Across Protocol

Audits and Due Diligence Disclosures

All formal audits to date have been performed by a single firm — OpenZeppelin. No public Code4rena, Spearbit, Trail of Bits, or Cantina contests for Across were located.

Date	Scope	Findings (notable)	Source
Jul 2023	V2 zkSync Era integration (ZkSync_SpokePool, ZkSync_Adapter)	1 medium (resolved), 6 notes	OZ — Across V2 Incremental Audit
Jan 8 – 30, 2024	V3 incremental	4 med, 7 low, 16 notes (25/27 resolved)	OZ — Across V3 Incremental Audit
May 20 – Jun 7, 2024	V3 + Oval (Blast L2, EIP-7683, MulticallHandler)	4 med, 7 low, 14 notes (all resolved)	OZ — Across V3 and Oval Incremental Audit
Oct 7 – 30, 2024	L3 / ZkStack / Predictable Relay Hash / ERC-7683 / World Chain	1 critical, 2 high, 8 med, 3 low, 14 notes — critical/high resolved	OZ — Across Audit (Oct 2024)
Nov 26 – Dec 18, 2024	SVM Spoke (Solana)	2 high (1 partial, 1 unresolved), 1 med unresolved, 9 low, 7 notes	OZ — SVM Spoke Audit
May 15 – 26, 2025	Periphery Changes Audit (SpokePoolPeriphery.sol, MulticallHandler.sol, PeripherySigningLib.sol)	0 critical, 1 high, 3 med, 3 low, 6 notes — all resolved	OZ — Periphery Changes Audit
May 19 – 23, 2025	OFT Integration Differential Audit (LayerZero OFT support, PRs #1031/#1032)	0 critical, 1 high (unresolved), 7 med (4 resolved, 1 partial), 13 low (1 resolved, 3 partial), 11 notes	OZ — Across OFT Integration Differential Audit

Smart contract complexity: Moderate-to-high. The HubPool is a single non-upgradeable contract (~1k lines) on L1, but the broader system spans many UUPS-upgradeable SpokePools across every supported chain, many ChainAdapters, the BondToken, an UMA Optimistic Oracle dependency, a HubPoolStore, an AcrossConfigStore, and a MulticallHandler. Cross-chain orchestration via relaySpokePoolAdminFunction is a meaningful additional attack surface.

Unresolved findings:

• The October 2024 audit found a critical issue (resolved).
• The Nov–Dec 2024 SVM Spoke audit lists unresolved high and medium findings (scoped to the Solana SpokePool — does not affect Ethereum mainnet LP tokens directly, but remains open in the same codebase).
• The May 2025 OFT Integration Differential audit has one unresolved high-severity finding ("failed messengers rendering canonical methods useless"); per OpenZeppelin's writeup the team chose not to implement try/catch logic and plans manual intervention if such a situation arises.

Sole-auditor concentration: The exclusive use of OpenZeppelin over the protocol's lifetime is a concentration risk. Across has not published any non-OZ external review.

Bug Bounty

• Platform: Self-hosted by Across at docs.across.to/introduction/bug-bounty. Submissions go to bugs@across.to.
• Severity tiers (from primary docs): Low $250, Medium $1,000, High $10,000, Critical up to $1,000,000. Severity uses the OWASP risk-rating model.
• Scope: All smart contracts and off-chain code within the across-protocol repository, including bots and front-end code.
• Immunefi: Not listed. immunefi.com/bug-bounty/acrossprotocol/ returned 404 at research time. Across does not have an Immunefi program — the bounty is fully self-hosted.
• Safe Harbor (SEAL): TODO — could not access safeharbor.securityalliance.org/adopters (404). Confirm with team whether Across has adopted Safe Harbor.

Historical Track Record

• HubPool deployment: May 2022 (Ethereum block 14,819,537) — ~4 years in production.
• V3 (intents-based) launch: February 22, 2024, per the official Medium announcement.
• Cumulative bridge volume / fees (DefiLlama, May 12, 2026): $59.566B cumulative bridged, $18.53M cumulative fees.
• TVL (DefiLlama, May 12, 2026): $27.98M (confirmed via reports/scripts/fetch_defillama_tvl.py across).
• Peak TVL: $248.88M on December 9, 2024 (DefiLlama).
• TVL trajectory: 89% drawdown from Dec 2024 peak to May 2026; ~30× peak-to-min volatility ratio. The protocol now sits well below the "$50M sustained" threshold.

Past security incidents (bridge contracts):

• No direct exploits of Across bridge contracts since the May 2022 launch, corroborated by the Across blog "Why Across Has Never Been Hacked", the DefiLlama bridge incident database (no entry for Across), and the absence of any postmortem in the Across forum or GitHub.

Operational / governance incident (June 2025, NOT a smart-contract exploit):

• On June 26 – 27, 2025, researcher "Ogle" (Glue founder) publicly alleged that Across leadership manipulated DAO votes to transfer 150M ACX (~$23M) from the DAO treasury to Risk Labs Foundation. The allegation centers on Across treasurer Kevin Chan reportedly voting "yes" on the second proposal via undisclosed wallet maxodds.eth, which provided a material share of the yes-votes on a 50M ACX retrospective proposal.
• ACX price reaction: ~10% drop in 24h, ~40% drop month-over-month, ~91% drawdown from Dec 2024 ATH.
• Across CEO Hart Lambur publicly denied: "The allegations in here are categorically untrue and I will vigorously defend our protocol and our team."
• Sources: crypto.news, The Block, Bitget News.
• Impact on LPs: Direct LP claims (liquidReserves + utilizedReserves) are not affected by ACX governance events. Indirect impact: the same multisig signers (Risk Labs representatives, per the Across Governance Operating Manual) that allegedly directed treasury votes also control the HubPool, BondToken, and every SpokePool with no timelock — i.e., reputational concerns about governance integrity translate directly into custody risk for LP funds.

Peg deviations: Not applicable — LP tokens are not pegged; they represent a pro-rata share of an asset pool and accrue value through fee accrual.

Concentration risk among depositors: TODO — top-holder analysis of each LP token contract was not run during this assessment. The small total TVL (~$28M) implies a small number of LPs may dominate any given pool — review the top-holder list for the relevant LP token on Etherscan (e.g. Av2-USDC-LP holders) before sizing a Yearn position.

Funds Management

Fund delegation: Across does not redelegate LP funds to external yield protocols. LP capital sits in two states only:

1. liquidReserves — held in the HubPool's own balance on Ethereum.
2. utilizedReserves — fronted by relayers on destination SpokePools, returning to the HubPool via canonical bridges (Arbitrum, Optimism, Base, etc.) as part of each ~1.5-hour root-bundle settlement cycle.

So fund delegation risk is limited to (a) the HubPool's own custody and (b) every connected canonical bridge and SpokePool. There is no rehypothecation into Aave/Morpho/etc.

Monitoring fund delegation: Use HubPool.pooledTokens(l1Token) to read (lpToken, isEnabled, lastLpFeeUpdate, utilizedReserves, liquidReserves, undistributedLpFees) per pool. See Monitoring section.

Accessibility

• Minting (LP entry): Permissionless via HubPool.addLiquidity(l1Token, l1TokenAmount) or addLiquidityETH (for the WETH pool with msg.value). Atomic in a single transaction. Mints l1TokenAmount * 1e18 / exchangeRateCurrent LP tokens to the caller.
• Redeeming (LP exit): Permissionless via HubPool.removeLiquidity(l1Token, lpAmount, sendEth). Atomic. Burns LP tokens and transfers lpAmount * exchangeRateCurrent / 1e18 of the underlying — provided liquidReserves is sufficient.
• Pause: Both addLiquidity and removeLiquidity carry the unpaused modifier, so the 3-of-5 HubPool owner multisig can suspend deposits and withdrawals atomically via setPaused(true).
• Fees: No mint/redeem fee charged by the contract; LPs only realize the protocol's value through exchange-rate appreciation.
• Rate limits / cooldown: No cooldown. The de-facto rate limit is the pool's liquidReserves balance — if redemption demand exceeds idle inventory, the call reverts and the LP must wait for the next root-bundle settlement to repatriate utilizedReserves.

Collateralization

• Onchain collateral: Yes. Each LP token is a pro-rata claim on the underlying L1 token held in the HubPool plus the matching utilizedReserves that are inflight on SpokePools.

• Collateral quality: The five canonical pools (WETH, USDC, USDT, DAI, WBTC) are all blue-chip. Across also enables long-tail pools (ACX, POOL, SNX, BAL, UMA, LSK) which are out of scope for this assessment.

• Over-collateralization / maintenance: None. LP backing target is 1:1 — there is no safety buffer like RSR or insurance fund.

• Liquidations / peg mechanism: N/A — LP tokens are not pegged; redemption is at exchange rate, not a market price.

• EOA / multisig / custodian control: The HubPool itself is immutable Solidity (no proxy) but a 3-of-5 Gnosis Safe (0xB524735356985D2f267FA010D681f061DfF03715, confirmed via cast call HubPool.owner()) holds powerful admin keys with no timelock between signing and execution. The Safe can:

  • setPaused(bool) — freeze LP entry/exit.
  • haircutReserves(address,int256) — directly write down utilizedReserves, pro-rata loss to LPs. This is intended for the case where a connected L2 fails and inflight utilizedReserves become unrecoverable, but the function itself has no onchain economic guardrail.
  • relaySpokePoolAdminFunction(uint256,bytes) — execute any function on any SpokePool, including UUPS upgrades, via ChainAdapters.
  • setBond, setLiveness, setIdentifier — change the parameters of the Optimistic Oracle dispute machinery, including the bond currency.
  • disableL1TokenForLiquidityProvision(token) — close a pool to new deposits.
  • setProtocolFeeCapture(address,uint256) — set the protocol fee share (capped at 50%) and recipient.

  These powers are not documented in a public on-chain governance manual that constrains the multisig (the Across Governance Operating Manual describes an off-chain Snapshot process, but the multisig retains the ability to act without it onchain).

• Risk curation: Pool enablement and parameters are governance-controlled. Bridge LP fee rate parameters live in AcrossConfigStore (0x3B03509645713718B78951126E0A6de6f10043f5) and are governance-mutable.

Provability

• Reserve verifiability: Excellent. Anyone can call HubPool.pooledTokens(l1Token) to read liquidReserves, utilizedReserves, undistributedLpFees and HubPool.exchangeRateCurrent(l1Token) to compute LP NAV. All data is onchain.
• Yield calculation: Onchain. The exchange rate is computed in _exchangeRateCurrent (contracts/hub-pool/HubPool.sol) as (liquidReserves + utilizedReserves - undistributedLpFees + accumulatedLpFees) * 1e18 / totalSupply. There is no admin-set rate.
• Off-chain reserves: None. The protocol does not custody assets off-chain.
• Third-party verification: No Chainlink PoR or custodian attestation is required — reserves are directly visible onchain. Optimistic Oracle disputes route through UMA's DVM, which is governed by UMA token holders.
• Mint without backing: No. LP tokens can only be minted via addLiquidity, which transfers the underlying L1 token first. There is no admin mint role on the LP token (verified by reading the LP token contracts, which are deployed by LpTokenFactory (0x7dB69eb9F52eD773E9b03f5068A1ea0275b2fD9d) with the HubPool as the sole minter).
• Caveat — haircutReserves: While LP tokens cannot be created out of thin air, the multisig CAN reduce LP NAV by calling haircutReserves, which reduces utilizedReserves without burning LP tokens. This is the closest analog to an "admin write-down" power.

Liquidity Risk

• Exit mechanism: Direct 1:1 redemption from the HubPool via removeLiquidity. No queue, no cooldown.
• Constraint: Bound by the pool's liquidReserves at redemption time. If liquidReserves is too low (because inventory is currently fronted on a SpokePool awaiting repatriation), the redemption reverts. The LP must either redeem a smaller amount, wait for the next root-bundle settlement, or sell the LP token OTC.
• DEX liquidity for LP tokens themselves: Minimal — Av2-*-LP tokens are not widely listed on DEXes. LPs should plan to exit via the HubPool, not via swap.
• Slippage: None on redemption (exchange rate, not market price).
• Withdrawal queues / delays: Officially none, but practically the per-pool liquidReserves ceiling acts as a soft throttle. Verified on May 12, 2026 onchain:
  • WETH pool: liquidReserves ≈ 2,202.5 WETH vs utilizedReserves ≈ 2,141.3 WETH — roughly half of total claims sit in flight.
  • USDT pool: liquidReserves ≈ 73,605 USDT vs utilizedReserves ≈ 1,648,932 USDT — 22× more capital in flight than liquid at snapshot, meaning a large USDT-LP exit would revert.
  • USDC pool: liquidReserves ≈ 783,118 USDC vs utilizedReserves ≈ 598,273 USDC — moderately liquid.
  • DAI pool: liquidReserves ≈ 679,840 DAI vs utilizedReserves ≈ 449,376 DAI — moderately liquid.
• Historical liquidity during stress: Across continued to allow withdrawals during the Dec 2024 → Feb 2025 TVL collapse ($249M → $28M) without imposing a queue, per the DefiLlama TVL series; individual pools may still have been temporarily unredeemable.
• Large holder impact: A holder of >liquidReserves worth of any LP token cannot exit in a single transaction. They must wait for inflight inventory to return via canonical bridges (~1.5 hour settlement cadence; longer for chains with slow native bridges like Optimistic Rollup 7-day exits — though Across uses fast canonical messaging not the full L2 challenge period).

Centralization & Control Risks

Governance

• HubPool upgradability: Immutable. The HubPool contract has no proxy (EIP-1967 implementation slot is zero); it is fixed Solidity bytecode deployed in May 2022.

• SpokePool upgradability: UUPS upgradable, with the HubPool as the admin. The 3-of-5 multisig can deploy a new SpokePool implementation on any connected chain by calling relaySpokePoolAdminFunction() through the appropriate ChainAdapter — atomically, with no timelock.

• HubPool owner: 0xB524735356985D2f267FA010D681f061DfF03715 ("Across Protocol: Hub Pool Owner MultiSig" per Etherscan label). Gnosis Safe v1.3.0.

• Multisig threshold: 3 of 5 (verified via cast call getThreshold()).

• Multisig signers (verified via cast call getOwners()):

  1. 0x72b32C1a6A75CBAfAe36c0CA8e763946d370E766
  2. 0x837219D7a9C666F5542c4559Bf17D7B804E5c5fe
  3. 0x996267d7d1B7f5046543feDe2c2Db473Ed4f65e9
  4. 0xcc400c09ecBAC3e0033e4587BdFAABB26223e37d
  5. 0x868CF19464e17F76D6419ACC802B122c22D2FD34

  Per the Across Governance Operating Manual, the council that holds these keys is composed of Risk Labs representatives. The natural-person mapping of each signer address is not publicly disclosed — TODO: confirm signer identities with the Across team if required for integration approval.

• Timelock: None. No timelock contract is deployed between the multisig and the HubPool (confirmed by reading HubPool.owner() directly returning the Safe address with no intermediate proxy). The protocol's deployed-addresses.json on GitHub does not list a Timelock for chain 1. Snapshot governance is off-chain and does not gate signer actions.

• Privileged roles capable of harm: Yes — the multisig can pause LP redemption, write down LP NAV via haircutReserves, upgrade any SpokePool implementation, change the bond token, and disable any pool. All these are atomic and not constrained by any onchain delay.

• Fund seizure: The multisig cannot directly transfer LP-owned underlying tokens out of the HubPool — there is no sweep or withdrawTo function on the HubPool admin surface. But it can effectively seize value via (a) haircutReserves to write down NAV, (b) deploying a malicious SpokePool implementation to drain SpokePool inventory, or (c) setBond plus a malicious bundle proposal during the 30-minute liveness window. The latter two routes are non-trivial and depend on UMA dispute resolution, but the multisig has the unilateral ability to attempt them.

Programmability

• System operations: Bundle execution, refund, and rebalance are fully onchain and callable by any actor. Dispute is permissionless. Bundle proposal is not permissionless — the BondToken (ABT) overrides transferFrom to require either proposers[src] == true or that src is not the current root-bundle proposer; tracing HubPool.proposeRootBundle(), the contract sets rootBundleProposal.proposer = msg.sender before the bond transfer, so the proposer-side require collapses to require(proposers[src]). setProposer(address,bool) is onlyOwner on the BondToken, and the BondToken owner is the same 3-of-5 Hub Pool Owner Safe (0xB524735356985D2f267FA010D681f061DfF03715, verified via cast call BondToken.owner()). In effect, the dataworker is admin-gated. Source: BondToken.sol on Etherscan.
• Bond size: bondAmount() = 0.45 ABT (verified onchain). ABT is issued 1:1 against deposited WETH.
• Off-chain components:
  • Dataworker / bundler: Off-chain bot that aggregates fills into a root bundle and posts it onchain. In practice, Risk Labs runs the canonical dataworker and is on the proposer allowlist; new proposers would need to be added by the multisig. Liveness is only 30 minutes (HubPool.liveness() = 1800, verified onchain), so honest disputers must be online to catch invalid bundles.
  • Relayers: Off-chain capital providers that fill destination intents. Permissionless — anyone can run a relayer.
  • LP fee parameters: lpFeeRatePerSecond lives in AcrossConfigStore and is governance-controlled.
• PPS / exchange rate: Defined onchain by a deterministic formula; no admin update path (other than haircutReserves, which writes down the inputs but does not redefine the formula).

External Dependencies

• UMA Optimistic Oracle V3: 0xfb55F43fB9F48F63f9269DB7Dde3BbBe1ebDC0dE. Disputes route through UMA's DVM. The OO uses identifier "ACROSS-V2" (verified onchain via HubPool.identifier()). UMA itself is governed by a separate UMA-holder DAO, which is also Risk Labs–affiliated.
• Canonical L1↔L2 bridges (Arbitrum, Optimism, Base, Polygon, zkSync, Linea, Blast, World Chain, etc.): Critical for repatriating utilizedReserves to the HubPool. Failure of any of these (a frozen rollup, a halted canonical bridge) isolates that chain's SpokePool inventory until the underlying issue resolves — or until the multisig writes down the loss via haircutReserves.
• Ethereum mainnet: Full L1 dependency.
• No oracle pricing dependency for LP NAV: Unlike Reserve/RSR, Across does NOT need Chainlink or any price oracle to value LP reserves; the underlying token itself is what's owed.
• Fallback mechanisms: If UMA DVM fails to resolve, root bundle execution is blocked until the proposal is replaced. Liquidity remains in the HubPool / SpokePools but cannot be rebalanced. The multisig can emergencyDeleteProposal to clear the queue.

Operational Risk

• Team transparency: Public. Risk Labs leadership is disclosed on risklabs.foundation/#team — Hart Lambur (CEO), Matt Rice (CTO), Melissa Quinn (COO), Kevin Chan (Treasurer), Ryan Carman (Head of Product), James Richard Fry (Head of Marketing). Hart Lambur is publicly known from UMA.
• Legal structure: Risk Labs is a Cayman Islands Exempted Foundation Company, registered with the Cayman Islands General Registry (RA000086) under registry ID 339077 (GLEIF LEI 984500B2DE6O0F0P5071). Registered address: 23 Lime Tree Bay Avenue, PO Box 10176, c/o ZEDRA Trust Company (Cayman) Limited, Grand Cayman, KY1-1002. Entity status: ACTIVE; LEI registration status: ISSUED; next renewal due 2026-11-21. Risk Labs' own website does not disclose jurisdiction; this citation is sourced from the GLEIF registry, not the foundation's website.
• Documentation: Good. docs.across.to is comprehensive and current; concept docs explain the intents architecture clearly. Contract address and bug-bounty pages are reachable at the URLs cited above.
• Incident response: No public, documented incident-response runbook surfaced during research. The multisig can call setPaused(true) to freeze entry/exit in an emergency. The protocol has not had a smart-contract incident to test response capability.
• Reputational concern: The unresolved June 2025 ACX governance / treasury controversy weighs on operational risk because the parties involved are the same parties who hold the HubPool keys. While the alleged misconduct is not a contract-level loss event for LPs, it speaks directly to governance integrity — see Historical Track Record above.

Monitoring

Critical contracts to monitor

Contract	Address	Purpose
HubPool	0xc186fA914353c44b2E33eBE05f21846F1048bEda	Pool state, paused flag, admin events
Hub Pool Owner Multisig	0xB524735356985D2f267FA010D681f061DfF03715	Signer / threshold changes
Ethereum SpokePool	0x5c7BCd6E7De5423a257D81B442095A1a6ced35C5	UUPS upgrades, admin events
BondToken (ABT)	0xee1DC6BCF1Ee967a350e9aC6CaaAA236109002ea	Bond currency parameters
AcrossConfigStore	0x3B03509645713718B78951126E0A6de6f10043f5	LP fee rate config
Av2-WETH-LP	0x28F77208728B0A45cAb24c4868334581Fe86F95B	LP supply (only if Yearn holds this)
Av2-USDC-LP	0xC9b09405959f63F72725828b5d449488b02be1cA	LP supply (only if Yearn holds this)
Av2-USDT-LP	0xC2faB88f215f62244d2E32c8a65E8F58DA8415a5	LP supply (only if Yearn holds this)
Av2-DAI-LP	0x4FaBacAC8C41466117D6A38F46d08ddD4948A0cB	LP supply (only if Yearn holds this)
Av2-WBTC-LP	0x59C1427c658E97a7d568541DaC780b2E5c8affb4	LP supply (only if Yearn holds this)

Critical values / events to watch

Item	Method	Threshold / Trigger	Frequency
HubPool paused state	HubPool.paused()	Any true → page oncall	Hourly
Per-pool reserves & exchange rate	HubPool.pooledTokens(l1Token) and HubPool.exchangeRateCurrent(l1Token)	Track liquidReserves vs Yearn position size; alert when liquidReserves < Yearn LP size × 1.5	Hourly
HaircutReserves event	HubPool event filter	Any emission → page oncall and assess impairment	On event
SpokePoolAdminFunctionTriggered event	HubPool event filter	Any emission → investigate (potential SpokePool upgrade)	On event
BondSet, LivenessSet, IdentifierSet events	HubPool event filter	Any emission → assess implications	On event
RootBundleDisputed event	HubPool event filter	Any emission → halt risk window, monitor UMA DVM outcome	On event
Safe owner / threshold changes	Watch AddedOwner, RemovedOwner, ChangedThreshold on the 3-of-5 Safe	Any change	On event
Liveness parameter	HubPool.liveness()	Alert if reduced below current 1800 (30 min)	Daily
Bond amount / token	HubPool.bondAmount(), HubPool.bondToken()	Alert if changed to a less-liquid token or reduced amount	Daily
TVL	DefiLlama across slug	Alert if 30-day change > ±50%	Daily
ACX governance controversy follow-up	Across forum, X	Material updates	Weekly

Monitoring implementation:

1. Open a PR in yearn/monitoring adding the Hub Pool Owner Safe to the safe-monitoring list.
2. Add a workflow that polls HubPool.paused() and the relevant pooledTokens() reserves hourly.
3. Add Tenderly alerts for the HubPool events listed above.
4. Configure a Telegram group with the SAM bot (@sam_alerter_bot) for paged events.

If on-chain queries are insufficient, fall back to DefiLlama for TVL and the Across forum / X for governance signals.

Appendix: Contract Architecture

                        Yearn LP Position
                                │
                                ▼
              ┌──────────────────────────────────────┐
              │   Av2-*-LP tokens (ERC20)            │  ← deployed by LpTokenFactory
              │   WETH / USDC / USDT / DAI / WBTC    │     0x7dB6...fD9d (sole minter = HubPool)
              └──────────────────────────────────────┘
                                │ minted / burned 1:1
                                ▼
        ╔════════════════════════════════════════════════════╗
        ║  PROTOCOL LAYER (Ethereum L1)                      ║
        ║                                                    ║
        ║  HubPool (IMMUTABLE, NON-UPGRADEABLE)              ║
        ║  0xc186fA9143...8bEda                              ║
        ║    • addLiquidity / removeLiquidity                ║
        ║    • exchangeRateCurrent / pooledTokens            ║
        ║    • proposeRootBundle / executeRootBundleLeaves   ║
        ║    • haircutReserves      ← admin loss-write-down  ║
        ║    • relaySpokePoolAdminFunction ← cross-chain     ║
        ║                              admin to SpokePools   ║
        ║                                                    ║
        ║   ┌──────────────┐   ┌──────────────┐              ║
        ║   │ BondToken    │   │ ConfigStore  │              ║
        ║   │ (ABT)        │   │ (LP fees)    │              ║
        ║   │ 0xee1DC6...  │   │ 0x3B0350...  │              ║
        ║   └──────────────┘   └──────────────┘              ║
        ╚════════════════════════════════════════════════════╝
                  │                       │
                  ▼                       ▼
        ┌──────────────────┐    ┌──────────────────────────┐
        │ UMA Optimistic   │    │ Ethereum_SpokePool       │
        │ Oracle V3        │    │ 0x5c7BCd6E... (UUPS proxy)│
        │ 0xfb55F43f...    │    │ admin = HubPool          │
        │ identifier:      │    └──────────────────────────┘
        │ "ACROSS-V2"      │              │
        │ liveness: 1800s  │              │ relay via
        └──────────────────┘              │ ChainAdapters
                  │                       ▼
                  │              ┌─────────────────────────┐
                  │              │ SpokePools on Arbitrum, │
                  ▼              │ Optimism, Base, Polygon,│
        ┌──────────────────┐     │ zkSync, Linea, Blast,   │
        │ UMA DVM          │     │ World Chain, etc.       │
        │ (UMA tokenholder │     │ (all UUPS, admin=HubPool│
        │  vote)           │     │  via relaySpokePool-    │
        └──────────────────┘     │  AdminFunction)         │
                                 └─────────────────────────┘

        ╔════════════════════════════════════════════════════╗
        ║  GOVERNANCE LAYER                                  ║
        ║                                                    ║
        ║  Hub Pool Owner Gnosis Safe v1.3.0                 ║
        ║  0xB524735356985D2f267FA010D681f061DfF03715        ║
        ║  Threshold: 3-of-5    ← NO TIMELOCK                ║
        ║                                                    ║
        ║  Powers (all unilateral, no delay):                ║
        ║   • setPaused                                      ║
        ║   • haircutReserves                                ║
        ║   • relaySpokePoolAdminFunction (incl. upgrades)   ║
        ║   • disable pools / set bond / set liveness        ║
        ╚════════════════════════════════════════════════════╝

Trust boundaries:

• LP holders trust the 3-of-5 multisig to refrain from haircutReserves abuse and to refrain from upgrading SpokePools maliciously.
• LP holders trust UMA OOv3 + DVM to correctly resolve disputed bundles within the 30-minute liveness window (assisted by honest disputers always being online).
• LP holders trust the canonical L1↔L2 bridges of every connected chain to repatriate utilizedReserves.

---

Reassessment Triggers

• Time-based: Reassess in 6 months (by November 12, 2026).
• TVL-based: Reassess if Across protocol TVL crosses $100M upward or $10M downward.
• Incident-based: Reassess after any of:
  • Any HaircutReserves event on the HubPool.
  • Any SpokePool UUPS upgrade (watch for SpokePoolAdminFunctionTriggered).
  • Any change to the Hub Pool Owner Safe owners or threshold.
  • Any reduction in liveness() below 1800 seconds (30 min).
  • Any change in bondToken() or bondAmount().
  • Any new postmortem in the Across forum or GitHub.
  • Material development in the June 2025 ACX governance controversy (legal action, external audit/review, or settlement).
• Audit-based: Reassess after any new external audit by a non-OpenZeppelin firm, or after any unresolved high/critical finding is closed.