We are excited to announce the completion of a thorough security audit of our "Hubble" EVM Bridge, conducted by Veridise. The audit took place from July 24 to August 13, 2023, ensuring a comprehensive review of our bridge design's security measures.
The focus of the review was on our bridge’s zero-knowledge and smart contract functions. Veridise dedicated three skilled engineers for three weeks, spanning over nine person-weeks, to scrutinize our code up to commit 848d073. The process combined tool-assisted analysis with meticulous manual auditing.
About Hubble Bridge
The Webb Hubble Bridge offers an intuitive interface for individuals to move assets across chains privately. It is powered by Webb's Shielded Asset Protocol, a cross-chain transaction system that maintains the privacy of your transaction history using zero-knowledge proofs, enhanced further by our cross-chain and shared anonymity sets. Users can effortlessly deposit into shielded pools, transfer shielded assets, and withdraw from these pools, while their identities and transaction details remain private.
“The Webb team's professionalism made the audit procedure very smooth as they quickly responded to questions and issues raised by the audit team. While some significant issues were raised during the course of the audit, they were all promptly and effectively addressed. It was also clear how seriously they regard the security of their protocol as they integrated features such as sanction filters and withdraw limits.” — Jon Stephens, CTO of Veridise
Veridise's audit revealed 35 issues, with three being of high or critical severity:
- V-WBT-VUL-001: A function vulnerable to fund theft.
- V-WBT-VUL-002: A potential for overwriting commitments.
- V-WBT-VUL-003: A replay attack, possibly allowing unintended votes against user preferences.
Additionally, several medium-severity issues were identified, including potential bypassing methods for the bridge’s rate limiting and the protocol’s voting procedures.
All identified issues have been addressed, with fixes merged into the repository’s main branch at commit eeb4fc7.
The full report of the audit is available on our GitHub.
We are deeply committed to the security and reliability of our platform. This audit is just one milestone in our continuous improvement toward delivering a robust and secure EVM Bridge for our users.