Risk Assessment: Origin Protocol eETH ARM
Date: June 1, 2026
RFC: SIP2.52 Onboard Origin Protocol’s eETH ARM to ETH Higher Risk Strategy
Summary
The eETH ARM is an Automated Redemption Manager that buys EtherFi’s eETH below its ETH redemption value and redeems it 1:1 through EtherFi’s withdrawal process, capturing the discount as yield, with idle WETH routed to a Morpho lending vault when no arbitrage is available (Origin docs).
Structurally this ark is the same mechanism as the Lido stETH ARM already onboarded to the ETH Higher Risk (HR) fleet under SIP2.21. It shares the same AbstractARM core, the same LP-token accounting, and the same redemption-arbitrage yield source. The one material difference is the redemption backend: this ark redeems through EtherFi rather than Lido, and EtherFi’s unstaking queue is disclosed at 7 to 15 days for large withdrawals (Origin docs).
That redemption backend is the defining dependency. Lazy Summer holds the ARM-WETH-eETH LP token and exits by withdrawing from the ARM. Withdrawals settle on-demand only while the vault holds an ETH buffer or receives offsetting deposits; once the buffer is exhausted the LP waits on the underlying EtherFi queue, so a full exit under stress is a 7 to 15 day liquidity event rather than an instant one. This is primarily a timing and liquidity risk in the base case, because the underlying eETH is expected to be recoverable 1:1 from EtherFi. It can become principal-loss risk if EtherFi redemptions are impaired, if eETH no longer converges to ETH, or if the ARM or idle-WETH integrations suffer a contract, governance, or market failure.
The protocol is mature: Origin’s ARM codebase has operated through the stETH and OETH ARMs and has been audited repeatedly, most recently by yAudit in December 2025. The eETH variant itself has only operated since October 2025 and opened to external depositors recently, so vault-level history is short, but this does not introduce untested core contracts beyond the EtherFi-specific withdrawal path. At approximately $5.29M total vault TVL, the ark is also small, which itself argues for a conservative initial cap.
BA Labs recommends onboarding the eETH ARM to the ETH Higher Risk fleet with a conservative initial allocation cap that reflects the 7 to 15 day EtherFi redemption queue, the small vault size, and the short external-deposit history, to be revisited as TVL and operating data accrue.
At a Glance
| Parameter |
Value |
| Protocol |
Origin Protocol (Automated Redemption Manager) |
| Vault / Product |
eETH ARM |
| Deposit token |
ETH / WETH |
| Receipt token |
ARM-WETH-eETH (0xfB0A3CF9B019BFd8827443d131b235B3E0FC58d2) |
| Network |
Ethereum Mainnet |
| TVL |
Ξ 2.648K / $5.29M, per Origin ARM page as of June 1, 2026; verifiable against eETH ARM contract state |
| Trading volume |
Ξ 51.92K / $114.22M cumulative, per Origin ARM page |
| Base yield |
eETH/ETH redemption-discount arbitrage, variable and episodic, plus Morpho WETH lending yield on idle balances |
| Reported APY |
4.91% 30-day moving average, per Origin ARM page; proposer-reported 7d / 14d / 30d APYs were 14.661%, 10.189%, and 6.108% at the time of the SIP |
| Withdrawal terms |
On-demand when ARM buffer liquidity is available; otherwise dependent on EtherFi’s 7 to 15 day withdrawal queue |
| Fees |
20% performance fee on yield; no fee on principal (Origin docs) |
| Audits |
yAudit, Dec 2025; OpenZeppelin, Jun 2025; OpenZeppelin, Nov 2024 |
Protocol Mechanism
The ARM holds an ETH/WETH buffer and uses it to purchase eETH from AMMs and DEX aggregators, including KyberSwap, 1inch, CoWSwap, Velora, OpenOcean, and Fly, whenever eETH trades below its 1:1 ETH redemption value. Acquired eETH is then redeemed through EtherFi’s withdrawal process for ETH, and the spread between the discounted purchase price and the 1:1 redemption accrues to LPs (Origin docs). When no profitable arbitrage exists, idle WETH is deposited into the Morpho WETH ARM Vault (0x3Dfe70B05657949A5dB340754aD664810ac63b21) to earn lending yield, so capital remains productive between arbitrage events.
Depositors receive the ARM-WETH-eETH LP token, whose price reflects the vault’s net asset value per share. The codebase is the audited AbstractARM contract plus an EtherFiARM implementation that adds the EtherFi-specific withdrawal calls; per the proposer the EtherFi withdrawal logic is the only material code delta from the existing stETH ARM.
Backing and Collateral
The ark’s economic exposure is to eETH and to ETH held in the buffer or lent on Morpho. eETH is EtherFi’s liquid restaking token, so the 1:1 redemption path carries EtherFi’s restaking and validator risk, not merely staking risk: a slashing or restaking loss at EtherFi would reduce the ETH recoverable per eETH and could open or widen a discount that the ARM cannot close at par.
The idle-WETH leg is exposure to the Morpho WETH ARM Vault, a shared vault pooling ARM WETH across Origin’s ARMs rather than an eETH-only deployment, consistent with the January 2026 Origin governance proposal to consolidate ARM WETH into a single vault. As of June 1, 2026 it held about $8M (4,029.81 WETH), roughly 96% liquid, at a 1.56% net APY, and was allocated entirely to wstETH/WETH markets, with the weETH/WETH and ETH+/WETH markets whitelisted but unfunded (see allocation table below). The practical consequence is that the eETH ARM’s idle WETH currently carries wstETH (Lido) market exposure on the Morpho leg, not eETH exposure, and both the curator and the funded-market set are governance-mutable.
Redemptions and Liquidity
Withdrawals from the ARM are processed on-demand when the vault holds sufficient ETH buffer or when incoming deposits offset the outflow. When buffer liquidity is insufficient, the underlying eETH must be redeemed through EtherFi’s queue, disclosed at 7 to 15 days for large withdrawals (Origin docs). Worst case, a full Lazy Summer exit during a period when the ARM is fully deployed into eETH inventory and the EtherFi queue is congested would take on the order of two weeks to settle in full, with partial liquidity available sooner from the buffer.
For HR-fleet rebalancing the ark therefore cannot be treated as instant liquidity; rebalances out of this ark should assume buffer-limited immediacy with a multi-day tail. The redemption delay does not crystallize a loss in the base case, since ETH is expected to be recovered at par from EtherFi, but it does mean that if a depeg or EtherFi-specific stress is the trigger for exit, the same event may slow the exit, creating a mild spiral dynamic.
Vault size compounds this. At approximately $5.29M total TVL (June 1, 2026), a meaningful HR allocation could represent a large fraction of the entire vault, and the larger Lazy Summer’s share of vault TVL, the more likely a full exit exhausts the buffer and falls into the 7 to 15 day EtherFi queue. The initial cap should therefore keep the fleet’s position a minority of vault TVL so that buffer-funded near-instant exit remains plausible. The exact split between buffer, eETH inventory, pending EtherFi withdrawals, and the Morpho vault, which sets how much can be exited instantly versus through the queue, will be used for final cap recommendations.
Fees
Origin charges a 20% performance fee on yield generated by the ARM, deducted from gross yield before distribution and not applied to principal (Origin docs). There is no management fee on TVL and no entry or exit penalty disclosed. The trailing yield figures circulated for this ark reflect net-of-fee returns per Origin’s analytics; because arbitrage yield is episodic and peg-dependent rather than a fixed rate, realized APR will vary materially with eETH discount frequency and depth and should not be modeled as a stable coupon.
Governance and Roles
Origin’s protocol is governed by xOGN token holders through onchain proposals that execute via a Timelock enforcing a 2-day (172,800 second) delay between approval and execution (Origin governance docs). A separate, lower-threshold Guardian multisig can execute a limited, time-sensitive function set without a vote or Timelock delay, including depositing to and withdrawing from strategies, adjusting the vault buffer, pausing capital (mints and redeems) and rebasing, and swapping collateral.
| Role |
Configuration |
Address |
Capability |
| Timelock |
2-day delay |
0x35918cDE7233F2dD33fA41ae3Cb6aE0e42E0e69F |
Executes all approved upgrades and parameter changes after the delay |
| Proposer / governance multisig |
5-of-8 Safe |
0xbe2AB3d3d8F6a32b96414ebbd865dBD276d3d899 |
Queues onchain proposals approved by xOGN governance |
| Guardian |
2-of-8 Safe |
0xF14BBdf064E3F67f51cd9BD646aE3716aD938FDC |
Time-sensitive actions without delay: strategy deposit/withdraw, vault buffer, pause capital/rebase, swap collateral |
A safe.yaudit.dev review of the two Ethereum Safes returns materially different profiles. The Proposer/governance Safe scores Low Risk (89/100), supported by a 5-of-8 threshold, recent activity, and a longer average signing duration. The Guardian Safe scores Medium Risk (54/100), mainly due to its lower 2-of-8 threshold and no-delay operational permissions. Both reviewed Safes use legacy Safe versions, no transaction guard, no recovery module, and EOA-only signer sets; the Guardian also shows cross-chain signer reuse.
The Guardian configuration is the most relevant governance finding for this onboarding. A 2-of-8 multisig can, without any Timelock delay or governance vote, move funds between strategies, swap vault collateral, and pause capital. That is a meaningful trusted-operator dependency: a 2-key compromise could disrupt the ARM’s operation or its idle-WETH deployment ahead of the delay that protects against upgrade-path risk. This does not by itself argue against onboarding, since the Guardian function set is operational rather than able to redirect LP redemptions away from EtherFi’s 1:1 process, but it is a reason to keep the initial cap conservative and to weigh aggregate Origin exposure across the fleet.
Beyond protocol governance, the ARM contract itself carries owner and Operator roles, read directly from the eETH ARM contract:
| Role |
Address |
Note |
| Owner |
0xbe2AB3d3d8F6a32b96414ebbd865dBD276d3d899 |
Same address as the Proposer / governance multisig (5-of-8 Safe), confirmed via safe.yaudit.dev |
| Operator |
0x39878253374355DBcc15C86458F084fb6f2d6DE7 |
Single EOA, not a multisig contract |
The owner being the 5-of-8 governance Safe rather than a standalone key is a positive: ownership-level actions on the ARM inherit the same threshold and Timelock-backed governance path described above. The Operator, by contrast, is a single EOA rather than a multisig, and it manages pricing and buffer parameters within the contract’s constraints. This is the sharpest single-key dependency in the setup: a compromise of that one key could move the ARM’s buffer pricing within the bounds the contract allows. Two factors bound the damage. First, the redemption value is anchored to EtherFi’s 1:1 process rather than to an Operator-posted NAV, so the Operator cannot settle LP withdrawals at an arbitrary off-market price. Second, the Operator acts only within contract-enforced parameter limits rather than holding ownership or upgrade power, which remain with the governance Safe. The single-key Operator is nonetheless a real operational risk worth pricing into a conservative initial cap.
Risk Assessment and Conclusions
The primary risk is redemption timing, set out in the Redemptions section above: once the buffer is drawn down, exit depends on the 7 to 15 day EtherFi queue, and the conditions that prompt an exit (an eETH discount or EtherFi-specific concern) are partially correlated with the conditions that lengthen it. This is a liquidity and timing risk rather than a structural principal risk, and it is the main reason to size the cap conservatively rather than to decline.
The secondary risk is the EtherFi credit and restaking layer. Because eETH is a restaking token, the 1:1 redemption assumes EtherFi remains solvent and its withdrawal process functions; a slashing event or sustained, non-converging eETH discount would turn timing risk into realized loss. This risk is sharpened by the ARM’s design: it buys eETH when it trades below par, so it is structurally a buyer of eETH weakness. The mechanism cannot by itself distinguish a temporary liquidity discount from the early stage of a fundamental depeg. In the first case the ARM accumulates discounted eETH to redeem at par; in the second, it converts buffer ETH into impaired eETH during stress. The finite buffer and operator-managed pricing parameters limit this risk, but the backstop depends on timely and correct operator action, which is relevant given the single-EOA Operator noted above.
As ecosystem context, the April 18, 2026 KelpDAO/rsETH exploit was a bridge-infrastructure failure rather than a restaking-core failure, involving approximately 116,500 rsETH / $292M (Crypto Briefing, OpenZeppelin). EtherFi stated that it had no direct rsETH exposure or system compromise, that its OFT pathways require at least two DVNs, and that it hardened weETH infrastructure after the incident (EtherFi X, EtherFi LinkedIn). This is positive sector context, but not a direct mitigant for the ARM’s mainnet redemption queue.
A related dependency is EtherFi’s cross-chain weETH infrastructure. EtherFi documentation states that weETH is available across multiple chains via LayerZero, and EtherFi’s weETH-cross-chain repository describes contracts that enable weETH to be bridged and minted cross-chain. Since OFT-style mint/burn adapters require strong access controls, bridge configuration and minting permissions remain relevant dependency risks for the broader EtherFi system. EtherFi’s post-KelpDAO response, including multi-DVN requirements and weETH infrastructure hardening, is therefore a positive mitigant, but not a substitute for treating cross-chain minting and bridge infrastructure as part of the broader eETH/weETH dependency surface.
A third, smaller risk sits in the idle-WETH leg detailed under Backing: the shared Morpho WETH ARM Vault currently lends entirely into wstETH/WETH markets, so the ARM’s idle capital carries wstETH (Lido) market exposure rather than eETH, with the curator able to fund the whitelisted weETH/WETH and alter that mix. At roughly 96% vault liquidity idle WETH is readily recallable in normal conditions, though high utilization in the underlying markets could slow recall under stress. This is a more familiar and smaller risk than the EtherFi queue, but it remains a secondary, governance-mutable dependency.
Positive mitigants are meaningful: the mechanism is identical to an ark already running in the HR fleet, the core AbstractARM codebase has a multi-deployment and third-party audit track record, the LP redemption value is anchored to EtherFi’s on-chain 1:1 process rather than a manager-posted NAV, EtherFi’s post-KelpDAO response indicates proactive bridge-security hardening across the weETH deployment, and the strategy uses no leverage, no liquidations, and no direct cross-chain bridging in the ARM strategy. BA Labs does not treat audit coverage as proof of security and is not providing a smart-contract audit opinion; the assessment relies on the existence of third-party audit coverage only as one input into the broader operational and liquidity risk review.
| Fleet |
Recommendation |
| ETH Higher Risk (HR) |
Recommend onboarding with conservative initial caps reflecting the EtherFi redemption queue, small vault size, short external-deposit history, and aggregate protocol-level exposure to Origin across the fleet |
According to the baseline criteria, the eETH ARM classifies as Higher Risk on two counts. First, liquidity is non-instant once the ARM buffer is drawn down, because full exit then depends on EtherFi’s 7 to 15 day redemption queue. Second, the strategy is actively operated: the ARM relies on market execution through DEX aggregators and operator-managed pricing and buffer parameters to acquire eETH below its 1:1 redemption value. Execution is bounded by parameters such as amountOutMin and amountInMax, so this is not unconstrained slippage exposure; the relevant risk is that yield depends on correct pricing, executable market discounts, routing availability, and operational parameter management. The designation therefore reflects liquidity timing and active execution dependency, and it is what justifies the conservative caps recommended.
Final caps should account for protocol-level concentration. The eETH ARM cap should be calibrated together with existing Origin-related exposure, including the already-onboarded stETH ARM and any residual Origin OETH exposure in the WETH HR fleet, so the fleet does not become overly dependent on a single protocol, operator set, or governance stack.
The existing Origin OETH ark in the WETH HR fleet still has residual exposure despite caps being set to zero, due to the withdrawal queue process. BA Labs will account for this when setting aggregate Origin exposure limits and will wait for those residual positions to be fully withdrawn before finalizing combined exposure-aware caps. Since caps for other existing arks are also being reassessed, final parameters for the eETH ARM may be provided after that.
This assessment reflects publicly available data as of June 1, 2026. The recommendation may be revised if market conditions change, the active strategy allocation shifts materially, new audit reports become available, or additional on-chain data alters the risk profile.
