Pheasant Network

Off-Chain (Private)
Audited on 2023/09/28
No active critical issues

Summary

**Initial Audit:**

The audited code is not fully prepared for production due to several design aspects that need attention. A primary concern is a reliance on a single relayer's trustworthiness, which could impact the protocol's security. To ensure the robustness of the bridge concept, it's crucial to address all edge cases within a trustless setting. We believe that further consideration in this area will significantly improve the project's overall quality. We also observed that the end-user documentation might not accurately represent the codebase's capabilities. Clear and precise documentation is essential to foster external auditing and boost confidence in the project. We recommend enhancing the project by investing in detailed code documentation and aligning it with the actual implementation. This will aid in external auditing and improve overall confidence in the optimistic bridge protocol.

**Fix review:**

After two rounds of fixes, issues have been fixed, mitigated or acknowledged. Please note that acknowledging certain issues comes with risks, such as PHE-3. In this scenario, users can transfer the maximum amount on L1 to the relayer's EOA (without using any UI that would limit the amount and only executing direct transfers through a client). As a result, the relayer may be subject to slashing for each trade, causing the relayer to lose more than 100% of the trade's value in the default setting, without the ability to cancel the trade. One major concern is that the project heavily relies on off-chain behavior to minimize the risks associated with the code implementation. As a result, we still consider that the project is not production-ready, even if a lot of progress has been made between the initial codebase and the current one. It is essential for the project team to ensure that all vulnerabilities are adequately mitigated before considering deployment.

Additionally, relying on off-chain measures for risk reduction may not provide sufficient protection, and more robust on-chain solutions should be considered to enhance the protocol's overall security and reliability. We strongly recommend further reviewing and testing the codebase to ensure a higher level of readiness for production use. For instance, the team could aim for an overall test coverage of >90%.


Issues (41)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 13 | 4 | 5 | - | 22 |
| Fixed | 9 | 2 | 8 | - | 19 |
| Total | 22 | 6 | 13 | 0 | 41 |


Contracts (17)