[2602 Grant] TYKORA — Prize Vaults for DoC & USDRIF (Tropykus Yield) on Rootstock

Milestone 1 — Coinspect audit completed

As part of Milestone 1, we completed an independent security audit with Coinspect for TYKORA’s initial architecture (DoC + USDRIF vaults, with yield routed to Tropykus). Coinspect delivered findings and recommendations, we implemented all required fixes, and Coinspect completed the final verification of the remediations.

Because of the complexity of the contracts, the audit process took longer than originally expected — but it is 100% completed.

Audit report: Tykora Coinspect Audit Report

Tropykus shutdown impact

During the final audit process, Tropykus announced the shutdown of services. This had a major impact on TYKORA, since (as described in our whitepaper) Tropykus was the yield source used to generate rewards.

Strategy modularity and the Sovryn pivot

From the beginning, TYKORA was designed so that Tropykus was not the only possible yield source. The protocol architecture allows deploying a new strategy contract pointing to a different yield provider, while keeping the core TYKORA Prize Vault logic intact.

Following the Tropykus shutdown, we evaluated alternatives and found a viable path with Sovryn. We now have the new Sovryn strategy implemented and tested, and the DoC vault is already enabled in the TYKORA dApp using Sovryn as the yield source.

USDRIF temporarily unavailable

The downside is that, at the moment, Sovryn does not provide yield markets for USDRIF, so the USDRIF vault will not be available for now.

We also reviewed other potential options (e.g., LayerBank), but currently those do not support yield for both DoC and USDRIF in a way that fits TYKORA’s requirements. So, at this time, Sovryn is the only viable route.

Remaining work

At this stage, the remaining work is focused on the new Sovryn strategy. Coinspect has already completed an initial review of this strategy and is ready to proceed with the full audit once we give the go-ahead.

Before we trigger that final audit step, we’re currently waiting on Sovryn to confirm a few technical details related to underlying behavior/assumptions so we can finalize the strategy parameters and implementation with full confidence. As soon as those clarifications are resolved, we will greenlight Coinspect to complete the strategy audit.

JXLabs will cover the full cost of this additional Coinspect audit for the Sovryn strategy (beyond Milestone 1), so the community can rely on a complete and independently reviewed production stack before we proceed further.

Community feedback request

Given these changes, we’d really appreciate the community’s opinion:

• Does the Sovryn approach make sense as the best available path forward?
• Are you comfortable with TYKORA moving forward with DoC only for now (until USDRIF yield options exist)?
• Is there another ecosystem provider you believe we should evaluate as a yield source for USDRIF?

Thanks again for the support and for helping us navigate a major external dependency change mid-process. We’re happy to answer any questions and share any additional detail the community would find helpful.

JXLabs Team

Hi @jxlabs team, thanks for the update, and congratulations on the audit results!

We have a question based on this statements:

Does the statement that “at the moment” and “for now” Sovryn doen’t provide yield markets with USDRIF mean that they are considering incorporating it in the future? Have you spoken with them about this? Could you tell us what information they provided regarding the possible incorporation of yield markets with USDRIF and what the tentative timeline is for this?

This is important because, in one scenario, if Sorvyn plans to implement this in the near future, it’s worth considering whether it’s worth waiting for that improvement; however, in another scenario, if they have no plans for this (or only vague, long-term plans), it might be useful to look for other sources of yield for USDRIF.

Thanks for the thoughtful question @SEEDGov and we agree this distinction matters.

When we said “at the moment / for now,” we meant as of today Sovryn does not offer an active USDRIF yield market that TYKORA can route to. We do not have any confirmed signal or committed timeline from the Sovryn team that USDRIF yield markets will be added in the near term.

We’ve reached out to Sovryn with a few technical questions (including the USDRIF path) and we’re currently still waiting for a concrete response / point of contact. Our goal is to get direct clarity from them on whether USDRIF support is on their roadmap and, if so, what the realistic timeline would be. Once we have that information, we’ll share it transparently with the community.

From TYKORA’s side, adding USDRIF is not structurally complex if/when an appropriate Sovryn market exists: DoC and USDRIF have very similar token parameters, and the main change is typically **routing the strategy to the correct underlying + market contract.

So our decision framework is:

• If Sovryn confirms USDRIF markets are coming soon with a credible timeline, it could be reasonable to wait and re-enable the USDRIF vault once that route exists and is audited.
• If there’s no clear plan / timeline, then we should treat DoC-only as the practical near-term path and continue evaluating other USDRIF-compatible yield sources in parallel.

JXLabs Team

Thanks for the M1 closure update and the audit transparency. Congratulations on completing the Coinspect review with all required fixes implemented and final verification done.

The Sovryn pivot makes sense given the Tropykus shutdown. Coinspect’s fix-review recommends a fresh full review of the new strategy layer rather than treating the current state as a delta, and your post commits to that audit “before we proceed further,” self-funded beyond M1. To make that actionable for delegates evaluating M2 on-chain, we would ask for an explicit commitment that the published Sovryn-strategy audit is part of the M2 deliverable scope, with the audited commit hash tagged the same way M1 was. M1’s KPIs included a “final audited release tagged and publicly available”; extending that standard to what’s actually in production is what completes the milestone.

With that commitment, we support the continuation on DoC-only for now while USDRIF yield options develop.

Thanks for the careful read @Tane and for the clear ask. We agree with the principle: what’s in production must match what’s audited, with the same level of traceability (tag + commit hash) we delivered for Milestone 1.

Commitment (and how we’ll operationalize it)

• Milestone 1 is complete for the initial architecture (DoC + USDRIF vaults with Tropykus strategy): findings delivered → fixes applied → final verification completed → audited tag/commit + report published.
• Because the yield layer changed (Tropykus → Sovryn), we fully agree this cannot be treated as a “delta.”
• We commit that the Sovryn strategy audit is part of Milestone 2 deliverables, and that we will not proceed to production with the Sovryn-based vault unless:
  1. the exact commit is frozen and tagged,
  2. Coinspect completes a full review of that strategy, and
  3. the audit report + audited commit hash/tag are published and referenced from our Verified Addresses page.
• Any incremental audit scope/cost related to the Sovryn strategy beyond Milestone 1 will be covered by JXLabs.

Updated Milestone 2 (explicitly including Sovryn strategy audit)

Milestone 2 — Production mainnet launch & operational enablement
Duration: 4 weeks (Weeks 3–6)
Amount: 3,000 USDRIF (or rBTC equivalent)

Deliverables
A) Security finalization for production yield layer (Sovryn Strategy)

• Freeze the Sovryn strategy code at an exact commit hash and publish a tagged release for audit.
• Coinspect full audit/review of the Sovryn strategy (not a delta), plus fix/verify loop if needed.
• Publish: audit report + audited tag/commit hash, and link it from the Verified Addresses page.
• Production deployments will reference the audited tag (and we will only enable Production mode after that).

B) Production launch & operational enablement (DoC first)

• Transition TYKORA from Sandbox → Production on Rootstock for the DoC vault using the audited Sovryn strategy.
• USDRIF vault will remain disabled until a viable audited yield market exists.

C) Admin / Controls (Production)

• Production owner: Rootstock Safe multisig with threshold M-of-N (signer composition disclosed).
• Multisig-controlled admin surface:
  • setEmergencyMode(bool)
  • awardDrawManual(drawId, seed) (exception-only)
  • emergencyCancelDraw(drawId)
  • startFenwickRepair() / continueFenwickRepair(steps)
• Explicit note: key economics (draw period, fee bps) are immutable in deployed vaults; strategy routing is one-time set at deployment.

D) Ops SLOs (Measurable)

• Execution liveness: ≥95% of draws finalized within 24h of scheduled end when BTC header data is available.
• Manual intervention ceiling: ≤5% manual interventions over a rolling 90-day window.
• Disclosure SLAs (when manual paths are used):
  • brief public notice within 24h
  • short follow-up within 72h (reason + confirmation of integrity)

E) Runbook artifacts

• Verified Addresses page (vaults, strategies, underlying tokens, multisig owner, keeper addresses)
• Monitoring checklist (events + keeper txs + BTC header readiness + draw state transitions)
• Canonical incident log & disclosures published in TYKORA Docs, with Telegram used for fast notifications linking back to the canonical report.

Success metrics / KPIs

• Coinspect audit for Sovryn strategy completed and published (report + audited tag/commit hash).
• Production DoC vault uses the audited strategy tag (verifiable on-chain via Verified Addresses page).
• Keeper lifecycle executed end-to-end on mainnet with published runbook + monitoring checklist.

With that explicitly added to M2, we agree with your conclusion: support moving forward DoC-only for now (until USDRIF yield options exist), while keeping the production stack fully audited and verifiable.

JXLabs Team

Thanks for the update @jxlabs.

I’d like to ask if the team plans to adjust the M3 activation strategy given the current DoC only setup. The original 5000 USDRIF activation budget was designed around both DoC and USDRIF vault communities, but with the USDRIF vault now disabled, the target depositor base is meaningfully smaller.

Before M3 disbursement, it would be helpful to have a revised activation plan outlining which channels and communities the team plans to focus on and how the 5,000 USDRIF budget will be allocated under the current scope.

Thanks for flagging this @Ignas we agree the activation plan should be adjusted to reflect the current DoC-only production path (given the Tropykus shutdown and the Sovryn pivot).

Below is a revised Milestone 3 plan that keeps the original 5,000 USDRIF budget, but reallocates effort and spend toward the DoC depositor base while preserving optionality to accelerate USDRIF later if/when a viable yield market becomes available.

Milestone 3 — Liquidity & adoption activation (TVL impact) — Revised (DoC-only)

Duration: 4 weeks (Weeks 6–9)
Amount: 5,000 USDRIF (or rBTC equivalent)

Updated scope assumption (for M3)

• TYKORA will operate with the DoC vault in production (Sovryn strategy).
• USDRIF vault remains disabled until an appropriate yield source exists and the corresponding strategy is audited.

Activation budget allocation (5,000 USDRIF)

1,500 USDRIF — Sponsor principal (DoC vault, no-tickets)
Deployed as sponsor deposits to increase the yield base and weekly prize size during the DoC-only phase. Sponsor funds explicitly opt out of prize eligibility (no tickets).
If/when an USDRIF yield source becomes available, this sponsor principal can be redeployed (fully or partially) to accelerate the USDRIF vault’s cold start — without changing any deployed vault rules.

2,000 USDRIF — Paid promotion / media distribution (awareness + qualified traffic)
Focused on reaching Rootstock + DoC + Sovryn users and driving qualified onboarding traffic to TYKORA. This is aimed at measurable reach + conversion rather than broad, low-intent impressions.

1,000 USDRIF — Onboarding incentives / campaigns (no gas rebates)
Lightweight campaigns designed to improve conversion and retention (e.g., “deposit + hold” participation waves aligned with the vault’s eligibility window).
We will publish the eligibility criteria up front and provide weekly reporting with links/tx hashes so it’s transparent and auditable.

500 USDRIF — Content production
Tutorial(s) + short clips + FAQ assets to reduce onboarding friction and support distribution across ecosystem channels.

Updated channel focus (DoC-only)

• Rootstock ecosystem channels + governance community
• DoC / Money On Chain community channels
• Sovryn community channels (where appropriate)
• TYKORA-owned channels (site/docs + Telegram)

KPI reporting during the activation period (updated)

Since USDRIF is disabled in the DoC-only phase, we will report:

• DoC TVL
• # of depositors (unique wallets)
• Yield routed through Sovryn attributable to TYKORA (strategy-level reporting where possible)
• Draw participation + prize distribution transparency (draw lifecycle events, winners, prize amounts)

Success metrics / KPIs (updated)

• Public KPI report(s) with verifiable metrics (TVL, depositors, retention proxies, strategy utilization)
• Evidence of measurable post-launch growth in the DoC vault during the activation window

JXLabs Team

Thanks for the detailed M1 update @jxlabs the Coinspect audit completion and the transparency around the Tropykus situation are genuinely appreciated, and we recognize the team has responded constructively to every question raised in this thread.

That said, given the updated scope and the broader ecosystem context, we want to share some concerns that go beyond the yield source substitution.

The pivot from Tropykus to Sovryn solves the immediate dependency problem, but structurally TYKORA now operates with one asset vault (DOC) and one yield source (Sovryn). From a risk perspective, this isn’t a lateral move, it’s a step down in liquidity depth.

TYKORA migrated from the larger to the smaller Rootstock lending protocol. The concentration risk hasn’t been fully resolved and TYKORA couldn’t do much about it, because this is also a function of the broader lending ecosystem on Rootstock itself. The dependency risk remains structural: if Sovryn’s DOC pool shrinks or winds down, TYKORA faces the same situation again.

This leads to our main concern. The prize vault model is fundamentally a retention and engagement product, it gives existing stablecoin holders a better place to park funds. It doesn’t directly bring new users into the ecosystem. And for it to generate meaningful prizes, it needs sufficient depositor volume. Based on the current Sovryn DOC pool data: total liquidity is ~$753K at 6.55% APR. Even if TYKORA captured all available liquidity (~$332K not yet borrowed), the annual yield would be ~$21,700 — roughly $417/week in prizes at best. That’s unlikely to drive the depositor behavior the M3 activation plan assumes, and adding TYKORA deposits into an already 56% utilized pool (420,937 ÷ 753,000 = 0.559 × 100 = 55.9% ≈ 56%) would further compress the APR, reducing prizes further at the exact moment the product needs them to be attractive.

Rootstock’s user adoption isn’t yet at the stage where a prize vault product has a large enough base to work as intended. TYKORA is a retention product, it needs existing stablecoin holders to deposit. The two assets the protocol was built around tell that story directly: DOC has a total circulating supply of ~4.6M tokens, while USDRIF sits at ~1.84M tokens. Combined, that’s a thin base to generate prizes meaningful enough to drive the depositor behavior the product requires.

We think the concept is genuinely interesting and the team has executed with integrity under difficult circumstances. But the Tropykus wind-down surfaces a deeper question than yield source substitution, it’s a product-market fit problem. A prize vault needs a mature, liquid stablecoin ecosystem to function as intended, and Rootstock isn’t there yet. We think the community should be asking not just whether M1 was delivered or whether the rescoped milestones are reasonable, but whether continuing to fund this product serves Rootstock’s current stage and strategic direction.

Thanks @Curia - This is a very fair and thoughtful critique, and we genuinely appreciate you putting numbers behind the concern.

We broadly agree with the core point: Tropykus shutting down didn’t just change an integration detail. It reduced the available liquidity depth and the “ceiling” for how compelling prize sizes can be in the short term. Our pivot to Sovryn was primarily a survival move to keep TYKORA functional and to preserve the work already completed (including the audit), but we don’t claim that Sovryn today offers the same depth that Tropykus had.

Your analysis also highlights the real structural dependency: a prize vault is an engagement/retention primitive that performs best when the underlying stablecoin + lending ecosystem is already sufficiently mature. If the accessible supply base is thin, prize magnitude can struggle, and incentives can become self-limiting, exactly the cold-start / PMF risk you describe.

That’s why, in our M1 closure update, we explicitly asked the community whether the Sovryn path makes sense or whether waiting / re-evaluating is the more responsible choice.

From our side, we see two realistic paths forward, and we’re genuinely open to community preference:

Path A — Proceed cautiously with DoC-only (Sovryn) as an “ecosystem experiment,” not as a guaranteed growth engine.
This means being transparent about the prize ceiling under current liquidity conditions, keeping the rollout conservative, and using sponsor-mode deposits as a non-inflationary way to improve early prize salience—while accepting that near-term outcomes may be modest if broader liquidity doesn’t grow.

Path B — Pause/Delay M2/M3 until deeper markets exist (or until a stronger dual-asset setup is available).
We agree this may be the most rational choice if the community’s view is that Rootstock is not yet at the stage where a prize vault can deliver meaningful behavioral pull. In that scenario, we can keep TYKORA in a “ready state” and re-activate when conditions improve.

We also share your view that the best long-term answer is more than one viable yield venue and ideally more than one asset vault. We’re watching alternatives like LayerBank closely - if/when DoC + USDRIF markets there reach meaningful depth and stability, TYKORA’s strategy modularity makes that integration feasible without changing the core prize-vault logic.

So rather than trying to “spin” the Sovryn pivot as a full replacement, we’ll say it plainly: it’s a workable stopgap, but it may not be the optimal moment to push a full production expansion. We’re happy to align with whatever the community believes is the right call given Rootstock’s current stage.

Appreciate the candid feedback. It’s exactly the kind of ecosystem-level realism we want to incorporate before moving further.

JXLabs Team

Thanks for taking the analysis in the right spirit @jxlabs and for being upfront about the tradeoffs. That kind of honesty from a grantee makes the delegates’ job a lot easier.

Based on what we laid out, we’d lean toward Path B, the current stage of Rootstock doesn’t match what a prize vault needs to function effectively and continuing to the next milestone with only one vault and one yield source creates the same dependency risk we just saw with Tropykus. We also don’t see a clear path to meaningful return if we rush this.

In our view the best move at this stage is to pause and wait for clearer signals, whether that’s multiple lending protocols on Rootstock supporting these assets, or DOC and USDRIF reaching the kind of adoption and liquidity depth that gives the prize mechanics enough weight to stand on their own.

Thanks @Curia and thanks to the wider Rootstock Collective community and delegates for the thoughtful review and support throughout this process.

We agree with your conclusion and we’re aligned with Path B. After the Tropykus shutdown and the resulting reduction in liquidity depth, moving forward with TYKORA in a DoC-only + single-yield-source configuration would recreate the same structural dependency risk we just experienced, and it’s hard to justify pushing into the next milestones without clearer signals that the ecosystem is ready for this kind of retention product to perform as intended.

So our plan is to pause progression beyond M1 and treat this as a responsible stop point:

• M1 is completed (Coinspect audit + remediations + final verification), and we’ll keep all outputs public and accessible for transparency.
• We’ll keep monitoring the lending landscape (e.g., multiple protocols supporting DoC/USDRIF with deeper liquidity, or clearer adoption/liquidity growth for the assets).
• If/when those conditions improve, we’ll re-evaluate a production path with reduced dependency risk (multi-vault / multi-yield optionality) and bring an updated plan back to the community.

We genuinely appreciate the ecosystem’s support and the integrity of the governance process. This thread helped us make a better decision — even if it means waiting for the right timing.

JXLabs Team

@jxlabs Glad the discussion was useful, and appreciate your genuine contribution. Pausing and waiting for a clearer signal is the right call given the current state of the Rootstock lending ecosystem, we look forward to reviewing and reconsidering once the conditions we mentioned are there.

Rooting for TYKORA to find its moment, the concept is solid, the timing just needs to catch up.