Report released on Sep 23, 2022
About Meter.io System
Meter Bridge is a bridge used to transfer various assets across different blockchains. It can transfer native tokens as well as tokens in various standards such as ERC20, ERC721, and ERC1155. The GenericHandler, which permits any function call that the admin has allowed, makes much more generic cross-chain operations possible, as its name suggests.
The system works as follows. If a user wants to transfer some tokens from chainA to chainB, they first deposit the tokens into the bridge contract on chainA. The contract locks the tokens on chainA, then emits an event indicating that a deposit was created. The relayers, off-chain operators of the system, listen for these events and either sign their approval of the message or directly call the bridge contract on chainB to record that they agree with the proposal.
To execute each deposit proposal, a threshold number of signatures or approvals must be sent to the blockchain. This threshold, along with the relayer configuration, is controlled by the admin.
To gather the signatures more efficiently, a Signature contract is deployed on the relay chain. Most relayers will submit their signatures on the relay chain, and the final relayer will collect all the signatures and send them to the chains where the bridge process actually takes place.
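The execution check that this threshold design relies on can be modelled as below. This is an added example, not code from the Meter contracts or from the audit: `DestinationBridge`, `proposal_digest` and the field layout are hypothetical, HMAC stands in for the relayers' real signatures so that it runs with only the standard library, and the relayer keys and deposit data are constructed.

```python
import hashlib
import hmac

def proposal_digest(src_chain, dst_chain, nonce, resource_id, data):
    """Hash every field that distinguishes one deposit proposal from another."""
    h = hashlib.sha256()
    fields = [n.to_bytes(8, "big") for n in (src_chain, dst_chain, nonce)]
    for part in fields + [resource_id, data]:
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.digest()

def sign(key, digest):
    # Stand-in for a relayer signature (assumption: HMAC instead of ECDSA).
    return hmac.new(key, digest, hashlib.sha256).digest()

class DestinationBridge:
    """Hypothetical model of the chainB bridge contract's execution check."""

    def __init__(self, chain_id, relayer_keys, threshold):
        self.chain_id = chain_id
        self.relayer_keys = relayer_keys   # admin-controlled relayer set
        self.threshold = threshold         # admin-controlled threshold
        self.executed = set()              # (source chain, deposit nonce) pairs

    def execute(self, src_chain, nonce, resource_id, data, signatures):
        if (src_chain, nonce) in self.executed:
            return False                   # same proposal replayed on this chain
        # The digest includes this chain's id, so approvals collected for
        # another destination do not verify here.
        digest = proposal_digest(src_chain, self.chain_id, nonce, resource_id, data)
        approvers = set()
        for relayer, sig in signatures:
            key = self.relayer_keys.get(relayer)
            if key and hmac.compare_digest(sig, sign(key, digest)):
                approvers.add(relayer)     # a relayer counts once, however often it signs
        if len(approvers) < self.threshold:
            return False
        self.executed.add((src_chain, nonce))
        return True

def demo():
    keys = {"r1": b"key-one", "r2": b"key-two", "r3": b"key-three"}  # constructed
    bridge_b, bridge_c = DestinationBridge(2, keys, 2), DestinationBridge(3, keys, 2)
    d = proposal_digest(1, 2, 7, b"erc20-resource", b"recipient|100")
    s1, s2 = ("r1", sign(keys["r1"], d)), ("r2", sign(keys["r2"], d))
    args = (1, 7, b"erc20-resource", b"recipient|100")
    return [bridge_b.execute(*args, [s1, s1]),   # duplicate signer: below threshold
            bridge_b.execute(*args, [s1, s2]),   # two distinct relayers: executes
            bridge_b.execute(*args, [s1, s2]),   # replay on chainB: rejected
            bridge_c.execute(*args, [s1, s2])]   # replay on another chain: rejected
```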
The ERCHandlers and GenericHandler handle the deposit requests and proposal execution requests. The bridge contract receives these requests from users and relayers and forwards them to the appropriate handler contracts. It should be noted that ERC20Handler also handles native tokens.
There is also a fee handler, which deals with the fee logic, fee collection, and fee transfers. A fee oracle could be utilized to get the required information to calculate the fees as well.
To support contract upgrades, the Transparent Proxy Pattern is used. Our audit assumed that the system admin uses the Transparent Proxy Pattern with best practices in a safe manner.
Our audit covers the smart contracts that are used in the Meter Bridge system. Our audit does not cover the relayer network, and does not cover the fee oracle system if there is one.
Purpose of this report
This report was prepared to audit the security of the Meter bridge and related contracts developed by the Meter team. HAECHI AUDIT conducted the audit focusing on whether the system created by the Meter team is soundly implemented and designed as specified in the published materials, in addition to the safety and security of the bridge.
• Upgradeable Contract Issues
• Signature Replay
• Relayers Logic
• Native Token Bridging
*The audited code may remain undisclosed at the client's request.
About KALOS
KALOS is a flagship service of HAECHI LABS, the leader of the global blockchain industry. We bring together the best Web2 and Web3 experts. Security Researchers with expertise in cryptography, leaders of the global best hacker team, and blockchain/smart contract experts are responsible for securing your Web3 service.
We have secured over $60b worth of crypto assets across 400+ global crypto projects — L1/L2 projects, defi protocols, P2E games, and bridges — notably 1inch, SushiSwap, Badger DAO, SuperRare, Klaytn and Chainsafe.
KALOS is the only blockchain technology company selected for the Samsung Electronics Startup Incubation Program in recognition of our expertise. We have also received technology grants from the Ethereum Foundation and Ethereum Community Fund.
Secure your smart contracts with KALOS.
• Email: audit@kalos.xyz
• Twitter: https://twitter.com/kalos_security