Mantle Network (Bridge Contracts)

Off-Chain (Public)
Audited on 2023/07/15
No active critical issues

Summary

Quantstamp performed an audit for the Mantle Network bridge contracts based on the code present in the listed repositories. The code is forked from Optimism at commit hash [afdd020](https://github.com/ethereum-optimism/optimism/tree/afdd0201c620d84a4f9d9d3f0d26c2b032279f6b).

During the audit, we found some issues that pose a risk to users of the Mantle bridge when bridging non-compatible tokens. In particular, MANB-1 describes the possibility of locking funds if users interact with the bridge contracts by sending the wrong parameters or non-compatible ERC-20 tokens.

Lower-severity issues were also found during the audit. All of them are discussed in this report, including some best-practice recommendations. We recommend addressing all of them.

Regarding testing, the reader is referred to MANB-2. No test suite was provided to perform unit testing of the contracts in scope. Although the Mantle team states that functional testing is ongoing in testnet deployments, we recommend implementing unit tests as well to get code coverage metrics. This will help to cover all possible paths in the codebase.

The audited contracts integrate with the Mantle Network cross-chain messaging system. This system is out of scope.

**After fix review:** The developers addressed all issues by either fixing or acknowledging them. Issue MANB-2 (Missing Test Suite) was acknowledged by the Mantle team. We still recommend implementing a proper test suite and code coverage metrics.


Issues (5)

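| Status | Low | Medium | High | Critical | Total |
| --- | --- | --- | --- | --- | --- |
| Not fixed | 2 | 1 | 1 | - | 4 |
| Fixed | 1 | - | - | - | 1 |
| Total | 3 | 1 | 1 | 0 | 5 |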


Contracts (2)