Hyphen Bridge is a part of the Biconomy chain and ecosystem. It's a cross-chain bridge that uses liquidity pools to perform token swaps.
Funds can be stolen if
Funds can be frozen if
Principle of Operation
Hyphen Bridge has LiquidityPool contracts deployed on supported chains and allows anyone to become a liquidity provider within predefined limits. A cross-chain token transfer starts with a user depositing tokens to a LiquidityPool contract on the source chain, along with the requested destination chain. Funds (minus fees) are released to the user from a LiquidityPool on the destination chain via a call by an Executor, currently one of four EOAs. Separate off-chain entities called Watch Towers are responsible for watching for user deposits and notifying Executors.
Funds can be released from a LiquidityPool to any user by any Executor (currently 1 of 4 EOAs on Ethereum). Users need to trust that the Executor performs this action only after validating the deposit on the source chain. There are token- and blockchain-dependent limits on maximal single withdrawals.
Users can be censored if the Watch Towers ignore deposits from selected users (CRITICAL).
Users can be censored if the Executors don't act on deposits from selected users (CRITICAL).
Funds can be stolen if an Executor asks a LiquidityPool to release funds to a user that hasn't made any corresponding deposit on the other chain (CRITICAL).
Funds can be frozen if there's insufficient liquidity of the requested token in the destination LiquidityPool.
Funds can be frozen if one of the contracts is paused by its owner.
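An added example, not Hyphen's code: a minimal off-chain monitor that reconciles Executor releases on the destination chain against deposits on the source chain and flags any release that no deposit justifies, which is the theft case described above. The record fields, reason strings, sample data and limit table are constructed for illustration and do not mirror the contracts' actual event layout.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:            # seen on the source chain
    tx_hash: str
    to_chain: int
    receiver: str
    token: str            # symbol; a real monitor maps per-chain token addresses
    amount: int

@dataclass(frozen=True)
class Release:            # seen on the destination chain
    chain: int
    deposit_ref: str      # source deposit the Executor claims to be serving
    receiver: str
    token: str
    amount: int           # paid out, i.e. deposit minus fees
    executor: str

def audit_releases(deposits, releases, max_single):
    """Return (release, reason) for each release that no deposit justifies."""
    by_hash = {d.tx_hash: d for d in deposits}
    served, findings = set(), []
    for r in releases:
        d = by_hash.get(r.deposit_ref)
        if d is None:
            findings.append((r, "no matching deposit"))
            continue
        if r.deposit_ref in served:
            findings.append((r, "deposit already served"))
        elif (d.to_chain, d.receiver.lower(), d.token) != (r.chain, r.receiver.lower(), r.token):
            findings.append((r, "destination mismatch"))
        elif r.amount > d.amount:
            findings.append((r, "released more than deposited"))
        elif r.amount > max_single.get((r.chain, r.token), 0):
            findings.append((r, "over single-withdrawal limit"))
        served.add(r.deposit_ref)
    return findings

# Constructed sample data (not real transactions or addresses).
DEPOSITS = [Deposit("0xd1", 137, "0xAlice", "USDC", 1_000),
            Deposit("0xd2", 137, "0xBob", "USDC", 500)]
RELEASES = [Release(137, "0xd1", "0xalice", "USDC", 995, "0xExec1"),    # legitimate
            Release(137, "0xd1", "0xalice", "USDC", 995, "0xExec1"),    # same deposit served twice
            Release(137, "0xd2", "0xMallory", "USDC", 498, "0xExec2"),  # receiver differs from deposit
            Release(137, "0xd9", "0xMallory", "USDC", 900, "0xExec2")]  # no deposit at all
LIMITS = {(137, "USDC"): 10_000}

if __name__ == "__main__":
    for rel, why in audit_releases(DEPOSITS, RELEASES, LIMITS):
        print(f"ALERT {why}: {rel.amount} {rel.token} to {rel.receiver} by {rel.executor}")
```

Because any single Executor can trigger a release, the findings keep the executor address so an alert can be attributed to the key that signed it.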
The system uses the following set of permissioned addresses:
EIP1967 admin of LiquidityPool, TokenManager and LiquidityProviders.
Can upgrade implementation of LiquidityPool, TokenManager and LiquidityProviders.
Can pause contracts, change configuration and change proxy admin or update Executor list.
Executor is able to release funds from LiquidityPool.
The system consists of the following smart contracts:
This contract stores the following tokens: ETH, USDC, USDT, MATIC, BICO.
Configures limits and other aspects of supported assets.
Manages a list of addresses with Executor role.
Liquidity pool logic (not escrow - funds are sent to LiquidityPool).
The current deployment carries some associated risks:
Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).