Tokenized RWAs OFT Threat Model
| Threat | Impact | Mitigation |
|---|---|---|
| Module swap to malicious contract | Attacker-controlled module could disable pause, zero out fees, or remove rate limits | Only DEFAULT_ADMIN_ROLE can call setPauseModule / setFeeConfigModule / setRateLimiterModule. Use governance multisig for admin. |
| Shared rate limit exhaustion | One high-volume token could exhaust the rate limit bucket for all tokens on a destination | Token scales convert amounts to a common unit. Set scales appropriately. Monitor bucket utilization per EID. |
| Token registration of malicious OFT | Rogue OFT could execute mint calls for its token in different chains | Token registration is the Tokenized RWAs OFT equivalent of peer setting in OFTs — a critical trust boundary. TOKEN_REGISTRAR_ROLE should be held by a trusted operator, not a hot wallet. |
| Deregistered token with inflight messages | Inbound messages for a deregistered token will revert, blocking the channel | Pause outbound transfers for the token via the NexusPauseModule, wait until all inflight messages have been delivered and processed, then deregister. |
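As an added illustration of the "shared rate limit exhaustion" row above (example code, not the Nexus contracts' own logic): a simulator with one linearly refilling bucket per destination EID shared by every token, and a per-token scale that divides the token's local-decimal amount into the common unit the bucket counts. The bucket model, the EID, limits and token decimals are all assumptions constructed for this example. Running the scenario with a correct scale for the 18-decimal token and then with a scale three orders of magnitude too small shows how the mis-scaled token consumes the whole bucket and starves the other token's sends.

```python
from dataclasses import dataclass

# Added example, not the Nexus rate limiter's own code. Assumed model: one
# refilling bucket per destination EID, shared by all registered tokens; each
# token's scale divides its local amount into the common unit the bucket counts.


@dataclass
class Bucket:
    limit: int        # capacity in common units
    window: int       # seconds needed to refill from empty to full
    used: int = 0     # common units consumed and not yet refilled
    last_ts: int = 0  # timestamp of the last update

    def refill(self, now: int) -> None:
        elapsed = max(0, now - self.last_ts)
        self.used = max(0, self.used - self.limit * elapsed // self.window)
        self.last_ts = now


class SharedRateLimiter:
    def __init__(self) -> None:
        self.buckets: dict[int, Bucket] = {}   # dst EID -> shared bucket
        self.scales: dict[str, int] = {}       # token -> divisor to common unit

    def set_rate_limit(self, eid: int, limit: int, window: int) -> None:
        self.buckets[eid] = Bucket(limit, window)

    def set_token_scale(self, token: str, scale: int) -> None:
        if scale <= 0:
            raise ValueError("scale must be positive")
        self.scales[token] = scale

    def to_common(self, token: str, amount_ld: int) -> int:
        return amount_ld // self.scales[token]

    def try_send(self, eid: int, token: str, amount_ld: int, now: int) -> bool:
        """True if the send fits the shared bucket, False if it would revert."""
        bucket = self.buckets[eid]
        bucket.refill(now)
        units = self.to_common(token, amount_ld)
        if bucket.used + units > bucket.limit:
            return False                      # bucket exhausted for this EID
        bucket.used += units
        return True

    def utilization(self, eid: int, now: int) -> float:
        """Fraction of the bucket in use; the per-EID figure worth monitoring."""
        bucket = self.buckets[eid]
        bucket.refill(now)
        return bucket.used / bucket.limit


DST_EID = 30101      # constructed destination EID
LIMIT = 1_000_000    # constructed: 1M common units (whole-unit equivalents)
WINDOW = 3600        # constructed: full refill in one hour


def run_scenario(scale_b: int) -> dict:
    """Token A has 6 decimals (scale 10**6); token B has 18 decimals and the
    scale passed by the caller. Correct scale for B is 10**18."""
    rl = SharedRateLimiter()
    rl.set_rate_limit(DST_EID, LIMIT, WINDOW)
    rl.set_token_scale("A", 10**6)
    rl.set_token_scale("B", scale_b)
    b_ok = rl.try_send(DST_EID, "B", 900 * 10**18, now=0)       # 900 B tokens
    a_ok = rl.try_send(DST_EID, "A", 200_000 * 10**6, now=0)    # 200k A tokens
    return {
        "b_ok": b_ok,
        "a_ok": a_ok,
        "utilization": rl.utilization(DST_EID, 0),
        "after_window": rl.utilization(DST_EID, WINDOW),
    }


if __name__ == "__main__":
    print("correct scale:", run_scenario(10**18))
    print("scale 1000x too small:", run_scenario(10**15))
```

With the correct scale the two sends use about a fifth of the bucket; with B's scale set to 10**15, a 900-token send is counted as 900,000 common units and the 200,000-unit send of token A is rejected, which is the cross-token starvation the table warns about. Per-EID utilization is the number to chart and alert on.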
Shared Threat Model
The following threats and mitigations are shared with Stablecoin OFT:
- Pauser / Unpauser key compromise — Same split-role mitigation. See Stablecoin OFT Security.
- Fee deposit address compromise — Same push-based model. Attacker controlling feeDeposit can only receive fees, not extract principal.
- Supply inflation via misconfigured deployment — Ensure each NexusERC20 grants MINTER_ROLE / BURNER_ROLE only to the intended burner-minter address.
- Fund recovery abuse — Same recoverFunds restriction: only from non-allowlisted addresses.
- Non-atomic proxy deployment — Same risk. Deploy proxy and call initialize atomically.
Compliance Controls
Allowlist (via NexusERC20Guard)
The shared guard enforces allowlist checks on transfer, transferFrom, and burn for all registered NexusERC20 tokens. Mode switches (Open → Blacklist → Whitelist) are instant and do not clear existing lists.
Per-Token Pause (via NexusERC20Guard)
Each NexusERC20 can be paused independently using uint160(tokenAddress) as the pause ID. This allows freezing a specific token’s local transfers without affecting other tokens.
Per-Pathway Pause (via NexusPauseModule)
Cross-chain sends can be paused at four levels: globally, per destination, per token, or per (token, destination) pair. Priority resolution determines the effective state.
Fund Recovery
Same mechanism as Stablecoin OFT — admin can transfer tokens from non-allowlisted addresses for compliance seizures.
Monitoring
Events to monitor across the Tokenized RWAs OFT deployment:
| Event | Source | Indicates |
|---|---|---|
| RoleGranted / RoleRevoked | All contracts | Permission changes |
| DefaultAdminTransferScheduled | All with 2-step | Admin transfer initiated |
| PauseModuleSet / FeeConfigModuleSet / RateLimiterModuleSet | Nexus | Module swap (high severity) |
| TokenRegistered / TokenDeregistered | Nexus | Token registry changes |
| FeeConfigSet | Fee Module | Fee rate changes |
| PauseConfigSet | Pause Module | Pathway pause state changes |
| RateLimitConfigSet / RateLimitStateSet | Rate Limiter Module | Rate limit config changes |
| OFTSent / OFTReceived | NexusOFT | Cross-chain transfers (alert on large amounts) |
| GuardSet | NexusERC20 | Guard contract swap (high severity) |
| AllowlistModeChanged | Guard | Allowlist mode transitions |
| BlacklistUpdated / WhitelistUpdated | Guard | Address list changes |
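An added detection example over the event table above (not the project's own monitoring tooling): a scanner that consumes an ordered stream of already decoded events, raises high-severity alerts for the module and guard swaps the table flags, alerts on large OFTSent amounts, and pairs OFTSent with OFTReceived by GUID so that a TokenDeregistered event arriving while messages are still inflight (the "deregistered token with inflight messages" threat) is flagged. The event records, the `token` field on OFTSent/OFTReceived, the threshold and the addresses are all constructed for this example; the standard OFT events carry a GUID but the token attribution here is an assumption.

```python
from collections import defaultdict

# Added example, not the Nexus project's own tooling. Event records are assumed
# to be already decoded into dicts; the "token" field on OFTSent/OFTReceived is a
# constructed convention for this example, not a field of the standard OFT events.

HIGH_SEVERITY = {"PauseModuleSet", "FeeConfigModuleSet",
                 "RateLimiterModuleSet", "GuardSet"}
LARGE_SEND_LD = 500_000 * 10**6   # constructed alert threshold, local decimals


def scan_events(events, large_send_ld=LARGE_SEND_LD):
    """Return (alerts, inflight) for an ordered stream of decoded events.

    alerts   : list of (severity, message) in stream order
    inflight : token -> sorted GUIDs sent but not yet received
    """
    alerts = []
    inflight = defaultdict(set)   # token -> GUIDs sent but not yet received

    for ev in events:
        name, args, src = ev["event"], ev["args"], ev["contract"]
        if name in HIGH_SEVERITY:
            # Module or guard swap: pause, fee and rate-limit controls can change.
            alerts.append(("HIGH", f"{name} on {src}: new={args['new']}"))
        elif name == "OFTSent":
            inflight[args["token"]].add(args["guid"])
            if args["amountSentLD"] >= large_send_ld:
                alerts.append(("MEDIUM", f"large OFTSent {args['guid']} "
                               f"token={args['token']} amountLD={args['amountSentLD']}"))
        elif name == "OFTReceived":
            inflight[args["token"]].discard(args["guid"])
        elif name == "TokenDeregistered":
            pending = inflight.get(args["token"], set())
            if pending:
                # Inbound delivery for these GUIDs will revert and block the channel.
                alerts.append(("HIGH", f"TokenDeregistered {args['token']} with "
                               f"{len(pending)} inflight message(s)"))
        elif name in ("RoleGranted", "RoleRevoked"):
            alerts.append(("INFO", f"{name} role={args['role']} account={args['account']}"))

    return alerts, {t: sorted(g) for t, g in inflight.items() if g}


# Constructed sample stream (not real chain data); EIDs and addresses are placeholders.
SAMPLE_EVENTS = [
    {"contract": "NexusOFT", "event": "OFTSent",
     "args": {"guid": "0x01", "token": "TKN_A", "dstEid": 30101,
              "amountSentLD": 10_000 * 10**6}},
    {"contract": "NexusOFT", "event": "OFTReceived",
     "args": {"guid": "0x01", "token": "TKN_A", "srcEid": 30110,
              "amountReceivedLD": 10_000 * 10**6}},
    {"contract": "NexusOFT", "event": "OFTSent",
     "args": {"guid": "0x02", "token": "TKN_A", "dstEid": 30101,
              "amountSentLD": 750_000 * 10**6}},
    {"contract": "Nexus", "event": "PauseModuleSet",
     "args": {"new": "0xMODULE_PLACEHOLDER"}},
    {"contract": "Nexus", "event": "TokenDeregistered",
     "args": {"token": "TKN_A"}},
    {"contract": "Nexus", "event": "RoleGranted",
     "args": {"role": "TOKEN_REGISTRAR_ROLE", "account": "0xOPERATOR_PLACEHOLDER"}},
]


if __name__ == "__main__":
    found, pending = scan_events(SAMPLE_EVENTS)
    for sev, msg in found:
        print(sev, msg)
    print("still inflight:", pending)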
Next Steps
- RBAC Reference for the complete role-to-function matrix
- Architecture for the system design overview