Tokenized RWAs OFT shares the same security foundations as Stablecoin OFT — OpenZeppelin audited upgradeable libraries, EIP-7201 namespaced storage, two-step admin transfer, and push-based fee settlement. Tokenized RWAs OFT contracts are independently audited. This page focuses on threats and mitigations specific to the Tokenized RWAs OFT architecture.

Tokenized RWAs OFT Threat Model

| Threat | Impact | Mitigation |
|---|---|---|
| Module swap to malicious contract | An attacker-controlled module could disable pause, zero out fees, or remove rate limits | Only DEFAULT_ADMIN_ROLE can call setPauseModule / setFeeConfigModule / setRateLimiterModule. Use a governance multisig for admin. |
| Shared rate limit exhaustion | One high-volume token could exhaust the rate limit bucket for all tokens on a destination | Token scales convert amounts to a common unit. Set scales appropriately. Monitor bucket utilization per EID. |
| Token registration of malicious OFT | A rogue OFT could trigger mints for its token on other chains | Token registration is the Tokenized RWAs OFT equivalent of peer setting in OFTs, a critical trust boundary. TOKEN_REGISTRAR_ROLE should be held by a trusted operator, not a hot wallet. |
| Deregistered token with inflight messages | Inbound messages for a deregistered token will revert, blocking the channel | Pause outbound transfers for the token via the NexusPauseModule, wait until all inflight messages have been delivered and processed, then deregister. |
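The following is an added illustration of the "Shared rate limit exhaustion" row, not code from the Tokenized RWAs OFT contracts. It models one token bucket per destination EID shared by every registered token, where each token's `scale` divides its raw amount into the common unit (that division, the linear refill, the EID numbers and the token names are assumptions made for the example). Running it shows a token with 18 decimals draining the bucket for a 6-decimal token when its scale is set too small, and the same transfer costing a single unit once the scale is right, plus the per-EID utilization figure the table says to monitor.

```python
"""Shared per-EID rate-limit bucket with per-token scales.

Added illustration, not the Tokenized RWAs OFT implementation. Assumptions
not stated on the page: one token bucket per destination EID shared by all
registered tokens; each token has an integer `scale` and its contribution
to the bucket is raw_amount // scale (the "common unit"); the bucket refills
linearly up to `capacity`.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class TokenConfig:
    decimals: int
    scale: int          # assumed: common units = raw_amount // scale


@dataclass
class Bucket:
    capacity: int       # common units
    refill_per_sec: int
    available: int
    last_ts: int

    def refill(self, now: int) -> None:
        elapsed = max(0, now - self.last_ts)
        self.available = min(self.capacity, self.available + elapsed * self.refill_per_sec)
        self.last_ts = now


class SharedRateLimiter:
    def __init__(self, capacity: int, refill_per_sec: int, tokens: dict[str, TokenConfig]):
        self.capacity, self.refill_per_sec, self.tokens = capacity, refill_per_sec, tokens
        self.buckets: dict[int, Bucket] = {}

    def bucket(self, eid: int, now: int) -> Bucket:
        b = self.buckets.get(eid)
        if b is None:
            b = Bucket(self.capacity, self.refill_per_sec, self.capacity, now)
            self.buckets[eid] = b
        b.refill(now)
        return b

    def try_send(self, token: str, eid: int, raw_amount: int, now: int) -> bool:
        """Debit the destination's bucket in common units; False means the send would be refused."""
        units = raw_amount // self.tokens[token].scale
        b = self.bucket(eid, now)
        if units > b.available:
            return False
        b.available -= units
        return True

    def utilization(self, eid: int, now: int) -> float:
        b = self.bucket(eid, now)
        return 1.0 - b.available / b.capacity

    def hot_eids(self, threshold: float, now: int) -> list[int]:
        """Destinations whose bucket is at or above `threshold` utilization (what to alert on)."""
        return sorted(eid for eid in self.buckets if self.utilization(eid, now) >= threshold)


def scenario(scale_a: int) -> dict:
    """Token A (18 decimals) and token B (6 decimals) share one bucket of 1_000_000 common
    units on EID 30110. A sends 0.000001 A (10**12 raw), then B tries to send 0.5 B."""
    rl = SharedRateLimiter(capacity=1_000_000, refill_per_sec=0,
                           tokens={"A": TokenConfig(18, scale_a), "B": TokenConfig(6, 1)})
    a_ok = rl.try_send("A", 30110, 10**12, now=0)
    b_ok = rl.try_send("B", 30110, 500_000, now=0)
    return {"a_ok": a_ok, "b_ok": b_ok, "util": rl.utilization(30110, now=0)}


if __name__ == "__main__":
    print("scale 10**6  (too small):  ", scenario(10**6))   # A drains the bucket, B is blocked
    print("scale 10**12 (6-dec units):", scenario(10**12))  # A costs 1 unit, B goes through
```

With the scale set to 10**6 a dust-sized transfer of A consumes the entire bucket and B's ordinary transfer is refused; with 10**12 (18 decimals mapped onto 6-decimal units) the same transfer costs one unit. The utilization figure is what a per-EID alert should be built on, since a bucket sitting near 100% is the symptom whichever token caused it.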

Shared Threat Model

The following threats and mitigations are shared with Stablecoin OFT:
  • Pauser / Unpauser key compromise — Same split-role mitigation. See Stablecoin OFT Security.
  • Fee deposit address compromise — Same push-based model. Attacker controlling feeDeposit can only receive fees, not extract principal.
  • Supply inflation via misconfigured deployment — Ensure each NexusERC20 grants MINTER_ROLE/BURNER_ROLE only to the intended burner-minter address.
  • Fund recovery abuse — Same recoverFunds restriction: only from non-allowlisted addresses.
  • Non-atomic proxy deployment — Same risk. Deploy proxy and call initialize atomically.

Compliance Controls

Allowlist (via NexusERC20Guard)

The shared guard enforces allowlist checks on transfer, transferFrom, and burn for all registered NexusERC20 tokens. Mode switches (Open → Blacklist → Whitelist) take effect immediately and do not clear the existing lists, so entries added under an earlier mode apply again the moment that mode is re-enabled.

Per-Token Pause (via NexusERC20Guard)

Each NexusERC20 can be paused independently using uint160(tokenAddress) as the pause ID. This allows freezing a specific token’s local transfers without affecting other tokens.

Per-Pathway Pause (via NexusPauseModule)

Cross-chain sends can be paused at four levels: globally, per destination, per token, or per (token, destination) pair. Priority resolution determines the effective state.

Fund Recovery

Same mechanism as Stablecoin OFT — admin can transfer tokens from non-allowlisted addresses for compliance seizures.

Monitoring

Events to monitor across the Tokenized RWAs OFT deployment:
| Event | Source | Indicates |
|---|---|---|
| RoleGranted / RoleRevoked | All contracts | Permission changes |
| DefaultAdminTransferScheduled | All contracts with two-step admin transfer | Admin transfer initiated |
| PauseModuleSet / FeeConfigModuleSet / RateLimiterModuleSet | Nexus | Module swap (high severity) |
| TokenRegistered / TokenDeregistered | Nexus | Token registry changes |
| FeeConfigSet | Fee Module | Fee rate changes |
| PauseConfigSet | Pause Module | Pathway pause state changes |
| RateLimitConfigSet / RateLimitStateSet | Rate Limiter Module | Rate limit config changes |
| OFTSent / OFTReceived | NexusOFT | Cross-chain transfers (alert on large amounts) |
| GuardSet | NexusERC20 | Guard contract swap (high severity) |
| AllowlistModeChanged | Guard | Allowlist mode transitions |
| BlacklistUpdated / WhitelistUpdated | Guard | Address list changes |
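The block below is an added example of turning that table into a triage pass, and it also covers the "Supply inflation via misconfigured deployment" item from the shared threat list; it is not the project's own tooling. It takes already-decoded log records, ranks them by the severities the table implies (module and guard swaps and large transfers first), and replays RoleGranted / RoleRevoked to confirm that only the intended burner-minter holds MINTER_ROLE and BURNER_ROLE on a NexusERC20. The record layout, the argument names (`role`, `account`, `amount`, `token`), the contract labels, the large-transfer threshold and the sample log are all constructed for the example.

```python
"""Event triage for a Tokenized RWAs OFT deployment.

Added example, not the project's tooling. Input is a list of already-decoded
log records {"block", "contract", "event", "args"}; the event names are the
ones in the monitoring table above, while the argument names ("role",
"account", "amount", "token"), the role strings and the large-transfer
threshold are assumptions. Role holders are reconstructed by replaying
RoleGranted/RoleRevoked in block order, which is how OpenZeppelin
AccessControl emits them.
"""
from __future__ import annotations

HIGH = {"PauseModuleSet", "FeeConfigModuleSet", "RateLimiterModuleSet",
        "GuardSet", "DefaultAdminTransferScheduled"}
MEDIUM = {"RoleGranted", "RoleRevoked", "TokenRegistered", "TokenDeregistered",
          "FeeConfigSet", "PauseConfigSet", "RateLimitConfigSet",
          "RateLimitStateSet", "AllowlistModeChanged"}
LOW = {"BlacklistUpdated", "WhitelistUpdated"}
LARGE_TRANSFER = 1_000_000 * 10**6      # assumed: 1M units of a 6-decimal token
RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def severity(ev: dict) -> str:
    name = ev["event"]
    if name in HIGH:
        return "high"
    if name in ("OFTSent", "OFTReceived"):
        return "high" if ev["args"].get("amount", 0) >= LARGE_TRANSFER else "info"
    if name in MEDIUM:
        return "medium"
    if name in LOW:
        return "low"
    return "unknown"        # not in the table: surface it rather than drop it


def role_holders(events: list[dict], contract: str, role: str) -> set[str]:
    """Current holders of `role` on `contract`, replayed from grant/revoke events."""
    holders: set[str] = set()
    for ev in sorted(events, key=lambda e: (e["block"], e.get("index", 0))):
        if ev["contract"] != contract or ev["args"].get("role") != role:
            continue
        if ev["event"] == "RoleGranted":
            holders.add(ev["args"]["account"])
        elif ev["event"] == "RoleRevoked":
            holders.discard(ev["args"]["account"])
    return holders


def check_mint_burn_roles(events: list[dict], token: str, burner_minter: str) -> dict[str, set[str]]:
    """Supply-inflation check: any holder of MINTER_ROLE/BURNER_ROLE other than the burner-minter."""
    return {role: role_holders(events, token, role) - {burner_minter}
            for role in ("MINTER_ROLE", "BURNER_ROLE")}


def triage(events: list[dict]) -> list[tuple[str, int, str, str]]:
    """(severity, block, event, contract) for every record worth a human look, worst first."""
    hits = [(severity(ev), ev["block"], ev["event"], ev["contract"]) for ev in events]
    hits = [h for h in hits if h[0] != "info"]
    return sorted(hits, key=lambda h: (RANK[h[0]], h[1]))


# Constructed sample log, not real chain data.
SAMPLE = [
    {"block": 100, "contract": "NexusERC20:USDR", "event": "RoleGranted",
     "args": {"role": "MINTER_ROLE", "account": "0xBurnerMinter"}},
    {"block": 100, "contract": "NexusERC20:USDR", "event": "RoleGranted",
     "args": {"role": "BURNER_ROLE", "account": "0xBurnerMinter"}},
    {"block": 101, "contract": "NexusERC20:USDR", "event": "RoleGranted",
     "args": {"role": "MINTER_ROLE", "account": "0xDeployerEOA"}},   # the misconfiguration
    {"block": 102, "contract": "Nexus", "event": "TokenRegistered",
     "args": {"token": "NexusERC20:USDR"}},
    {"block": 103, "contract": "NexusOFT", "event": "OFTSent", "args": {"amount": 250 * 10**6}},
    {"block": 104, "contract": "NexusOFT", "event": "OFTSent", "args": {"amount": 5_000_000 * 10**6}},
    {"block": 105, "contract": "Nexus", "event": "PauseModuleSet", "args": {}},
    {"block": 106, "contract": "Guard", "event": "BlacklistUpdated", "args": {}},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
    print("unexpected mint/burn holders:",
          check_mint_burn_roles(SAMPLE, "NexusERC20:USDR", "0xBurnerMinter"))
```

On the sample the large OFTSent and the PauseModuleSet come out first, the routine 250-unit send is dropped, and the role check reports the deployer EOA still holding MINTER_ROLE, which is exactly the leftover grant the shared threat list warns about. Events that are not in the table are reported as "unknown" rather than discarded, since a new event name from an upgraded contract is itself a change worth noticing.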

Next Steps