L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our discord to suggest improvements!

Hyphen logoHyphen




Hyphen Bridge is a part of the Biconomy chain and ecosystem. It's a cross-chain bridge that uses liquidity pools to perform token swaps.

If you find something wrong on this page you can submit an issue or edit the information.

Risk summary

Note: This project's overview requires more research and might not present accurate information. If you want to contribute you can edit the information on Github. Alternatively you contact the project team on Twitter and encourage them to contribute a PR.


Principle of Operation

Hyphen Bridge has LiquidityPool contracts deployed on supported chains and allows anyone to become liquidity provider within predefined limits. Cross-chain token transfer starts by a user depositing tokens to a LiquidityPool contract on the source chain with information of the requested destination chain. Funds (minus fees) are released to the user from a LiquidityPool on the destination chain via a call by an Executor, currently one of four EOAs. Separate off-chain entities called Watch Towers are responsible for watching for user deposits and notifying Executors.

Validation Method

Note: This section requires more research and might not present accurate information.

Funds can be released from LiquidityPool to any user by any Executor (currently 1 of 4 EOAs on Ethereum). User needs to trust that Executor performs this action only after validating deposit on the source chain. There are token- and blockchain-dependent limits on maximal single withdrawals.

  • Users can be censored if the Watch Towers ignore deposits from selected users (CRITICAL).

  • Users can be censored if the Executors don't act on deposits from selected users (CRITICAL).

  • Funds can be stolen if an Executor asks LiquidityPool to release funds to a user that hasn't made any corresponding deposit on other chain (CRITICAL).

  • Funds can be frozen if there's insufficient liquidity of requested token in the destination LiquidityPool.

  • Funds can be frozen if one of the contracts is paused by it's owner.

Permissioned Addresses

The system uses the following set of permissioned addresses:

ProxyAdmin 0x13a4…f472

EIP1967 admin of LiquidityPool, TokenManager and LiquidityProviders.

Owner of ProxyAdmin 0x1294…aCC7

Can upgrade implementation of LiquidityPool, TokenManager and LiquidityProviders.

Owner of LiquidityPool, TokenManager, LiquidityProviders and ExecutorManager 0xD76b…D5E6

Can pause contracts, change configuration and change proxy admin or update Executor list.

Executor is able to release funds from LiquidityPool.

Smart Contracts

The system consists of the following smart contracts:

This contract stores the following tokens: ETH, USDC, USDT, MATIC, BICO.

Configures limits and other aspects of supported assets.

ExecutorManager 0xbd76…1399

Manages a list of addresses with Executor role.

Liquidity pool logic (not escrow - funds are sent to LiquitityPool).

The current deployment carries some associated risks:

  • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).