ZAI: Oracle-Free CDP Flatcoin — Simulation Results & What ZSAs Enable for Coinholders

There’s been a lot of discussion about whether ZSAs justify the complexity they add to Zcash. This is my contribution to that conversation — not an opinion, but working code with transparent research.
What I built: A block-level simulator for ZAI, an oracle-free CDP flatcoin on Zcash. No Chainlink, no external price feeds. The AMM’s TWAP is the only oracle. Fully compatible with shielded transactions. Every CDP locks ZEC as collateral, creating direct demand for ZEC.
Why it matters for coinholders: ZAI lets you hold stable value without leaving the shielded pool. Today, if you want to hedge ZEC volatility, you have to deshield, move to an exchange, and buy USDC losing your privacy. With ZSAs + ZAI, you open a vault, lock your ZEC, mint ZAI, and stay shielded the entire time.

The Key Finding

The conventional wisdom in stablecoin design is that better price accuracy equals better stability. MakerDAO uses Chainlink to get the “true” price. Liquity uses Chainlink + Tellor. Everyone assumes knowing the real collateral price is necessary for maintaining the peg.
The simulation discovered the opposite: price inaccuracy is the stability mechanism.
When ZEC crashes 60%, arbers try to reprice the AMM to match the external market. They exhaust their capital trying. When they’re depleted, the AMM freezes — it doesn’t know ZEC crashed. Vaults can’t be liquidated at fire-sale prices. No death spiral forms. The peg holds precisely because the system is blind to the crash.
I tested this directly by sweeping arber capital replenishment during a 43-day sustained bear:
∙ $0 replenished (arber exhausts) → 11.8% mean peg deviation (best result)
∙ $250K replenished → 16.3% (worse)
∙ $5M replenished → 32.6% (much worse)
∙ $50M replenished → 34.8% (worst result)
Every dollar of arber replenishment makes the peg worse. The system works because arbers run out of money, not despite it.

How ZAI Compares to Existing Stablecoins Under Stress

DAI, Black Thursday 2020: 12% peak depeg, $6M+ bad debt
∙ USDC, SVB Crisis 2023: 12.2% peak depeg, $0 bad debt
∙ UST, Luna Collapse 2022: 100% depeg (total collapse), total loss
∙ ZAI (simulated), Black Thursday equivalent: 4.2% peak depeg, $0 bad debt
Zero bad debt across all 13 stress scenarios. Zero liquidation cascades. The tradeoff is “zombie vaults” — positions that look healthy to the protocol but are underwater by external market price. These self-heal when price recovers (tested: 5/5 zombies resolved after V-shaped recovery, 0.43% residual gap).

The Honest Weaknesses (All Documented)
I’m not selling anything. Every weakness is in the repo:
Zombie vaults are real and inherent. During a sustained crash, TWAP says vaults are healthy while external price says they’re insolvent. This cannot be fixed without reintroducing an oracle, which defeats the purpose. (Findings F-017, F-023)
LP incentives are broken. Fee income is $3-$9 per $100K LP position. No rational LP stays. The system requires $2.5M in protocol-owned liquidity from the Coinholder-Controlled Fund — private LP liquidity drains to $77K in 2.5 days under stress. (F-025, F-027)
Demand shocks from large agents still overwhelm. A $1M agent against a $5M pool causes 19% peg deviation. The rule is: pool must be 10x the largest expected agent. (F-013, F-015)
CDP parameters don’t matter yet. With zero liquidations firing, collateral ratio and TWAP window have no effect on outcomes. The AMM layer does all the work. (F-019)

Deployment Prerequisites
∙ Minimum AMM liquidity: $5M (12/13 scenarios pass)
∙ Recommended AMM liquidity: $10M (all scenarios pass)
∙ Protocol-owned liquidity: $2.5M from Coinholder Fund
∙ Infrastructure needed: ZSAs (ZIP 226/227)
∙ Conservative parameters: 200% collateral ratio, Tick controller, 5-hour TWAP window

The Numbers
∙ 124 passing tests, 0 failures
∙ 31 documented findings (F-001 through F-031)
∙ 13 stress scenarios + 3 historical price proxies
∙ 7 agent types (arbers, demand, miners, CDP holders, LPs, IL-aware LPs, attackers)
∙ Stochastic Monte Carlo validation (50 seeds, stable verdicts)
∙ Full CSV data export on every HTML report for independent verification
∙ Death spiral defense confirmed robust at all tested liquidity levels up to $50M (F-031)
∙ System self-heals during V-shaped recoveries — all zombie vaults resolve (F-029)
Repo: GitHub - lamb356/zai-sim: Oracle-free CDP flatcoin simulator for Zcash — 124 tests, 31 findings, 13 stress scenarios
Run cargo test to verify all 124 tests. Run cargo test --test final_reports_test to generate interactive HTML reports with charts and CSV data download.
RESEARCH_SUMMARY.md has the full analysis. FINDINGS.md has every finding with methodology and implications.

What This Means for the ZSA Debate
ZAI answers Nate’s three criteria directly:

1. Value funnels to ZEC — every CDP locks ZEC as collateral, every AMM pool pairs ZEC, stability fees are denominated in ZEC
2. Censorship resistant — oracle-free, fully shielded, no external dependencies
3. Fees proportional to balance — 2% annual stability fee on outstanding debt
   ZSAs are the prerequisite infrastructure. Without them, there’s no way to represent a dollar-pegged asset in the shielded pool. This simulator is the demand signal — not “people say they want it” but “here’s the math showing it works, here’s where it breaks, and here’s what it costs.”
   The simulation provides the data. The community decides the policy. I’m here to answer questions about the findings.

Update: Historical replay + oracle comparison mode added.

Fed real ZEC price data through the simulator — Black Thursday 2020 (49% crash), FTX collapse 2022 (36% crash), and the Nov 2024 rally (67% up).

Results across all 3 real-world events: zero bad debt, zero death spirals. SOFT FAIL on peg deviation during the crashes (expected you can’t maintain a perfect peg during a 49% crash), but the system stays solvent throughout.

Also added an oracle comparison mode that runs the same 5 stress scenarios twice — once with the oracle-free TWAP design, once with a traditional external oracle feeding liquidation decisions. Oracle-free wins 5/5. The bank run scenario goes from SOFT FAIL (oracle-free) to HARD FAIL (oracle-based) — cascading liquidations destroy the system when the oracle tells it to liquidate during a crash.

This is the core thesis in data: same collateral, same crash, different oracle → different outcome.

33 findings, 137 tests. Repo updated: https://github.com/lamb356/zai-sim

Next up on the research roadmap:

1. LP incentive sweep — testing whether any fee/penalty configuration makes private LPs profitable through crashes without needing protocol-owned liquidity
2. Graduated liquidation — partial deleveraging instead of binary liquidation to address zombie vaults
3. Multi-arber competition — what happens when 3-10 arbers compete instead of 1, does it help or hurt stability
   Results with numbers when each is done

Three more findings from today’s session — all tested potential improvements to see if they could eliminate documented weaknesses.

F-034: LP Incentive Sweep (64 configurations tested) Swept 4 stability fee rates (2-15%) × 4 liquidation penalty LP shares (0-100%) × 4 scenarios. Result: zero crash scenarios produce profitable LPs at any configuration. Best crash result still loses $200K on a $10M entry. Maximum fee income is ~$23K against $1.6M-$3.9M crash losses — fees cover less than 1.5% of the loss. Protocol-owned liquidity is confirmed as non-negotiable.

F-035: Graduated Liquidation (partial deleveraging) Tested 10% per-block partial liquidation instead of binary liquidate/don’t-liquidate. At production liquidity ($5M): zero activations. TWAP inertia keeps vault CRs above the graduated zone — the mechanism never triggers. At low liquidity ($500K): 1,100 activations but outcomes are universally worse — bad debt increases 31%, zombie counts increase. TWAP already provides natural graduation. Binary liquidation is the correct design.

F-036: Multi-Arber Competition Tested 1, 3, 5, and 10 competing arbers with different capital and aggressiveness. More arbers = worse stability. Solo arber (18.6% mean deviation) outperforms swarm of 10 (23-27%). Multiple arbers create price overshoot/undershoot oscillation cycles that drain capital without improving price discovery. Monopolistic arbitrage is optimal for constant-product AMMs.

All three tested “obvious improvements” and proved they don’t work — which validates the existing design choices. 36 findings, 225 tests. Repo updated: https://github.com/lamb356/zai-sim

Next up on the research roadmap:

1. TWAP window sensitivity sweep — mapping the exact failure boundary of the core stability mechanism (240 blocks works, but what’s the minimum?)

2. More historical replay events — May 2021 crash, Luna/UST week May 2022

3. AMM fee and collateral ratio sensitivity sweeps — finding exact parameter boundaries for deployers

ZAI Simulator: 40 Findings, 228 Tests — Full Research Summary

After several iterations of systematic testing, here’s the complete picture of what we know, how we know it, and what’s next.

The Core Math

ZAI uses a constant-product AMM (x × y = k) as its sole price oracle via TWAP. The key equation: when an arber trades Δx ZEC into a pool of x ZEC and y ZAI, they receive Δy = y × Δx / (x + Δx) ZAI. At $5M depth (100K ZEC × 5M ZAI at $50/ZEC), a 1,000 ZEC sell only moves spot price from $50.00 to $49.01 — a 2% impact. At $500K depth (10K ZEC × 500K ZAI), the same trade moves price from $50.00 to $40.91 — an 18% impact.

This is why AMM depth dominates everything. The constant-product formula’s price impact scales as Δx/(x + Δx). At $5M, trades that would cause cascading liquidations in MakerDAO barely move the AMM price. The TWAP then averages over these already-smoothed prices, providing a double layer of inertia.

The TWAP Oracle

The simulator computes TWAP as a cumulative sum: each block adds the current AMM spot price, and the TWAP over N blocks is (cumulative[now] - cumulative[now-N]) / N. This is purely block-count weighted — no timestamps. We tested whether this breaks under irregular block timing (bursty mining, slow blocks) and found it doesn’t matter: the AMM’s constant-product inertia smooths the price signal before TWAP even sees it.

The Liquidation Mechanism

Vaults are liquidated when TWAP collateral ratio falls below min_ratio. Because TWAP lags spot price during crashes, liquidation is naturally delayed. A 50% crash in spot price takes ~240 blocks (~5 hours) to fully propagate through a 240-block TWAP window. This delay is the system’s core defense: by the time TWAP says “liquidate,” the crash may have partially recovered, or the sell pressure from liquidation is spread over hours instead of concentrated in minutes.

We tested graduated liquidation (partial 10% per block instead of binary) and found it’s either redundant at $5M (never activates because TWAP keeps CRs above the warning zone) or counterproductive at $500K (extends zombie duration and increases bad debt by 31%).

The Arber Economics

Arbitrageurs are the only agents that connect the AMM price to external reality. When ZEC crashes externally, the AMM still shows the old price. Arbers sell ZEC on the AMM to profit from the discrepancy, pushing AMM price toward the new reality. Their profit per trade is: (amm_price - external_price) × trade_size - swap_fee.

At $5M depth with a 30-60% crash, even a 5% swap fee is negligible compared to the arbitrage spread. This is why AMM fee level doesn’t affect crash behavior (F-038). Arbers trade until they run out of capital or the spread closes.

We tested multi-arber competition and found that solo arbers outperform swarms. Multiple arbers create overshoot/undershoot oscillation: arber A pushes price below fair value, arber B pushes it back above, arber C pushes it below again. Each round trip burns capital on swap fees without improving price discovery. Mean peg deviation goes from 18.6% (solo) to 23-27% (swarm of 10).

The LP Problem

Genesis LPs provide $5M ZEC + $5M ZAI. When ZEC crashes 50%, the ZEC half loses ~$2.5M. We swept 64 configurations of stability fees (2-15%) and liquidation penalty sharing (0-100%) and found max fee income of ~$23K — less than 1% of the crash loss. No fee structure can compensate LPs for directional ZEC exposure during crashes. Protocol-owned liquidity is required.

Parameter Hierarchy (from 5 sweeps totaling 228+ configurations)

We swept every major parameter and found a strict hierarchy:

1. AMM depth — the ONLY parameter that determines solvency. At $5M, zero bad debt at every CR from 125-300%, every TWAP window from 12-720 blocks, every fee from 0.1-5%, every block timing pattern.

2. TWAP window — second-order. At $500K the relationship is non-monotonic (longer windows are worse for Black Thursday because they trap TWAP in pre-crash territory). At $5M it’s completely irrelevant.

3. Everything else (CR, fee, block timing, LP incentives, liquidation mode, arber count) — third-order or irrelevant to solvency at $5M.

Historical Validation

Replayed 6 real ZEC crash events with actual hourly price data from CryptoCompare:

The Fundamental Tradeoff

Oracle-free design eliminates external dependencies but creates “zombie vaults” — positions that appear solvent to the protocol (TWAP CR > min_ratio) while being underwater by external market price. This is mathematically inherent: if the oracle can’t see the crash in real-time, it can’t liquidate underwater positions in real-time. The tradeoff is: death spiral immunity in exchange for temporary insolvency that resolves as TWAP catches up.

What’s Next

Current research uses a single random seed (seed=42) for all simulations. This means every finding is a single data point — “seed 42 produces zero bad debt” is not the same as “the system produces zero bad debt.” Next phase:

1. Monte Carlo analysis — Run each crash scenario with 100+ random seeds to get statistical distributions. Transform single-point findings into confidence intervals: “mean bad debt across 100 runs is $X with 95th percentile of $Y.”

2. LP withdrawal stress testing — The $5M assumption assumes LPs stay put during crashes. In reality, LPs withdraw to avoid impermanent loss. Test what happens when 50% of liquidity disappears during a crash.

3. Economic attack profitability — Can a whale profit by shorting ZEC externally, manipulating the AMM to trigger liquidations, and buying liquidated collateral cheap? If this attack is unprofitable at $5M, that’s a strong defense.

4. Formal specification toward ZIP draft — Define mathematical invariants and move from simulation results to a Zcash Improvement Proposal.

40 findings, 228 tests, all open source: https://github.com/lamb356/zai-sim

ZAI Simulator: 46 Findings, 238 Tests, Mathematical Specification — Full Research Summary

After a while of systematic testing, here’s the complete picture of what I know, how I know it, and what’s next.

The Core Math

ZAI uses a constant-product AMM (x · y = k) as its sole price oracle via TWAP. The key equation: when an arber trades Δx ZEC into a pool of x ZEC and y ZAI, they receive Δy = y - k/(x + Δx(1-f)) ZAI. At $5M depth (100K ZEC × 5M ZAI at $50/ZEC), a 1,000 ZEC sell only moves spot price by ~2%. At $500K depth, the same trade moves price by ~18%. Price impact scales quadratically with trade size relative to pool depth — this is why AMM depth dominates everything.

The TWAP oracle uses a Uniswap v2-style cumulative accumulator: T(n,w) = (C(n) - C(n-w)) / w. A single-block price shock of magnitude δ moves TWAP by only δ/w. For the TWAP to drop by fraction f, spot must be depressed for at least w·f blocks. The cost of sustained manipulation scales as O(w · depth · f²) — quadratic in the target deviation. Full derivations are in the mathematical specification: https://github.com/lamb356/zai-sim/blob/main/docs/mathematical_specification.md

What Works (confirmed across 46 findings)

• Zero bad debt across 6 real ZEC crash events (Black Thursday 2020, FTX 2022, May 2021, Luna/UST 2022, COVID 2020, Rally 2024)

• 400/400 Monte Carlo stochastic runs produce zero bad debt (100 seeds × 4 crash scenarios)

• 12/13 synthetic stress scenarios pass at $5M

• Zero bad debt even under 90% price decline ($50→$5 over 43 days) — peg quality degrades but system never becomes insolvent

• Zero bad debt even with 90% LP withdrawal during a crash — LP flight is a peg quality concern, not a solvency concern

• Block-count TWAP is safe for Zcash’s variable block times

What Doesn’t Work

• LP incentives: max fee income is $23K against $1.6M-$3.9M crash losses (F-034)

• Graduated liquidation: redundant at $5M, counterproductive at $500K (F-035)

• Multiple arbers: solo arber outperforms a swarm of 10 (F-036)

• Higher CR for griefing defense: 300% CR actually makes attacks profitable for the whale because they buy cheap liquidated collateral (F-046)

Security Analysis

All 4 tested attack strategies are unprofitable the whale loses $17K-$164K. But a sustained manipulation attack (100K ZEC dumped at 1K/block for 100 blocks) can trigger liquidations and create $3,145 in bad debt at $5M/200%CR, with a 5.4:1 griefing ratio.

Mitigation: $10M AMM eliminates griefing entirely — zero bad debt, whale loses $25K, only 9 liquidations vs 16 at $5M. The shorter 48-block TWAP also eliminates bad debt but at significant peg quality cost. The optimal anti-griefing config is $10M / 200% CR / 240-block TWAP.

Parameter Hierarchy (from 7 parameter sweeps)

1. AMM depth — the ONLY parameter that determines solvency

2. Everything else — determines capital efficiency, peg quality, and griefing resistance, but NOT solvency

Bootstrap Roadmap

The Fundamental Tradeoff

Oracle-free design eliminates external dependencies but creates “zombie vaults” — positions that appear solvent to the protocol while being underwater by external market price. This is mathematically inherent: if the oracle can’t see the crash in real-time, it can’t liquidate underwater positions in real-time. The tradeoff is: death spiral immunity in exchange for temporary insolvency that resolves as TWAP catches up.

What’s Next

Looking for community feedback on the research.

Specific questions:

1. Are there attack vectors we haven’t tested?

2. Is $10M protocol-owned liquidity realistic for Zcash?

3. Is the zombie vault tradeoff acceptable?

4. What additional scenarios should I stress test?

Full mathematical specification, 46 findings, 238 tests, all open source: https://github.com/lamb356/zai-sim

woah this is crazy. gonna have to review this soon

btw, i meant to propose ZAI as an alternative to ZSAs, but there’s no reason they can’t coexist if that’s the direction the community wants to go.

Thanks for the kind words! Happy to answer any questions as you dig into it. The math spec (docs/mathematical_specification.md) is probably the best starting point — it derives everything from first principles.

On ZAI vs ZSAs — they’re actually complementary, not alternatives. ZSAs give Zcash custom token types (the infrastructure). ZAI would be a specific application built on that infrastructure — a stablecoin that could be issued as a ZSA. Think of ZSAs as the plumbing and ZAI as a specific faucet. ZAI actually needs something like ZSAs to exist on-chain as a shielded token.

The research proves the mechanism works. ZSAs would be how you’d actually deploy it on Zcash.

Yes, but IMO it’s better not to conflate the two proposals. We can explore the merits of a flatcoin/ZAI without prescribing a particular technical approach to building it (e.g. ZSAs). Let each proposal stand on its own merit.