How trUST Avoids Arbitrage Risk

SukukFi Team · Tags: trust, security, arbitrage, defi, permissioned, commtrade

Broad access is what gives a stablecoin liquidity. For a settlement instrument with a fixed set of verified counterparties, that same openness creates four specific attack surfaces. Below is each one, and what permissioned minting eliminates.

What "Permissionless" Would Look Like

Imagine a version of trUST (call it trUST-P) where anyone can mint by depositing USDC.e at a 1:1 rate, no approval required. The vault is public. The token trades on a Berachain DEX.

This is how most DeFi stablecoins work, and how most of the major exploits started.

Exploit 1: Premium Arbitrage Drain

If trUST-P trades at $1.002 on a DEX (a 0.2% premium, within normal AMM slippage), the following loop becomes profitable on every block:

  1. Borrow $10M USDC.e via flash loan (cost: ~$3,000 in fees)
  2. Mint $10M trUST-P from the public vault at $1.00
  3. Sell $10M trUST-P on the DEX at $1.002, receiving $10,020,000 USDC.e
  4. Repay flash loan + fees
  5. Net profit: ~$17,000 per iteration

The DEX premium exists because organic demand for trUST-P outpaces supply at that moment. The arbitrageur satisfies that demand by minting, which is exactly what arbitrage is supposed to do. The vault continuously mints at $1.00 into a market that prices the token at $1.002, and the arbitrageur extracts the spread. Any carrier trying to buy trUST-P for legitimate settlement purposes subsidises MEV bots.

Exploit 2: Discount Death Spiral

If trUST-P trades at $0.996 (a 0.4% discount), the loop reverses:

  1. Buy $10M trUST-P on the DEX at $0.996 (cost: $9,960,000 USDC.e)
  2. Redeem $10M trUST-P from the vault at $1.00, receiving $10,000,000 USDC.e
  3. Net profit: $40,000 per iteration, no flash loan needed

As the DEX price dips below $1.00 for any reason (a large sell, a liquidity withdrawal, market panic), arbitrageurs race to redeem from the vault, draining its backing faster than it can be replenished. The more they redeem, the less liquidity remains, and the further the price falls. LUNA/UST died this way at a $40B scale. trUST-P would follow.

Exploit 3: Flash Loan Vault Drain

No DEX required. With permissionless minting, a single transaction can:

  1. Flash loan $50M USDC.e
  2. Mint $50M trUST-P
  3. Use trUST-P as collateral in a lending protocol that priced it at $1.00
  4. Borrow $45M of another asset against the trUST-P collateral
  5. Repay the flash loan with the borrowed $45M
  6. Walk away with the remaining assets, leaving $50M of trUST-P collateral backing a $45M loan the attacker has no intention of repaying

This requires trUST-P to be listed as collateral on a lending protocol, which any sufficiently liquid stablecoin would attract. The attack extracts value from the lending protocol, not the trUST vault directly, but the trUST-P supply expansion leaves the token permanently impaired.

Exploit 4: Wash Volume and False Legitimacy

Bots minting and redeeming permissionless trUST-P in rapid cycles generate volume statistics, create the appearance of a liquid market, and qualify the token for DEX incentive programs or lending protocol listings. Wash volume costs almost nothing on a low-fee chain, and it produces false signals that mislead both users and protocols that rely on volume metrics for listing decisions.

How Permissioned Minting Eliminates Each Exploit

trUST closes all four attack surfaces through one mechanism: the SukukFi operator reviews every mint request.

Against premium arbitrage: trUST is not listed on public DEXs. The only parties holding trUST are verified CommTrade participants with legitimate settlement obligations. No market price exists to diverge from the vault price.

Against discount spirals: A discount requires a secondary market. Without one, there is no price to fall below $1.00. Redemptions are permissionless — any holder can redeem at $1.00 — but the absence of a public float means no mechanism for a discount to form. The peg holds by construction.

Against flash loan attacks: Flash loan attacks exploit permissionless access at scale. An operator review requirement means no $50M flash loan can mint $50M trUST in a single transaction. Minting is a two-step async process: deposit, then approval. The time between deposit and approval eliminates any flash loan's atomic arbitrage window.

Against wash volume: Permissioned participants have real settlement obligations and pay real transaction costs. Wash volume requires permissionless access. The approval requirement makes it economically irrational.
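
The deposit-then-approval flow from the flash loan paragraph above, as an added Python example (not SukukFi's contract code): a mint request only escrows USDC.e and a separate operator call mints, so a flash-borrowed deposit cannot be repaid inside the same transaction and the whole transaction reverts. The class, method and account names, the verified-participant set and the sample amounts are assumptions made for this illustration.

```python
import copy

class Revert(Exception): pass   # aborts the transaction; the caller rolls state back

class AsyncMintVault:
    """Model ledger for a deposit-then-approve mint; every name here is hypothetical."""
    def __init__(self, operator, verified):
        self.operator, self.verified = operator, set(verified)
        self.usdc, self.trust = {}, {}        # USDC.e and trUST balances
        self.pending, self.next_id = {}, 0    # request id -> (depositor, amount)

    def request_mint(self, who, amount):
        if who not in self.verified:
            raise Revert("depositor is not a verified participant")
        if self.usdc.get(who, 0) < amount:
            raise Revert("insufficient USDC.e")
        self.usdc[who] -= amount              # escrowed; nothing is minted yet
        self.pending[self.next_id] = (who, amount)
        self.next_id += 1
        return self.next_id - 1

    def approve_mint(self, caller, req_id):
        if caller != self.operator:           # runs as a separate, later transaction
            raise Revert("only the operator approves mints")
        who, amount = self.pending.pop(req_id)
        self.trust[who] = self.trust.get(who, 0) + amount

def atomic_flash_mint(vault, borrower, loan, fee):
    """One transaction: flash-borrow, request a mint, then repay loan + fee or revert."""
    saved = copy.deepcopy(vault.__dict__)
    try:
        vault.usdc[borrower] = vault.usdc.get(borrower, 0) + loan
        vault.request_mint(borrower, loan)
        if vault.usdc[borrower] < loan + fee: # lender's end-of-transaction check
            raise Revert("flash loan not repaid in the same transaction")
        vault.usdc[borrower] -= loan + fee
        return "committed"
    except Revert as exc:
        vault.__dict__.update(saved)          # roll back every state change
        return f"reverted: {exc}"

def demo():
    vault = AsyncMintVault("operator", {"carrier-a", "carrier-b"})
    vault.usdc["carrier-a"] = 1_000_000       # constructed sample balance
    req = vault.request_mint("carrier-a", 1_000_000)   # transaction 1: deposit
    vault.approve_mint("operator", req)                # transaction 2: approval
    flash = atomic_flash_mint(vault, "carrier-b", 50_000_000, 15_000)
    outsider = atomic_flash_mint(vault, "bot", 50_000_000, 15_000)
    return flash, outsider, vault.trust, vault.pending
```

Calling `demo()` shows the ordinary two-transaction mint succeeding for a verified participant while both flash-funded attempts revert and leave the trUST supply unchanged.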

What the Permissioned Model Does Not Prevent

Permissioning closes external attack surfaces. Three internal risks remain:

Every stablecoin design carries some version of these. Permissioning removes the arbitrage and MEV risks; these three stay.

The Right Tool for the Right Job

trUST serves one purpose: B2B settlement between verified CommTrade participants. The permissioned model fits that scope.

A general-purpose stablecoin derives its value from breadth. trUST derives its value from reliability: it redeems at exactly $1.00 and no MEV bot can drain the vault.

Carriers settling $10M in monthly traffic invoices need a token that redeems at $1.00, resists draining, and records every transaction on-chain. Permissioning gives them that.

For the full technical specification of trUST, see trUST Settlement Dollar in the documentation. To explore trUST minting and redemption, visit app.sukuk.fi.