Case

Scenario 2: Market Stress (Rate Shock)

Scenario 3: Bank Run (25% of circulating supply redeemed within 6 hours)

Scenario 4: Oracle Failure / Price Feed Manipulation

Scenario 5: Custodian Failure (BNY Mellon 48-hour outage)

5.4 Regulatory and Legal Jurisdiction

Issuer jurisdiction: Delaware, USA (primary); France (EU operations)

Governing law: New York State law (per Circle Terms of Service); EU law for USDC issued as an electronic money token under MiCA by Circle Internet Financial Europe SAS

Circle is among the most broadly licensed stablecoin issuers globally. The ACPR EMI licence, obtained in 2024, enables Circle to issue USDC as an electronic money token across the EEA under MiCA, one of the first major stablecoin issuers to achieve MiCA authorisation. In April 2025, the US SEC issued a Statement on Stablecoins concluding that fully-backed payment stablecoins such as USDC do not constitute securities under applicable federal securities laws, removing USDC from SEC registration requirements.

The on-chain blacklisting mechanism (Section 2, KYC Gating) provides the primary protocol-level enforcement channel for OFAC sanctions compliance. Circle has blacklisted hundreds of addresses in response to OFAC designations and law enforcement requests, including Tornado Cash-related addresses in August 2022. The blacklisting mechanism is among the strongest on-chain AML enforcement tools available in the stablecoin space.

Regulatory risk assessment: The most significant regulatory risk for USDC is the enactment of US federal stablecoin legislation. Bills progressing through Congress as of mid-2026 (including the GENIUS Act and competing proposals) would impose federal licensing requirements, enhanced reserve segregation, direct redemption right mandates, and potential limitations on eligible reserve assets. Circle is well-positioned to comply with most proposed frameworks; the regulatory trajectory is broadly supportive of regulated, bank-supervised stablecoin issuers. If enacted with strong bankruptcy-remote requirements, pending legislation would close the current gap in direct holder claims on reserve assets and could improve the financial risk rating.

Under MiCA, ongoing obligations include redemption within one business day at par, reserve asset restrictions (HQLA only), and operational resilience requirements. Circle's current reserve composition is permissible under MiCA rules for significant EMTs. If USDC is designated as a significant EMT, enhanced EBA supervision applies.

The legal nature of USDC holder claims is the primary residual regulatory risk: holders have a contractual redemption right against Circle, not a direct legal claim on specific reserve assets. In a Circle insolvency, holders would likely be unsecured creditors under current US law, subject to applicable state insolvency proceedings. The concentration of issuer risk on Circle as the sole post-2023 issuer (after dissolution of the Centre Consortium) amplifies this point.

6. Conclusion

6.1 Composite Risk Rating: Low

Composite Confidence: Low

The composite risk rating is Low, derived from the three domain ratings: two Low (smart contract security, financial integrity) and one Medium (operational security). The Medium operational security condition reflects the concentration of the highest-privilege roles (proxy admin and implementation owner) in EOAs with no publicly disclosed key management arrangements, and the absence of any on-chain timelock or second-approval requirement for upgrades or role reassignments. This condition is calibrated as Medium rather than High because no known key compromise, unauthorised minting, malicious upgrade, or operational control failure has been identified in USDC's history, and the operational risk is contingent rather than actively causing holder harm. At most one domain reaches Medium, and the Medium condition is future-oriented (it concerns what would happen if a key were compromised, not an active compromise): this places the composite at Low per the rating standard.

Composite confidence is Low. Smart contract confidence is High: formal verification returned CONFIRMED results for all four hidden-surface cases (proxy routing to fixed implementation confirmed; unknown selectors and short calldata always revert at the implementation), and fork-based behavioral tests passed 64/64 required cases. Financial confidence is Medium because cross-chain supply data and some banking counterparty identities are not independently verified. Operational security confidence is Low because the highest-privilege roles are EOAs with immediate upgrade and role-reassignment authority, and the report lacks independently verifiable evidence for HSM/MPC custody, second approval, emergency procedure, monitoring thresholds, or change-control workflow. This Low-confidence operational domain is material to the composite conclusion and prevents the composite confidence from rising above Low.

6.2 Improvement Suggestions

• Operational transparency disclosure: Circle does not publicly disclose the key management policy for its on-chain privileged role holders (proxy admin, implementation owner, MinterAdmin owner, blacklister, pauser), its recovery and incident response playbook for privileged contract roles (covering key loss, key compromise, and emergency contract intervention scenarios), or its monitoring policy for on-chain privileged events (mints, burns, role changes, upgrades, pauses, and associated detection thresholds). Publishing these three disclosures would allow independent verification of operational controls, improve confidence in the operational security domain, and represent meaningful transparency for USDC holders at scale. Disclosure of the banking counterparties for the "other bank deposits" reserve tranche would similarly improve financial confidence.

6.3 Report Validity Timeline

This report is valid as of its publication date. It should be treated as superseded upon any of the following events, whichever occurs first:

• A smart contract upgrade that modifies the in-scope bytecode at 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 (proxy) or 0x43506849D7C04F9138D1A2050bbF3A0c054402dd (implementation)
• A change to any privileged role holder identified in Section 4.1
• A material change to the custodian, redemption model, or reserve composition identified in Sections 5.1 and 5.4
• 12 months from the date of publication

Disclaimer

This report is produced by Meridion Risk for informational purposes only and does not constitute financial, legal, or investment advice. The findings, ratings, and conclusions expressed herein reflect the state of the assessed system at the snapshot date and may not remain accurate after that date. Meridion Risk makes no representation or warranty, express or implied, as to the accuracy, completeness, or fitness for any particular purpose of the information contained in this report. To the maximum extent permitted by applicable law, Meridion Risk and its contributors shall not be liable for any direct, indirect, incidental, consequential, or other damages arising from reliance on this report or from any errors or omissions therein. Security assessments are inherently limited in scope and cannot guarantee the absence of undiscovered vulnerabilities. Users of this report should conduct their own due diligence before making any financial or operational decisions.