
avalanche-bridge-resources's Issues

Pulsechain assets

I was redirected here from Discord, not sure if that's the right place.

I see the official Avalanche bridge (https://debank.com/profile/0x8EB8a3b98659Cce290402893d0123abb75E3ab28) currently has $742k worth of tokens on Pulsechain, a chain forked from Ethereum, so the Avalanche bridge received the forked tokens "for free" when the fork happened.

Given those assets are all depegged, it would be a waste not to sell and bridge them to a proper chain. The bridge would be unaffected by selling those assets.

If selling them is possible, I would like to claim a "bounty" for myself, even if it's not a vulnerability.

Are there any bugs in the BridgeToken.sol?

Description

When we recently used the fuzz testing tool, we scanned the contract BridgeToken.sol. We found some issues and wanted to confirm with you.

function swap(address token, uint256 amount) public {
    require(isContract(token), "Token is not a contract.");
    require(
        swapTokens[token].tokenContract != address(0),
        "Swap token is not a contract."
    );
    require(
        amount <= swapTokens[token].supply,
        "Swap amount is more than supply."
    );

    // Update the allowed swap amount.
    swapTokens[token].supply = swapTokens[token].supply - amount;

    // Burn the old token.
    ERC20Burnable swapToken = ERC20Burnable(
        swapTokens[token].tokenContract
    );
    swapToken.burnFrom(msg.sender, amount);

    // Mint the new token.
    _mint(msg.sender, amount);

    emit Swap(token, amount);
}

As you can see, token is used as an input and is controllable by the user. If a malicious input is supplied later that implements the ERC20Burnable interface standard, it calls burnFrom without checking the token address. Are there any problems?
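
The checks in the quoted `swap()` can be traced with a small Python model that records which address the external `burnFrom` call targets for registered and unregistered inputs; this is an added example, not code from the issue or from the bridge project. It assumes entries reach `swapTokens` only through a privileged registration step (the hypothetical `register_swap_token`, since registration is not shown on the page), and all addresses are constructed.

```python
from dataclasses import dataclass

ZERO = "0x0"  # stands in for address(0)

class Revert(Exception):
    """A failed require()."""

@dataclass
class SwapToken:
    token_contract: str = ZERO  # swapTokens[token].tokenContract
    supply: int = 0             # swapTokens[token].supply

class BridgeModel:
    def __init__(self, contracts):
        self.contracts = set(contracts)  # addresses for which isContract() is true
        self.swap_tokens = {}            # mapping(address => SwapToken)
        self.minted = {}                 # bridge-token balance per holder
        self.burn_calls = []             # (target, holder, amount) external calls

    def register_swap_token(self, token, supply):
        # Assumption: privileged-only; registration is not shown on the page.
        self.swap_tokens[token] = SwapToken(token, supply)

    def swap(self, sender, token, amount):
        if token not in self.contracts:
            raise Revert("Token is not a contract.")
        # A Solidity mapping returns a zeroed struct for an unknown key.
        entry = self.swap_tokens.get(token, SwapToken())
        if entry.token_contract == ZERO:
            raise Revert("Swap token is not a contract.")
        if amount > entry.supply:
            raise Revert("Swap amount is more than supply.")
        entry.supply -= amount
        # burnFrom targets the stored address; assumed to succeed here.
        self.burn_calls.append((entry.token_contract, sender, amount))
        self.minted[sender] = self.minted.get(sender, 0) + amount

def try_swap(bridge, sender, token, amount):
    try:
        bridge.swap(sender, token, amount)
        return "ok"
    except Revert as exc:
        return str(exc)

def demo():
    bridge = BridgeModel(contracts={"0xLEGIT", "0xUNLISTED"})  # constructed addresses
    bridge.register_swap_token("0xLEGIT", supply=100)
    calls = [("0xUNLISTED", 10), ("0xLEGIT", 101), ("0xLEGIT", 60)]
    return bridge, [try_swap(bridge, "0xUSER", t, a) for t, a in calls]
```

In the model, as in the snippet, `burnFrom` is reached only for an address that has a `swapTokens` entry, so who can create those entries is the question to review.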

Modify BTC.b to BTC bridge UI to reflect recent changes in bridging delay

In the Discord "bridging-support" channel, several users enquired about late/missing bridging transactions from the Avalanche C-Chain to the Bitcoin network.
It appears that a bridging delay was introduced to answer regulatory concerns.
Can this delay be reflected in the core UI so that bridge users can knowingly engage in locking their BTC for 12+ hours when bridging?

Bridging assets to a different owned address

The current Avalanche Bridge (https://core.app/bridge) only supports asset bridging between identical addresses on Ethereum and C-chain controlled by the user. It does not permit bridging to a different address, even if owned by the same user.

This limitation poses an issue. For instance, if I use a new "Account Abstraction" wallet or an embedded (MPC) wallet for an app, and I want to bridge assets from Ethereum directly to this wallet, the platform doesn't allow it in a single step. However, allowing asset bridging to another address controlled by the user doesn't significantly elevate the risk.

Therefore, it would be beneficial if Avalanche Bridge could enable asset bridging to different addresses on the receiving chain, provided they are owned by the user.
