
Function: bridgeTokenConnext(address token, address arbEscrow, uint256 amount, uint256 slippage, uint256 relayerFee)

The function is called by the owner after the break timestamp to bridge Renzo restaked ETH tokens to the L2.

Inputs

  • token

    • Control: Fully controlled by the caller.

    • Constraints: No constraints.

    • Impact: Address of the token contract.

  • arbEscrow

    • Control: Fully controlled by the caller.

    • Constraints: No constraints.

    • Impact: Address receiving the funds on the destination.

  • amount

    • Control: Fully controlled by the caller.

    • Constraints: No constraints.

    • Impact: Amount of tokens to transfer.

  • slippage

    • Control: Fully controlled by the caller.

    • Constraints: No constraints.

    • Impact: The maximum amount of slippage the user will accept in BPS (e.g., 30 = 0.3%).

  • relayerFee

    • Control: Fully controlled by the caller.

    • Constraints: No constraints.

    • Impact: The fee paid to the relayer.
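
Since the contract places no constraints on any of the five inputs, checks on them have to live in whatever tooling prepares the owner's transaction. The following Python pre-flight check is an added example, not code from the audited project or from this report; the names BridgeArgs, preflight, min_received, and the policy values are hypothetical, and the minimum-received formula is an assumption about how a BPS slippage bound is applied.

```python
import re
from dataclasses import dataclass

BPS_DENOMINATOR = 10_000              # 1 BPS = 0.01%, so 30 BPS = 0.3%
ZERO_ADDRESS = "0x" + "0" * 40
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass(frozen=True)
class BridgeArgs:
    token: str
    arb_escrow: str
    amount: int
    slippage: int        # BPS
    relayer_fee: int     # wei, forwarded as msg.value to connext.xcall


def min_received(amount: int, slippage_bps: int) -> int:
    """Floor of amount * (1 - slippage); assumed formula for the BPS bound."""
    return amount * (BPS_DENOMINATOR - slippage_bps) // BPS_DENOMINATOR


def preflight(args: BridgeArgs, policy: dict) -> list[str]:
    """Return policy violations; an empty list means the call may be signed."""
    problems = []
    for name, value, expected in (
        ("token", args.token, policy["token"]),
        ("arbEscrow", args.arb_escrow, policy["arb_escrow"]),
    ):
        if not ADDRESS_RE.fullmatch(value) or value.lower() == ZERO_ADDRESS:
            problems.append(f"{name}: not a usable 20-byte address")
        elif value.lower() != expected.lower():
            problems.append(f"{name}: differs from the expected address")
    if not 0 < args.amount <= policy["escrow_balance"]:
        problems.append("amount: zero or above the escrow balance")
    if not 0 <= args.slippage <= policy["max_slippage_bps"]:
        problems.append("slippage: outside the allowed BPS range")
    if not 0 <= args.relayer_fee <= policy["max_relayer_fee_wei"]:
        problems.append("relayerFee: outside the allowed fee range")
    return problems


# Constructed sample values; none come from the audited deployment.
POLICY = {"token": "0x" + "11" * 20, "arb_escrow": "0x" + "22" * 20,
          "escrow_balance": 500 * 10**18, "max_slippage_bps": 30,
          "max_relayer_fee_wei": 10**16}
GOOD = BridgeArgs(POLICY["token"], POLICY["arb_escrow"], 100 * 10**18, 30, 10**15)
# 3000 BPS is 30%: a units slip for an intended 0.3%, plus a zero destination.
BAD = BridgeArgs(POLICY["token"], ZERO_ADDRESS, 100 * 10**18, 3000, 10**15)
```

An empty list from preflight(GOOD, POLICY) means the arguments match the operator's policy; preflight(BAD, POLICY) reports the zero destination address and the out-of-range slippage.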

Branches and code coverage

Intended branches

  • Increases the token allowance granted to the renzoLockbox contract and deposits the token amount to that contract.

  • Increases the xtoken allowance granted to the connext contract and calls connext.xcall to start the bridging.

Negative behavior

  • N/A.

Function call analysis

  • SafeERC20.safeIncreaseAllowance(IERC20(token), address(this.renzoLockbox), amount)

    • What is controllable? token and amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire transaction would revert — no reentrancy scenario.

  • this.renzoLockbox.deposit(amount)

    • What is controllable? amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire transaction would revert — no reentrancy scenario.

  • SafeERC20.safeIncreaseAllowance(IERC20(address(xToken)), address(this.connext), amount)

    • What is controllable? amount.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire transaction would revert — no reentrancy scenario.

  • this.connext.xcall{value: relayerFee}(1634886255, arbEscrow, address(xToken), msg.sender, amount, slippage, bytes(""))

    • What is controllable? arbEscrow, msg.sender, amount, and slippage.

    • If the return value is controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters or does other unusual control flow? If it reverts, the entire transaction would revert — no reentrancy scenario.

Zellic © 2025