GHOCrypto-backedRank #9

GHO

Aave DAO

Market cap: $583M

EIP standards (ERC-20, permit, proxies…)

Overview

Aave-native decentralised stablecoin launched July 2023. GHO is minted by borrowers on Aave V3 against over-collateralised positions — it is never supplied, only created. Supply is governed by a facilitator model: each approved facilitator (Aave V3, FlashMinter, GSM) has a governance-set bucket capacity controlling the maximum GHO it can mint. Cross-chain via Chainlink CCIP (lock-and-mint from Ethereum, burn-and-mint between L2s). Peg stability maintained by GSM (1:1 USDC/USDT swaps), borrow rate tuning, and arbitrage incentives.

Features

Engineering-oriented breakdown of capabilities: standards, who they matter for, integration rationale, per-feature risks, and vetted external references (specs, docs, verified source).

Protocol repo: github.com/aave/gho-corePrimary Ethereum verified source: Etherscan

Feature	Standards	Audience	Why it matters	Risk / caveat	References
Facilitator model — mint/burn governance	AccessControl (OZ)	Both	Understand facilitator bucket caps before integration — available mint capacity is not unlimited. Query getFacilitatorBucket() to check remaining capacity.	Governance can add/remove facilitators and adjust caps. A governance attack could dramatically expand supply.	GHO docs GhoToken source (GitHub) Verified contract (Etherscan)
EIP-2612 permit() authorization	EIP-2612 EIP-712	User	Standard permit for gasless approvals. Aave V3 offers supplyWithPermit/repayWithPermit that batch permit + pool action atomically.	permit() returns void (Solmate pattern) — callers checking for bool return will break. No EIP-1271 support — smart contract wallets need Permit2.	EIP-2612 ERC20 source (Solmate-derived)
ERC-3156 FlashMint facilitator authorization	ERC-3156	User	Flash minting creates new GHO (not from liquidity pool) — limited by facilitator bucket capacity, not existing supply. Ideal for peg arbitrage and liquidations.	Fee can be updated by pool admin — always check getFee() at execution time. Flash borrower must approve FlashMinter for repayment.	ERC-3156 spec GhoFlashMinter source GhoFlashMinter (Etherscan)
GHO Stability Module (GSM) stability	Custom (Aave)	Both	Primary peg defence mechanism. 1:1 swaps between GHO and USDC/USDT with fee strategies and exposure caps — integrators can use GSM for peg arbitrage.	GSM can be frozen by OracleSwapFreezer if exogenous token price deviates. Last Resort Liquidation can forcibly liquidate GSM holdings. Fee strategy changes affect arbitrage profitability.	GSM docs GSM USDC (Etherscan) GSM USDT (Etherscan)
CCIP cross-chain bridging cross chain	Chainlink CCIP	Both	Lock-and-mint from Ethereum, burn-and-mint between L2s. Uses Chainlink CCIP messaging — not a generic bridge interface. Rate-limited by governance-controlled CCIP parameters.	CCIP bridge risk — Chainlink infrastructure dependency. Rate limits can cause delays during high-volume periods.	GHO CCIP directory GhoCCIPTokenPoolEthereum (Etherscan)
stkGHO staking yield	Custom StakeToken (bgd-labs)	User	Staking GHO earns AAVE rewards and contributes to Aave safety module. Not ERC-4626 — uses custom stake/redeem/previewStake/previewRedeem interface with cooldown/unstake window.	Cooldown period before unstaking. Exchange rate can change from slashing events. Not compatible with ERC-4626 aggregators.	stkGHO proxy (Etherscan) StakeToken source (GitHub)
stkAAVE discount rate yield	—	User	stkAAVE holders get a discounted GHO borrow rate on Aave V3 — dual incentive for AAVE staking and GHO minting.	Discount rate is governance-adjustable. Must be actively staking AAVE (stkAAVE) at time of borrow to receive discount.	—
Governance-controlled parameters governance	Aave Governance v3	Corporate	All key parameters (borrow rate, facilitator caps, GSM fees, CCIP rate limits) are adjustable by governance. GHO Stewards (3-of-4 multisig) can make time-sensitive adjustments within pre-approved bounds.	Governance attack vector: malicious proposals could dramatically change GHO economics. GHO Stewards add operational agility but introduce multisig trust assumptions.	GHO Stewards source

EIP / ERC support matrix

Standards & compliance support for GHO. Click an EIP to jump to the global deep-dive section.

Verified contract: 0x40D1…6C2f Source: aave/gho-core

Standard	Status	Notes
Core
ERC-20 Fungible token standard	Implemented	Standard ERC-20 integration — no SafeERC20 needed (returns bool). The facilitator-gated mint/burn is transparent to token holders; transfers are fully permissionless with no freeze or pause checks.
Signatures & typed data
EIP-712 Typed structured data signing	Implemented	Prerequisite for EIP-2612 permit. Signatures are bound to chain ID and contract address — correctly handles chain forks. Use the contract address (not any proxy) as verifyingContract on Ethereum mainnet.
EIP-2612 Permit — gasless ERC-20 approval	Implemented	Enables gasless approval flows. Aave V3 natively supports permit-based interactions (supplyWithPermit, repayWithPermit). Third-party protocols can use permit() for single-tx approve+action patterns.
EIP-3009 transferWithAuthorization	Not implemented	No single-transaction gasless transfer capability. Payment flows requiring atomic transfers must use permit() + transferFrom() in two steps (or batched via multicall). For payment use cases, consider wrapping in a helper contract.
EIP-1271 Signature validation for smart contracts	Not implemented	Smart contract wallets need Permit2 or EOA co-signer workarounds for gasless approval flows with GHO. This is a notable gap compared to USDC v2.2 which added EIP-1271 support.
Upgradeability & proxies
EIP-1967 Standard proxy storage slots	Not implemented	On Ethereum mainnet, interact directly with 0x40D16FC0… — there is no proxy indirection. On L2s, use the proxy address and be aware of upgradeability. The split architecture (immutable L1, upgradeable L2) is unique among stablecoins.
EIP-1822 UUPS — universal upgradeable proxy	Not implemented	No UUPS-specific concerns. On L2s, standard TransparentUpgradeableProxy patterns apply.
Vaults & yield
ERC-4626 Tokenized yield vault standard	Not implemented	Do not expect ERC-4626 interfaces on GHO or stkGHO. For vault-compatible GHO yield, external protocols must wrap GHO. The stkGHO exchange rate mechanism (previewStake/previewRedeem) is custom — do not assume ERC-4626 naming or semantics.
Compliance
Freeze Address freezing / blacklisting	Not implemented	GHO transfers are fully permissionless — no transfer will revert due to address restrictions. Integrators do not need to handle freeze/blacklist edge cases. However, this means GHO cannot comply with OFAC sanctions at the token level — enforcement happens at the protocol/frontend layer (Aave app geo-blocking, CEX KYC).
Seize Fund seizure / clawback	Not implemented	GHO supply is deterministic from facilitator mint/burn events. No surprise supply changes from seizure. totalSupply() accurately reflects all circulating GHO.
Pause Global transfer pause	Not implemented	GHO is always transferable — DeFi protocols can rely on GHO transfers never being globally paused. This is advantageous for collateral and liquidation flows. However, Aave V3 pool pause would block new GHO creation.
Cross-chain
ERC-7802 Crosschain token interface	Alternative	Via Chainlink CCIP: Lock-and-mint from Ethereum, burn-and-mint between L2s. GhoCCIPTokenPool contracts are facilitators with governance-controlled bucket capacities. Rate-limited by CCIP lane configuration.
Flash Loans
ERC-3156 Flash loans	Implemented	Standard ERC-3156 integration — implement IERC3156FlashBorrower.onFlashLoan() and return CALLBACK_SUCCESS. GHO flash minting creates new supply temporarily (unlike pool-based flash loans that use existing liquidity). Ideal for GHO peg arbitrage, liquidations, and debt refinancing.
Data sourced from verified Etherscan contract source code. Implementations may differ across networks — always verify on the specific chain you integrate with.

Technical notes

18 decimals.
Ethereum mainnet GHO is a non-proxied immutable contract (Solmate-derived ERC20 + OZ AccessControl).
L2 deployments use UpgradeableGhoToken (proxy-based, Initializable).
Custom ERC20 base from Solmate — gas-optimised with built-in EIP-2612 permit() and EIP-712 DOMAIN_SEPARATOR.
No EIP-3009 transferWithAuthorization.
No freeze, seize, or pause on the GHO token itself — fully permissionless transfers.
Flash mints via separate GhoFlashMinter facilitator (ERC-3156).
GSM4626 variant supports ERC-4626 vault shares as exogenous token.
CCIP cross-chain uses GhoCCIPTokenPoolEthereum (lock/release on L1) and GhoCCIPTokenPool (burn/mint on L2s).
AccessControl roles: DEFAULT_ADMIN_ROLE (Aave Governance), FACILITATOR_MANAGER_ROLE, BUCKET_MANAGER_ROLE.

Reserves & peg

Reserves: Over-collateralised via Aave V3 (ETH, WBTC, wstETH, USDC, etc.) plus GSM holdings (USDC, USDT). No off-chain reserves — fully on-chain collateral.
Collateral: On-chain crypto (Aave V3 collateral pool)
Peg mechanism: Borrow rate adjustment + GSM 1:1 swaps + arbitrage incentives. GHO Stewards can adjust borrow rate ±500bps per 2-day period if 30-day average price deviates from $0.995–$1.005.
Auditor: SigmaPrime, OpenZeppelin (CCIP integration)

Ecosystem

DeFi integration: Deep Aave V3 integration (borrow, repay, liquidation), Curve, Balancer, Uniswap GHO pools
Yield: stkGHO staking rewards (AAVE), stkAAVE discount on borrow rate

Risk factors

mediumSmart contract risk (multi-contract architecture)mediumCollateral volatilitymediumGovernance attack vectormediumPeg stability (new mechanism)lowCross-chain bridge risk (CCIP)

Official documentation Official GitHub

Networks & contracts

Deployments by chain — primary rows are highlighted. Always verify addresses against issuer docs before mainnet integrations.

Network	Standard	Contract	Explorer
EthereumPrimary	ERC-20	`0x40D16FC0246aD3160Ccc09B8D0D3A2cD28aE6C2f` Non-proxied immutable contract, 18 decimals	View
ArbitrumSecondary	ERC-20	`0x7dfF72693f6A4149b17e7C6314655f6A9F7c8B33` UpgradeableGhoToken via CCIP burn-and-mint	View
BaseSecondary	ERC-20	`0x6Bb7a212910682DCFdbd5BCBb3e28FB4E8da10Ee` UpgradeableGhoToken via CCIP burn-and-mint	View
AvalancheSecondary	ERC-20	`0xfc421aD3C883Bf9E7C4f42dE845C4e4405799e73` UpgradeableGhoToken via CCIP burn-and-mint	View
GnosisSecondary	ERC-20	`0xfc421aD3C883Bf9E7C4f42dE845C4e4405799e73` UpgradeableGhoToken via CCIP burn-and-mint	View
MantleSecondary	ERC-20	`0xfc421aD3C883Bf9E7C4f42dE845C4e4405799e73` UpgradeableGhoToken via CCIP burn-and-mint	View