Back to Archive
BA-2022-004

Accumulate Network Bridge

Independent Security Assessment

Network
EVM / Accumulate ADI
Date
September 29, 2022
Commit
4e074bc2
Result
Secure

01
Executive Summary

A comprehensive security evaluation of the Accumulate Network Bridge, focusing on cross-chain asset security, minting logic, and Gnosis Safe multi-sig integrations.
Findings Classification
Critical0
High1
Medium1
Low0
Informational0

02
Disclaimer

Note that as of the date of publishing, the contents of this report reflect the current understanding of known security patterns and state of the art regarding system security. You agree that your access and/or use, including but not limited to any associated services, products, protocols, platforms, content, and materials, will be at your sole risk.

The review does not extend to the compiler layer, or any other areas beyond the programming language, or other programming aspects that could present security risks. If the audited source files are smart contract files, risks or issues introduced by using data feeds from offchain sources are not extended by this review either.

Given the size of the project, the findings detailed here are not to be considered exhaustive, and further testing and audit is recommended after the issues covered are fixed.

To the fullest extent permitted by law, we disclaim all warranties, expressed or implied, in connection with this report, its content, and the related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

We do not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the report, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and we will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party providers of products or services.

FOR AVOIDANCE OF DOUBT, THE REPORT, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.

03
Audit Methodology

The above files' code was studied in detail in order to acquire a clear impression of how its specifications were implemented. The codebase was then subject to deep analysis and scrutiny, resulting in a series of observations. The problems and their potential solutions are discussed in this document and, whenever possible, we identify common sources for such problems and comment on them as well.

1. Code Review

Project Diagnosis

Understanding the size, scope and functionality of your project’s source code based on the specifications, sources, and instructions provided.

Manual Code Review

Reading your source code line-by-line to identify potential vulnerabilities.

Specification Comparison

Determining whether your project’s code successfully and efficiently accomplishes or executes its functions according to the specifications.

2. Testing and Automated Analysis

Test Coverage Analysis

Determining whether the test cases cover your code and how much of your code is exercised.

Symbolic Execution

Analyzing a program to determine the specific input that causes different parts of a program to execute its functions.

3. Best Practices Review

Reviewing the source code to improve maintainability, security, and control based on the latest established industry and academic practices, recommendations, and research.

04
Coverage of Issues

Access Control
Admin Rights
Arithmetic Precision
Code Improvement
Contract Upgrade/Migration
Delete Trap
Design Vulnerability
DoS Attack
EOA Call Trap
Fake Deposit
Function Visibility
Gas Consumption
Implementation Vulnerability
Inappropriate Callback Function
Injection Attack
Integer Overflow/Underflow
IsContract Trap
Miner's Advantage
Misc
Price Manipulation
Proxy selector clashing
Pseudo Random Number
Re-entrancy Attack
Replay Attack
Rollback Attack
Shadow Variable
Slot Conflict
Token Issuance
Tx.origin Authentication
Uninitialized Storage Pointer

05
Finding Detailed Analysis

BA-ACC-01
High

Centralized Minting Authority

Acknowledged
Description

The minting function is governed by a single owner role, which is intended to be a Gnosis Safe but remains a potential single point of failure if not properly decentralized.

Recommendation

Ensure the owner is always a high-threshold multi-sig wallet and consider implementing a minting cap.

Technical Exploit Scenario

If the single owner's private key is compromised, an attacker can mint infinite wrapped tokens and drain all liquidity on the target chain.

BA-ACC-02
Medium

Invalid Owner Provided in Gnosis API

Fixed
Description

Gnosis safe API kept returning mint tx as incomplete after it was submitted, potentially leading to operational delays or stuck transactions.

Recommendation

Store the latest safetxhash and verify it against the API returned value.

Technical Exploit Scenario

An operator might re-submit a transaction thinking it failed, leading to double-execution risks if the bridge logic doesn't strictly track nonces.

Standard of Integrity

BACKCODE ANALYTICS

Formal verification & cryptographic audit lab. We provide the mathematical certainty required for the decentralized future.

BACKCODE.ORGVERIFIED REPORT