Access to real-time onchain data, audit reports, attestations, and governance files all in one place. We don't ask for trust, we prove it.












Overview of admin multisig configuration and on-chain governance activity.
All admin actions are gated by a 4-of-6 multisig and a Timelock with a 2 day minimum delay.
Every contract that touches user funds has been reviewed by at least two independent auditors. All deployed contracts are verified and bytecode checks have been done to ensure live code matches the audited versions.

Ethereum

Contract: thUSD

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 2 days | Single-owner contract. All admin calls flow through the Timelock above. |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

thUSD verification

```bash
# thUSD · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0xa3fE5c7596024E6811E14F029937D5bd8Ae485b3 'owner()(address)' \
  --rpc-url https://ethereum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: sthUSD

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 2 days | Single-owner contract. All admin calls flow through the Timelock above. |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

sthUSD verification

```bash
# sthUSD · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0xA808Bc9775cb41c52C7842f8b50427fE7A770326 'owner()(address)' \
  --rpc-url https://ethereum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: Mint & Redeem

| Role | Holder | Delay | Notes |
|---|---|---|---|
| DEFAULT_ADMIN_ROLE | Timelock | 2 days | Upgrade, role grants/revokes |
| EMERGENCY_ROLE | Guardian EOA (Fordefi MPC) | Instant | Pause issuance / redemptions in an incident |
| MINTER_ROLE | Minter EOA (Fordefi MPC) | Instant | Authorize mints; cannot move user funds or change roles |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

Mint & Redeem verification

```bash
# Mint & Redeem · independent verification (Foundry's cast)
RPC=https://ethereum-rpc.publicnode.com
ADDR=0x2D99aC801DC0edadD53f5688FeF2317932E8696e

# 1. Per-(role, holder) membership check — each call returns true.
# DEFAULT_ADMIN_ROLE → Timelock
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0x0000000000000000000000000000000000000000000000000000000000000000 \
  0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02 \
  --rpc-url "$RPC"
# EMERGENCY_ROLE → Guardian EOA (Fordefi MPC)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0xbf233dd2aafeb4d50879c4aa5c81e96d92f6e6945c906a58f9f2d1c1631b4b26 \
  0xf936df06d35a2f82f26083f32ff2ab72f3ebdd8f \
  --rpc-url "$RPC"
# MINTER_ROLE → Minter EOA (Fordefi MPC)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0x9f2df0fed2c77648de5860a4cc508cd0818c85b8b8a1ab4ceeef8d981c8956a6 \
  0x09ec7c2d4955525237b843f5338dd7982b5553b6 \
  --rpc-url "$RPC"

# 2. Enumerate the complete holder set by replaying all role events
#    from the deploy block. Holder set = grants minus revokes,
#    applied in (block, logIndex) order.
cast logs --address "$ADDR" --from-block 24837116 \
  'RoleGranted(bytes32,address,address)' --rpc-url "$RPC"
cast logs --address "$ADDR" --from-block 24837116 \
  'RoleRevoked(bytes32,address,address)' --rpc-url "$RPC"
```

Contract: thUSD OFT Adapter

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 2 days | Wraps the thUSD ERC20 for cross-chain transfers. Owner configures DVN stack and peer adapters; no on-chain rate limit on this adapter. |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

thUSD OFT Adapter verification

```bash
# thUSD OFT Adapter · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0x9AA9Aa0530a6AF70EE7BC47cF1240100f514b065 'owner()(address)' \
  --rpc-url https://ethereum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: sthUSD OFT Adapter

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 2 days | Wraps the sthUSD ERC20 for cross-chain transfers. Owner configures DVN stack, peer adapters, and rate limits (2M sthUSD/hr per outbound lane). |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

sthUSD OFT Adapter verification

```bash
# sthUSD OFT Adapter · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0xd1db209087516883ec705cfeb99e80bb6032d540 'owner()(address)' \
  --rpc-url https://ethereum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: Timelock

| Role | Holder | Delay | Notes |
|---|---|---|---|
| DEFAULT_ADMIN_ROLE | Timelock (self) | 2 days | Grant/revoke any role on the timelock. Held only by the timelock itself — every change must flow through a delayed proposal. |
| CANCELLER_ROLE | Canceller EOA (Fordefi MPC); Operator multisig (4-of-6) | 0 | Veto a queued operation pre-execution |
| EXECUTOR_ROLE | Operator multisig (4-of-6) | 0 | Manually executes once the timer elapses |
| PROPOSER_ROLE | Operator multisig (4-of-6) | 0 | Schedules ops; delay enforced downstream |

Verify these roles yourself. These commands hit Ethereum directly via a public RPC. Paste into a terminal with Foundry installed.

Timelock verification

```bash
# Timelock · independent verification (Foundry's cast)
RPC=https://ethereum-rpc.publicnode.com
ADDR=0x2bB4b7E6E83FA6b77d0143dad631843cB73DCA02

# 1. Per-(role, holder) membership check — each call returns true.
# DEFAULT_ADMIN_ROLE → Timelock (self)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0x0000000000000000000000000000000000000000000000000000000000000000 \
  0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02 \
  --rpc-url "$RPC"
# CANCELLER_ROLE → Canceller EOA (Fordefi MPC)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0xfd643c72710c63c0180259aba6b2d05451e3591a24e58b62239378085726f783 \
  0x7afb1d3308d22639f1ce698a2985cbf22f96d94a \
  --rpc-url "$RPC"
# CANCELLER_ROLE → Operator multisig (4-of-6)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0xfd643c72710c63c0180259aba6b2d05451e3591a24e58b62239378085726f783 \
  0x94877640dd9e6f1e3cb56bf7b5665b7152601295 \
  --rpc-url "$RPC"
# EXECUTOR_ROLE → Operator multisig (4-of-6)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0xd8aa0f3194971a2a116679f7c2090f6939c8d4e01a2a8d7e41d55e5351469e63 \
  0x94877640dd9e6f1e3cb56bf7b5665b7152601295 \
  --rpc-url "$RPC"
# PROPOSER_ROLE → Operator multisig (4-of-6)
cast call "$ADDR" 'hasRole(bytes32,address)(bool)' \
  0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1 \
  0x94877640dd9e6f1e3cb56bf7b5665b7152601295 \
  --rpc-url "$RPC"

# 2. Enumerate the complete holder set by replaying all role events
#    from the deploy block. Holder set = grants minus revokes,
#    applied in (block, logIndex) order.
cast logs --address "$ADDR" --from-block 25046194 \
  'RoleGranted(bytes32,address,address)' --rpc-url "$RPC"
cast logs --address "$ADDR" --from-block 25046194 \
  'RoleRevoked(bytes32,address,address)' --rpc-url "$RPC"
```
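
The `hasRole` calls in step 1 of the Mint & Redeem and Timelock checks only confirm that the documented holders have their roles; the event replay in step 2 is what would expose an additional holder. The following Python is an added example, not code from this page or the project: it replays logs shaped like `eth_getLogs` results into a holder set and diffs it against the documented table. The function names, the `STRAY` address and all sample logs are constructed for illustration; the role ids and holder addresses are the Timelock values listed above.

```python
# Added example; log dicts use eth_getLogs field names, sample logs are constructed.
def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def replay_roles(granted, revoked):
    """Return {role: holders}: grants minus revokes, in chain order."""
    events = [(g, True) for g in granted] + [(r, False) for r in revoked]
    # (block, logIndex) ordering makes revoke-then-regrant net out right.
    events.sort(key=lambda e: (int(e[0]["blockNumber"], 16),
                               int(e[0]["logIndex"], 16)))
    holders = {}
    for entry, is_grant in events:
        role = entry["topics"][1].lower()               # indexed role
        account = topic_to_address(entry["topics"][2])  # indexed account
        members = holders.setdefault(role, set())
        if is_grant:
            members.add(account)
        else:
            members.discard(account)
    return {role: m for role, m in holders.items() if m}

def unexpected_holders(actual, expected):
    """(role, account) pairs on chain that the documented table lacks."""
    return {(r, a) for r, m in actual.items()
            for a in m - expected.get(r, set())}

# Role ids and holder addresses as listed on this page for the Timelock.
PROPOSER = "0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1"
CANCELLER = "0xfd643c72710c63c0180259aba6b2d05451e3591a24e58b62239378085726f783"
MULTISIG = "0x94877640dd9e6f1e3cb56bf7b5665b7152601295"
CANCELLER_EOA = "0x7afb1d3308d22639f1ce698a2985cbf22f96d94a"
STRAY = "0x" + "11" * 20  # constructed placeholder, not a real holder

def sample_log(role, account, block, index):
    """Build a constructed log; topic0 and sender are placeholders."""
    padded = "0x" + "00" * 12 + account[2:]
    return {"topics": ["<topic0>", role, padded, padded],
            "blockNumber": hex(block), "logIndex": hex(index)}

GRANTED = [sample_log(PROPOSER, STRAY, 100, 0),
           sample_log(PROPOSER, MULTISIG, 100, 1),
           sample_log(CANCELLER, MULTISIG, 100, 2),
           sample_log(CANCELLER, CANCELLER_EOA, 100, 3),
           sample_log(CANCELLER, STRAY, 100, 4),
           sample_log(CANCELLER, CANCELLER_EOA, 102, 1)]  # re-grant
REVOKED = [sample_log(PROPOSER, STRAY, 101, 0),
           sample_log(CANCELLER, CANCELLER_EOA, 102, 0)]
EXPECTED = {PROPOSER: {MULTISIG}, CANCELLER: {MULTISIG, CANCELLER_EOA}}
```

With real data, `GRANTED` and `REVOKED` would be the parsed results of the two `cast logs` queries, and a non-empty `unexpected_holders(...)` result means a role holder exists that the table does not document.
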

Arbitrum

Contract: thUSD OFT

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 18 hours | Native OFT on the destination chain. Owner is the chain-local TimelockController — peer, send-library, and rate-limit changes are gated by the delay shown above. |

Verify these roles yourself. These commands hit Arbitrum directly via a public RPC. Paste into a terminal with Foundry installed.

thUSD OFT verification

```bash
# thUSD OFT · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0x9AA9Aa0530a6AF70EE7BC47cF1240100f514b065 'owner()(address)' \
  --rpc-url https://arbitrum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: sthUSD OFT

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 18 hours | Native OFT on the destination chain. Owner is the chain-local TimelockController — peer, send-library, and rate-limit changes are gated by the delay shown above. |

Verify these roles yourself. These commands hit Arbitrum directly via a public RPC. Paste into a terminal with Foundry installed.

sthUSD OFT verification

```bash
# sthUSD OFT · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0xd1db209087516883ec705cfeb99e80bb6032d540 'owner()(address)' \
  --rpc-url https://arbitrum-rpc.publicnode.com
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Stable

Contract: thUSD OFT

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 18 hours | Native OFT on the destination chain. Owner is the chain-local TimelockController — peer, send-library, and rate-limit changes are gated by the delay shown above. |

Verify these roles yourself. These commands hit Stable directly via a public RPC. Paste into a terminal with Foundry installed.

thUSD OFT verification

```bash
# thUSD OFT · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0x9AA9Aa0530a6AF70EE7BC47cF1240100f514b065 'owner()(address)' \
  --rpc-url https://rpc.stable.xyz
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Contract: sthUSD OFT

| Role | Holder | Delay | Notes |
|---|---|---|---|
| Ownable.owner() | Timelock | 18 hours | Native OFT on the destination chain. Owner is the chain-local TimelockController — peer, send-library, and rate-limit changes are gated by the delay shown above. |

Verify these roles yourself. These commands hit Stable directly via a public RPC. Paste into a terminal with Foundry installed.

sthUSD OFT verification

```bash
# sthUSD OFT · independent verification (Foundry's cast)
# Returns the current owner — should be Timelock.
cast call 0xd1db209087516883ec705cfeb99e80bb6032d540 'owner()(address)' \
  --rpc-url https://rpc.stable.xyz
# Expect: 0x2bb4b7e6e83fa6b77d0143dad631843cb73dca02
```

Every deployed contract is verified on-chain and bytecode-matched to the audited commit via a reproducible build script.
A public bug bounty is in scoping. In the meantime, responsible disclosures go to security@theo.xyz. Please include a private git repository with a proof-of-concept or simulation that reproduces the bug.
Powered by Hypernative, we track all contract activity in real time.
thUSD · sthUSD · Mint & Redeem · OFT · TimelockController

thUSD bridges via LayerZero v2 with a custom DVN stack and global rate limits. Required DVNs are independent; raising caps requires a 48-hour timelock.
A live pull of the most current DVN configurations, queried directly from the EndpointV2 contract.
15 block confirmations · 1 optional fallback
15 block confirmations · 1 optional fallback
sthUSD transfers are rate-limited per destination on a rolling window enforced on-chain.
Every audit report and policy referenced on this page. All files download directly.