---

title: [ARFC] Deploy Aave v3 on X Layer
Author: @Tokenlogic
Created: 2025-09-25

---

Summary

This ARFC proposes the deployment of an Aave v3 Instance on X Layer.

Motivation

X Layer is expected to act as both a payment-focused network and a DeFi hub, creating new avenues for user onboarding, real-world adoption, and capital efficiency. Deploying on Aave v3 on X Layer continues the strategy of taking Aave to users. X Layer has the potential to significantly grow Aave’s reach, strengthen user acquisition through OKX’s user base, and capture fresh liquidity.

X Layer’s vision is to serve as a general-purpose platform for payments and DeFi, connecting users and businesses with on-chain opportunities. The core focus will be on building infrastructure that enhances both financial accessibility and scalable DeFi applications. Aave Protocol will be a key pillar of the X Layer ecosystem.

Specification

The below values are for indicative purposes only, that will updated upon receiving feedback from both LlamaRisk and Chaos Labs.

Aave Protocol

General Configuration

eMode Category #1

eMode Category #2

eMode Category #3

eMode Category #4

CAPO Parameters sUSDe

Upon confirmation of the Aave deployment on X Layer, the X Layer team will:

• X Layer will provide a rewards budget, currently being finalised.
• OKX wallet and exchange user base will be encouraged to use X Layer
• Early discussions with partners indicate additional rewards are being provided to support the adoption of various products.
• X Layer will support the integration and assist with boosting the adoption of Aave’s GHO stablecoin within its ecosystem, targeting real-world and institutional use cases.
• Collaborate with liquidity providers, institutional capital allocators, and partners to expand supply in Aave v3 for xBTC and stablecoins.
• Entrust TokenLogic and ACI, on behalf of Aave DAO, to manage the design and distribution of liquidity mining campaign to Aave users respectively.

Disclosure

TokenLogic does not receive any payment for this proposal.

Next Steps

1. Publish an ARFC to continue gathering community and Service Providers feedback.
2. Escalate proposal to ARFC Snapshot.
3. If the ARFC snapshot outcome is YAE, publish an AIP vote for final confirmation and enforcement of the proposal.

Copyright

Copyright and related rights waived via CC0.

Full support for this proposal.
As Aave’s partner, Balancer has already proposed deploying on X Layer too.
Being live on a new chain from day one and providing liquidity into the ecosystem while also enabling that liquidity to act as Aave market depth has proven a winner.

Summary

LlamaRisk supports Aave V3 deployment on X Layer. At this stage, the network has a comparatively low DeFi TVL of around $26 million and a total stablecoin market cap at $84.1 million, with usage still concentrated in early DEX activity and incentive-driven flows. X Layer is built with Polygon’s CDK and connected to the AggLayer, which provides cross-chain interoperability and unified bridging. The design runs on a single trusted sequencer with no fallback for forced inclusion, meaning ordering and liveness are centralized.

The gas token is OKB, whose supply has been fixed at 21 million following a one-time burn and contract upgrade in August 2025. All fees on the network are paid in this asset. Current issuance of stablecoins and other key tokens is through bridged variants rather than native deployments, which places reliance on bridge operators and external issuers.

While we initially support the list of assets proposed by @TokenLogic, we’ll be providing separate, asset-specific recommendations. This is due to the proposed onboarding of entirely new assets—OKB, xBTC, and USDG—onto Aave’s markets, which necessitates in-depth individual asset assessments. We will share these evaluations in due course in this same governance thread.

1. Network Fundamental Characteristics

1.1 Network Overview

X Layer is a Zero-Knowledge (ZK) Ethereum Layer 2 (L2) and is built with the Polygon Chain Development Kit (CDK) as part of a strategic collaboration between OKX and Polygon Labs. Following the Pessimistic Proofs (PP) upgrade, completed on August 5, 2025, it offers full compatibility with the Ethereum Virtual Machine (EVM), enabling developers to deploy existing Ethereum applications.

X Layer processes transactions through an EVM, while its state and data are kept off-chain. Standard execution occurs natively on L2, while Polygon’s Pessimistic Proof mechanism is triggered only for bridging and cross-domain settlement to establish verifiable finality on Ethereum or other connected chains. This approach differs from ZK and Optimistic rollups, where data publication to L1 is embedded into the core protocol.

Source: Polygon docs, September 30, 2025

X Layer architecture

The major components of X Layer are:

• Virtual Machine: EVM‑equivalent
• Consensus: Polygon Pessimistic Consensus
• Sequencer: Trusted
• Gas token: OKB (fixed supply at 21M post-burns/upgrades; L1 OKB phased out)
• Additional Features: AggSender for AggLayer interoperability, SP1 Prover for pessimistic proofs

Technical Overview

AggLayer is the coordination and settlement fabric that sits between many CDK chains and Ethereum. Its job is to police cross-chain value flows and to provide a common bridge. It tracks deposits and withdrawals across all connected chains through a unified accounting model. It accepts certificates from chains, verifies pessimistic proofs, and updates shared state on L1 so any chain can trust that another chain has not withdrawn more than it received.

Pessimistic proofs (PP) are the core of that safety model. Instead of re-proving every state transition, a chain proves that its withdrawals are backed by actual deposits recorded in the unified bridge. The proof is built in a zkVM prover pipeline and checked on L1. This closes the “bridge accounting” risk across the multi-chain set while avoiding the cost of full state proofs. It does not by itself validate the entire L2 state. Correctness inside a given L2 remains a function of the operator’s integrity and upgrade controls.

X Layer itself runs with a throughput of up to 5,000 TPS following the PP upgrade, positioning it to handle high-concurrency activity while relying on the AggLayer framework for settlement and cross-chain consistency.

Source: AggLayer docs, September 30, 2025

On X Layer, the transaction path is straightforward. A user submits a transaction through an RPC endpoint hosted by the operator. The trusted sequencer orders transactions and executes them in an EVM-equivalent environment. The resulting batches and certificates are posted to the AggLayer through an AggSender component. The SP1 prover stack produces pessimistic proofs when cross-chain value must be settled. The AggLayer verifies these proofs and updates the unified bridge and global exit root on Ethereum. Once the L1 contracts reflect the updated state, withdrawals and cross-chain messages become claimable on destination chains.

The on-chain contract set follows the CDK pattern. A SystemConfig-style contract on L1 holds critical parameters such as the sequencer address and pointers to other L1 components. A proxy admin pattern governs upgradeability for the L1 contracts that anchor the rollup and its bridge. X Layer’s sequencer is operated by the team. Inclusion policy, fee parameters, and emergency actions are operational decisions by the operator. Data and access for public users are provided through centralized RPC and explorer infrastructure.

1.2 Decentralization and Legal Evaluation

X Layer is an EVM-compatible Layer 2 network designed to scale Ethereum applications. It operates using a single sequencer controlled by the X Layer team. Unlike validator-based models, there are no independent validators participating in block production. This design centralizes ordering power and network liveness in the sequencer. Public RPC endpoints are provided through official documentation and are hosted on AWS infrastructure, with operations based in Hong Kong.

Architecture and Control
The sequencing model places control of transaction inclusion, ordering, and censorship resistance entirely under the operator of the sequencer. If the sequencer halts or censors, users cannot force inclusion on their own. Bridge functionality and system configuration rely on smart contracts that can be upgraded through administrative multisigs held by the Polygon team.

Censorship and Policy

There are no public records of enforced blacklisting of contracts or tokens. However, the architecture allows for censorship through the sequencer or restrictions at the RPC and explorer layers. This creates the technical capacity to block or limit access to specific contracts if policy requires it.

Economic and Market Conduct

Gas on the network is paid in OKB. With the sequencer centrally operated, policies for transaction ordering and MEV handling are set by the operator. This creates potential conflicts of interest where affiliates of the operator are active in trading, routing, or liquidity provision on the network.

Slashing

X Layer does not implement slashing. The network relies on a single sequencer and doesn’t have a public validator set. Operator behavior and system reliability are managed through access controls and administrative authority.

Legal Evaluation

Our legal analysis pertains to the X Layer Terms of Service, which serve as the publicly accessible and operative contractual framework governing the network. These terms are presented as a binding legal agreement between XLAYER TECHNOLOGY COMPANY LIMITED (referred to as “X Layer Foundation “) and each individual user. Nevertheless, the Terms do not specify the jurisdiction of incorporation for the company. During our comprehensive due diligence, the X Layer team has clarified that the entity is registered in Seychelles; however, no additional corporate identification or statutory particulars have been furnished.

With respect to limitations of liability, although the relevant disclaimers are notably comprehensive, it is important to recognize that many jurisdictions restrict or prohibit the exclusion of liability for certain consumer or statutory entitlements—particularly in regions such as the European Union, the United Kingdom, Australia, and various states across the United States. While the terms provide exclusions for gross negligence and fraud, the language, as currently drafted, fails to reference critical consumer protection statutes or those rights that cannot be lawfully excluded or waived.

The indemnification provision affords X Layer Foundation unfettered and unilateral authority to direct the defense and resolution of any relevant claim or proceeding, granting it “sole and absolute discretion” in such matters. This degree of discretionary control may invite scrutiny, as it departs from the more balanced standards often expected in contractual relationships, especially where indemnity is involved.

Regarding representations and warranties, the Terms unequivocally state that X Layer is offered strictly on an “as-is” and “as available” basis, with users assuming all associated risks. No form of representation or warranty—be it express, implied, or statutory—is provided. To the fullest extent permitted by applicable laws and regulations, X Layer explicitly disclaims, and users expressly renounce, any and all warranties or assurances of any nature, whether arising from law, custom, or the course of dealing.

The Eligibility provisions articulated in the Terms of Service delineate the baseline qualifications for users seeking access to the X Layer network. Natural persons are required to be at least eighteen years of age and must not be restricted, either by law or pursuant to the Terms, from accessing the Services. For institutional or organizational users, the Terms mandate that such entities be duly constituted under the laws of their respective jurisdictions and that the individual acting on the entity’s behalf possess formal authorization to bind the entity in legal agreements.

Notably, the Terms incorporate explicit prohibitions relevant to both “Restricted Persons” and “Restricted Locations.” Persons or entities who are citizens, residents, or physically situated in jurisdictions subject to comprehensive economic sanctions—such as Cuba, Iran, North Korea, Syria, Crimea, Donetsk, and Luhansk—are expressly barred from accessing the network. This exclusion extends to any party subject to penalties administered by international or national regulatory bodies, including the U.S. Office of Foreign Assets Control (OFAC), the European Union, the United Kingdom, and other global authorities. Furthermore, users are affirmatively required to certify, upon request, compliance with these requirements. These restrictive provisions are consistent with prevailing industry standards for blockchain and fintech platforms, reflecting efforts to mitigate exposure to global sanctions risk and reinforce compliance with anti-money laundering and counter-terrorist financing frameworks.

The Terms describe X Layer as an open-source, permissionless, layer 2 blockchain ecosystem that aggregates developer tools, distributed applications (DApps), digital assets, and relevant third-party interfaces. The Foundation explicitly denies any ongoing custodial relationship or direct control over assets, DApps, or third-party material, present or future, accessible through the X Layer network or its associated website.

When evaluating the regulatory status and posture of the X Layer network, it is noteworthy that, in response to our written inquiry, the X Layer team communicated that X Layer, functioning as a permissionless and decentralized blockchain protocol, is not classified as a regulated entity under the current legal and regulatory frameworks of major jurisdictions (i.e., the United States, European Union, United Kingdom, Singapore, and Hong Kong). However, it should be noted that nothing in our correspondence references, summarizes, or makes available the substance of X Layer’s legal analyses or counsel regarding the network’s regulatory exposure.

The Terms of Service specify that the agreement is governed by, and must be interpreted under, the laws of Singapore, without regard to any principles of conflict of laws. This choice of law provision is standard for entities operating within or seeking regulatory certainty with respect to Singapore’s recognized legal environment, especially given Singapore’s status as a leading global hub for fintech and digital asset innovation. The selection of Singaporean law confers predictability and the benefit of a relatively business-friendly statutory and common law tradition; however, the global accessibility of the network means that mandatory consumer protections or public policy laws of other jurisdictions may nonetheless apply as overriding statutes, particularly for users outside Singapore.

The Terms adopt a multi-tiered dispute resolution structure. In the event of a controversy or claim, parties are first directed to pursue resolution through mediation administered by the Singapore International Mediation Centre, in accordance with its procedural rules. Should mediation fail to yield a resolution within ninety days, all disputes are to be referred to binding, confidential arbitration administered by the Singapore International Arbitration Centre under its prevailing rules. The arbitral seat is Singapore, proceedings are conducted in English, and the panel is to be composed of three arbitrators, each party appointing one and a third being selected by the SIAC President.

1.3 Activity Benchmarks

X Layer went live in April 2024. X Layer currently holds around $26.7 million in total value locked, after spending much of the year closer to the 5 to 10 million range. Activity has expanded sharply in recent months, with temporary peaks above 30 million. The sharp pickup in DEX volumes from September reflects stacked catalysts that landed in August 2025: the PP upgrade that raised throughput and cut costs, with chain-specific incentives including a 100 million dollar ecosystem fund as well as launch of a memecoin acceleration program by PotatoSwap. Alongside this growth, trading volumes accelerated to over 60 million at their highest point before easing back toward the 50 million range.

Source: DefiLlama, September 30, 2025

Daily metrics: X Layer L2

Polygon-based X Layer chain activity shows mostly steady day counts in the tens to low hundreds, with USD volume arriving in short bursts. Activity dipped through late 2024, then improved into mid and late 2025 with more consistent throughput.

Source: Dune, September 30, 2025

Daily metrics: Ethereum L1

The X Layer official bridge on Ethereum shows heavy use in early 2024, a cooling phase into late 2024 and early 2025, and then a clear pickup from mid-2025 with rising daily transactions and several sharp value spikes. That pattern fits renewed bridging and liquidity shifts, with more users moving assets and a few high-value days driving the USD peaks.

Source: Dune, September 30, 2025

1.4 Security

X Layer inherits the audited Polygon CDK (formerly zkEVM) stack and benefits from Polygon’s AggLayer, combining security from both the underlying technology and the aggregated verification layer.

Polygon CDK audits:

• Spearbit (March, 2023): 1 critical and 1 informational
• Spearbit-2 (March 27, 2023): 3 critical, 4 incompatibility, 2 low and 21 informational
• Spearbit-1 (March 27, 2023): 7 critical, 1 incompatibility, 1 high, 1 medium and 22 informational
• Spearbit (August 21, 2023): 1 low and 5 informational
• Spearbit (June 20, 2023): 2 high, 1 low and 5 informational
• Verichains (March 19, 2024): 2 critical, 1 medium, 1 low, and 15 informational
• Hexens (December 23, 2024): 2 informational
• Hexens (February 27, 2023): 4 critical, 1 high, 1 medium, 3 low and 7 informational

AggLayer audits:

• Spearbit (March, 2023): 4 mid, 16 low, and 30 informational
• Hexens (February, 2023): 4 critical, 1 high, 1 medium, 3 low and 7 informational
• Sigma Prime (January, 2024): 2 medium, 1 low and 3 informational
• Sigma Prime (February, 2024): 7 medium, 4 low and 9 informational
• Sigma Prime (June, 2024): 1 high, 1 medium, 1 low and 4 informational

Bug Bounty

X Layer participates in the OKX bug bounty program on HackerOne. Researchers can submit security findings related to the network, with rewards scaling by severity and payouts reaching up to 1,000,000 USD for critical issues.

Access Control

On Ethereum mainnet, the PolygonPessimisticConsensus contract is the consensus anchor for X Layer’s pessimistic proof mode, and it exposes an admin address. The admin can transfer and accept the admin role and can set the trusted sequencer identity and its URL.

1. The L1/L2 contracts are managed by Polygon team using Safe 5/12 PolygonAdminMultisig:

• 0xcAB31b6A7b4d2eCd562A09e2BfA46535a18862f9
• 0xAb3506507449bF1880f3337825efd19ac89E235E
• 0x54c401eD03D086fE13221E5422165f3b024265d9
• 0x21618593F7147235aC8D511d68A547C935F9d417
• 0xED7cC82235A7757702475c8f77c7830c095FB5a2
• 0xdFEd8373695a7b3DaF268CF91e71f6a7024A56Da
• 0xffbfc0c8331C5fc912DDA3C6D4A86eEB80203238
• 0xeD44D1CFfB91e163CB7126bdEeA83959f175dB37
• 0x516eEcfb38aA308c5f1878497108c7d054fd46B7
• 0x4c1665d6651ecEfa59B9B3041951608468b18891
• 0xA0B02B28920812324f1cC3255bd8840867d3f227
• 0xEad77b01ea770839F7f576Cd1516Ff6A298d9dB2

2. The Safe 6/8 PolygonSecurityCouncil multisig is used to activate an emergency state in both the manager and the shared bridge, pausing all connected projects and allowing system contracts to be upgraded immediately.

• Signers (8): 0xFe45…2e4b, 0xaF46…261D, 0xBDc2…FEFf, 0x4c16…8891, 0x3ab9…D622, 0x49c1…0E86, 0x9F7d…86A0, 0x2188…1C28

3. The Safe 3/8 PolygonCreateRollupMultisig can interact with the PolygonRollupManager to deploy new projects based on predefined rollup implementations and connect them or other AggLayer chains to the manager.

• Signers (8): 0xAb35…235E, 0x3038…D3b5, 0xa439…AE31, 0xD947…fCFC, 0xCE27…AaAc, 0x0B84…Ca77, 0x0185…22A6, 0x7316…4496

4. EOA 1

• Can interact with PolygonPessimisticConsensus
  • sole address that can force batches

5. EOA 2

• Can interact with PolygonPessimisticConsensus
  • must provide a signature for each pessimistic proof, attesting to a valid state transition

6. EOA 3

• Can interact with PolygonPessimisticConsensus and set the trusted sequencer address

Smart Contracts

1. PolygonPessimisticConsensus: Admin Address

   System contract defining the X Layer logic. It only enforces bridge accounting (pessimistic) proofs and is otherwise kept minimal as the Layer 2 state transitions are not proven.

   • Roles:
     • admin: EOA 3
     • forceBatchAddress: EOA 1
     • trustedSequencer: EOA 2

2. AggLayerGateway: Admin Address

   A verifier gateway for pessimistic proofs. Manages a map of chains and their verifier keys and is used to route proofs based on the first 4 bytes of proofBytes data in a proof submission. The SP1 verifier is used for all proofs.

   • Roles:
     • addPpRoute: Timelock; ultimately PolygonAdminMultisig
     • admin: SharedProxyAdmin; ultimately PolygonAdminMultisig
     • aggchainDefaultVKey: PolygonAdminMultisig
     • freezePpRoute: PolygonAdminMultisig

   Can be upgraded by: PolygonAdminMultisig with 3 day delay

3. PolygonSharedBridge: Admin Address

   The shared bridge contract, escrowing user funds sent to Agglayer participants. It is usually mirrored on each chain and can be used to transfer both ERC20 assets and arbitrary messages.

   • Roles:
     • admin: SharedProxyAdmin; ultimately PolygonAdminMultisig
     • proxiedTokensManager: Timelock; ultimately PolygonAdminMultisig

   Can be upgraded by: PolygonAdminMultisig with 3 day delay

4. PolygonRollupManager: Admin Address

   The central shared managing contract for Polygon Agglayer chains. This contract coordinates chain deployments and proof validation. All connected Layer 2s can be globally paused by activating the ‘Emergency State’. This can be done by the PolygonSecurityCouncil or by anyone after 1 week of inactive verifiers.

   • Roles:
     • admin: SharedProxyAdmin; ultimately PolygonAdminMultisig
     • createRollup: PolygonAdminMultisig, PolygonCreateRollupMultisig
     • defaultAdmin: Timelock; ultimately PolygonAdminMultisig
     • emergencyCouncilAdmin: PolygonSecurityCouncil
     • trustedAggregator: EOA 4, EOA 5
     • tweakParameters: PolygonAdminMultisig

   Can be upgraded by: PolygonAdminMultisig with 3 day delay

5. PolygonGlobalExitRootV: Admin Address

   A merkle tree storage contract aggregating state roots of each participating Layer 2, thus creating a single global merkle root representing the global state of the Agglayer, the ‘global exit root’. The global exit root is synchronized to all connected Layer 2s to help with their interoperability.

   • Roles:
     • admin: SharedProxyAdmin; ultimately PolygonAdminMultisig

   Can be upgraded by: PolygonAdminMultisig with 3 day delay

6. Timelock

   A timelock with access control. In the case of an activated emergency state in the PolygonRollupManager, all transactions through this timelock are immediately executable. The current minimum delay is 3d.

   • Roles:
     • timelockAdmin: PolygonAdminMultisig (no delay if in emergency state), Timelock (no delay if in emergency state); ultimately PolygonAdminMultisig (no delay if in emergency state)

7. SP1Verifier

   Verifier contract for SP1 proofs (v5.0.0).

8. SharedProxyAdmin

   • Roles:
     • owner: Timelock

Concerns arise around the use of EOAs for the admin, forceBatchAddress, and trustedSequencer roles in the PolygonPessimisticConsensus contract, given the level of influence this contract has on the chain, the absence of state validation, and the lack of any upgrade delay if one of these keys were compromised.

Sequencer

The Sequencer’s private key is managed and protected by a dedicated address owned by X Layer Asset Security Team.

The address deployed on: 0x610de9141a2c51a9a9624278aa97fbe54b27c102

2. Network Market Outlook

2.1 Market Infrastructure

Bridge

X Layer can be accessed through third-party liquidity bridges such as RetroBridge, Rhino.fi, Meson, XY Finance, Owlto, and Orbiter, along with Polygon’s portal integration. Users should confirm official interfaces and contract addresses before moving assets and limit transfer sizes to manage exposure.

DEXs

Currently, there are 10 DEX protocols on X Layer, with the overall trading volume leaning towards PotatoSwap with around $18m USD volume. The list of existing DEXs includes:

• PotatoSwap ($14.39m), Curve Finance ($5m), DyorSwap ($4.76m), OkieSwap ($874,034), AbstraDEX ($637,929), LFGSwap ($521,554), iZUMi Finance ($227,871), Quickswap ($99,276), Revoswap ($69,370), JaceSwap ($41,401)

Lending

A few lending protocols are deployed on X Layer:

• ZeroLend ($40,929)
• River ($15,070)
• Dolomite ($1,872)

Tooling

• Bridging/Interoperability Protocols: 7 bridging/interoperability protocols support X Layer
• Cross-Chain: For cross-chain communication and messaging X Layer uses LayerZero and Connext
• RPC Node Services: RPC node services on X Layer include QuickNode, Blockdaemon, ZAN and Ankr
• Oracles/Data Services: Oracles and data services include Chainlink, API3, RedStone and SupraOracles.

CEXs

Currently, OKX appears to be the only major CEX with direct, native X Layer network support for deposits and withdrawals. Other exchanges may add support as the network grows in adoption and liquidity.

2.2 Liquidity Landscape

X Layer DEX liquidity is highly fragmented across several AMMs and routing aggregators. Depth shifts with mercenary TVL, so large trades are often split across multiple pools, which increases slippage and fee drag. The current list includes:

• USDT/USD₮0 on Curve Finance ($2.958m TVL)
• USDC/USD₮0 on Curve Finance ($1.04m TVL)
• USDG/USD₮0 on Curve Finance ($1.0m TVL)
• WOKB/USDT on PotatoSwap ($348k TVL)
• USD₮0/WOKB on PotatoSwap ($241.53k TVL)
• USDT/WOKB on OkieSwap ($185.75k TVL)

The team is preparing to seed $5 million of liquidity into X Layer DEX pools, targeting execution within a 5–8% slippage tolerance, following LlamaRisk recommendations. This increase is intended to support larger trades without destabilizing pricing, with the expectation that incentive programs associated with an Aave market launch will further deepen DEX liquidity.

Incentive program

The Pay rewards program on X Layer credits yield for holding USDC or USDT in the Pay balance. Accrual is automatic with monthly distribution and the reward rate can change or stop at the platform’s discretion. Eligibility requires keeping assets inside the Pay account on X Layer.

In addition, incentive programs are active for USDG with an advertised yield of around 4.1% APY, as well as for ETH/USD and xBTC/USD DEX LP tokens.

Fee structure

X Layer uses OKB as the gas token. Transaction fees are paid in OKB and are calculated on L2 as gas used multiplied by the gas price, with execution and fee enforcement occurring on the L2 sequenced chain. State and data are kept off chain in “Pessimistic Proof” (PP) mode, so routine user transactions do not include a separate Ethereum L1 data fee component.

There is no separate per-transaction Ethereum L1 blob fee in this configuration because X Layer runs on Polygon CDK’s Pessimistic Proof mode with external data availability. Routine transaction data is not posted to Ethereum L1, and the pessimistic proof mechanism is focused on securing the bridge’s accounting. Cross-chain actions such as withdrawals are settled on Ethereum through bridge contracts, and any L1 verification costs appear as bridge fees rather than as an additional charge on every L2 transaction.

2.3 Ecosystem Resilience

Grant program

As of today, OKX has active chain-specific incentives for X Layer, most notably a $100M “X Layer Ecosystem Fund” aimed at builders, along with liquidity incentives to attract projects. The fund was announced in late August and reiterated in OKX’s upgrade notes in mid-August, which also highlighted liquidity programs connected to the X Layer rollout.

Liquidity depth

Liquidity on X Layer is not yet deep at the ecosystem level. Depth is fragmented across many long-tail tokens, with limited concentration in high-quality base assets, which increases slippage and execution risk for institutional-sized orders until larger market makers, incentives, or cross-chain liquidity connectors scale up.

Source: GeckoTerminal, September 29, 2025

2.4 Ecosystem Growth Potential

X Layer is developed by OKX as a payments-first L2 built on Polygon CDK. Its positioning centers on converting OKX exchange and wallet flows into on-chain settlement for everyday transfers and commerce. OKB functions as the gas asset, and OKX Pay routes stablecoin activity through X Layer, aligning the chain with a payments and settlements use case rather than yield-first DeFi.

This focus reflects an adoption path that connects existing OKX products with on-chain rails across retail and merchant scenarios. The emphasis is on low fees, high throughput, and tight wallet integration so that stablecoin movement and basic financial primitives can operate with minimal friction in the OKX environment.

X Layer integrates the Polygon CDK stack and connects to AggLayer for interoperability and shared verification. The OKX distribution surface, including the exchange, wallet, and Pay, provides an installed base that can seed liquidity and transactions. Ecosystem growth is expected to come from anchor integrations in payments, simple credit, and selected DeFi venues, supported by targeted funding and rewards that are builder- and utility-oriented.

2.5 Major and Native Asset Outlook

Source: X Layer docs, September 30, 2025

The list of major assets deployed on X Layer includes Wrapped OKB, Wrapped ETH, Wrapped BTC, xBTC, USDT, USD₮0, USDC, USDG, Bridged USDC.e and DAI. With USD₮0 being the biggest asset with $53.3m fully diluted market cap. The stablecoins total suppy is estimated at $84.1m, with 196k on DAI, 6.89m on USDC, 12.4m on USDT, 9m on USDG and 53.3m on USD₮0.

2.6 Tokenomics

OKB total supply is fixed at 21,000,000 following a single-instance burn of 65,256,712.097 OKB sourced from historical repurchases and treasury reserves that was executed on Aug 15, 2025, and a contract upgrade on Aug 18, 2025, that removed mint and burn functions on the L1 ERC-20 proxy. Implementation currently resolves to 0x81A4…E094 on Ethereum. X Layer uses OKB for gas via its L2 representation.

3. Onchain discoverability

Activity dashboards for X Layer are available on TokenTerminal and DefiLlama. Also there is an available subgraph for X Layer on TheGraph. DEX liquidity can be viewed through Geckoterminal. There is also available a Dune dashboard for general metrics about X Layer and Ethereum L1:

The OKX also developed and maintains a blockchain explorer for X Layer.

4. Impact of Aave Deployment

At present there is no competitive lending market on X Layer. Existing deployments such as ZeroLend, Dolomite, and Timeswap have very limited liquidity, with aggregate TVL in the tens of thousands, far below thresholds needed to support meaningful credit creation. This leaves most stablecoin and asset balances idle and constrains secondary markets.

An Aave v3 deployment would represent the first institutional-grade lending venue on the chain, setting the baseline for collateral standards, risk parameters, and market depth. Its arrival could anchor credit formation and provide the liquidity foundation for other protocols to build against.

Current activity levels on X Layer remain limited, and the chain itself is still early in its lifecycle. This raises concerns about whether liquidity, user adoption, and transaction flow will reach sustainable levels in the near term, as low activity could constrain lending demand and reduce the effectiveness of an early deployment.

Disclaimer

This review was independently prepared by LlamaRisk, a community-led decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

In connection with the forthcoming X Layer deployment, we present our analysis for USDG onboarding.

Summary

We recommend listing USDG on Aave V3 X Layer as a deposit and borrow-enabled, non-collateral asset. The primary risk at this stage is low native liquidity on X Layer, which increases price impact and calls for conservative supply/borrow caps until market depth improves. A full USDG risk assessment has already been completed on the Core market, and the detailed methodology results are available here.

On X Layer, USDG on-chain liquidity is limited. The main venue is a USDG/USDC pool on Curve with about $1 million in TVL. Executing a swap of 545,000 USDG for USDC in that pool results in approximately 10% slippage. Outside that pool, displayed depth at tight spreads is thin, and block-size orders face slippage risk. Larger flows are presently more efficient through primary mint and redeem channels or centralized venues until additional mainnet liquidity is deployed.

Token Holder Concentration

Source: X Layer explorer, October 28, 2025

The current USDG distribution on X Layer shows a significant degree of token concentration. Out of the 9m USDG in circulation, the top five addresses collectively hold more than 80% of the total supply. This distribution indicates a very limited level of holder diversification, suggesting that liquidity and transactional activity are primarily concentrated among a few institutional or operational wallets.

Top 5 USDG holders on X Layer:

• OKX Deposit – 5,488,323.81 USDG (60.80%)
• Curve: USDG/USDT0 Pool – 508,985.95 USDG (5.64%)
• OKX – 499,090.75 USDG (5.53%)
• OKX Hot Wallet – 425,880.55 USDG (4.72%)
• OKX Hot Wallet – 330,744.03 USDG (3.66%)

Market Risk

1) Liquidity

Source: Curve Finance, October 28, 2025

On X Layer, USDG DEX liquidity is concentrated in the newly deployed Curve USDG/USDC pool launched on 24 September, with around 1 million dollars in TVL.

1.1 Liquidity Venue Concentration

Current on-chain liquidity for USDG on X Layer is concentrated in the Curve USDG/USDT0 pool. The active pool functions as the primary depth venue for swaps and routing of USDG against a stable counterpart.

On-chain traces indicate additional venues exist or are being prepared. We identified upcoming Uniswap v3 USDG/WOKB and USDG/xBTC pools in development based on the deployed factory and USDG holdings. We also verified USDG in the Pancake USDG/USDT0 pool contract on X Layer.

1.2 DEX LP Concentration

On X Layer, USDG currently exhibits limited secondary market depth. The primary onchain venue is a USDG/USDC pool on Curve, with current depth liquidity set at $1M in TVL, and the OKX address being the largest Liquidity provider.

Volatility

Source: LlamaRisk, October 28, 2025

November saw a 9.24% deviation event in the first week after USDG trading went live on Kraken and immediately after Paxos’ launch announcement. New listings commonly exhibit thin order books and fragmented price discovery; a single small trade can set the daily “low” that aggregators record.

On January 30, 2025, the “high” appears to be an isolated print rather than a broad market premium. On the core USDG/USD market on Kraken, the 52-week range shows extreme ticks (low ≈$0.91, high ≈$1.606) but day-to-day trading clusters tightly around $1; this pattern is consistent with one-off outliers that lift the aggregator’s daily high without reflecting a sustained move.

Growth

As of October 28, there is limited on-chain data to assess USDG growth on X Layer following its recent launch. The current supply on X Layer stands at 9,026,311 USDG, representing roughly 1.21% of the total USDG circulating supply across other networks.

Price Feed Risk

For USDG pricing on X Layer, we suggest using Chainlink’s USDG/USD price feed as the primary oracle source. This feed operates with 10 underlying oracles and updates every 24 hours, providing better transparency and resilience for the stablecoin valuation. The deviation threshold for this price feed is set to 0.25%.

Multisig Threshold / Signer identity

On X Layer, the USDG contract follows the same access control structure as on Ethereum. Paxos uses four role-based access controls for the USDG contract, each controlled by Paxos defaultAdmin address backed by proprietary offline HSMs that enforce multi-person approvals. The admin address, which sits at 0x3Af3e85f4f97De7AD0f000B724Fb77fE5ffc024B is operated by the Paxos team and governs all four roles, with each role’s functions ultimately controlled by the defaultAdmin address.

• DEFAULT_ADMIN_ROLE: controls governance of the token’s privileges. It can grant and revoke every other role, change role-admin relationships, rotate the IERC-5313 owner, and authorize UUPS upgrades through the contract’s authorizeUpgrade gate.
• PAUSE_ROLE: operates the emergency halt. Holders can call pause() and unpause() to toggle the token’s whenNotPaused guard, which blocks on-chain transfers and any other functions wired to that modifier.
• ASSET_PROTECTION_ROLE: enforces account-level controls. Holder can freeze and unfreeze specific addresses and invoke a post-freeze wipe that burns the frozen balance on chain to reflect lawful seizure or forfeiture.
• SUPPLY_CONTROLLER_MANAGER_ROLE: administers mint/burn operators and their limits. Holder can add and remove “supply controllers” that execute mint and burn, and configure guardrails such as per-controller permissions and rate or cap parameters.

Aave V3 Specific Parameters

Aave V3 specific risk parameters for USDG will be presented jointly with Chaos Labs prior to instance deployment.

Price Feed Recommendation

We recommend using Chainlink USDG/USD price feed as the primary oracle source. It is advisable to use a CAPO adapter to prevent misreporting on the upper side.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

In connection with the forthcoming X Layer deployment, we present our analysis for xBTC onboarding.

Summary

LlamaRisk supports the onboarding of xBTC as a part of the Aave X Layer deployment, conditional on improved liquidity conditions. The current lack of onchain supply (10 xBTC/~$1.13M) and DEX liquidity would represent onboarding an asset without meaningful demand on the network; the OKX team indicated that they intend to provide an initial $10M seed liquidity to bootstrap xBTC. The BTC wrapper is managed centrally by OKX, with key access control roles assigned to MPCs.

OKX has addressed previously identified legal concerns by confirming that all BTC supporting the xBTC program is securely held in designated, segregated addresses under the exclusive control of Aux Cayes, with no commingling or unauthorized use of assets. Access to xBTC is restricted to verified users in permitted jurisdictions, following a mandatory KYC process, with eligibility currently limited to clients of OKX Seychelles and institutional users in OKX Bahamas. Aux Cayes, incorporated in Seychelles and regulated as a Virtual Asset Service Provider under the VASP Act 2024, continues to operate lawfully under transitional licensing provisions, with its status confirmed by the Seychelles Financial Services Authority. OKX’s legal memorandum concludes that the xBTC program is fully compliant with Seychelles’ regulatory framework, authorizing Aux Cayes to offer and administer all aspects of the xBTC product.

1. Asset Fundamental Characteristics

1.1 Asset

OKX Wrapped BTC (xBTC) is a Bitcoin (BTC) wrapper backed 1:1 by native BTC custodied by OKX. xBTC is minted when users withdraw BTC from their OKX account to a supported network address (currently, Sui, Aptos, Solana, and X Layer). Underlying BTC is redeemed back into user accounts when xBTC is deposited on the OKX Exchange.

Source: OKX

1.2 Architecture

The core functions of xBTC - minting, burning, transferring, and receiving - are controlled by a permissioned system. A managed deny list controls which addresses can receive and transfer xBTC.

BTC deposits are held in OKX’s Bitcoin reserve address, which consists of BTC secured for xBTC minted on other networks. Proof of reserves is made available via the OKX homepage. The OKX team indicated that the reserve is a locked address, which strictly stores segregated BTC.

An internal alert system monitors and enforces the minting and burning of 1:1 BTC from OKX exchange addresses.

Source: Bitcoin Reserve, OKX, October 28, 2025

1.3 Tokenomics

xBTC is minted on a 1:1 basis with BTC deposits via OKX, and is burned when redeemed to maintain parity. Given that minting is facilitated by OKX, the liquidity and supply of xBTC are dependent on the availability of BTC on OKX.

Redemptions through OKX are permissioned and require an OKX account; this limits potential liquidations to OKX-approved liquidators.

1.3.1 Token Holder Concentration

A total of 10 xBTC (~$1.13M) is available on X Layer, with supply almost exclusively held in an OKX EOA. 29 holders are currently registered.

Source: X Layer explorer, xBTC, October 28, 2025

2. Market Risk

2.1 Liquidity

There is currently no meaningful liquidity to swap out of xBTC. Supply is still concentrated in an OKX deposit wallet. Following a discussion with the OKX team, they indicated that they intended to provide an initial $10M seed liquidity to an xBTX/USDT0 pool.

2.1.1 Liquidity Venue Concentration

A Uniswap USDG/xBTC pool appears to be the only pool available for xBTC currently; however, no meaningful liquidity is yet available.

2.1.2 DEX LP Concentration

DEX liquidity is yet to be established on X Layer for xBTC.

2.2 Volatility

X layer markets have yet to be established; therefore, volatility data is unavailable.

2.3 Exchanges

xBTC is currently not available on Centralized exchanges.

3. Technological Risk

3.1 Smart Contract Risk

A Zellic audit was completed on xBTC’s EVM code on October 14, 2025. 1 medium severity issue was found, which the team acknowledged. The issue is related to a custom transfer-role functions implementation, which DEFAULT_ADMIN_ROLE could bypass. However, this is by design.

The final report is yet to be published, with the team sharing an initial draft with us for this review.

3.2 Bug Bounty Program

xBTC smart contracts are covered under a live OKG bug bounty program hosted on HackerOne with a max bounty of $1 000 000.

3.3 Price Feed Risk

A Chainlink BTC/USD price feed is available on X Layer. The price feed has a 0.5% deviation and a 24-hour heartbeat.

3.4 Dependency Risk

xBTC relies on OKX to effectively maintain a 1:1 custody of the underlying BTC. As shown in section 1.2, reserves across chains are held in a single reserve address, accounting for underlying BTC on Sui, Aptos, X Layer, and Solana.

4. Counterparty Risk

4.1 Governance and Regulatory Risk

We have undertaken a detailed evaluation of the xBTC User Agreement, specifically addressing the intricacies surrounding minting and redemption rights, corresponding obligations, custody arrangements and representations, assurances of bankruptcy remoteness, as well as the segregation of assets.

4.1.1. Mint/Redeem Rights and Obligations

Minting (Subscription):
The Agreement prescribes that the user initiates a ‘subscription’ to xBTC by withdrawing BTC from their OKX account to a designated blockchain-compatible wallet address. On completion of this process, the user receives xBTC, which constitutes a wrapped on-chain representation of BTC, minted by an OKX-proprietary smart contract. It is expressly stipulated that this conversion is neither guaranteed to be instantaneous nor immune from suspension, rejection, or outright failure, all of which rest wholly within OKX’s discretion. During such periods of delay or failed execution, Users may find themselves unable to access either the withdrawn BTC or the newly minted xBTC. Furthermore, OKX retains unfettered authority to deny, pause, or terminate any xBTC subscription activity at any time and without advance notice or any obligation of redress. Redemption of xBTC is strictly circumscribed—permissible exclusively via the procedures articulated in the Agreement—and any off-platform transfer, sale, or disposition results in the forfeiture of redemption privileges tied to the associated BTC. Stringent compliance obligations are imposed, including Know-Your-Customer (KYC), anti-money laundering (AML), and Travel Rule requirements. Critically, the minting and associated functionalities are customized for and managed solely by OKX, with no recourse to third-party validation or adherence to open standards.

Redemption:
The process of converting xBTC back to BTC is similarly defined and equally restrictive: redemption is only initiated by depositing xBTC into the user’s OKX account. This purportedly straightforward transaction is, however, also potentially subject to delays, outright failure, or rejection, all at the discretion of OKX. The Agreement is unequivocal that redemptions undertaken outside this process are unsupported and thus void. While OKX commits to using “best efforts” to maintain a 1:1 redemption parity between xBTC and BTC, it simultaneously disclaims responsibility for any divergences in this ratio arising on external platforms. Should the aggregate BTC reserve held by OKX fall short of the total outstanding xBTC, redemptions become available solely on a pro-rata basis; thus, users must accept the real possibility that full redemption may be unattainable, and the Agreement offers no guarantee against such shortfalls. OKX reserves the unqualified authority to halt or suspend redemptions at any juncture, further underscoring the absence of any assurance as to user convertibility rights.

As a result, the entire mint and redeem framework is characterized by broad, largely unrestrained discretion on the part of OKX. There exists neither an absolute nor an irrevocable entitlement for users to subscribe to or redeem xBTC. Users are thereby exposed to elevated risks of asset inaccessibility, whether due to technical disruptions, policy amendments, compliance barriers, or the necessity of proportionate redemption if reserve assets prove inadequate.

4.1.2. Custody Commitments and Assurances

The Agreement purports that BTC utilized for xBTC subscriptions “will be segregated”; however, it immediately qualifies this by affording OKX the latitude to “from time to time pool such BTC with other users’ assets in non-segregated omnibus accounts, at its discretion.” This flexibility is further substantiated through direct reference to Clause 4.5 of the overarching OKX Terms of Service, which explicitly provides: “By accepting these Terms, you expressly agree to the pooling of your Digital Assets with the Digital Assets of other users. Digital assets of users are not protected by deposit protection or a deposit insurance scheme. In the case of an irreconcilable shortfall, deposited assets or funds may not be fully recoverable.” Accordingly, the legal or physical segregation of user assets is not only unguaranteed but flatly superseded by provisions enabling asset pooling and collective management.

Within this framework, users are made subject to all risk factors outlined throughout this Agreement and the more comprehensive OKX Terms of Service, both of which contain numerous, explicit disclaimers of liability. OKX specifically disavows responsibility for the vast majority of losses—most notably those deriving from technical malfunctions, unauthorized access, hacking, operational errors, catastrophic events, or otherwise. Furthermore, OKX offers no guarantee regarding the value of the asset, the absolute ability to redeem it, or the efficacy and security of the custody infrastructure and underpinning digital asset networks.

It is therefore evident that OKX’s custody undertakings are minimal and extensively caveated. The Agreement permits, and indeed contemplates, the routine comingling of user assets in a non-segregated, pooled context. Any assurances of asset protection or custodial transparency are limited, placing the risk burden squarely on users’ shoulders.

4.1.3. Bankruptcy Remoteness and Segregation of Assets

The Agreement is silent with respect to bankruptcy remoteness, offering no explicit assurances that user assets will be insulated from claims by OKX’s general creditors in the event of insolvency. There are no provisions establishing a trust, instituting escrow arrangements, or designating third-party custodians to safeguard user BTC; accordingly, the Agreement fails to confer any form of statutory, contractual, or structural protection that would elevate user assets above the reach of an insolvency administrator or liquidator. The language concerning asset pool shortfalls—specifically the application of a “pro rata return” mechanism—implicitly recognizes that users hold no individualized property rights in specific BTC. Rather, their interests are limited to an undifferentiated claim against a collective asset pool. This absence of individualized entitlement means, in a liquidation scenario, user BTC may be swept into the estate available for distribution to all creditors.

While the Agreement alludes to OKX’s intention to “endeavour” to segregate BTC used in connection with xBTC subscriptions, this aspiration is immediately tempered by the express allowance that such assets “may be pooled in non-segregated omnibus accounts.” There is, therefore, no binding contractual obligation on OKX to preserve strict segregation between the BTC held for xBTC users and other assets in its custody—including those belonging to the platform itself or to other users. In practical terms, this means client BTC may be freely commingled, used to satisfy the obligations of OKX, or exposed to setoff rights held by counterparties or creditors in the ordinary course of business.

In the absence of a robust framework mandating asset segregation or a clear declaration of trust in favor of xBTC users, the legal position of customers is precarious. Users’ BTC may be swept into OKX’s general pool of assets, exposed to commingling, and therefore potentially leveraged or appropriated to meet unrelated OKX liabilities.

4.1.4. Clarification Round

The legal deficiencies identified above have been communicated to OKX representatives, with an explicit request for clarification as to how the company intends to mitigate or resolve these concerns. In response, OKX has asserted that the BTC underpinning the xBTC program is maintained in a designated, locked address, which is solely controlled by Aux Cayes. This locked address, according to OKX representatives, is subject to strict segregation protocols, ensuring it remains entirely distinct from BTC held on the OKX exchange for other client purposes or from OKX’s proprietary funds. The company maintains that there is no commingling of user assets in these reserve accounts under any circumstances.

Furthermore, OKX states that BTC held within these designated reserve (locked) addresses is not subject to staking, lending, rehypothecation, or any form of use as liquidity, collateral, or for other third-party purposes.

OKX has provided a shareable legal memorandum regarding the xBTC programme, which discloses that both subscription to, and redemption from, xBTC are presently limited to users of OKX Seychelles and OKX Bahamas, the latter being restricted exclusively to institutional clientele. All users must complete a mandatory KYC process before gaining access to restricted services such as xBTC, ensuring that services are only provided in jurisdictions where they are legally permitted.

Addressing the permissibility of Aux Cayes Fintech Co. Ltd. (the operator of xBTC program) in delivering these services, it is relevant to note that Aux Cayes is a legal entity incorporated in the Seychelles, and is subject to oversight as a Virtual Asset Service Provider (“VASP”) governed by the Virtual Asset Service Providers Act, 2024 (“VASP Act”), under the regulatory authority of the Seychelles Financial Services Authority (“FSA”).

Aux Cayes has duly submitted its licence application pursuant to the transitional framework established for pre-existing VASPs that were in operation prior to the commencement of the Act, having filed by the statutory deadline of 31 December 2024. Until the issuance of a full licence, it continues to operate lawfully under the transitional provisions as set forth in the VASP Act.

The regulatory framework enshrined in the VASP Act and its accompanying Regulations empowers licensed VASPs to engage in a variety of regulated activities, including:

• Virtual asset exchange services – exchange between virtual assets or between virtual assets and fiat currency.

• Transfer services – conducting or arranging transfers of virtual assets between wallets or accounts.

• Safekeeping or administration of virtual assets or instruments enabling control over virtual assets (i.e., wallet provider services).

• Participation in or provision of financial services related to an issuer’s offer or sale of a virtual asset.

Verification of Aux Cayes’ registration as a VASP has been independently confirmed through the FSA’s publicly accessible online registry.

Source: FSA Licensed VASPs, Date: October 28th, 2025

OKX’s legal memorandum ultimately concludes that the xBTC program, as operated by Aux Cayes, is squarely within the remit of the VASP Act. Thus, under the laws of Seychelles, Aux Cayes holds the requisite legal authority to offer the xBTC product, encompassing both the minting and burning of xBTC as well as the custodianship of the underlying BTC wallet.

4.2 Access Control Risk

xBTC is deployed behind a Transparent Upgradeable Proxy, with the current implementation contract deployed on September 18, 2025.

4.2.1 Contract Modification Options

A Role-Based Access Control system is utilized. The roles and their associated capabilities are outlined below:

• MINTER_ROLE: Can mint and burn tokens, assigned to MPC 1.
• DENY_LISTER_ROLE: Can pause/unpause transfers and manage the deny list, assigned to MPC 2.
• DEFAULT_ADMIN_ROLE: Has admin privileges, assigned to MPC 2.

Sensitive functions accessible by each role include:

• DEFAULT_ADMIN_ROLE:
  • All Deny List Role functions
  • grantRole assigns roles to addresses
  • revokeRole removes roles assigned to addresses
• MINTER_ROLE:
  • mint & burn xBTC
  • transferMinter relinquishes the role to a new account
• DENY_LISTER_ROLE:
  • pause and unpause all token transfers
  • setReceiver determines where newly minted are sent
  • addToDenyList & removeFromDenyList controls a permissioned Deny list that blocks addresses from sending/receiving tokens
  • transferDenyLister relinquishes the role to a new account

These roles highlight the highly centralized controls that roles have key contract functions, i.e,. minting, transferring, pausing, and determining where newly minted xBTC are sent (and indirectly, access to the underlying BTC redemption right).

4.2.2 Timelock Duration and Function

No timelock has been deployed on the xBTC contract, meaning sensitive actions such as upgrades, sensitive calls, or role changes can be executed without delay or public notice.

4.2.3 Multisig Threshold / Signer identity

MPCs are controlled internally by OKX; no external parties are involved in the management of control systems. Admin actions require internal review and senior management approval.

Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.

Aave V3 Specific Parameters

Aave V3 specific risk parameters for xBTC will be presented jointly with Chaos Labs prior to instance deployment.

Price feed Recommendation

We recommend using the Chainlink BTC/USD price feed available on X Layer.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

In connection with the forthcoming X Layer deployment, we present our analysis for OKB onboarding.

Summary

As part of our X Layer risk review, we present this assessment of OKB covering token architecture, liquidity profile, pricing infrastructure, and regulatory context. We recommend onboarding OKB to the Aave v3 X Layer instance, provided that reliable oracle coverage and active monitoring are maintained. The main concern is low and fragmented DEX liquidity on X Layer, which increases slippage and execution risk. We expect the X Layer team to supply additional liquidity to improve market depth and ensure a stable and smooth launch.

1. Asset Fundamental Characteristics

1.1 Asset

OKB is the native utility token of the OKX ecosystem, with a fixed total supply of 21 million tokens on X Layer. It serves as an integral component of the platform’s operational and incentive structure. OKB functions as the native fee token on X Layer, where it is used to pay for gas and transaction execution within the network.

1.2 Architecture

OKB on X Layer functions as the network’s fee token. All transactions, computations, and storage on the L2 are metered in OKB and settled within X Layer’s EVM state. The protocol treats OKB as the native asset, so users must hold OKB to pay gas and execute contracts.

Wrapped OKB on X Layer uses the WETH9-style wrapper to present OKB as an ERC-20 compatible token. The wrapper accepts native OKB, issues WOKB one-to-one, and allows redemption back to native OKB. This preserves ERC-20 interfaces for DEXs, vaults, and lending protocols while keeping gas paid in the native unit.

Bridging connects Ethereum and X Layer through the AggLayer and supported third-party routers. Canonical OKB is escrowed on the origin side and released on the destination after finality. Redemptions burn the representation and unlock the escrowed amount.

Supply on the X Layer is a routing of the fixed 21 million OKB total. The L2 does not mint OKB and does not govern supply policy. Any changes to circulating supply occur at the issuer and treasury layer and then propagate to X Layer through deposits and withdrawals.

Pricing relies on oracles that consume centralized and decentralized venues. For protocol safety on X Layer, the recommended feed is Chainlink OKB/USD. Using this oracle as the primary on-chain source is consistent with standard protocol safety practices.

1.3 Tokenomics

OKB total supply was permanently fixed at 21,000,000 tokens following a one-time burn of 65,256,712.097 OKB on August 15, 2025. The burned tokens were sourced from historical buybacks and treasury reserves.

1.3.1 Token Holder Concentration

Source: OKB concentration, October 28, 2025

Source: WOKB token holdings, October 28, 2025

On X Layer, the OKB is almost entirely held under OKX native custody, with only about 0.32% of the total supply issued as wrapped tokens.

Token holdings show a concentrated distribution across liquidity pool (LP) contracts, with the top 10 addresses collectively controlling over 35% of the total supply.
Most top LP positions experienced positive daily changes, suggesting active liquidity provision and potential rebalancing activity. Overall, liquidity remains primarily pool-driven, with on-chain concentration implying dependency on a few active DeFi pools for price stability and depth.

Top 5 holders of OKB:

• Potato LP (DOGSHIT/WOKB) – 6,842.12 OKB (10.02%)
• Potato LP (KINGX/WOKB) – 2,843.27 OKB (4.17%)
• In LP (INS/WOKB) – 2,482.01 OKB (3.64%)
• Potato LP (LABUBU/WOKB) – 2,408.79 OKB (3.53%)
• DYOR LP (XDOG/WOKB) – 2,311.68 OKB (3.39%)

2. Market Risk

2.1 Liquidity

Source: OKX Swap, October 28, 2025

Current depth implies a 9.89% slippage for selling 1750 OKB. Considering OKB’s overall market capitalization and trading activity, this indicates that OKB has low DEX liquidity on X Layer. Large on-chain transactions or forced liquidations could trigger significant price fluctuations on DEXs due to limited liquidity depth.

We proposed to the X Layer team an initial liquidity target of 5 million in USD with expected slippage between 5-8% as a starting point, with additional liquidity to be provided progressively as the market matures and trading activity deepens across decentralized venues.

2.1.1 Liquidity Venue Concentration

Source: GeckoTerminal, October 28, 2025

Most liquidity sits in memecoin pairs, primarily Potato LPs and DYOR LPs. Total DEX liquidity shown here is about 50k OKB across the top 100 Liquidity Pool addresses. That is roughly 0.238% of a 21m OKB supply.

The biggest stablecoin pools include:

• OkieSwap USDT/WOKB - $233.05K TVL
• QuickSwap USDT/WOKB - 328.46k TVL
• PotatoSwap USDT/WOKB - 344.25k TVL

2.1.2 DEX LP Concentration

OKB DEX liquidity shows low concentration, with liquidity dispersed across multiple small pools, many paired with memecoins. Individual pool depth remains limited, leading to fragmented routing and higher execution costs. Almost all liquidity provision appears to come from the X Layer team and supported protocols.

2.2 Volatility

Source: OKX, October 28, 2025

Following the August token burn, volatility increased sharply, and the price surged up to a peak of 258.44 USD, marking a 472.97% increase over a period of roughly nine days with daily trading volume around 180.85K OKB (21.6M in USD).

2.3 Exchanges

Source: CoinGecko, October 28, 2025

Centralized exchange liquidity for OKB remains dominant, with OKX accounting for roughly 57.8% of total trading volume in the OKB/USDT pair. Depth within ±2% on OKX exceeds $2.05 million combined, which supports tight spreads around 0.01%. Secondary liquidity is distributed across Gate.io, LBank, XT.COM, and Bitunix, each contributing between 4% and 6% of global daily turnover.

Aggregate 24-hour volume across the top ten exchanges totals approximately $33.0 million, indicating moderate but sufficient centralized liquidity for stable price discovery and institutional execution. This depth contrasts with low on-chain liquidity on X Layer, confirming that OKB price formation remains primarily centralized, with OKX dictating benchmark pricing. Note that OKB continues to be absent from onshore regulated exchanges.

2.4 Growth

As the network’s native token, the growth of OKB is expected to correlate with the expansion of activity on X Layer and its associated applications. At the time of writing, approximately 68k WOKB has been wrapped and is circulating on X Layer out of the 21 million total OKB supply, indicating that only a small fraction of total tokens are currently active within the on-chain ecosystem.

3. Technological Risk

3.1 Smart Contract Risk

WOKB is built on the WETH contract framework. The WETH standard was created as an open-source initiative by contributors from MakerDAO, 0xLabs, and Gnosis. Its WETH9 implementation is a proven and broadly adopted model across EVM networks.

As a widely used wrapper implementation, WETH code often forms part of protocol audits that integrate it, for example:

• Sherlock - EdgeLayer (May, 2025)
• Openzeppelin - Scroll (October, 2023)
• Dedaub - Maverick Protocol (March 2023)

3.2 Bug Bounty Program

The OKB token is covered under the OKX bug bounty program on HackerOne. Researchers can report security vulnerabilities related to OKB or its supporting infrastructure through the OKX Bug Bounty Program, with rewards determined by issue severity and payouts reaching up to $1,000,000 for critical findings.

3.3 Price Feed Risk

For OKB pricing, we recommend using the Chainlink OKB/USD price feed as the primary oracle source. The feed aggregates data from 10 underlying oracles and refreshes every 24 hours, offering enhanced transparency and robustness in stablecoin valuation. Its deviation threshold is configured at 0.5%.

3.4 Dependency Risk

The primary dependency risk related to OKB stems from its direct connection to the OKX ecosystem. This dependency is amplified by the high concentration of OKB supply held in OKX custody, with only a small fraction circulating as wrapped tokens. Any negative development, such as legal restrictions, security breaches, or operational interruptions within the OKX ecosystem, would likely have an immediate and significant impact on the liquidity and overall market perception of OKB.

The core use cases of OKB are concentrated within the OKX. The long-term viability of the token, therefore, relies on the sustained global presence and strategic expansion of the OKX ecosystem.

4. Counterparty Risk

4.1 Governance and Regulatory Risk

There is no standalone “OKB Terms of Use” or token-specific contract. In practice, the legal treatment of OKB is subsumed under OKX’s platform agreements, together with any product-level terms that govern where and how the token may be held or used. The baseline instrument is the OKX global Terms of Service, which applies to use of the OKX venue and to all listed “Digital Assets,” encompassing OKB. The current page reflects an original publication date of 29 August 2023 and a last update on 12 May 2025, and it incorporates the platform risk statement, dispute-resolution and arbitration provisions, and other boilerplate that collectively structure the contractual relationship.

The global platform for “all other users” is operated by Aux Cayes FinTech Co. Ltd., a company incorporated in the Seychelles. This entity is named as a counterparty in the global Terms of Service and—critically—is the same entity that entered a U.S. guilty plea in February 2025 for operating an unlicensed money-transmitting business and for AML program failures. The resulting resolution included approximately $505 million in combined criminal fines and forfeiture, together with an obligation to retain an independent compliance consultant through February 2027, which functions as a forward-looking remediation and monitoring commitment.

Within the European Union, OKX’s operations have been consolidated under a MiCA authorization held by OKCoin Europe Limited, licensed by the Malta Financial Services Authority and passported into France. The AMF record evidences a broad scope of services—custody and administration, operation of a trading platform, exchange of crypto-assets for funds and for other crypto-assets, execution of orders, placing, reception and transmission of orders, portfolio management, and transfer services on behalf of clients—signalling a full-stack CASP profile for EU delivery. In parallel, OKX France Technology Company SAS voluntarily deregistered as a PSAN on 28 July 2025 as part of this consolidation. In the European Union (MiCA) specifically, the AMF’s CASP passport entry for OKCoin Europe Limited lists the authorized services verbatim as follows: “Providing custody and administration of crypto-assets on behalf of clients”; “Operation of a trading platform for crypto-assets”; “Exchange of crypto-assets for funds”; “Exchange of crypto-assets for other crypto-assets”; “Execution of orders for crypto-assets on behalf of clients”; “Placing of crypto-assets”; “Reception and transmission of orders for crypto-assets on behalf of clients”; “Providing portfolio management on crypto-assets”; and “Providing transfer services for crypto-assets on behalf of clients.”

In the United Arab Emirates (Dubai), OKX Middle East Fintech FZE holds a VARA VASP license (reference VL/23/12/003) that covers Exchange Services, Lending and Borrowing, and Management & Investment Services, with permission to serve institutional, qualified, and retail clients. OKX publishes Dubai-specific customer documentation aligned to these license buckets—including a trading venue Code of Conduct and product terms under the VA Lending & Borrowing permission—which, among other things, clarify that OKX Dubai does not provide investment advice.

In Singapore, OKX SG Pte. Ltd. operates as a Major Payment Institution under the Payment Services Act, authorized to provide both digital payment token services and cross-border money transfer services. The Monetary Authority of Singapore’s Financial Institutions Directory records the entity and its status.

In Australia, OKX conducts spot services through OKX Australia Pty Ltd as an AUSTRAC-registered digital currency exchange, while derivatives are restricted to “wholesale clients” and provided by OKX Australia Financial Pty Ltd, which holds an Australian Financial Services Licence. OKX’s disclaimer delineates this two-entity model and the client segmentation. In Australia’s local Terms of Service, the permitted activities are set out expressly: “Part B Digital currency exchange … Crypto to fiat, fiat to crypto, and crypto to crypto via Convert and Spot Service,” accompanied by the note that “These Services are not regulated under the Australian financial services licensing regime and [are] not subject to regulation by ASIC.” For derivatives, “Part C Derivatives … These Services are available to wholesale clients only. These are the only Services that are regulated under the Australian financial services licensing regime and subject to regulation by ASIC.” For on-chain yield, “Part D On-Chain Earn … is not regulated under the Australian financial services licensing regime and is not subject to regulation by ASIC.”

In the United States, OKCoin USA Inc. functions as the licensed counterparty. The U.S. site states that OKCoin USA Inc. is registered with FinCEN as a Money Services Business and holds state money-transmitter licences listed via NMLS, with the U.S. Terms of Service governing the platform relationship.

In the United Kingdom, OKX does not hold an MLR registration as a cryptoasset exchange or custodian. Access to the U.K. retail market proceeds under the Financial Conduct Authority’s financial promotions regime. OKX has implemented the mandated risk warning, user categorization, and appropriateness testing and has publicly indicated the use of authorized approvers to lawfully communicate promotions. These are permissions under marketing law rather than conduct or prudential authorizations, and they therefore constrain both what can be offered and the manner in which it may be described to U.K. consumers.

4.2 Access Control Risk

The Wrapped OKB contract is a permissionless, non-upgradeable contract similar to WETH9.

Aave V3 Specific Parameters

Aave V3 specific risk parameters for OKB will be presented jointly with Chaos Labs prior to instance deployment.

Price feed Recommendation

We recommend using the Chainlink OKB/USD price feed as the primary oracle source for reliable on-chain pricing.

Disclaimer

This review was independently prepared by LlamaRisk, a DeFi risk service provider funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.