Assessment reportsPublic findings
Back to Zellic site
Assessment reports>N1 Bridge>Threat Model>Instruction: withdraw
GeneralOverview
Findings
High (1)
Informational (2)
DiscussionBlock validationUnused accountsTest suite
Threat ModelWhat are threat models?
bridgeInstruction: deposit_splInstruction: finalize_blockInstruction: deposit_splInstruction: initializeInstruction: propose_blockInstruction: set_min_depositInstruction: whitelist_assetInstruction: withdrawModule: merkle
Audit ResultsAssessment Results

Instruction: withdraw

This instruction allows a user to withdraw tokens from the bridge.

Input parameters

pub struct WithdrawalClaim { pub user: Pubkey, // The user that withdraws. pub amount: u64, // The amount of tokens to withdraw. pub block_id: u64, // The block ID of the withdrawal. pub proof: Vec<[u8; 32]>, // The Merkle proof of the withdraw event. pub leaf_index: LeafIdx, // The index of the withdrawal in the Merkle tree. pub leaves_count: LeafIdx, // The number of leaves in the Merkle tree. }

Accounts

  • payer: The account that will pay for the creation of the nullifier.

    • Signer: Yes.

    • Init: No.

    • PDA: No.

    • Mutable: Yes.

    • Constraints: Must have enough lamports to pay for account-creation costs.

  • state_update: The finalized block that contains the withdrawal event.

    • Signer: No.

    • Init: No.

    • PDA: Yes (derived from BLOCK_STORAGE_SEED and claim.block_id with bump).

    • Mutable: No.

    • Constraints: Must be a Block that is finalized.

  • withdrawal_nullifier: The account to store the nullifier to ensure that a withdrawal cannot happen twice.

    • Signer: No.

    • Init: Yes.

    • PDA: Yes (derived from WITHDRAWAL_NULLIFIER_SEED, claim.block_id, and claim.leaf_index with bump).

    • Mutable: Yes.

    • Constraints: Must be a new account initialized with space 8 (discriminator).

  • from_account: The bridge SPL token account where tokens are taken from.

    • Signer: No.

    • Init: No.

    • PDA: No.

    • Mutable: Yes.

    • Constraints: Must be an ATA for the authority account, with the same mint as to_account.

  • to_account: The user SPL token account where tokens are sent to.

    • Signer: No.

    • Init: No.

    • PDA: No.

    • Mutable: Yes.

    • Constraints: Must be a valid SPL token account owned by claim.user.

  • authority: The authority account that owns tokens held by the bridge.

    • Signer: No.

    • Init: No.

    • PDA: Yes (derived from AUTHORITY_SEED).

    • Mutable: No.

    • Constraints: None.

Additional checks and behavior

  • Takes the withdrawal_root from the state_update block provided and verifies that the user's withdrawal exists in the root.

  • Transfers claim.amount tokens from from_account to to_account.

  • Logs a Withdraw event.

CPI

  • transfer: Transfers the specified tokens from from_account to to_account, signed by authority.

Zellic © 2025Back to top ↑