Search for projects by name or address
X Layer is an OP Stack Layer 2 by OKX with seamless integration with OKX products. It is connected to the Agglayer shared bridge.
X Layer is an OP Stack Layer 2 by OKX with seamless integration with OKX products. It is connected to the Agglayer shared bridge.
Consequence: projects without a sufficiently decentralized set of challengers rely on few entities to safely update the state. A small set of challengers can collude with the proposer to finalize an invalid state, which can cause loss of funds.
Learn more about the recategorisation here.
2025 Jul 05 — 2026 Jul 05
The section shows the operating costs that L2s pay to Ethereum.
2025 Oct 27 — 2026 Jul 05
This section shows how much data the project publishes to its data-availability (DA) layer over time. The project currently posts data to; previously it posted to
Ethereum.
2025 Oct 27 — 2026 Jul 05
This section shows how "live" the project's operators are by displaying how frequently they submit transactions of the selected type. It also highlights anomalies - significant deviations from their typical schedule.
2026 Jun 05 — Jul 05
All liveness anomalies detected for this project in the last 30 days, helping you review recent downtime and availability issues.
No State updates were performed for 27h 52m (from 2026 Jul 02, 03:16 UTC until 2026 Jul 03, 07:08 UTC). These typically occur every 29min 11s on average.
No Tx data submissions were performed for 27h 33m 36s (from 2026 Jul 02, 03:29 UTC until 2026 Jul 03, 07:03 UTC). These typically occur every 3min 55s on average.
No Tx data submissions were performed for 1h 7m (from 2026 Jun 30, 13:52 UTC until 2026 Jun 30, 14:59 UTC). These typically occur every 3min 55s on average.
No Tx data submissions were performed for 1h 38m 48s (from 2026 Jun 25, 07:23 UTC until 2026 Jun 25, 09:02 UTC). These typically occur every 3min 55s on average.
No State updates were performed for 8h 2m (from 2026 Jun 05, 13:02 UTC until 2026 Jun 05, 21:04 UTC). These typically occur every 29min 11s on average.
OP Succinct Lite dispute game activated
2026 Jun 30th
X Layer activates OP Succinct Lite to resolve challenged OP Stack state proposals with ZK proofs.
Fraud proofs allow actors watching the chain to prove that the state is incorrect. Single round proofs (1R) only require a single transaction to resolve. ZK proofs are used to prove the correctness of the state transition. Challenges are currently restricted to 1 whitelisted challenger and proposals are restricted to 1 whitelisted proposer.
All of the data needed for proof construction is published on Ethereum L1.
There is no window for users to exit in case of an unwanted upgrade since contracts are instantly upgradable.
Only whitelisted proposers can publish state roots. Permissionless proposing becomes available only after 1000y of proposer inactivity, which is not a practical recovery path.
State roots are proposed by whitelisted proposers who create dispute games via the DisputeGameFactory by posting a bond of 0.00000001 ETH. Once created, the game enters a challenge period of 1h during which whitelisted challengers can dispute the proposal by posting a bond of 0.00000001 ETH. If challenged, anyone can submit a ZK proof to prove the correct state within the proving period of 7d. After the challenge period passes without a successful challenge, or after a valid proof is submitted, anyone can resolve the game and finalize the state root.
Funds can be stolen if the validity proof cryptography is broken or implemented incorrectly.
Funds can be stolen if no whitelisted challenger disputes an invalid state root before the challenge window expires.
Funds can be stolen if the SP1 verifier gateway owner routes proof verification through a malicious or faulty verifier.
Funds can be frozen if the permissioned proposer fails to publish state roots to L1.
Onchain verifier
Onchain verifier
Onchain verifier
Onchain verifier | ||
Onchain verifier | ||
Onchain verifier |

The regular upgrade process for shared system contracts and L2-specific validium contracts starts at the PolygonAdminMultisig. For the shared contracts, they schedule a transaction that targets the ProxyAdmin via the Timelock, wait for 3d and then execute the upgrade. An upgrade of the Layer 2 specific validium contract requires first adding a new rollupType through the Timelock and the AgglayerManager (defining the new implementation and verifier contracts). Now that the rollupType is created, either the local admin or the PolygonAdminMultisig can immediately upgrade the local system contracts to it. Chains using pessimistic proofs often have completely sovereign upgrade paths from the ones described here, but the shared contracts still remain relevant to them because they use them as escrow.
The PolygonSecurityCouncil can expedite the upgrade process by declaring an emergency state. This state pauses both the shared bridge and the AgglayerManager and allows for instant upgrades through the timelock. Accordingly, instant upgrades for all system contracts are possible with the cooperation of the SecurityCouncil. The emergency state has been activated 1 time(s) since inception.
Furthermore, the PolygonAdminMultisig is permissioned to manage the shared trusted aggregator (proposer and prover) for all participating Layer 2s, deactivate the emergency state, obsolete rollupTypes and manage operational parameters and fees in the AgglayerManager directly. The local admin of a specific Aggchain can manage their chain by choosing the trusted sequencer, manage forced batches and set the data availability config. For sovereign chains using pessimistic proofs they can manage any proof logic that might be used on top of the minimal pessimistic one. Creating new Layer 2s (of existing rollupType) is outsourced to the PolygonCreateRollupMultisig but can also be done by the PolygonAdminMultisig. Custom non-shared bridge escrows have their custom upgrade admins listed in the permissions section.
The metrics include upgrades on the currently used proxy contracts. Historical proxy contracts and changes of such are not included.
X Layer switched the respected OP Stack dispute game from the PermissionedDisputeGame to OP Succinct Lite (game type 42). The new setup uses an OPSuccinctFaultDisputeGame deployed on 2026-06-30, an AccessManager for proposer/challenger allowlists, and SP1 verifier gateways for zk proof verification during challenged games.
X Layer switched the respected OP Stack dispute game from the PermissionedDisputeGame to OP Succinct Lite (game type 42). The new setup uses an OPSuccinctFaultDisputeGame deployed on 2026-06-30, an AccessManager for proposer/challenger allowlists, and SP1 verifier gateways for zk proof verification during challenged games.
| contract AnchorStateRegistry (eth:0x000590BB65ab1864a7AD46d6B957cC9a4F2C149d) [opstack/AnchorStateRegistry_post13_opsuccinct] { | |
| +++ description: Contains the latest confirmed state root that can be used as a starting point in a dispute game. It specifies which game type can be used for withdrawals, which currently is the OPSuccinctFaultDisputeGame. Variant for chains using OPSuccinct (SP1) games instead of Cannon, which omits Cannon-specific cross-contract fields (vm, oracle, weth, challengePeriod, absolutePrestate from game). | |
| description: | |
| - | "Contains the latest confirmed state root that can be used as a starting point in a dispute game. It specifies which game type can be used for withdrawals, which currently is the PermissionedDisputeGame. Variant for chains using OPSuccinct (SP1) games instead of Cannon, which omits Cannon-specific cross-contract fields (vm, oracle, weth, challengePeriod, absolutePrestate from game)." |
| + | "Contains the latest confirmed state root that can be used as a starting point in a dispute game. It specifies which game type can be used for withdrawals, which currently is the OPSuccinctFaultDisputeGame. Variant for chains using OPSuccinct (SP1) games instead of Cannon, which omits Cannon-specific cross-contract fields (vm, oracle, weth, challengePeriod, absolutePrestate from game)." |
| values.RespectedGameString: | |
| - | "PermissionedDisputeGame" |
| + | "OPSuccinctFaultDisputeGame" |
| +++ severity: HIGH | |
| values.respectedGameType: | |
| - | 1 |
| + | 42 |
| } |
| contract OptimismPortal2 (eth:0x64057ad1DdAc804d0D26A7275b193D9DACa19993) [opstack/OptimismPortal2] { | |
| +++ description: Central message and gas token (dOKB) bridge of the OP stack part of this deployment. It finalizes withdrawals against the currently respected OP Succinct Lite dispute game and allows forced transactions. | |
| values.RespectedGameString: | |
| - | "PermissionedDisputeGame" |
| + | "OPSuccinctFaultDisputeGame" |
| +++ severity: HIGH | |
| values.respectedGameType: | |
| - | 1 |
| + | 42 |
| } |
| EOA (eth:0x6eE7BDa7AF04F61ccf93aB4b8DB2289aBe76C6aA) { | |
| +++ description: None | |
| receivedPermissions.1: | |
| + | {"permission":"interact","from":"eth:0x98BA64d8c8Dd33bD75F2154214BFd849d0D5c17B","description":"Allowed to add or remove proposers and challengers, and transfer ownership of the AccessManager.","role":".owner"} |
| } |
| EOA (eth:0x736E68Af2CbF2aB0E46E4310fE5Ae568b3642FF6) { | |
| +++ description: None | |
| receivedPermissions.0: | |
| + | {"permission":"interact","from":"eth:0x98BA64d8c8Dd33bD75F2154214BFd849d0D5c17B","description":"Allowed to challenge or delete state roots proposed by a Proposer.","role":".challengers"} |
| } |
| contract DisputeGameFactory (eth:0x9D4c8FAEadDdDeeE1Ed0c92dAbAD815c2484f675) [opstack/DisputeGameFactory] { | |
| +++ description: The dispute game factory allows the creation of dispute games, used to propose state roots and eventually challenge them. | |
| +++ severity: HIGH | |
| values.game42: | |
| - | "eth:0x0000000000000000000000000000000000000000" |
| + | "eth:0x8841FA06099FEdfE7DB6962926C6A281e9E1e607" |
| values.initBondGame42: | |
| - | 0 |
| + | 10000000000 |
| } |
| EOA (eth:0xE43944421681170648E10007f73816e04F74394F) { | |
| +++ description: None | |
| receivedPermissions.0: | |
| + | {"permission":"interact","from":"eth:0x98BA64d8c8Dd33bD75F2154214BFd849d0D5c17B","description":"Allowed to post new state roots of the current layer to the host chain.","role":".proposers"} |
| } |
| + | Status: CREATED |
| contract SP1VerifierGateway (eth:0x397A5f7f3dBd538f23DE225B51f532c34448dA9B) [succinct/SP1VerifierGateway] | |
| +++ description: This contract is the router for zk proof verification. It stores the mapping between identifiers and the address of onchain verifier contracts, routing each identifier to the corresponding verifier contract. |
| + | Status: CREATED |
| contract SP1Verifier (eth:0x50ACFBEdecf4cbe350E1a86fC6f03a821772f1e5) [succinct/SP1Verifier] | |
| +++ description: Verifier contract for SP1 proofs (v5.0.0). |
| + | Status: CREATED |
| contract OPSuccinctFaultDisputeGame (eth:0x8841FA06099FEdfE7DB6962926C6A281e9E1e607) [succinct/OPSuccinct/OPSuccinctFaultDisputeGame] | |
| +++ description: Logic of the dispute game. When a state root is proposed, a dispute game contract is deployed. Challengers can use such contracts to challenge the proposed state root. |
| + | Status: CREATED |
| contract AccessManager (eth:0x98BA64d8c8Dd33bD75F2154214BFd849d0D5c17B) [succinct/OPSuccinct/AccessManager] | |
| +++ description: Contract managing access control for proposers and challengers in OPSuccinct. |
| + | Status: CREATED |
| contract SP1Verifier (eth:0x99A74A05a0FaBEB217C1A329b0dac59a1FA52508) [succinct/SP1Verifier] | |
| +++ description: Verifier contract for SP1 proofs (v6.0.0). |
| + | Status: CREATED |
| contract SP1Verifier (eth:0xb69f2584CBcFf99a58C4e7002E8b89Af54a6f4e2) [succinct/SP1Verifier] | |
| +++ description: Verifier contract for SP1 proofs (v6.1.0). |
| + | Status: CREATED |
| contract SP1VerifierGatewayMultisig (eth:0xCafEf00d348Adbd57c37d1B77e0619C6244C6878) [GnosisSafe] | |
| +++ description: None |
Raised gas limit.
Raised gas limit.
| contract SystemConfig (eth:0x5065809Af286321a05fBF85713B5D5De7C8f0433) { | |
| +++ description: Contains configuration parameters such as the Sequencer address, gas limit on this chain and the unsafe block signer address. | |
| +++ description: Gas limit for blocks on L2. | |
| +++ severity: LOW | |
| values.gasLimit: | |
| - | 50000000 |
| + | 210000000 |
| } |
fee config changes.
fee config changes.
| contract SystemConfig (eth:0x5065809Af286321a05fBF85713B5D5De7C8f0433) { | |
| +++ description: Contains configuration parameters such as the Sequencer address, gas limit on this chain and the unsafe block signer address. | |
| +++ description: volatility param: lower denominator -> quicker fee changes on L2 | |
| values.eip1559Denominator: | |
| - | 100000000 |
| + | 50 |
| values.minBaseFee: | |
| - | 0 |
| + | 20000000 |
| } |
move to new multisig owner.
move to new multisig owner.
| contract AnchorStateRegistry (eth:0x000590BB65ab1864a7AD46d6B957cC9a4F2C149d) { | |
| +++ description: Contains the latest confirmed state root that can be used as a starting point in a dispute game. It specifies which game type can be used for withdrawals, which currently is the PermissionedDisputeGame. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract DelayedWETH (eth:0x1B8A252A71bC8997d3871aF420895B5845212fC6) { | |
| +++ description: Contract designed to hold the bonded ETH for each game. It is designed as a wrapper around WETH to allow an owner to function as a backstop if a game would incorrectly distribute funds. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract ProxyAdmin (eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6) { | |
| +++ description: None | |
| values.owner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract SystemConfig (eth:0x5065809Af286321a05fBF85713B5D5De7C8f0433) { | |
| +++ description: Contains configuration parameters such as the Sequencer address, gas limit on this chain and the unsafe block signer address. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract OptimismPortal2 (eth:0x64057ad1DdAc804d0D26A7275b193D9DACa19993) { | |
| +++ description: Central message and gas token (dOKB) bridge of the OP stack part of this deployment. It allows for permissioned state proposals without public challenges, and forced transactions. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract L1ERC721Bridge_neutered (eth:0x85d37236f063C687d056b3604CBEe4B60d124858) { | |
| +++ description: Used to bridge ERC-721 tokens from host chain to this chain. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract DisputeGameFactory (eth:0x9D4c8FAEadDdDeeE1Ed0c92dAbAD815c2484f675) { | |
| +++ description: The dispute game factory allows the creation of dispute games, used to propose state roots and eventually challenge them. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract L1StandardBridge_neutered (eth:0xAecF995ABf9E7eDE7ae0CE65E60622C9eD84823a) { | |
| +++ description: This OP stack bridge contract has been modified to disallow ETH and ERC-20 bridging. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| contract OwnerContract (eth:0xe58C365Da30c746204022e61482bBE828cAA9091) { | |
| +++ description: None | |
| receivedPermissions.0: | |
| - | {"permission":"interact","from":"eth:0xE88CfA9D4a4fae1413914baD9796A72D13d035b9","description":"set and change address mappings.","role":".owner","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.1: | |
| - | {"permission":"upgrade","from":"eth:0x000590BB65ab1864a7AD46d6B957cC9a4F2C149d","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.2: | |
| - | {"permission":"upgrade","from":"eth:0x1B8A252A71bC8997d3871aF420895B5845212fC6","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.3: | |
| - | {"permission":"upgrade","from":"eth:0x5065809Af286321a05fBF85713B5D5De7C8f0433","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.4: | |
| - | {"permission":"upgrade","from":"eth:0x62e1Aaeba9A8AA4654980653dB4B21FC82C61c15","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.5: | |
| - | {"permission":"upgrade","from":"eth:0x64057ad1DdAc804d0D26A7275b193D9DACa19993","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.7: | |
| - | {"permission":"upgrade","from":"eth:0x85d37236f063C687d056b3604CBEe4B60d124858","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.8: | |
| - | {"permission":"upgrade","from":"eth:0x9D4c8FAEadDdDeeE1Ed0c92dAbAD815c2484f675","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.9: | |
| - | {"permission":"upgrade","from":"eth:0xAecF995ABf9E7eDE7ae0CE65E60622C9eD84823a","description":"upgrading the bridge implementation can give access to all funds escrowed therein.","role":".$admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| receivedPermissions.10: | |
| - | {"permission":"upgrade","from":"eth:0xF94B553F3602a03931e5D10CaB343C0968D793e3","role":"admin","via":[{"address":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6"}]} |
| directlyReceivedPermissions.0: | |
| - | {"permission":"act","from":"eth:0x313ce9Cec2070B519f13BDaFe07eabb4f215FEE6","role":".owner"} |
| } |
| contract L1CrossDomainMessenger (eth:0xF94B553F3602a03931e5D10CaB343C0968D793e3) { | |
| +++ description: Sends messages from host chain to this chain, and relays messages back onto host chain. In the event that a message sent from host chain to this chain is rejected for exceeding this chain's epoch gas limit, it can be resubmitted via this contract's replay function. | |
| values.proxyAdminOwner: | |
| - | "eth:0xe58C365Da30c746204022e61482bBE828cAA9091" |
| + | "eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A" |
| } |
| + | Status: CREATED |
| contract Xlayer Multisig (eth:0xC290bE56089BCC83c6993583ce2cF51a7951D45A) | |
| +++ description: None |
Rotated batcher address.
Rotated batcher address.
| contract SystemConfig (eth:0x5065809Af286321a05fBF85713B5D5De7C8f0433) { | |
| +++ description: Contains configuration parameters such as the Sequencer address, gas limit on this chain and the unsafe block signer address. | |
| values.batcherHash: | |
| - | "eth:0xdfd6C636Dcb5a013c2431316c4A0762B84e70a5d" |
| + | "eth:0x98245d0ADF4595C66F0a9Db8E13c44CBFF6be459" |
| } |
Because the state of the system is based on transactions submitted on the underlying host chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract on the host chain directly.
Funds can be lost if the Agglayer pessimistic proof system for shared bridge accounting is implemented incorrectly.
Funds can be frozen if the OP Succinct Lite proof system or verifier gateway cannot accept valid proofs during a challenge.

A Multisig with 5/9 threshold.
Participants (9):
0xEB5E…EA720xAb35…235E0xED7c…B5a20xdFEd…56Da0xffbf…32380xeD44…dB370x516e…46B70x2161…d4170x8B9F…782BA Multisig with 2/3 threshold.
A Multisig with 6/8 threshold.
Participants (8):
0xFe45…2e4b0xaF46…261D0xBDc2…FEFf0x4c16…88910x3ab9…D6220x49c1…0E860x9F7d…86A00x2188…1C28A Multisig with 3/5 threshold.
Member of Xlayer Multisig.


System contract defining the X Layer Aggchain logic. It only enforces bridge accounting (pessimistic) proofs to protect the shared bridge while the Aggchain state transitions are not proven. They must instead be signed by 1 aggchainSigner(s).
The dispute game factory allows the creation of dispute games, used to propose state roots and eventually challenge them.
A verifier gateway for pessimistic proofs. Manages a map of chains and their verifier keys and is used to route proofs based on the first 4 bytes of proofBytes data in a proof submission. The SP1 verifier is used for all proofs.
The shared bridge contract, escrowing user funds sent to Agglayer chains. It is usually mirrored on each chain and can be used to transfer both ERC20 assets and arbitrary messages.
All supported tokens in this escrow are included in the value secured calculation.
The central shared managing contract for Polygon Agglayer chains. This contract coordinates chain deployments and proof validation. All connected Layer 2s can be globally paused by activating the ‘Emergency State’. This can be done by the PolygonSecurityCouncil or by anyone after 1 week of inactive verifiers.
A merkle tree storage contract aggregating state roots of each participating Layer 2, thus creating a single global merkle root representing the global state of the Agglayer, the ‘global exit root’. The global exit root is synchronized to all connected Layer 2s to help with their interoperability.
A timelock with access control. In the case of an activated emergency state in the AgglayerManager, all transactions through this timelock are immediately executable. The current minimum delay is 3d.
Sends messages from host chain to this chain, and relays messages back onto host chain. In the event that a message sent from host chain to this chain is rejected for exceeding this chain’s epoch gas limit, it can be resubmitted via this contract’s replay function.
Contains the latest confirmed state root that can be used as a starting point in a dispute game. It specifies which game type can be used for withdrawals, which currently is the OPSuccinctFaultDisputeGame. Variant for chains using OPSuccinct (SP1) games instead of Cannon, which omits Cannon-specific cross-contract fields (vm, oracle, weth, challengePeriod, absolutePrestate from game).
Contract designed to hold the bonded ETH for each game. It is designed as a wrapper around WETH to allow an owner to function as a backstop if a game would incorrectly distribute funds.
The PreimageOracle contract is used to load the required data from L1 for a dispute game.
The MIPS contract is used to execute the final step of the dispute game which objectively determines the winner of the dispute.
A helper contract that generates OptimismMintableERC20 contracts on the network it’s deployed to. OptimismMintableERC20 is a standard extension of the base ERC20 token contract designed to allow the L1StandardBridge contracts to mint and burn tokens. This makes it possible to use an OptimismMintableERC20 as this chain’s representation of a token on the host chain, or vice-versa.
Used to bridge ERC-721 tokens from host chain to this chain.
Logic of the dispute game. When a state root is proposed, a dispute game contract is deployed. Challengers can use such contracts to challenge the proposed state root.
Contract managing access control for proposers and challengers in OPSuccinct.
This OP stack bridge contract has been modified to disallow ETH and ERC-20 bridging.
Extension contract of the AgglayerBridge for asset metadata…
The current deployment carries some associated risks:
Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).
Funds can be stolen if the source code of unverified contracts contains malicious code (CRITICAL).