Search

Search for projects by name

L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our Discord to suggest improvements!
SummaryValue SecuredDetailed descriptionRisk summaryTechnologyPermissionsSmart contracts

Allbridge logoAllbridge

About

Allbridge Core enables the transfer of value between blockchains by offering cross-chain swaps of native stablecoins using liquidity pools.

  • Total value secured
  • Destination
  • Validated by
    Various AMBs
  • Type
    Hybrid

    • About

    Allbridge Core enables the transfer of value between blockchains by offering cross-chain swaps of native stablecoins using liquidity pools.

    Value Secured

    2024 May 08 — 2025 May 08

    Detailed description

    Allbridge Core enables the transfer of value between blockchains by offering cross-chain swaps of native stablecoins using liquidity pools.

    For its stablecoin liquidity network it is using either of its own AMB, Circle CCTP or Wormhole to pass messages. Allbridge TokenBridge is a token bridge implemented as a separate contract. Core system parameters can be changed by an EOA, risking the loss of all funds stored in the system contracts.

    Risk summary
    This project includes unverified contracts. (CRITICAL)

    Users can be censored if

    1. the circle oracle network fails to facilitate a transfer via the Circle CCTP,
    2. the Wormhole guardians and / or Allbridge validators decide to stop processing certain transactions.
    Technology

    Principle of operation

    For USDC and USDT, Allbridge ‘Core’ offers three message protocols (AMBs) to choose from: Allbridge, Wormhole and Circle CCTP (USDC only). These two token classes can also simultaneously be swapped while bridging, tapping into the Allbridges multichain liquidity pools.

    For other supported tokens, Allbridge offers a token bridge mode that locks tokens in the escrow on Ethereum and mints them at the destination. The crosschain messages in this case are passed via either Allbridge AMB or Wormhole.

    1. Docs: Wormhole architecture

    Transfers are externally verified

    Validation process takes place in external network called the Guardian Network. Nodes in the network, called Guardians, observe the Core Contract on each supported chain and produce VAAs (Verified Action Approvals, essentially signed messages) when those contracts receive an interaction. Based on the VAA user can withdraw funds on the other end of the bridge.

    • Users can be censored if the circle oracle network fails to facilitate a transfer via the Circle CCTP.

    • Users can be censored if the Wormhole guardians and / or Allbridge validators decide to stop processing certain transactions.

    • Funds can be stolen if the Wormhole guardians and / or Allbridge validators allow to mint more tokens than there are locked on Ethereum thus preventing some existing holders from being able to bring their funds back to Ethereum.

    • Funds can be stolen if the Wormhole guardians and / or Allbridge validators sign a fraudulent message allowing themselves to withdraw all locked funds.

    1. AllbridgeMessenger contract: function receiveMessage()
    2. WormholeCore contract: function verifyVM()
    3. CCTP Risk Management Network
    Permissions

    Ethereum

    Actors:

    TokenBridge Admin (2) 0x4BE5…20740xF62e…918A

    Allowed to grant and revoke all roles in the TokenBridge (Can steal all funds).

    TokenBridge Manager 0x4BE5…2074

    Allowed to set Validators, unlockSigners and unpause in the TokenBridge (Can steal all funds).

    TokenBridge Token Manager 0x4BE5…2074

    Allowed add and remove token support in the TokenBridge.

    TokenBridge Stop Manager 0x83f5…0c5E

    Can pause the TokenBridge.

    Allbridge Owner EOA. 0x01a4…A4D0

    Owner of all system contracts except TokenBridge, privileged to update messengers and other bridge parameters. As a result this account can drain all funds from the pools.

    AllbridgeMessenger EOA. 0x7234…35BA

    EOA delivering crosschain messages to the AllbridgeMessenger contract.

    WormholeMessenger EOA. 0x26f9…40D5

    EOA delivering crosschain messages to the WormholeMessenger contract.

    CctpBridge messenger EOA. 0xb7C5…3414

    EOA delivering crosschain messages to the WormholeMessenger contract.

    Smart contracts

    Ethereum

    LPBridge 0x609c…0c9e

    The main contract for the Allbridge liquidity network.

    TokenBridge 0xBBbD…E884

    The main contract for the Allbridge token bridge. This contract can store any token.

    Validator 0x9374…d74b

    This contract is responsible for validating incoming messages to the token bridge. The source code of this contract is not verified on Etherscan.

    FeeOracle 0xba6d…E1f6

    This contract is responsible for calculating bridge fees. The source code of this contract is not verified on Etherscan.

    GasOracle 0x0BdF…96e0

    This contract is responsible for calculating crosschain gas fees.

    AllbridgeMessenger 0x203e…86dA

    Contract used to receive messages via allbridge AMB.

    WormholeMessenger 0x7f02…da74

    Contract used to receive messages via Wormhole AMB.

    CctpBridge 0xC513…10d6

    Contract used to receive messages via Circle CCTP.

    Value Secured is calculated based on these smart contracts and tokens:

    Generic escrow 0xBBbD…E884

    Lock-Mint token bridge

    Escrow for USDT 0x7DBF…135D

    USDT liquidity pool on Ethereum

    Escrow for USDC 0xa706…7C4d

    USDC liquidity pool on Ethereum

    The current deployment carries some associated risks:

    • Funds can be stolen if the source code of unverified contracts contains malicious code (CRITICAL).