Token Architecture — Technical Specification

01

Token Standard — ERC-3643 (T-REX Protocol)

What is ERC-3643?

ERC-3643, also known as the T-REX (Token for Regulated EXchanges) Protocol, is a permissioned ERC-20 token standard with a built-in identity layer. It extends the standard ERC-20 interface to enforce transfer restrictions at the protocol level — every token transfer is validated against an on-chain compliance module before execution.

The standard was developed by Tokeny Solutions and became the first security token standard to receive ISO recognition. It is formally referenced in the ISO/TR 23455:2024 framework for blockchain-based securities.

Why ERC-3643 over alternatives?

On-chain identity (ONCHAINID) — unique among token standards, ERC-3643 integrates identity attestations directly into the protocol. Wallets are mapped to verified identities, enabling regulatory-grade KYC enforcement on-chain.
DeFi composability — unlike ERC-1400, which breaks standard ERC-20 interfaces, ERC-3643 tokens remain compatible with Uniswap, Aave, Curve, and other DeFi protocols (within compliance bounds).
Multi-chain native — the standard is chain-agnostic and deployed on Ethereum, Polygon, Avalanche, and Base with identical contract interfaces.
Institutional adoption — BlackRock's BUIDL fund (via Securitize), the world's largest tokenised Treasury fund, uses infrastructure compatible with ERC-3643 identity standards. Securitize's ATS platform leverages this for compliant secondary trading.

Standard Comparison

Standard	Permissioned	On-Chain ID	DeFi Compatible	Multi-Chain	Institutional Adoption
ERC-20	No	No	Yes	Yes	Low
ERC-1400	Yes	No	Limited	Limited	Medium
ERC-3643	Yes	Yes (ONCHAINID)	Yes	Yes	High (BlackRock, Securitize)
ERC-3525	No	No	Yes	Limited	Low

Key Components

Core

Token Contract

ERC-20 compliant token with transfer() and transferFrom() hooks that check the compliance module before every transfer executes.

Identity

Identity Registry

Maps wallet addresses to on-chain identity contracts (ONCHAINID). Stores verification status and links to claim attestations.

Compliance

Compliance Module

Modular rule engine evaluated on every transfer. Enforces jurisdiction restrictions, investor caps, lock-up periods, and accreditation checks.

Trust

Claim Topics Registry

Defines what claims (KYC, accreditation, jurisdiction) are required for a wallet to hold or transfer tokens.

02

Smart Contract Architecture

Each AQ segregated portfolio deploys its own token contract with shared identity infrastructure. The contract hierarchy below represents a complete deployment for a single fund token (e.g. AQ-YIELD).

Core Token Layer

Token (ERC-3643)

Per segregated portfolio. The investor-facing ERC-20 token with built-in compliance hooks.

Key Functions: transfer(), mint(), burn(), pause(), setCompliance(), setIdentityRegistry()
Admin Roles: Owner TransferAgent
Upgrade: UUPS proxy — 48h timelock, 3-of-5 multi-sig

Identity Layer

IdentityRegistry

Maps wallet addresses to verified ONCHAINID identity contracts. Queried on every token transfer to validate sender/receiver.

Key Functions: registerIdentity(), removeIdentity(), updateIdentity(), isVerified(), identity()
Admin Roles: ComplianceAgent TransferAgent
Upgrade: UUPS proxy — shared across all fund tokens

IdentityRegistryStorage

Persistent storage for identity attestations. Separates storage from logic to enable registry upgrades without data migration.

Key Functions: addIdentityToStorage(), modifyStoredIdentity(), removeIdentityFromStorage()
Admin Roles: Owner
Upgrade: Non-upgradeable (pure storage)

TrustedIssuersRegistry

Maintains the list of approved claim issuers (KYC providers like Sumsub/Jumio). Only claims from trusted issuers are accepted.

Key Functions: addTrustedIssuer(), removeTrustedIssuer(), isTrustedIssuer(), getTrustedIssuers()
Admin Roles: Owner
Upgrade: UUPS proxy — 48h timelock

ClaimTopicsRegistry

Defines which claim topics (KYC, accredited investor, jurisdiction) are required for token holders.

Key Functions: addClaimTopic(), removeClaimTopic(), getClaimTopics()
Admin Roles: Owner
Upgrade: UUPS proxy

Compliance Layer

ComplianceModule

Modular compliance engine attached to the token contract. Evaluates transfer rules: country restrictions, investor limits, lock-up periods.

Key Functions: canTransfer(), transferred(), addModule(), removeModule(), callModuleFunction()
Admin Roles: ComplianceAgent Owner
Upgrade: Modular — individual modules can be swapped without touching the token contract

Oracle & Controller Layer

NAVOracle

Receives daily NAV per token from fund admin. Published via Chainlink Custom Feed or Pyth Network push oracle.

Key Functions: publishNAV(), getLatestNAV(), getTimestamp(), isStale(), verifySignature()
Admin Roles: NAVUpdater (2-of-3 multi-sig: fund admin, AQ ops, trustee)
Upgrade: UUPS proxy — 48h timelock

MintRedeemController

Handles subscription (mint) and redemption (burn) at NAV. Enforces gate provisions, minimum amounts, and staleness checks.

Key Functions: subscribe(), requestRedemption(), processRedemption(), setGateLimit(), pause()
Admin Roles: TransferAgent Owner
Upgrade: UUPS proxy — 48h timelock

YieldDistributor

Optional USDC drip for retail-oriented tokens. Distributes yield pro-rata to token holders on a configurable schedule.

Key Functions: distributeYield(), claimYield(), setSchedule(), getUnclaimedYield()
Admin Roles: Owner
Upgrade: UUPS proxy

03

Identity & Compliance Layer

ONCHAINID Standard

ONCHAINID is the on-chain identity standard used by ERC-3643. Each investor deploys a lightweight identity proxy contract (ERC-735/ERC-734) that stores cryptographic attestations (claims) about their identity. Claims are signed by trusted issuers — the investor never reveals raw PII on-chain, only cryptographic proofs that they passed verification.

KYC Verification Flow

Investor Onboarding — KYC to Wallet Whitelist

1Investor Signup

AQ Portal registration form

→

2Sumsub / Jumio

ID verification, liveness, document check

→

3Off-Chain Verification

AML/sanctions screening, accreditation

→

4Claim Issuance

Trusted issuer signs on-chain claim

→

5Identity Registry

Wallet mapped to ONCHAINID contract

→

6Wallet Whitelisted

Can hold/transfer AQ tokens

Compliance Rules — Enforced on Every Transfer

The ComplianceModule evaluates every transfer() and transferFrom() call. If any rule fails, the transaction reverts.

Rule	Description	Enforcement
KYC Verification	Both sender and receiver must have valid KYC claims in the Identity Registry	On-chain — IdentityRegistry.isVerified()
Jurisdiction Whitelist	Transfers blocked to/from wallets linked to OFAC-sanctioned or restricted jurisdictions	On-chain — CountryModule
Accreditation Check	US investors must hold accredited investor claim (Reg D 506(c)). Non-US investors exempt under Reg S.	On-chain — ClaimTopics verification
Max Holder Count	Configurable limit on total unique holders per token (e.g. 99 for Reg D, 2000 for Reg A+)	On-chain — MaxHolderModule
Lock-Up Period	Tokens cannot be transferred within the lock-up window post-mint (e.g. 12 months for Reg D)	On-chain — TimeLockModule
AML Monitoring	Ongoing transaction monitoring with Chainalysis/Elliptic. Suspicious wallets can be frozen by ComplianceAgent.	Hybrid — off-chain monitoring, on-chain freeze

Claim Expiry: KYC claims have a configurable expiry (typically 12 months). Expired claims must be renewed before the wallet can transact. The compliance module checks claim validity timestamps on every transfer.

04

NAV Oracle Architecture

Design Overview

The NAV Oracle bridges the fund's off-chain valuation process to on-chain token pricing. It provides the authoritative NAV per token that determines subscription and redemption prices.

NAV Publication Flow

1Fund Admin Calculates NAV

Citco / NAV Consulting — daily EOD

→

2Multi-Sig Approval

2-of-3: fund admin, AQ ops, trustee

→

3Oracle Push

Chainlink Custom Feed or Pyth Network

→

4NAVOracle Contract

Stores: NAV/token, timestamp, signature

→

5Mint / Redeem Enabled

MintRedeemController reads latest NAV

Oracle Contract Specification

Field	Type	Description
navPerToken	uint256	NAV per token in USDC base units (6 decimals). E.g. 1,052,300 = $1.0523
timestamp	uint256	Unix timestamp of the NAV calculation (EOD UTC)
fundAdminSig	bytes	ECDSA signature from the fund admin's authorized key
roundId	uint256	Monotonically increasing NAV publication counter

Safety Mechanisms

Staleness

48h Max Age

If the latest NAV publication is older than 48 hours, the MintRedeemController automatically pauses all subscriptions and redemptions until a fresh NAV is published.

Anomaly

±5% Circuit Breaker

If the new NAV deviates more than 5% from the previous publication, the contract flags an anomaly and requires manual 3-of-5 multi-sig override to proceed.

Governance

2-of-3 Multi-Sig

NAV updates require signatures from at least 2 of 3 parties: fund administrator, AQ Capital operations, and an independent trustee.

05

Mint / Redeem Flow

Subscription (Mint)

Subscription Flow — Investor to Token

1KYC Complete

Investor verified on AQ Portal

→

2Identity Attested

ONCHAINID claim issued to wallet

→

3Deposit Sent

BTC / USDC / USD to deposit address

→

4Receipt Confirmed

Fund admin confirms, calculates NAV

→

5Tokens Minted

AQ tokens at NAV rate

→

6Wallet Credited

Tokens appear in investor wallet

Post-Subscription: Underlying BTC is posted as collateral on Deribit/AAVE, USDC is borrowed against it, and USD proceeds are deployed into the fund's yield strategies (covered calls, basis trades, DeFi lending).

Redemption (Burn)

Redemption Flow — Token to Investor

1Request Redemption

Investor calls requestRedemption()

→

2Queue Entry

T+1 to T+3 settlement window

→

3NAV Calculated

Fund admin determines redemption NAV

→

4Position Unwinding

Trading engine frees liquidity

→

5Tokens Burned

Smart contract burns token supply

→

6USDC Released

Funds sent to investor wallet

Gate Provision: Redemptions exceeding 5% of total fund AUM per quarter may be subject to a gate mechanism — maximum 25% of outstanding redemption requests processed per quarter. This protects remaining investors from forced liquidation in stressed market conditions.

06

Multi-Chain Deployment

Ethereum Mainnet

PRIMARY

Gas Cost~$10–$50 / tx

DeFi DepthDeepest

CredibilityHighest

Primary deployment for institutional credibility. Deepest DeFi composability (Aave, Compound, Curve). Highest gas costs — suitable for large-value transactions.

AQ-YIELD AQ-TBASIS AQ-STABLE

Base (Coinbase L2)

L2

Gas Cost~$0.01 / tx

DistributionCoinbase Native

USDCNative Circle USDC

Ultra-low gas, native Coinbase distribution channel, USDC-native ecosystem. Fastest path to CeFi exchange integration and retail accessibility.

AQ-YIELD AQ-TBASIS AQ-STABLE AQ-BTC

Avalanche C-Chain

RWA ECOSYSTEM

Gas Cost~$0.02 / tx

RWA PartnersSecuritize, Ondo

IncentivesAVAX Foundation RWA

Established RWA ecosystem with Securitize and Ondo deployments. Avalanche Foundation provides RWA-specific incentive programs. Low cost, fast finality.

AQ-YIELD AQ-STABLE

Polygon PoS

BROAD REACH

Gas Cost~$0.005 / tx

Exchange IntegrationsBroadest

User BaseLarge

Broad exchange integration, ultra-low cost, largest user base. Ideal for maximum accessibility and secondary market liquidity.

AQ-YIELD AQ-TBASIS AQ-STABLE AQ-BTC

Cross-Chain Mechanics

Canonical Bridge: Chainlink CCIP or LayerZero OFT standard for token transfers between chains. Tokens are locked on source chain and minted on destination.
NAV Oracle Sync: NAV oracle deployed independently on each chain. Oracle updates pushed to all chains via cross-chain messaging (CCIP) within the same multi-sig publication transaction.
Identity Registry Sync: Identity attestations replicated across chains via cross-chain messaging. New KYC verifications propagated to all chain deployments within one block confirmation.
Single Source of Truth: Ethereum mainnet is the canonical deployment. All other chains reference Ethereum state for conflict resolution.

07

Technology Stack

Component	Technology	Role
Smart Contracts	Solidity 0.8.x, ERC-3643	Token issuance, compliance enforcement, NAV-based mint/redeem
Security Audit	Trail of Bits + Consensys Diligence	Dual audit — manual review (ToB) + automated + manual (Consensys)
Frontend	React / Next.js, wagmi, RainbowKit	AQ Portal — investor dashboard, KYC flow, subscription/redemption UI
Backend	Python (FastAPI) + Node.js	Subscription management, reporting, NAV ingestion, webhook handlers
KYC / AML	Sumsub	Identity verification, document checks, liveness detection, ongoing monitoring
On-Chain Identity	ONCHAINID (ERC-735 / ERC-734)	Wallet-level identity attestations, claim storage, trusted issuer verification
NAV Oracle	Chainlink Custom Feed	On-chain NAV publication, staleness protection, anomaly detection
Custody	Fireblocks / BitGo	Institutional-grade asset custody, MPC wallet infrastructure, policy engine
Transfer Agent	Securitize	Record keeping, ATS (Alternative Trading System) for secondary market, cap table
Fund Admin	Citco / NAV Consulting	Daily NAV calculation, investor record keeping, regulatory reporting
Monitoring	OpenZeppelin Defender	Contract monitoring, automated incident response, admin action proposals
Deployment	Hardhat + Safe (multi-sig)	Deterministic deployment, upgrade proposals, multi-sig admin operations

08

Security Model

Upgrade & Access Control

Upgrades

UUPS Proxy + 48h Timelock

All upgradeable contracts use the UUPS (Universal Upgradeable Proxy Standard) pattern. Upgrade proposals require a 48-hour timelock, giving stakeholders time to review and veto. Timelock is enforced by a TimelockController contract with 3-of-5 multi-sig proposer.

Admin

3-of-5 Multi-Sig

Critical operations (pause all contracts, upgrade logic, override NAV) require 3 of 5 signers via Safe multi-sig. Signers: AQ CEO, AQ CTO, legal counsel, fund administrator, independent director.

Role-Based Access Control

Role	Permissions	Holder
Owner	Upgrade contracts, grant/revoke roles, pause system, update registries	3-of-5 Safe multi-sig
ComplianceAgent	Freeze wallets, update compliance modules, manage country lists, force transfers (recovery)	AQ Compliance Officer + Legal
NAVUpdater	Publish NAV updates (requires 2-of-3 multi-sig within the role)	Fund Admin + AQ Ops + Trustee
TransferAgent	Mint/burn tokens, process subscriptions/redemptions, manage investor records	Securitize platform + AQ Ops

Audit & Bug Bounty

Primary Audit

Trail of Bits

Manual security review by one of the industry's top-tier audit firms. Focus on logic bugs, access control, upgrade safety, and cross-contract interaction risks.

Secondary Audit

Consensys Diligence

Automated analysis (Mythril, Slither) plus manual review. Coverage of ERC-3643-specific compliance logic, identity registry edge cases, and oracle manipulation vectors.

Bug Bounty

$100K–$500K via Immunefi

Tiered bounty program on Immunefi. Critical vulnerabilities (fund loss, unauthorized mint) eligible for up to $500K. Medium/low severity on a sliding scale.

Protective Mechanisms

Mechanism	Trigger	Action
NAV Circuit Breaker	NAV change exceeds ±5% from previous publication	Auto-pause mints/redeems. Require 3-of-5 override to resume.
Oracle Staleness	Latest NAV publication older than 48 hours	Auto-pause mints/redeems until fresh NAV published.
Rate Limiting	Single address exceeds mint/redeem threshold per period	Queue excess requests. ComplianceAgent manually reviews.
Emergency Pause	Any 1-of-5 multi-sig signer triggers emergency pause	All token transfers, mints, and redeems halted immediately.
Wallet Freeze	AML alert or sanctions match on a specific wallet	ComplianceAgent freezes wallet. Frozen tokens cannot be transferred.

09

Integration Points

DeFi Lending

AQ tokens listed as collateral on Aave v3 and Compound v3. Requires governance proposal on each protocol. Collateral factor determined by liquidity depth and NAV oracle reliability. Permissioned pool option for institutional-only lending.

Aave v3 / Compound v3 — Governance Proposal

DEX Liquidity

AQ-STABLE paired with USDC in Curve stable pools and Uniswap v3 concentrated liquidity. LP positions restricted to KYC'd addresses via compliance module. Yield from LP fees accrues to the fund.

Curve / Uniswap v3 — Permissioned LP

Cross-Chain Bridging

LayerZero OFT or Chainlink CCIP for canonical token bridging between Ethereum, Base, Avalanche, and Polygon. Lock-and-mint architecture preserves total supply invariant across chains.

LayerZero / Chainlink CCIP

CeFi Distribution

Coinbase listing requires Base deployment plus BD/ATS (Broker-Dealer / Alternative Trading System) registration via Securitize. Target: Coinbase Institutional and retail platform access.

Coinbase + Securitize ATS

Fund Platforms

Calastone DLT integration for tokenised fund share settlement with traditional fund platforms. Enables discovery by wealth managers and IFAs using existing fund distribution rails.

Calastone DLT

Data Feeds

Chainlink price feed for AQ token NAV. Enables downstream integrations — portfolio trackers (Zapper, DeBank), aggregators, and automated yield strategies that reference AQ token pricing.

Chainlink Price Feed