DESCRIPTION
Spherium Bridge utilizes LayerZero framework to bridge tokens from source chain to target chain.
The core contract covered in this audit includes BridgeV2 in the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.
In summary, we have found that the codebase contains three high-risk issues that require prompt attention. In addition, we have identified two non-critical issues as well as three security suggestions and four notes that should be considered. The Bridge team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 5 potential issues in the smart contract. We also have 3 recommendations and 4 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | High | Missing setter for the senderContractToEId mapping |
Software Security | Fixed |
| 2 | Medium | Lack of token address check in the removeTokenFromWhitelist function |
Software Security | Fixed |
| 3 | Low | Withdrawal fee is charged while not transferred to fee recipient | Software Security | Fixed |
| 4 | High | Incorrect order of magnitude | Software Security | Fixed |
| 5 | High | Potential failed bridging due to inconsistent token addresses | DeFi Security | Fixed |
| 6 | - | Remove duplicated codes | Recommendation | Fixed |
| 7 | - | Add a check on destChain |
Recommendation | Acknowledged |
| 8 | - | Revise the duplicated handling logic in the deposit function |
Recommendation | Fixed |
| 9 | - | Accidental native token transfers are not taken into consideration | Note | - |
| 10 | - | Potential centralization risks | Note | - |
| 11 | - | A token cannot have both isMinted and isPegged attributes |
Note | - |
| 12 | - | Unverified LayerZero options | Note | - |
More details are provided in the audit report.