As mandated, we submit the analysis we prepared for openUSDT, SolvBTC, and xSolvBTC for the BOB instance. We echo @MarcZeller’s comment about focusing the DAO’s resources on opportunities that present sufficient upside, and remaining mindful of the overhead of managing an increasing number of instances. Therefore, we will not recommend any parameters or oracle at this time, but may revisit this in the future should the DAO express such a desire.
Detailed assessments
openUSDT assessment
1. Asset Fundamental Characteristics
1.1 Asset
OpenUSDT (oUSDT) is an interoperable USDT token that is purpose-built for cross-chain DeFi. It is backed 1:1 with native USDT locked on Ethereum and Celo, and leverages Hyperlane for interchain operability and Chainlink CCIP for securing oUSDT transfers. It is deployed at the address 0x1217BfE6c773EEC6cc4A38b5Dc45B92292B6E189 on BOB Network. As of July 14, 2025, oUSDT has a circulating supply of 4.765 on BOB.
1.2 Architecture
oUSDT is implemented using the XERC20 and SuperchainERC20 token formats, which allow swaps to be initiated outside the Superchain by both EVM and non-EVM users.
Velodrome has built Superswaps, an on-chain infrastructure that enables seamless cross-chain token swaps across the entire Superchain. This eliminates the need for users to interact with traditional bridges, wrapped tokens, or external liquidity pools. Superswaps utilize Hyperlane for interchain messaging, leveraging its modular message transport layer that supports any virtual bridge provider. In this system, oUSDT acts as the intermediary token used by Routers, which serve as the entry point for token swaps transferring value across chains.
Superswaps also include built-in MEV protection through the use of Submarine Sends, which allow swap commitments (details about what is being swapped) to be separated and privately relayed from the rest of the transaction.
Chainlink CCIP secures both the messaging and value transfer for oUSDT, with defined risk parameters: a bufferCap of $2M (limiting mint/burn to $1M at a time) and a replenishingPerSecond rate of $500/s for the BOB chain. These limits help reduce cross-chain risk by capping the value that can be moved at once or within a short time window, minimizing potential impact in case of a failure or exploit. By combining Hyperlane and CCIP, oUSDT can be extended to new chains and is positioned to upgrade to native Superchain interop via ERC-7802 seamlessly.
Minting/Redemption
Source: Hyperlane Warp Route (HWR) Architecture, Hyperlane Docs
Warp Routes is Hyperlane’s token bridging framework that utilizes a lock-and-mint mechanism for oUSDT transfers. oUSDT is backed 1:1 with native USDT on the collateral chains (or origin chains), Ethereum, and Celo. Users can lock their USDT in the XERC20Lockbox contract, which handles the wrapping of USDT to oUSDT and escrows the USDT as collateral, to mint oUSDT on a synthetic chain (or destination chain), in this case, BOB. The lockboxes on Ethereum and Celo securely hold the USDT collateral. Users can redeem oUSDT for USDT at any time by initiating the redemption process on the collateral chain, which results in the corresponding oUSDT being burned on the synthetic chain (i.e., BOB).
Using the OpenUSDT interface, users can mint oUSDT on BOB by sending USDT from Ethereum or Celo. No other chain currently supports oUSDT minting; only direct oUSDT-to-oUSDT transfers are supported on those chains.
1.3 Tokenomics
The supply of oUSDT on BOB is not fixed; it dynamically adjusts based on the token amount bridged to or from the chain. As of July 11, 2025, the total market supply of oUSDT across EVM chains is 2.1M, backed 1:1 by USDT locked on Ethereum and Celo. However, the circulating supply on BOB is only 4.65 oUSDT, indicating that the token is still in the very early stages of adoption on this chain.
2. Market Risk
Currently, there are no liquidity pools available for oUSDT on BOB. However, the OpenUSDT team has confirmed that oUSDT is intended to become the primary USDT representation on BOB. Although a bridged USDT token with ~1M supply already exists, BOB will be pre-funding a migration contract to enable users to swap from the existing USDT to oUSDT. The collected USDT will then be bridged to Ethereum, as the collateral backing for newly issued oUSDT on BOB. Regarding liquidity, the team has assured us that LP commitments have already been secured to support oUSDT adoption.
As oUSDT adoption on BOB matures, we will be better positioned to assess liquidity, LP concentration, and volatility risks, all of which remain premature to evaluate at this stage.
3. Technological Risk
3.1 Smart Contract Risk
The most recent audit of Hyperlane Warp Routes, ICA, CCTP, and OP contracts was conducted by ChainLight on June 26, 2025. The audit identified 2 critical and 5 informational findings. All critical issues and one informational finding were patched, while the team addressed the remaining four informational findings with utility-based justifications. The presence of two critical vulnerabilities, despite being fixed, raises concerns and suggests the need for a follow-up audit to ensure continued security.
The Hyperlane Superchain USDT smart contracts, which oUSDT uses on BOB, were audited by ChainSecurity. Their February 14, 2025, report listed 2 resolved informational findings.
Separately, the Hyperlane CCIP Warp Route underwent an audit by ChainLight on February 20, 2025, which uncovered 1 high, 1 low, and 2 informational findings, all of which were either acknowledged or resolved.
3.2 Bug Bounty Program
OpenUSDT currently does not have a dedicated bug bounty program. However, its security benefits from the long-standing bounty programs of its underlying components, Hyperlane, Chainlink CCIP, and Velodrome, all of which maintain active Immunefi programs with coverage of $2.5M, $3M, and $100K, respectively. This cumulative coverage reflects industry-standard, battle-tested security practices. To further strengthen assurance, we recommend launching a dedicated OpenUSDT-specific bounty under Hyperlane’s existing Immunefi program.
3.3 Price Feed Risk
Since oUSDT is a wrapped version of USDT for Superchains, it is designed to track the USDT price 1:1. The collateral backing oUSDT is held in XERC20Lockbox contracts on Celo and Ethereum, and is publicly verifiable. The team has indicated that a dashboard will provide real-time visibility into the oUSDT supply and corresponding USDT reserves across chains. A Proof of Reserves feed to track total USDT backing for oUSDT is also planned for future implementation.
In the meantime, Chainlink data feeds are not yet available on the BOB Network. However, the team has confirmed that integration is in its final stages, with feeds expected to go live within the next two weeks. Once live, the USDT BOB price feed can accurately price oUSDT in Aave markets.
3.4 Dependency Risk
Hyperlane
oUSDT’s cross-chain functionality is entirely dependent on the Hyperlane protocol. Any vulnerability, exploit, or operational failure of Hyperlane’s smart contracts could lead to a permanent freeze or theft of oUSDT assets. While Hyperlane’s security is modular, allowing for customizable risk parameters, the core smart contracts represent a central point of failure. The security of oUSDT is therefore directly tied to the ongoing security and auditing of the Hyperlane infrastructure.
Tether (USDT)
The fundamental value of oUSDT is directly pegged to the value and stability of the underlying native Tether (USDT). Therefore, oUSDT inherits all of the risks associated with Tether itself. These include custodian risk, as the reserves backing USDT are held by financial institutions, and regulatory risk, with changing global regulations potentially impacting Tether’s operations. Any de-pegging of USDT from the US dollar, due to a lack of confidence in its reserves or other market factors, would be directly mirrored in the value of oUSDT.
Chainlink CCIP
For high-value transfers, oUSDT relies on Chainlink’s Cross-Chain Interoperability Protocol (CCIP) for additional security. This introduces a dependency on the correct functioning of Chainlink’s Decentralized Oracle Networks (DONs) and the independent Risk Management Network. While CCIP is designed with a defense-in-depth approach, any unforeseen vulnerability or collusion within the oracle networks could compromise the security of large oUSDT transfers. The system is designed to halt activity upon detecting anomalies, which could temporarily freeze funds during a security event.
4. Counterparty Risk
4.1 Governance and Regulatory Risk
The web interface through which users engage with the decentralised protocol built on Hyperlane’s inter-chain messaging layer is maintained by Abacus Skunkworks Limited (“Abacus”), as expressly acknowledged in the Terms of Use. Under those Terms, Abacus and its affiliates reserve all intellectual property and related proprietary rights in the site and all underlying content, including software, text, graphics, trade and service marks, copyrights, patents, and design rights. The Terms also confirm that Abacus is not registered with the U.S. Financial Crimes Enforcement Network (FinCEN) as a money-services business, nor does it hold any comparable regulatory authorisation elsewhere.
Abacus’s practical influence is underscored by its position as a co-signatory on the Nested Safe architecture and its administrative control over the Abacus Works Safes that govern certain extension chains. Because any exercise of signing authority may constitute “control” for regulatory purposes, the scope of Abacus’s involvement—particularly in evaluating oUSDT on the BOB network—merits continued scrutiny.
Access to the interface is conditioned on the user’s explicit representation that they are not (a) listed on any sanctions roster maintained by a competent governmental authority—including, without limitation, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List—or (b) organised, resident or located in a jurisdiction subject to comprehensive U.S. embargoes.
Operationally, the protocol inherits the restraint mechanics embedded in Tether-issued USDT: frozen USDT cannot be supplied to mint oUSDT, and addresses blacklisted by Tether are effectively barred from sourcing the requisite USDT for that purpose. While Tether lacks unilateral power to immobilise oUSDT directly, the oUSDT collective has indicated it will honour any freeze or blacklist directives issued by Tether. Complementing this framework, the primary Hyperlane relayer software implements sanctions-screening logic focused chiefly on identifying OFAC-listed wallet addresses.
4.2 Access Control Risk
The oUSDT deployment model leverages a multi-layered access control structure, combining Nested Safes and Abacus Works (AW) Safes to enhance security, enable shared governance, and ensure on-chain transparency.
However, a Nested Safe has not yet been deployed on BOB for oUSDT. Instead, ownership is managed through an Interchain Account (ICA) on BOB, which is controlled by the Abacus Works (AW) Safe on Ethereum.
4.2.1 Contract Modification Options
Here are the controlling wallets:
- AW Safe: A 4/9 threshold Safe multisig, controlling its ICA on BOB. It has full administrative control over sensitive functions, including setting buffer caps, rate limits per second, adding or removing bridges, and deploying new instances via the factory.
The following contracts power the OpenUSDT architecture on BOB:
- oUSDT: ERC-20 contract for oUSDT token on BOB. It is deployed behind an ERC1967Proxy that is controlled by the AW Safe.
- Superchain ERC20 Bridge: Hardcoded contract responsible for initiating cross-chain oUSDT minting and burning operations. It is fully trusted and controlled by Superchain governance.
- HypXERC20: Handles wrapping of oUSDT. It is controlled by the AW Safe.
4.2.2 Timelock Duration and Function
OpenUSDT has not configured any timelock on oUSDT contract upgrades. However, the team has confirmed adding an OpenZeppelin timelock, already in testing and planned for deployment within the next two weeks.
4.2.3 Multisig Threshold / Signer Identity
Abacus Skunkworks Limited controls the 4/9 threshold AW Safe multisig.
Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.
Disclaimer
This review was independently prepared by LlamaRisk, a community-led decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.
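Added example (not part of the original assessment and not the project's own code): a Python model of the bridge limits quoted in section 1.2, used to bound how much oUSDT could be minted on BOB within a time window if a bridge were compromised. It assumes a midpoint buffer, consistent with the statement that a bufferCap of $2M limits mint/burn to $1M at a time; the class and function names are hypothetical.

```python
class MidpointRateLimit:
    """Assumed model: the buffer rests at bufferCap / 2, mints deplete it,
    burns refill it, and it drifts back to the midpoint over time."""

    def __init__(self, buffer_cap, replenishing_per_second):
        self.buffer_cap = buffer_cap          # page value: $2M on BOB
        self.rate = replenishing_per_second   # page value: $500/s on BOB
        self.midpoint = buffer_cap // 2
        self.stored = self.midpoint           # assumption: starts at rest
        self.last_update = 0

    def buffer(self, now):
        """Mint headroom at time `now` (seconds), after drift to midpoint."""
        drift = (now - self.last_update) * self.rate
        if self.stored < self.midpoint:
            return min(self.stored + drift, self.midpoint)
        return max(self.stored - drift, self.midpoint)

    def mint(self, amount, now):
        available = self.buffer(now)
        if amount > available:
            raise ValueError("mint exceeds rate-limit buffer")
        self.stored, self.last_update = available - amount, now

    def burn(self, amount, now):
        current = self.buffer(now)
        if current + amount > self.buffer_cap:
            raise ValueError("burn exceeds bufferCap")
        self.stored, self.last_update = current + amount, now


def worst_case_minted(buffer_cap, rate, window_s, step_s=60):
    """Total minted by draining all headroom every step_s seconds,
    starting from a buffer at rest: the exposure bound for the window."""
    limit = MidpointRateLimit(buffer_cap, rate)
    total = 0
    for now in range(0, window_s + 1, step_s):
        amount = limit.buffer(now)
        limit.mint(amount, now)
        total += amount
    return total


if __name__ == "__main__":
    for hours in (1, 6, 24):
        bound = worst_case_minted(2_000_000, 500, hours * 3600)
        print(f"{hours:>2} h window: at most ${bound:,} minted")
```

Under this model the bound grows as $1M plus $500 for every second of the window, so the time needed to detect an incident and pause the bridge sets the realistic loss ceiling.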