> ## Documentation Index > Fetch the complete documentation index at: https://docs.layerzero.network/llms.txt > Use this file to discover all available pages before exploring further. # Security and Compliance > Threat model, operational security, and compliance controls for Tokenized RWAs OFT multi-token hub deployments. Tokenized RWAs OFT shares the same security foundations as [Stablecoin OFT](/v2/developers/evm/stablecoin-oft/security-compliance) — OpenZeppelin audited upgradeable libraries, EIP-7201 namespaced storage, two-step admin transfer, and push-based fee settlement. Tokenized RWAs OFT contracts are [independently audited](/v2/resources/audits). This page focuses on threats and mitigations **specific to the Tokenized RWAs OFT architecture**. ## Tokenized RWAs OFT Threat Model | Threat | Impact | Mitigation | | --------------------------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Module swap to malicious contract** | Attacker-controlled module could disable pause, zero out fees, or remove rate limits | Only `DEFAULT_ADMIN_ROLE` can call `setPauseModule` / `setFeeConfigModule` / `setRateLimiterModule`. Use governance multisig for admin. | | **Shared rate limit exhaustion** | One high-volume token could exhaust the rate limit bucket for all tokens on a destination | Token scales convert amounts to a common unit. Set scales appropriately. Monitor bucket utilization per EID. | | **Token registration of malicious OFT** | Rogue OFT could execute mint calls for its token in different chains | Token registration is the Tokenized RWAs OFT equivalent of peer setting in OFTs — a critical trust boundary. `TOKEN_REGISTRAR_ROLE` should be held by a trusted operator, not a hot wallet. | | **Deregistered token with inflight messages** | Inbound messages for a deregistered token will revert, blocking the channel | Pause outbound transfers for the token via the NexusPauseModule, wait until all inflight messages have been delivered and processed, then deregister. | ## Shared Threat Model The following threats and mitigations are shared with Stablecoin OFT: * **Pauser / Unpauser key compromise** — Same split-role mitigation. See [Stablecoin OFT Security](/v2/developers/evm/stablecoin-oft/security-compliance). * **Fee deposit address compromise** — Same push-based model. Attacker controlling `feeDeposit` can only receive fees, not extract principal. * **Supply inflation via misconfigured deployment** — Ensure each `NexusERC20` grants `MINTER_ROLE`/`BURNER_ROLE` only to the intended burner-minter address. * **Fund recovery abuse** — Same `recoverFunds` restriction: only from non-allowlisted addresses. * **Non-atomic proxy deployment** — Same risk. Deploy proxy and call `initialize` atomically. ## Compliance Controls ### Allowlist (via NexusERC20Guard) The shared guard enforces allowlist checks on `transfer`, `transferFrom`, and `burn` for all registered `NexusERC20` tokens. Mode switches (Open → Blacklist → Whitelist) are instant and do not clear existing lists. ### Per-Token Pause (via NexusERC20Guard) Each `NexusERC20` can be paused independently using `uint160(tokenAddress)` as the pause ID. This allows freezing a specific token's local transfers without affecting other tokens. ### Per-Pathway Pause (via NexusPauseModule) Cross-chain sends can be paused at four levels: globally, per destination, per token, or per (token, destination) pair. Priority resolution determines the effective state. ### Fund Recovery Same mechanism as Stablecoin OFT — admin can transfer tokens from non-allowlisted addresses for compliance seizures. ## Monitoring Events to monitor across the Tokenized RWAs OFT deployment: | Event | Source | Indicates | | ---------------------------------------------------------------- | ------------------- | ---------------------------------------------- | | `RoleGranted` / `RoleRevoked` | All contracts | Permission changes | | `DefaultAdminTransferScheduled` | All with 2-step | Admin transfer initiated | | `PauseModuleSet` / `FeeConfigModuleSet` / `RateLimiterModuleSet` | Nexus | Module swap (high severity) | | `TokenRegistered` / `TokenDeregistered` | Nexus | Token registry changes | | `FeeConfigSet` | Fee Module | Fee rate changes | | `PauseConfigSet` | Pause Module | Pathway pause state changes | | `RateLimitConfigSet` / `RateLimitStateSet` | Rate Limiter Module | Rate limit config changes | | `OFTSent` / `OFTReceived` | `NexusOFT` | Cross-chain transfers (alert on large amounts) | | `GuardSet` | `NexusERC20` | Guard contract swap (high severity) | | `AllowlistModeChanged` | Guard | Allowlist mode transitions | | `BlacklistUpdated` / `WhitelistUpdated` | Guard | Address list changes | ## Next Steps * [RBAC Reference](/v2/developers/evm/tokenized-rwas-oft/rbac-reference) for the complete role-to-function matrix * [Architecture](/v2/developers/evm/tokenized-rwas-oft/architecture) for the system design overview