Polkaswap

Findings · 24

1. 1 Ethereum bridge’s failure to check transferFrom return values could facilitate illicit transfers High
2. 2 Improper use of ecrecover weakens the bridge’s security High
3. 3 Users can register assets with empty name and ticker symbol fields Informational
4. 4 Use of ERC20 tokens that could become inflationary or deflationary Medium
5. 5 Polkaswap blindly trusts upgradeable ERC20 proxy tokens Medium
6. 6 Peers are not punished for submitting invalid signatures in approve_request Undetermined
7. 7 Outdated Rust dependencies Undetermined
8. 8 Ethereum bridge cannot handle chain reorganizations High
9. 9 Ethereum bridge does not check transfer results High
10. 10 Potential reuse of peer signatures from, and in calls to, the prepareForMigration function High
11. 11 Risk of replay attacks across contract instances High
12. 12 ABI encodePacked collision Informational
13. 13 Inaccurate description of SwapSuccess event Informational
14. 14 Off-chain worker depends on a single Ethereum data source High
15. 15 Sorascan does not show asset IDs that are not present in the system Informational
16. 16 Peers’ secret keys are stored as plaintext in off-chain storage Medium
17. 17 LiquiditySourceType contains mock pools Low
18. 18 A vector in the liquidity-proxy’s swap extrinsic can be used for network spamming Medium
19. 19 Zero-weight extrinsics can be used to spam the network Medium
20. 20 Unused create_swap extrinsic in technical pallet Undetermined
21. 21 Sorascan does not accurately display large initial supply values Low
22. 22 eth-bridge Decoder.next_u8 method could panic if used Low
23. 23 Non-mintable assets can be created with no initial supply Informational
24. 24 Off-chain worker can panic if the Ethereum API returns a null block_number Low

Findings extracted from the published report PDF. See the full report below for details and remediation.