Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
1d163f7
feat(web): segment bridge rows by mint/lock/transport model
spalen0 Jul 15, 2026
943f72f
fix(web): resolve 4 unknown bridge models to 'lock' (verified onchain)
spalen0 Jul 15, 2026
7e518e6
reassess(fx-fxusd, infinifi): drop unverified bridge dependencies; re…
spalen0 Jul 15, 2026
dd7b559
fix: restore Cap stcUSD and InfiniFi as live LayerZero lock dependencies
spalen0 Jul 15, 2026
9d2ccf2
feat(web): add AggLayer (LxLy) bridge; document adapter-discovery method
spalen0 Jul 15, 2026
61a5238
fix bridge risk model claims
spalen0 Jul 15, 2026
89b27df
Merge remote-tracking branch 'origin/master' into bridge-model
spalen0 Jul 16, 2026
82da907
feat(web): add LayerZero DVN quorum column to bridges page
spalen0 Jul 16, 2026
dbc57ee
fix(web): Sky USDS primary bridge is native rollup bridges, not Layer…
spalen0 Jul 16, 2026
bec45fc
refactor(web): rename DVN column to reusable Security; Model legend; …
spalen0 Jul 16, 2026
9ac3f97
docs(web): clearer Model legend wording; drop legend title
spalen0 Jul 16, 2026
3555bdf
feat(web): add CCTP attester quorum to the Security column
spalen0 Jul 16, 2026
afadcc9
feat(web): move Security column from CCTP to Chainlink CCIP
spalen0 Jul 16, 2026
b720048
docs(web): explain CCIP security in its description, drop the badge c…
spalen0 Jul 16, 2026
6f8623f
docs(web): refine bridge descriptions
spalen0 Jul 16, 2026
d1c85e1
fix route-specific bridge security metadata
spalen0 Jul 16, 2026
959da00
resolve remaining bridge security TODOs
spalen0 Jul 16, 2026
9ccaa1e
style(web): uniform-width model badges in table and legend
spalen0 Jul 17, 2026
2006d68
style: bridge table alignments
spalen0 Jul 17, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
scripts/check_bridges.mjs text diff
1 change: 1 addition & 0 deletions reports/report/across-protocol.md
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,7 @@ So fund delegation risk is limited to (a) the HubPool's own custody and (b) ever

- **UMA Optimistic Oracle V3:** [`0xfb55F43fB9F48F63f9269DB7Dde3BbBe1ebDC0dE`](https://etherscan.io/address/0xfb55F43fB9F48F63f9269DB7Dde3BbBe1ebDC0dE). Disputes route through UMA's DVM. The OO uses identifier `"ACROSS-V2"` (verified onchain via `HubPool.identifier()`). UMA itself is governed by a separate UMA-holder DAO, which is also Risk Labs–affiliated.
- **Canonical L1↔L2 bridges (Arbitrum, Optimism, Base, Polygon, zkSync, Linea, Blast, World Chain, etc.):** Critical for repatriating `utilizedReserves` to the HubPool. Failure of any of these (a frozen rollup, a halted canonical bridge) isolates that chain's SpokePool inventory until the underlying issue resolves — or until the multisig writes down the loss via `haircutReserves`.
- **LayerZero V2 / USDT0 OFT:** The deployed Ethereum Arbitrum adapter (`0x5eC9…B57C`) uses AdapterStore `0x42df…D63b`; its live `(OFT_MESSENGER, eid 30110, USDT)` entry resolves to USDT0 messenger `0x6C96…1dee`. That route moves USDT from the HubPool to the Arbitrum SpokePool through the peer Arbitrum OApp [`0x14E4…8D92`](https://arbiscan.io/address/0x14E4A1B13bf7F943c8ff7C51fb60FA964A298D92). The Ethereum→Arbitrum receive config was verified onchain at **3-of-3** (USDT0, LayerZero Labs, Canary), 65 confirmations. This is a per-asset transport dependency; it does not describe other Across assets or routes.
- **Ethereum mainnet:** Full L1 dependency.
- **No oracle pricing dependency for LP NAV:** Unlike Reserve/RSR, Across does NOT need Chainlink or any price oracle to value LP reserves; the underlying token itself is what's owed.
- **Fallback mechanisms:** If UMA DVM fails to resolve, root bundle execution is blocked until the proposal is replaced. Liquidity remains in the HubPool / SpokePools but cannot be rebalanced. The multisig can `emergencyDeleteProposal` to clear the queue.
Expand Down
6 changes: 4 additions & 2 deletions reports/report/cap-stcusd.md
Original file line number Diff line number Diff line change
Expand Up @@ -299,6 +299,7 @@ Cap's governance flows through a **3-of-5 Gnosis Safe multisig** → **24-hour T
| **RedStone** | High | cUSD price oracle (0.05% deviation threshold). Stale prices disable minting/burning |
| **wWTGXX (WisdomTree)** | Low | ~$5.08M tokenized gov money market fund. Minimal DeFi adoption and few holders |
| **USDC (Circle)** | High | Primary reserve asset (~95% of cUSD backing) |
| **LayerZero V2** | High | The Ethereum OFT Adapter [`0x983a…4137`](https://etherscan.io/address/0x983aeaaa0d0426839158435c43725ea7f45d4137) escrows 25,311,191 stcUSD, **51.99% of the 48.68M supply**, backing the native Katana OFT. The adapter cannot mint canonical stcUSD, so compromise risk is bounded by the remote supply and locked collateral, but the integration affects a majority of current supply |
| **USDT, pyUSD, BENJI, BUIDL** | Low | Listed in docs as potential reserve assets but **not currently whitelisted onchain** (`Vault.assets()` returns only USDC and wWTGXX) |
| **Institutional Operators** | High | IMC Trading, Edge Capital, Susquehanna Crypto generate yield via offchain strategies. Counterparty risk mitigated by Symbiotic restaking |

Expand Down Expand Up @@ -426,12 +427,13 @@ Cap's governance flows through a **3-of-5 Gnosis Safe multisig** → **24-hour T

| Factor | Assessment |
|--------|-----------|
| Protocol count | Morpho (critical), Symbiotic (critical), RedStone (high), USDC/Circle (high), wWTGXX/WisdomTree (low). Aave V3 is wired in but no longer holds reserves |
| Protocol count | Morpho (critical), Symbiotic (critical), RedStone (high), USDC/Circle (high), LayerZero V2 (high), wWTGXX/WisdomTree (low). Aave V3 is wired in but no longer holds reserves |
| Morpho concentration | ~$48.9M USDC — **100%** of deployed USDC reserves are in Morpho (Steakhouse Prime + Gauntlet Prime). Concentration on a single underlying lending protocol increased materially vs. March's 67/33 Morpho/Aave split |
| Symbiotic | Novel restaking infrastructure, less battle-tested than established alternatives |
| LayerZero concentration | The OFT Adapter escrows 25.31M stcUSD (**51.99% of supply**) for Katana. This is a lock-and-mint representation, not a canonical-token mint authority, but bridge failure or compromise can affect the majority escrowed share |
| Operator counterparties | Institutional firms (IMC, Susquehanna, Edge) — blue-chip but opaque |

**Dependencies Score: 3.0/5** — The total dependency count is similar, but reserve concentration has shifted: 100% of the deployed USDC reserve now sits in Morpho (across two MetaMorpho curators), removing the Aave V3 diversification leg. This raises Morpho-specific risk while keeping cross-protocol risk count flat. Symbiotic integration adds complexity. Multiple oracle dependencies (RedStone). The operator model introduces counterparty risk with institutional firms. Score remains 3.0 — diversification across two curators (Steakhouse, Gauntlet) partially offsets the loss of the Aave leg, and Morpho Blue itself is battle-tested.
**Dependencies Score: 3.0/5** — Reserve concentration has shifted: 100% of the deployed USDC reserve now sits in Morpho (across two MetaMorpho curators), removing the Aave V3 diversification leg. The live LayerZero integration also escrows 51.99% of stcUSD supply for Katana. Its lock-and-mint model cannot dilute canonical stcUSD, but it adds a material availability and escrow dependency that must be monitored. Symbiotic integration, RedStone oracles, and opaque institutional operator strategies add further complexity. Score remains 3.0 because the bridge blast radius is bounded by its locked collateral and the category already reflects several high-impact dependencies; the newly documented LayerZero concentration reinforces rather than changes that assessment.

**Centralization Score = (2.0 + 2.5 + 3.0) / 3 = 2.5**

Expand Down
4 changes: 2 additions & 2 deletions reports/report/centrifuge-jaaa.md
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,7 @@ Other governance / infra addresses checked and confirmed **not wards** on the JA

### External Dependencies

- **Cross-chain messaging — 2/2 threshold with LayerZero V2 + Chainlink CCIP.** The `MultiAdapter` ([`0x35C8…73BE`](https://etherscan.io/address/0x35C837F0A54B715a23D193E1476BFC9BC30073BE)) is now configured with two adapters for JAAA across destination chains: `0xD517BC7b…` (LayerZero V2, confirmed by `endpoint() = 0x1a44…`, the canonical Ethereum LayerZero V2 Endpoint) and `0x34e9…` (Chainlink CCIP per Centrifuge attestation). `quorum() = 2` verified onchain — **both** adapters must sign any non-Ethereum-chain message. Wormhole is no longer in the active adapter array for JAAA. LayerZero side reportedly uses 5 DVNs.
- **Cross-chain messaging — 2/2 threshold with LayerZero V2 + Chainlink CCIP.** The `MultiAdapter` ([`0x35C8…73BE`](https://etherscan.io/address/0x35C837F0A54B715a23D193E1476BFC9BC30073BE)) is now configured with two adapters for JAAA across destination chains: [`0xD517BC7b…`](https://etherscan.io/address/0xD517BC7ba17271A8D87bE7355B2523bf5c750295) (LayerZero V2, confirmed by `endpoint() = 0x1a44…`, the canonical Ethereum LayerZero V2 Endpoint) and `0x34e9…` (Chainlink CCIP per Centrifuge attestation). `quorum() = 2` verified onchain — **both** adapters must sign any non-Ethereum-chain message. Wormhole is no longer in the active adapter array for JAAA. The LayerZero adapter's six live inbound routes all use the same 15-confirmation ULN policy: Deutsche Telekom and Canary are required, plus 2-of-3 optional P2P, Nansen, and Nethermind DVNs (**4-of-5 effective quorum**).
- **Stablecoin settlement (USDC, USDT, USDS)** — JAAA accepts multiple subscription / redemption assets per Centrifuge. USDC inherits Circle's freeze list and reserve risk; USDT inherits Tether's; USDS inherits Sky's. Multi-asset settlement reduces single-issuer concentration.
- **Anemoy Capital SPC Limited (BVI)** — fund issuer of record. The legal wrapper that holds the underlying CLOs. BVI insolvency or regulatory action against Anemoy would constitute an existential risk for token holders.
- **Janus Henderson** — sub-advisor; selects and manages the CLO portfolio.
Expand Down Expand Up @@ -643,7 +643,7 @@ MADISON PARK FUNDING — three separate tranches (2018-30A 6.95%, 2025-65A 4.52%

**Subcategory C: External Dependencies**

- **Cross-chain:** **2-of-2 MultiAdapter quorum** — LayerZero V2 + Chainlink CCIP. Verified onchain via `MultiAdapter.adapters(...)` and `quorum() = 2`; LayerZero adapter `0xD517BC7b…` confirmed by `endpoint() = 0x1a44…` (canonical LayerZero V2 Endpoint), second adapter `0x34e9…` is per Centrifuge attestation Chainlink CCIP. Both must sign any non-Ethereum-chain message materially stronger than the prior single-Wormhole setup.
- **Cross-chain:** **2-of-2 MultiAdapter quorum** — LayerZero V2 + Chainlink CCIP. Verified onchain via `MultiAdapter.adapters(...)` and `quorum() = 2`; LayerZero adapter [`0xD517BC7b…`](https://etherscan.io/address/0xD517BC7ba17271A8D87bE7355B2523bf5c750295) confirmed by `endpoint() = 0x1a44…` (canonical LayerZero V2 Endpoint), second adapter `0x34e9…` is per Centrifuge attestation Chainlink CCIP. Both must sign any non-Ethereum-chain message. All six live LayerZero inbound routes use 15 confirmations and require Deutsche Telekom + Canary plus 2-of-3 P2P/Nansen/Nethermind (4-of-5 effective), materially stronger than the prior single-Wormhole setup.
- **Stablecoin settlement:** USDC, USDT and USDS are all supported subscription / redemption assets (per Centrifuge team).
- **Offchain stack:** Janus Henderson sub-advisor, Anemoy issuer, StoneX custody, Trident Trust admin+KYC (dual role), MHA Cayman audit. StoneX and Janus Henderson are battle-tested TradFi entities.

Expand Down
4 changes: 3 additions & 1 deletion reports/report/fx-fxusd.md
Original file line number Diff line number Diff line change
Expand Up @@ -256,7 +256,9 @@ In V2, all fxUSD position collateral is custodied by the PoolManager contract ([
- **Curve:** stETH/ETH EMA oracle + fxUSD/USDC pool for peg monitoring
- **Aave:** Stability Pool deploys USDC to Aave Core (up to 80% cap) and wstETH to Aave Prime (up to 80%)
- **Lido:** wstETH is the primary ETH collateral in V2 (~$12.38M)
- **LayerZero:** Used for omnichain fxUSD bridging (cross-chain OFT)
- **LayerZero:** **Not a fxUSD dependency** (corrected July 15, 2026). f(x) uses LayerZero `ProxyOFT` for *other* tokens (fETH, xETH, FXN, arUSD), but **fxUSD itself is not bridged**: the docs list fxUSD with a single Ethereum address and no bridging entry, [DeFiLlama](https://api.llama.fi/protocol/fx-protocol) reports f(x) Protocol on Ethereum only, fxUSD is not a native OFT (`endpoint()` and `oftVersion()` revert on [`0x0857…d8f6`](https://etherscan.io/address/0x085780639CC2cACd35E474e71f4d000e2405d8f6)), it is absent from [LayerZero's OFT registry](https://metadata.layerzero-api.com/v1/metadata/experiment/ofts/list), and it has no Chainlink CCIP token pool (`TokenAdminRegistry.getPool` returns the zero address). An earlier revision of this report described fxUSD as omnichain-bridged; that claim was unverified and is withdrawn.

- **Katana deployments are locally issued, not identified bridge representations.** Two `fxUSD` / "f(x) USD" ERC-20s exist on Katana ([`0x4c03…FDF9`](https://explorer.katanarpc.com/address/0x4c03ff0f44A55e7098a09016E02a01d3cdC2FDF9), supply ~12,008; [`0x1364…9f86`](https://explorer.katanarpc.com/address/0x1364b238C668A2dec1294174e4798E8c09979f86), supply ~1,000,018). Each token exposes a local `poolManager()` (`0x27b3…f96a` and `0xFae3…3C68`, respectively), and each PoolManager's `fxUSD()` points back to its corresponding token. The verified `0x1364…9f86` implementation restricts minting to its PoolManager; local mint events, including a 10,000-token genesis mint for `0x4c03…FDF9`, corroborate local issuance. Neither token is a LayerZero OFT (`endpoint()` reverts), and neither is the canonical AggLayer/LxLy wrapper of mainnet fxUSD (`PolygonZkEVMBridgeV2.getTokenWrappedAddress(0, fxUSD)` returns the zero address on Katana). This positive architecture evidence does not reveal a bridge path from Ethereum fxUSD to either Katana deployment. Because the `0x4c03…FDF9` implementation is not source-verified, a separate custom conversion path cannot be ruled out absolutely; reassess if one is identified rather than inferring a bridge from the shared name and symbol.

The protocol depends on multiple well-established DeFi protocols. Chainlink is the most critical dependency — oracle failure would impair pricing and liquidations. Aave exposure is capped and non-critical to core fxUSD backing.

Expand Down
8 changes: 8 additions & 0 deletions reports/report/infinifi.md
Original file line number Diff line number Diff line change
Expand Up @@ -323,6 +323,14 @@ The governance system is split into three branches to check and balance power:

- **Top dependencies (by deployed value)**: **Midas** (mGLOBAL tokenization layer over Fasanara Capital) ~47%, **Unidentified RWA escrow counterparties** (three separate escrows; one routes to the team multisig, two to external EOAs — TODO identify) ~31%, **PYUSD / Paxos + Sentora PRIME** (via maturing CoW-swap basket) ~7%, **Cap Protocol** (stcUSD) ~6%, **Aave (V4) / Global Dollar (USDG)** ~5%, **Steakhouse-curated Morpho MetaMorpho** ~3%. The Spark/MakerDAO, Aave Horizon, Maple Finance, and f(x) Protocol farms currently hold $0. The CoW-Protocol solver set is a settlement dependency for the maturing swap baskets.
- **Stablecoin dependencies**: USDC and USDT enabled as deposit assets (verified onchain). The protocol also takes indirect exposure to PYUSD (via the maturing swap basket), USDG / Global Dollar (via the Aave V4 market), cUSD/stcUSD (Cap), and to T-Bill-backed / hedge-fund RWAs (via Midas mGLOBAL and the three RWA escrow counterparties). USDe and sUSDe remain not enabled as deposit assets on FarmRegistry.
- **Cross-chain / bridge dependency (verified July 15, 2026): LayerZero, lock-and-mint.** Both receipt tokens bridge to **Katana** via LayerZero V2 OFT Adapters that **escrow the canonical token on Ethereum** — they hold no mint authority, so a bridge compromise cannot mint native iUSD/siUSD:
| Token | Ethereum OFT Adapter | Escrowed | Katana native OFT |
|---|---|---:|---|
| siUSD | [`0x5f21…c3c0`](https://etherscan.io/address/0x5f2106bb2a5aba6a783dbf29c8d3b09c175bc3c0) | 29,340.24 siUSD | [`0x6894…F92D`](https://explorer.katanarpc.com/address/0x68943c066747690ecDAEB027fa722B090ee6F92D) |
| iUSD | [`0xdd1c…3005`](https://etherscan.io/address/0xdd1cb2e1aa483e1d94e3e22e70cfbb634fcb3005) | 4.33 iUSD | [`0x9Fa1…1C10`](https://explorer.katanarpc.com/address/0x9Fa1202516916534Ade66962Ee91410d559f1C10) |

Each adapter's `token()` returns the corresponding mainnet token and its `endpoint()` is the canonical LayerZero V2 `EndpointV2` [`0x1a44…728c`](https://etherscan.io/address/0x1a44076050125825900e736c501f859c50fE728c); the Katana side exposes `oftVersion()` and the LZ V2 Katana endpoint `0x6F47…DD5B`. Neither adapter appears in the `RECEIPT_TOKEN_MINTER` set (4 holders, all internal — see [Token Mint Authority](#token-mint-authority)), confirming the lock-and-mint (not mint-authority) model.
- **Chainlink CCIP: not currently live.** The `OUTLAND_CONNECTOR_CCIP` [`0x4119…dd24`](https://etherscan.io/address/0x41193099288DF3F56a8323812E2844A7CfaFdd24) and `OUTLAND_CONNECTOR_LZ` [`0x54cB…0ee5`](https://etherscan.io/address/0x54cB6634BE99dDF4c7502f8E8f3b8D3f27Ba0ee5) from PR 224 are deployed but hold no iUSD/siUSD, and neither iUSD nor siUSD is registered in the CCIP `TokenAdminRegistry` (`getPool` returns the zero address). **Reassessment trigger:** re-check if a CCIP token pool is registered for iUSD/siUSD or the Outland CCIP connector begins holding value.

## Operational Risk

Expand Down
Loading
Loading