
Component: Admin front end

Description

The admin front end is responsible for changing various configuration options for the bridge. An admin is able to log in with their wallet, which lets them edit options like the daily quota limit as well as view the bridging history of all users.

Invariants

  • An unauthorized user should not be able to change options on the bridge via the admin API endpoints.

  • A non-admin user should not be able to log in and obtain an admin JSON Web Token (JWT).

Test coverage

Cases covered

  • Log in with an admin Mina wallet.

  • Log in with an admin Ethereum wallet.

Cases not covered

  • Log in with an invalid admin wallet.

  • Call admin API endpoints with an admin JWT, no JWT, or forged JWT.

Attack surface

The attack surface itself is limited to the log-in and config-update API endpoints. Admin wallet addresses are stored in the environment file; a user attempting to log in is compared against those values, and if there is no match, the log-in is rejected. Admin API endpoints check that a valid admin JWT is present, ensuring that regular users cannot interact with them.

Zellic © 2025