POA Network’s TokenBridge, the interoperability protocol used for coordinated token transfer between EVM chains, recently finished a security audit with SmartDec, a blockchain and smart contract security firm. This comprehensive audit was conducted in response to the ERC20 <-> Native implementation, a new bridge mode designed for the xDai Stable Chain. TokenBridge has garnered a lot of interest from the blockchain community - many projects are developing use cases for cross-chain functionality and are exploring TokenBridge as a solution. To ensure the bridge is a safe, sound and secure mechanism for token conversion, POA Network took the initiative to engage with SmartDec.
The audit was primarily concerned with POA Network smart contract functionality, and the auditors found 0 critical issues. Their process is exhaustive, employing automated scanning, manual analysis of all code and documentation, and thorough reporting of all issues. In addition, the SmartDec team checks for specific vulnerabilities related to a long list of attack vectors.
The audit did find 2 medium-severity issues, which can influence operations but do not put the project at risk. The first issue was related to bridge imbalances that could occur if a user tries to bridge too many tokens using a fee-based bridge. In this scenario, potential discrepancies could be created (different amounts of tokens on each side of the bridge) due to differences in fees related to returning the overage. This issue was addressed by the team and fixed in TokenBridge v2.3.3, the latest version. The second issue was related to the bridge design itself and the potential power of the bridge contract owner to modify contracts (which may be required for needed contract fixes or to remove a malicious validator). The audit highlighted that all accounts with management and/or modification ability should always be controlled by multisig wallets, so that no single entity has the ability to make changes to the bridge functionality (although the TokenBridge does require a trusted group or DAO to operate).
There were a number of low-severity issues related to code refactoring (limiting gas consumption, eliminating redundant code, and ensuring proper naming conventions). These have been fixed in the latest release. Overall, the latest release includes 24 fixed issues related to the audit, as well as a small number of enhancements to the codebase. We feel the audit successfully confirmed that there are no major security issues with the bridge, and it also pointed out a number of quick improvements and upgrades we could make to the code.
At POA Network, we realize the importance of transparency and security in order to prevent malicious actors and attacks. By conducting a full security audit of the TokenBridge, we aim to guard against any and all potential security issues.
POA Network would like to thank Ocean Protocol and the Energy Web Foundation, both of whom helped sponsor the security audit for the TokenBridge. Ocean Protocol will be deploying the TokenBridge to their POA-based network and using the most current version of the TokenBridge in production.
“The TokenBridge interoperability protocol developed by the POA Network team is an extremely useful technology. We use it in Ocean Protocol for users to transfer Ocean tokens between the Ocean mainnet and the Ethereum mainnet. The successful completion of this audit gives the community and ecosystem projects like Ocean even further confidence in the TokenBridge technology.” Trent McConaghy - Founder of Ocean Protocol
Going forward, the TokenBridge is an essential component of the POA development roadmap, and will feature prominently in the xDai Stable Chain upgrade to POSDAO consensus.