EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

ETH-BSC Swap #508

Closed yuriy77k closed 3 years ago

yuriy77k commented 3 years ago

Audit request

ETH-BSC Swap

Website: https://openbisea.io/ethereum-binancesmartchainbridge

Source code

https://github.com/oleksiivinogradov/eth-bsc-swap-contracts/blob/20ec6c502ba97cb530a54070d3b040ccdab76258/contracts/

This code is deployed at:

Disclosure policy

... Do you want us to publish the report as it is or to notify you privately in case of finding critical mistakes? ...

... provide your conditions for publishing the report or leave only standard disclosure policy link ...

Standard disclosure policy.

Contact information (optional)

... Provide information to contact you or the smart contract-developer in case high severity issues will be found ...

... Provide information about the media resources of the project you want us to audit (website/ twitter account/ reddit/ telegram channel/ etc.) ...

Platform

BSC, ETH

yuriy77k commented 3 years ago

ETH-BSC Swap Security Audit Report V.2.

1. Summary

ETH-BSC Swap smart contract security audit report performed by Callisto Security Audit Department.

Website: https://openbisea.io/ethereum-binancesmartchainbridge

2. In scope

Commit 20ec6c502ba97cb530a54070d3b040ccdab76258

This code is deployed at:

2.1. Excluded

Folder test.

3. Findings

In total, 1 issue was reported, including:

3.1. The swapping process is completely under the Owner's control.

Severity: owner privileges

Description

The owner can transfer tokens on the Ethereum side and mint them on the BSC side.

However, Owner provides a transaction hash as proof of the user's swap operation. Therefore anyone can check each swap operation and ensure its correctness.

4. Conclusion

The audited smart contract can be deployed. Pointed issues were fixed.

Since the swapping process is completely in the owner's power, users should understand the risk of an "exit scam".

5. Previous report revealing

https://gist.github.com/yuriy77k/326fde5902e91a2ea950a537b89258bd
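One way to perform the check the report describes ("anyone can check each swap operation"), as an added example that is not code from the audited project: a reconciliation over constructed Ethereum deposit records and BSC mint records, flagging every mint that is not backed one-to-one by a deposit with the same proof hash, amount and address, and every deposit the owner never credited. The record field names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:            # token transfer on the Ethereum side (assumed fields)
    tx_hash: str
    sender: str
    amount: int

@dataclass(frozen=True)
class Mint:               # owner-initiated mint on the BSC side; proof_hash is the ETH tx hash
    proof_hash: str
    recipient: str
    amount: int

def reconcile(deposits, mints):
    """Return (kind, record) findings: mints not backed by a deposit, mints that
    reuse a proof hash, mismatched amounts/addresses, and deposits never minted."""
    by_hash = {d.tx_hash.lower(): d for d in deposits}
    seen = set()
    findings = []
    for m in mints:
        h = m.proof_hash.lower()
        if h in seen:
            findings.append(("duplicate_proof", m))       # same deposit credited twice
            continue
        seen.add(h)
        d = by_hash.get(h)
        if d is None:
            findings.append(("no_matching_deposit", m))   # minted with no ETH-side backing
        elif d.amount != m.amount:
            findings.append(("amount_mismatch", m))
        elif d.sender.lower() != m.recipient.lower():
            findings.append(("recipient_mismatch", m))
    for d in deposits:
        if d.tx_hash.lower() not in seen:
            findings.append(("unminted_deposit", d))      # user paid in, owner never credited
    return findings

# Constructed sample data, not real chain records.
DEPOSITS = [Deposit("0xaaa1", "0xAlice", 100), Deposit("0xaaa2", "0xBob", 50),
            Deposit("0xaaa3", "0xCarol", 75)]
MINTS = [Mint("0xaaa1", "0xalice", 100),     # correct swap (address compared case-insensitively)
         Mint("0xaaa2", "0xBob", 500),       # owner minted more than was deposited
         Mint("0xAAA1", "0xalice", 100),     # proof hash reused
         Mint("0xdead", "0xMallory", 1000)]  # no deposit exists for this hash

def audit_sample():
    return reconcile(DEPOSITS, MINTS)

if __name__ == "__main__":
    for kind, rec in audit_sample():
        print(kind, rec)
```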

yuriy77k commented 3 years ago

https://gist.github.com/yuriy77k/bb840814eab1735992f66d71a5ec91de