Back

Guardian - USDT0 Engagements Case Study

“We very much appreciate Guardian’s approach to security and the entire audit process. Guardian goes above and beyond to not only do manual audits but also contribute to verification processes and helps for the entire development pipeline to improve.”

Core Team

USDT0

Overview


This case study highlights Guardian's extensive series of audits across USDT0, the LayerZero-enabled multichain deployment of Tether's USD-pegged stablecoin. The initiative involved securing USDT0 implementations on platforms including Arbitrum, HyperEVM, the Superchain ecosystem, and more.


With stablecoins becoming core to crypto's institutional infrastructure, cross-chain reliability, upgrade safety, and systemic risk mitigation were paramount. Guardian partnered with Tether to audit core protocol contracts, OFT upgrades, bridging layers, and orchestration components critical to the safety and liquidity of USDT0.


You can access all of our USDT0 audit reports here.


Guardian


Guardian provides institutional-grade Web3 security, redefining audits with dual independent security teams, specialized fuzzing engineers, and an aggressive vulnerability discovery methodology. This approach consistently drives maximum issue discovery, ensuring projects ship with unmatched confidence.


You can book Guardian for your next audit here, for when it has to be right the first time.


USDT0


USDT0 is the next evolution of Tether's USDT, designed for cross-chain operability via LayerZero's OFT (Omnichain Fungible Token) standard. With numerous crosschain deployments, USDT0 enables seamless asset mobility while preserving Tether's wide stablecoin liquidity depth.


With over $6 billion in volume since its launch this year, USDT0 is quickly emerging as the dominant crosschain stablecoin in Web3.


Why Guardian?


Tether's requirements demanded a security partner capable of:


• Understanding and testing OFT mechanics and LayerZero middleware

• Modeling edge cases in bridging, replay protection, reentrancy, and upgrade safety

• Auditing privileged admin flows, multisigs (OneSig), and messaging pathways

• Validating test coverage, fuzz harnesses, and gas constraints


Guardian's dual-team model, with included fuzzing methodology, proved ideal for securing complex, protocol-level infrastructure.


The Engagements


Guardian conducted 9 independent audits of USDT0 systems between January and June 2025:


Arbitrum Migration – Validated OFT transition logic, storage layout, and bridging controls

HyperEVM Deployment – Audited core Tether logic on Hyperchain's EVM

HyperLiquid Composer – Secured a bridging layer for transfers between HyperEVM and HyperLiquid L1

Superchain Deployment – Reviewed DVN config, permit invalidation risks, and fallback logic

OneSig – Audited Tether's multisig contract with reentrancy, replay, and MEV protections

Multihop Contract – Reviewed multi-leg transfer orchestration logic and gas refund paths

XAUT0 Deployment – Validated LayerZero-enabled Tether Gold deployment

Initial Core Deployment (Ink) – First security review of the OFT-based system architecture


Across all audits, Guardian applied:


• Line-by-line manual review of all critical contracts

• Stateful fuzzing against OFT send/receive, retries, bridging, and replay paths

• Chain-specific threat modeling (e.g. L2 sequencer down, HyperLiquid system calls)

• Configuration analysis of LayerZero DVNs, OFT params, and gas limits


Arbitrum Upgrade: Securing $2 Billion


The migration of USDT to the new USDT0 architecture on Arbitrum posed one of the highest-risk transitions in the stablecoin's history. At the time of Guardian's engagement, over $2 billion in USDT was circulating on Arbitrum — meaning any misstep in the migration process could result in massive user losses or systemic liquidity disruption.


Guardian's audit focused on:


• Verifying migration logic and upgrade triggers across contracts

• Ensuring the l1Address field was properly cleared post-migration to avoid bricking fund flows

• Assessing refund logic for in-flight Ethereum-to-Arbitrum gateway bridges

• Confirming safe pause/resume flows during the contract transition window

• Doing a full end to end production test of the migration with deployment parameters


Guardian identified and addressed a subtle edge case where users initiating bridge transfers from Ethereum to Arbitrum immediately prior to migration would lose access to funds. The recommended fix enabled Arbitrum's gateway contracts to trigger a safe fallback refund — restoring user funds after a 7-day period.


Through this audit, Guardian helped de-risk a complex, multi-contract upgrade with billions at stake, preserving user capital and ensuring a smooth transition to the new USDT0 standard on Arbitrum.


Findings & Key Results


Guardian identified and surfaced a wide range of subtle issues across our engagements:


Missing storage gaps and upgrade safety violations
Found in: Arbitrum Migration, Core Deployment (Ink)

Signature invalidation due to permit domain separator changes
Found in: Superchain Deployment

Replay attacks on forks without chain ID hardening
Found in: OneSig Audit

Unexpected behavior in OneSig nonce sequencing and gas forwarding
Found in: OneSig Audit

Incorrect bridging permissions and stuck fund scenarios
Found in: Arbitrum Migration, Multihop Contract


Highlighted Issues:


BridgeMint Breakage | Arbitrum Migration

As part of the Arbitrum migration, bridges initiated from Ethereum to Arbitrum via the legacy gateway could result in irretrievable funds. Once migration occurs, the Arbitrum side can no longer credit USDT using bridgeMint, and the Ethereum-side tokens remain locked in the gateway. Guardian recommended assigning l1Address to address(0) during migration to trigger refund logic in the Arbitrum gateway and mitigate loss—while also proposing a longer-term DAO-based deactivation of the Ethereum gateway to prevent recurrence.


Replay Risk on Chain Forks | OneSig Audit

In the OneSig audit, Guardian discovered that the contract's ID was not tied to the chain ID, allowing multisig transactions to be replayed across forked chains. In the rare case of a network fork this could lead to an attacker unexpectedly being able to execute actions multiple times.


Fund Trapping via Non-Standard Approve | Multihop Contract Audit

USDT's implementation on Ethereum does not return a boolean from approve(), violating the ERC-20 spec. This caused the Multihop contract to revert and trap funds. Guardian recommended an interface adjustment to align with USDT's unique behavior.


Total issues across all audits:

Critical: 0

High: 0

Medium: 1

Low: 40+

Informational: 80+


All issues have since been resolved and acknowledged by the USDT0 team.


Deployment Verification & Production Readiness


Beyond contract audits, Guardian played a critical role in verifying the safety of every USDT0 production deployment. This effort included comprehensive validation of configuration, bytecode, calldata, and multisig operations across dozens of chains.


Guardian's deployment verification process includes:


Fork Testing: Running end-to-end fork-based tests (USDT0ForkTests.t.sol) to validate contract behavior against live mainnet data

Bytecode Matching: Confirming deployed bytecode matches expected values for OUpgradeable and TetherTokenOFTExtension across all chains

Calldata Verification: Manually inspecting and simulating calldata submitted to Safe multisigs, ensuring correctness and safety of every config transaction

Safe Transaction Simulation: Using internal automation to simulate queued Safe transactions and validate them against the Safe API

Configuration Tracking: Verifying each deployment has properly updated constants and configuration values in Constants.sol

LayerZero Parameter Audits: Confirming DVNs, endpoint addresses, and confirmation windows are correct per chain


This rigorous deployment verification workflow ensured that every USDT0 deployment—no matter how complex or emergent—was correctly configured, safely deployed, and ready for production.


Impact


Guardian's work on USDT0 went beyond traditional auditing—securing one of crypto's most systemically important assets across both code and deployment layers. Our reviews and verifications:


• Prevented bridging inconsistencies and stuck message states

• Hardened the OneSig multisig against MEV, replay, and stale data attacks

• Reduced the likelihood of upgrade collisions across chains

• Surfaced composability edge cases in USDT0's orchestration layers

Validated deployment safety through bytecode matching, fork testing, and Safe transaction simulation

• Enabled Tether to confidently scale USDT0 across new chains with a comprehensive, production-ready security model


You can access Guardian's full collection of USDT0 reports here.


By securing every layer of USDT0's multichain architecture, Guardian is enabling Tether to confidently scale its stablecoin across new networks—delivering a robust, secure foundation for cross-chain liquidity in Web3.


Looking to secure your own multichain deployment? Guardian works with the best teams in Web3 to secure the most complex architectures—across smart contracts, bridging layers, and backend systems. Work with Guardian to ensure your protocol is production-ready and battle-tested.