ava-labs / avalanche-bridge-resources
Token List for the Avalanche Bridge
License: BSD 3-Clause "New" or "Revised" License
I was redirected here from Discord, not sure if that's the right place.
I see the official Avalanche bridge (https://debank.com/profile/0x8EB8a3b98659Cce290402893d0123abb75E3ab28) has currently $742k worth of tokens on Pulsechain, a chain forked from Ethereum, so the Avalanche bridge received the forked tokens "for free" when the fork happened.
Given those assets are all depegged, it would be a waste not to sell and bridge them to a proper chain. The bridge would be unaffected by selling those assets.
If selling them is possible, I would like to claim a "bounty" for myself, even if it's not a vulnerability.
When we recently used the fuzz testing tool, we scanned the contract BridgeToken.sol. We found some issues and wanted to confirm with you.
```solidity
function swap(address token, uint256 amount) public {
    require(isContract(token), "Token is not a contract.");
    require(
        swapTokens[token].tokenContract != address(0),
        "Swap token is not a contract."
    );
    require(
        amount <= swapTokens[token].supply,
        "Swap amount is more than supply."
    );
    // Update the allowed swap amount.
    swapTokens[token].supply = swapTokens[token].supply - amount;
    // Burn the old token.
    ERC20Burnable swapToken = ERC20Burnable(
        swapTokens[token].tokenContract
    );
    swapToken.burnFrom(msg.sender, amount);
    // Mint the new token.
    _mint(msg.sender, amount);
    emit Swap(token, amount);
}
```
As you can see, token is used as input and is controllable by the user. If malicious input is passed later that implements the ERC20Burnable interface standard, burnFrom is called without checking the token address. Are there any problems?
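As an added example (not code from the repository or its maintainers), the following Foundry test runs the quoted swap() logic in a minimal harness to check the question above. `SwapHarness.register`, `FakeBurnable` and the `balanceOf` stand-in for `_mint` are assumptions of the harness, not part of BridgeToken.sol. It shows that the user-supplied `token` acts only as a lookup key: an unregistered contract is rejected before burnFrom is ever reached, so the trust boundary is whoever is allowed to populate swapTokens.

```solidity
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

interface IERC20Burnable { function burnFrom(address, uint256) external; }

// Harness reproducing the swap() logic quoted in the issue.
// register() is hypothetical: it stands in for however BridgeToken
// populates swapTokens (an owner-only path in the real contract).
contract SwapHarness {
    struct SwapToken { address tokenContract; uint256 supply; }
    mapping(address => SwapToken) public swapTokens;
    mapping(address => uint256) public balanceOf; // stand-in for _mint
    event Swap(address token, uint256 amount);

    function register(address token, uint256 supply) external {
        swapTokens[token] = SwapToken(token, supply);
    }
    function isContract(address a) internal view returns (bool) { return a.code.length > 0; }

    function swap(address token, uint256 amount) public {
        require(isContract(token), "Token is not a contract.");
        require(swapTokens[token].tokenContract != address(0), "Swap token is not a contract.");
        require(amount <= swapTokens[token].supply, "Swap amount is more than supply.");
        swapTokens[token].supply -= amount;
        // burnFrom targets the *registered* contract, never the raw parameter.
        IERC20Burnable(swapTokens[token].tokenContract).burnFrom(msg.sender, amount);
        balanceOf[msg.sender] += amount;
        emit Swap(token, amount);
    }
}

// Constructed test double: implements burnFrom but burns nothing.
contract FakeBurnable { function burnFrom(address, uint256) external {} }

contract SwapTest is Test {
    SwapHarness h = new SwapHarness();
    FakeBurnable fake = new FakeBurnable();

    // Unregistered address: the lookup gate reverts before burnFrom runs.
    function testUnregisteredTokenReverts() public {
        vm.expectRevert(bytes("Swap token is not a contract."));
        h.swap(address(fake), 1);
    }

    // Registered address: burnFrom is trusted, so registration is what
    // reviewers must scrutinise (who can call it, what it validates).
    function testRegisteredTokenIsTrusted() public {
        h.register(address(fake), 100);
        h.swap(address(fake), 40);
        assertEq(h.balanceOf(address(this)), 40);
    }
}
```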
In the Discord "bridging-support" channel, several users enquired about late/missing bridging transactions from the Avalanche C-Chain to the Bitcoin network.
It appears that a bridging delay was introduced to answer regulatory concerns.
Can this delay be reflected in the Core UI so the bridge users can knowingly engage in locking their BTC for 12+ hours when bridging?
The current Avalanche Bridge (https://core.app/bridge) only supports asset bridging between identical addresses on Ethereum and C-chain controlled by the user. It does not permit bridging to a different address, even if owned by the same user.
This limitation poses an issue. For instance, if I use a new "Account Abstraction" wallet or an embedded (MPC) wallet for an app, and I want to bridge assets from Ethereum directly to this wallet, the platform doesn't allow it in a single step. However, allowing asset bridging to another address controlled by the user doesn't significantly elevate the risk.
Therefore, it would be beneficial if Avalanche Bridge could enable asset bridging to different addresses on the receiving chain, provided they are owned by the user.