Tensorplex Labs

Off-Chain (Private)
Audited on 2024/08/16
No active critical issues

Summary

In this audit, we reviewed the smart contracts for Tensorplex's Crosschain Bridge. It is intended to be used to send TAO from the Finney network to Ethereum, or vice versa. The smart contracts we reviewed include a simple ERC20 Token with privileged mint and burn functionality, a `BridgeWrapper` contract which allows users to deposit their `wTAO` on Ethereum for bridging, and a `ConsensusBridge` contract which allows relayers to invoke functions that will mint `wTAO` to the destination user. Minting and burning of `wTAO` is limited by a `RateLimiter`, which mitigates the potential for infinite minting in the case of a compromised Relayer.

During the audit, we identified several low-severity issues that primarily exist due to insufficient input validation. The overall architecture of the bridge consists of Relayers that are responsible for listening to events on one chain and sending the amount to another chain. The security of this bridge is heavily reliant on off-chain components, such as the proper functioning of the Relayers responsible for listening to the emitted events and invoking the associated functions in the smart contracts. These off-chain components were not considered in the scope of this audit.

We appreciate the Tensorplex team for providing us with thorough documentation and including a test suite with high code coverage. Additionally, the team was helpful and communicative throughout the audit.

**Fix Review Update**

The fix review covered the commit `97eb7262c835433156012627135f1b1ca126820b`. All issues were either fixed or acknowledged with sufficient reason. The team could benefit from further input validation around the `baseFee`. Input validation around the minimum and maximum token amount can still be implemented while incorporating a token's decimals.


Issues (10)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 4 | - | - | - | 4 |
| Fixed | 6 | - | - | - | 6 |
| Total | 10 | 0 | 0 | 0 | 10 |


Contracts (4)