BridgeX Info
This bridge was developed by the ChainChangers team with the support of the OpenGPU Foundation.
TrustNet Score
The TrustNet Score evaluates crypto projects based on audit results, security, KYC verification, and social media presence. This score offers a quick, transparent view of a project's credibility, helping users make informed decisions in the Web3 space.
Real-Time Threat Detection
Real-time threat detection, powered by Cyvers.io,
is currently not
activated
for this project.
This advanced feature provides continuous monitoring and instant alerts to safeguard your assets from potential security threats. Real-time detection enhances your project's security by proactively identifying and mitigating risks.
For more information, click here.
Security Assessments
Summary and Final Words
No crucial issues found
The contract does not contain issues of high or medium criticality. This means that no known vulnerabilities were found in the source code.
Contract owner cannot mint
It is not possible to mint new tokens.
Contract owner cannot blacklist addresses.
It is not possible to lock user funds by blacklisting addresses.
Contract owner can set high fees
Contract owner is able to set fees above 25%. Very high fees can also prevent token transfer.
Token transfer can be locked
Owner can lock user funds with owner functions.
Token cannot be burned
There is no burning within the contract without any allowances
Ownership is not renounced
The owner retains significant control, which could potentially be used to modify key contract parameters.
Contract is upgradeable
The contract uses a proxy pattern or similar mechanism, enabling future upgrades. This can introduce risks if the upgrade mechanism is not securely managed.
Scope of Work
This audit encompasses the evaluation of the files listed below, each verified with a SHA-1 Hash. The team referenced above has provided the necessary files for assessment.
The auditing process consists of the following systematic steps:
- Specification Review: Analyze the provided specifications, source code, and instructions to fully understand the smart contract's size, scope, and functionality.
- Manual Code Examination: Conduct a thorough line-by-line review of the source code to identify potential vulnerabilities and areas for improvement.
- Specification Alignment: Ensure that the code accurately implements the provided specifications and intended functionalities.
- Test Coverage Assessment: Evaluate the extent and effectiveness of test cases in covering the codebase, identifying any gaps in testing.
- Symbolic Execution: Analyze the smart contract to determine how various inputs affect execution paths, identifying potential edge cases and vulnerabilities.
- Best Practices Evaluation: Assess the smart contracts against established industry and academic best practices to enhance efficiency, maintainability, and security.
- Actionable Recommendations: Provide detailed, specific, and actionable steps to secure and optimize the smart contracts.
A file with a different Hash has been intentionally or otherwise modified after the security review. A different Hash may indicate a changed condition or potential vulnerability that was not within the scope of this review.
Final Words
The following provides a concise summary of the audit report, accompanied by insightful comments from the auditor. This overview captures the key findings and observations, offering valuable context and clarity.
Ownership Privileges
BridgeETH.sol
- The owner can pause and unpause all contract operations.
BridgeOGPU.sol
- The owner can pause and unpause all contract operations.
FeeManager.sol
- The owner can set arbitrary fee amounts and fee receivers.
TaxManagerETH.sol
- The owner can set tax percentages, maximum tax amounts, and tax receivers.
- The owner can exempt specific addresses from taxes.
TaxManagerOGPU.sol
- The owner can set tax percentages, maximum tax amounts, and tax receivers.
- The owner can exempt specific addresses from taxes.
TokenManager.sol
- The owner can add/remove supported tokens and configure their properties.
RequestValidator.sol
- The owner can add/remove validators who sign cross-chain transfer requests.
RequestValidator.sol
- The owner can add/remove validators who sign cross-chain transfer requests.
Operator.sol
- The owner can add/remove operators.
- The owner can update the autosendgas limit value.
- The operator can execute the auto-send operations.
TokenRescuer.sol
- The owner can withdraw any tokens stored in the contract.
Note - This Audit report consists of a security analysis of the BridgeX smart contract. This analysis did not include functional testing (or unit testing) of the contract’s logic. Moreover, we only audited the mentioned contract for the BridgeX team. Other contracts associated with the project were not audited by our team. We recommend investors do their own research before investing.
Files and details
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Functions
public
/
State variables
public
/
Total lines
of code
/
Capabilities
Hover on items
/
Findings and Audit result
medium Issues | 7 findings
Pending
#1 medium Issue
Uncapped Fee Setting Authority
The FeeManager contract allows the owner to set arbitrary bridge fees without any maximum limit or validation controls, creating a significant centralization risk. The setFee function permits setting fees to potentially excessive values with no upper bound, while the fee receiver address lacks zero-address validation. This design gives the owner unlimited authority to extract value from users through legitimate bridge transactions without any safeguards or transparency mechanisms. Users have no protection against sudden, extreme fee increases that could make bridge transactions prohibitively expensive or drain their funds. To mitigate this vulnerability, the contract should implement: 1) a reasonable maximum fee cap (e.g., MAX_FEE constant), 2) zero-address validation for the fee receiver, 3) a timelock mechanism requiring a delay between fee change proposal and implementation, and 4) emitting events for all fee changes to enhance transparency and allow users to monitor fee adjustments.
Pending
#2 medium Issue
Uncapped Tax Control in TaxManagerETH
The TaxManagerETH contract presents significant centralization risks through its unrestricted tax management functions. The owner can set arbitrary tax percentages through setTax() without any maximum cap, potentially allowing a malicious or compromised owner to configure a 100% tax rate that would confiscate users' entire bridge amounts. Similarly, the stableMaxTaxAmount can be set to excessive values for stable coins, while the taxReceiver address can be changed to any address without zero-address validation. The contract also enables selective preferential treatment through the setTaxExempt() function, creating fairness concerns. Most concerning, for non-stable tokens, taxes are implemented by minting new tokens to the taxReceiver rather than transferring existing ones, potentially inflating token supplies. To mitigate these risks, the contract should implement: 1) a reasonable maximum tax percentage cap (e.g., 5% or 500 basis points), 2) validation checks for the taxReceiver address, 3) transparent logging of all tax exemptions through events, 4) a timelock mechanism for tax parameter changes, and 5) a governance or multi-signature requirement for changing critical tax parameters to prevent unilateral exploitation.
Pending
#3 medium Issue
Missing threshold for autoSendGasLimit.
The Operator contract lacks an upper threshold when setting autoSendGasLimit, creating a centralization risk where the owner could set an excessively high value, causing most bridged funds to go to operators instead of users. Since the cost calculation is gasPrice * autoSendGasLimit, an unreasonably high limit could drain user funds under the guise of operator compensation. To mitigate this vulnerability, implement a reasonable maximum threshold with a constant like MAX_AUTO_SEND_GAS_LIMIT (e.g., 1,000,000) and add a require statement in the setAutoSendGasLimit function to enforce this boundary, ensuring that users receive the majority of their bridged funds regardless of owner actions.
Pending
#4 medium Issue
Privileged Owner Access to Withdraw Any Funds from the Bridge Contract.
The TokenRescuer contract, which is inherited by the BridgeETH contract, implements functions rescueTokens() and rescueEther() that allow the contract owner to withdraw any amount of any ERC20 token or ETH from the contract to any address. While these functions are common in bridge implementations to recover accidentally sent tokens or resolve emergency situations, they present a significant centralization risk since they have no limitations or safeguards. The TokenRescuer contract allows the owner to withdraw any tokens or ETH without restrictions, creating centralization risk. While common in bridges for emergency recovery, implementing timelocks, multi-signature requirements, and token allowlists would better protect user funds while maintaining recovery capabilities.
Pending
#5 medium Issue
Uncapped Tax Control in TaxManagerOGPU
The TaxManagerOGPU contract presents significant centralization risks through its unrestricted tax management functions. The owner can set arbitrary tax percentages through setTax() without any maximum cap, potentially allowing a malicious or compromised owner to configure a 100% tax rate that would confiscate users' entire bridge amounts. Similarly, the stableMaxTaxAmount can be set to excessive values for stable coins, while the taxReceiver address can be changed to any address without zero-address validation. The contract also enables selective preferential treatment through the setTaxExempt() function, creating fairness concerns. Most concerning, for non-stable tokens, taxes are implemented by minting new tokens to the taxReceiver rather than transferring existing ones, potentially inflating token supplies. To mitigate these risks, the contract should implement: 1) a reasonable maximum tax percentage cap (e.g., 5% or 500 basis points), 2) validation checks for the taxReceiver address, 3) transparent logging of all tax exemptions through events, 4) a timelock mechanism for tax parameter changes, and 5) a governance or multi-signature requirement for changing critical tax parameters to prevent unilateral exploitation.
Pending
#6 medium Issue
Centralized Contract Pausing Mechanism
The BridgeETH contract's pause functionality introduces centralization risks by allowing a single owner to halt all bridge operations indefinitely. This creates vulnerability to regulatory pressure, potential fund locking during cross-chain transfers, and lacks emergency fund retrieval mechanisms. To mitigate these risks, implement: (1) multi-signature or DAO governance for pause decisions, (2) time-limited pauses that automatically expire, (3) tiered pausing to keep basic fund retrieval operational, (4) emergency withdrawal mechanisms for extended pauses, and (5) advance warning periods before non-emergency pauses. These changes would preserve emergency protection while reducing centralization and better safeguarding user funds.
Pending
#7 medium Issue
Centralized Contract Pausing Mechanism
The BridgeOGPU contract's pause functionality introduces centralization risks by allowing a single owner to halt all bridge operations indefinitely. This creates vulnerability to regulatory pressure, potential fund locking during cross-chain transfers, and lacks emergency fund retrieval mechanisms. To mitigate these risks, implement: (1) multi-signature or DAO governance for pause decisions, (2) time-limited pauses that automatically expire, (3) tiered pausing to keep basic fund retrieval operational, (4) emergency withdrawal mechanisms for extended pauses, and (5) advance warning periods before non-emergency pauses. These changes would preserve emergency protection while reducing centralization and better safeguarding user funds.
low Issues | 14 findings
Pending
#1 low Issue
Missing zero or dead address validation in Initialization
The initialize function does not validate if critical address parameters like _feeReceiver and _taxReceiver are non-zero addresses. Setting these to zero addresses could lead to fund loss. Implement zero address checks for all address parameters in the initialization function.
Pending
#2 low Issue
Local variables shadowing (shadowing-local)
Rename the component that shadows another component.
Pending
#3 low Issue
Missing Input Validation
The bridge function lacks critical validation checks for several parameters, introducing security vulnerabilities. The receiver address is not verified as non-zero, potentially allowing tokens to be permanently lost if set to address(0). Similarly, there's no validation that the amount parameter is greater than zero, which could permit meaningless zero-value transfers consuming gas for no benefit. Additionally, the function doesn't verify that the destination chain ID differs from the current chain, potentially causing confusion and unnecessary transactions. To mitigate these issues, the contract should implement three explicit validation checks: 1) require(receiver != address(0), "Zero address not allowed"); 2) require(amount > 0, "Amount must be positive"); and 3) require(toChainId != block.chainid, "Cannot bridge to same chain"). These simple validations would significantly enhance the contract's security posture and prevent accidental misuse that could lead to asset loss.
Pending
#4 low Issue
Salt Replay Protection Weakness
The salt parameter is user-provided without validation of uniqueness per user. If a user reuses a salt value, the function would still accept it as the hash checks are global, not per-user.
Pending
#5 low Issue
Missing zero or dead address check
It is recommended to check that the address cannot be set to zero or dead address.
Pending
#6 low Issue
Missing events arithmetic.
It is recommended to emit all the critical parameter changes.
Pending
#7 low Issue
Missing events arithmetic.
It is recommended to emit all the critical parameter changes.
Pending
#8 low Issue
Missing zero or dead address check
It is recommended to check that the address cannot be set to zero or dead address.
Pending
#9 low Issue
Missing zero or dead address check
It is recommended to check that the address cannot be set to zero or dead address.
Pending
#10 low Issue
Missing events arithmetic.
It is recommended to emit all the critical parameter changes.
Pending
#11 low Issue
Missing zero or dead address check
It is recommended to check that the address cannot be set to zero or dead address.
Pending
#12 low Issue
Local variables shadowing (shadowing-local)
Rename the component that shadows another component.
Pending
#13 low Issue
Missing events arithmetic.
It is recommended to emit all the critical parameter changes.
Pending
#14 low Issue
Missing zero or dead address check
It is recommended to check that the address cannot be set to zero or dead address.
informational Issues | 2 findings
Pending
#1 informational Issue
Spelling Error in Variable Name
The variable name for the operator list is misspelled as _opreators instead of _operators. While not directly a security vulnerability, this is a code quality issue that could lead to confusion during maintenance.
Pending
#2 informational Issue
No Token Update Functionality
The contract lacks a function to update token properties or supported chain configurations. To modify a token's properties, it would need to be removed and re-added, which could disrupt operations and lead to inconsistent states.