Mina Token Bridge assessment report, informational finding
Category: Coding Mistakes

No token whitelist

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The bridge is intended to support only a whitelist of tokens, but the Mina contract does not enforce any token whitelist: both lock and unlock accept a caller-supplied tokenAddr and never check it against an allowed set.

// Excerpt from the audited Mina bridge contract (o1js). Neither method checks
// tokenAddr against a whitelist; the value is taken directly from the caller.
@method async lock(amount: UInt64, address: Field, tokenAddr: PublicKey) {
  // Check if the amount is within the allowed range
  const minAmount = this.minAmount.getAndRequireEquals();
  const maxAmount = this.maxAmount.getAndRequireEquals();

  amount.assertGreaterThanOrEqual(minAmount, "Amount is less than minimum allowed");
  amount.assertLessThanOrEqual(maxAmount, "Amount exceeds maximum allowed");
  // tokenAddr is used as-is: any FungibleToken contract can be burned here.
  const token = new FungibleToken(tokenAddr);
  await token.burn(this.sender.getAndRequireSignature(), amount);
  this.emitEvent("Lock", new LockEvent(this.sender.getAndRequireSignature(), address, amount, tokenAddr));
}

@method async unlock(
  amount: UInt64,
  receiver: PublicKey,
  id: UInt64,
  tokenAddr: PublicKey,
  useSig1: Bool,
  validator1: PublicKey,
  sig1: Signature,
  useSig2: Bool,
  validator2: PublicKey,
  sig2: Signature,
  useSig3: Bool,
  validator3: PublicKey,
  sig3: Signature,
) {
  const managerZkapp = new Manager(this.manager.getAndRequireEquals());
  managerZkapp.isMinter(this.sender.getAndRequireSignature());
  // Validators sign over (receiver, amount, tokenAddr), but tokenAddr itself is
  // never checked against a whitelist before minting.
  const msg = [
    ...receiver.toFields(),
    ...amount.toFields(),
    ...tokenAddr.toFields(),
  ];
  this.validateValidator(
    useSig1,
    validator1,
    useSig2,
    validator2,
    useSig3,
    validator3,
  );

  this.validateSig(msg, sig1, validator1, useSig1);
  this.validateSig(msg, sig2, validator2, useSig2);
  this.validateSig(msg, sig3, validator3, useSig3);
  const token = new FungibleToken(tokenAddr);
  await token.mint(receiver, amount);
  this.emitEvent("Unlock", new UnlockEvent(receiver, tokenAddr, amount, id));
}

Impact

Because tokenAddr is caller-supplied and never validated, the function caller can lock or unlock arbitrary tokens rather than only the tokens the bridge is meant to support.

Recommendations

We recommend enforcing a token whitelist in the lock and unlock functions, so that tokenAddr is rejected unless it is an approved token.

Remediation

Sotatek acknowledged the finding and provided the following comment:

Because Mina contracts have storage limitations, we can only store 8 slots in global storage. Therefore, we are hardcoding the validators and don't have enough space for whitelisted tokens. However, we are handling the filtering at the backend level.
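Given the storage limit described above, one way to enforce the whitelist on chain without a state slot per token is to store only a commitment to the list (a Merkle root) in a single field and have lock/unlock take a membership witness for tokenAddr. The following is an added example, not the project's code: a plain TypeScript model of that check, using SHA-256 in place of the circuit hash and constructed placeholder token identifiers, with buildWhitelist and isWhitelisted as hypothetical helper names.

```typescript
import { createHash } from "crypto";

// Domain-separated hashes (SHA-256 stands in for the in-circuit hash).
const hashPair = (l: string, r: string): string =>
  createHash("sha256").update(l + r, "hex").digest("hex");
const leafHash = (tokenAddr: string): string =>
  createHash("sha256").update("leaf:" + tokenAddr).digest("hex");
// Empty slots use a distinct tag so no token string can hash to an empty leaf.
const EMPTY_LEAF = createHash("sha256").update("empty").digest("hex");

export interface Witness { siblings: string[]; pathBits: number[] } // 1 = leaf is right child

// Off-chain: build a fixed-depth tree over the whitelist; the root is the only
// value the contract needs to keep in state.
export function buildWhitelist(tokens: string[], depth: number) {
  const size = 1 << depth;
  if (tokens.length > size) throw new Error("whitelist exceeds tree capacity");
  let level = Array.from({ length: size }, (_, i) =>
    i < tokens.length ? leafHash(tokens[i]) : EMPTY_LEAF);
  const levels = [level];
  while (level.length > 1) {
    const next: string[] = [];
    for (let i = 0; i < level.length; i += 2) next.push(hashPair(level[i], level[i + 1]));
    level = next;
    levels.push(level);
  }
  const witnessFor = (index: number): Witness => {
    const siblings: string[] = [], pathBits: number[] = [];
    let idx = index;
    for (let d = 0; d < depth; d++) {
      siblings.push(levels[d][idx ^ 1]);
      pathBits.push(idx & 1);
      idx >>= 1;
    }
    return { siblings, pathBits };
  };
  return { root: level[0], witnessFor };
}

// On-chain model: lock/unlock would recompute the root from tokenAddr plus the
// caller's witness and require equality with the stored root field.
export function isWhitelisted(root: string, tokenAddr: string, w: Witness): boolean {
  let node = leafHash(tokenAddr);
  for (let i = 0; i < w.siblings.length; i++) {
    node = w.pathBits[i] === 1 ? hashPair(w.siblings[i], node) : hashPair(node, w.siblings[i]);
  }
  return node === root;
}
```

Updating the whitelist then means publishing a new root through the same permissioned path used for other configuration changes, rather than changing contract storage layout.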

Zellic © 2025