Assessment reportsPublic findings
Back to Zellic site
Assessment reports>IBC Eureka>Discussion>Centralization risks and trust assumptions
GeneralOverview
Findings
Critical (3)
High (1)
Informational (1)
DiscussionCentralization risks and trust assumptionsOne app could be registered with multiple ports
Threat ModelComponent: cs-ics08-wasm-ethComponent: sp1-programsComponent: SP1ICS07TendermintComponent: ICS20TransferComponent: ICS26RouterComponent: EurekaHandler
Audit ResultsAssessment Results

Centralization risks and trust assumptions

When a router calls an app with the message, the apps should not blindly trust the message because any user could verify the membership by creating a fake light client.

Similarly, there is a centralization risk involved as the light client could be migrated to a new address. This could lead to a malicious/hacked migrator migrating the light-client address to a fake address such that it could prove fake membership. Or a malicious/hacked migrator could intentionally revert the calls to the light client, which might lead to the tokens of users being stuck.

As per the Interchain Labs team, this is the accepted behavior and the apps should perform their due diligence before trusting the migrator.

Zellic © 2025Back to top ↑