Gravity Bridge contest

An open and decentralized Eth–Cosmos bridge.

Twitter

General Information

Platform: Code4rena

Start Date: 26/08/2021

End Date: 08/09/2021

Period: 14 days

Status: Completed

Reporters: moneylegobatman, ninek

Pot Size: $100,000 USDC

Participants: 13

Reporters: moneylegobatman, ninek

Judge: Albert Chon

Id: 27

League: COSMOS

Findings Distribution

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository

Leaderboard


nascent	1/13	$59,925.99	6	3	3	2	2	-	0
jmak	2/13	$15,658.74	1	1	1	0	0	0	0
pauliax	3/13	$8,712.02	3	0	0	1	0	-	-
shw	4/13	$6,956.00	3	0	0	2	1	-	0
hrkrshnn	5/13	$3,410.36	3	0	0	1	0	-	-
tensors	6/13	$1,565.87	1	0	0	0	0	-	0
0xito	7/13	$1,694.66	1	0	0	0	0	-	0
ElliotFriedman	8/13	$940.76	2	0	0	0	0	-	-
hack3r-0m	9/13	$422.79	1	0	0	0	0	-	0
JMukesh	10/13	$381.01	2	0	0	0	0	-	-

13 auditor(s).

Auditor per page

Page 1 of 2

Althea Gravity Bridge Contest

$100,000 USDC (+ tokens) main award pot
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts August 26 00:00 UTC
Ends September 8 23:59 UTC

Glossary
Gravity bridge	a cross chain bridge between Cosmos-SDK and EVM based blockchains
Gravity Contract	The Gravity Bridge Solidity contract that holds bridge funds on Ethereum
Gravity module	The Cosmos-SDK module which makes up the SDK chain side of the bridge
Orchestrator	A special process run only by the validators of the Cosmos-SDK chain. Performing Oracle functions and producing Ethereum signatures
Relayer	A permissionless role that submits signatures from the validators to Ethereum as transactions

Contest Scope

Gravity Bridge is a cross chain bridge between Cosmos-SDK and EVM based chains.

The Gravity Bridge offers the ability to send funds from Ethereum to Cosmos and back, as well as the ability to deploy ERC20 representations of Cosmos based assets on Ethereum and transfer them bi-directionally as well.

Gravity is a complete system, made up of the Cosmos SDK 'module', a Solidity contract, and associated relaying/oracle code. This means the scope of this audit is quite large, covering the complete system across three programming languages.

Code

The commit hash 92d0e12cea813305e6472851beeb80bd2eaf858d of the repo github.com/althea-net/cosmos-gravity-bridge describes the exact code under audit.

This helpful link allows you to browse code specifically from this hash and you may find it useful when linking or otherwise referring to findings.

In addition to the code above, there is a smart contract for the Ethereum side of the bridge:

Gravity.sol (611 sloc)

The purpose of this contract is to store a representation of the Cosmos validator set and allow updates to that validator set, as well as deposits and withdraws to and from the contract. The events emitted by this contract are used by the oracle component of the bridge to perform actions on the Cosmos side of the bridge.

As part of a storage optimization the full validator set and voting power is not stored, only it's hash. The client submitting transactions must provide this data when it submits a transaction, this is a dramatic reduction in cost that makes updating validator sets with hundreds of thousands of frequently changing members cost feasible.

Docs

The Gravity Bridge developer guide covers:

how to setup your development environment
a detailed walkthrough of how the bridge works
a useful list of hotspots or key areas in the code where problems can be found

All contributions are welcome! Gravity bridge is a complex system but you don't need to understand the entire flow and all three languages to contribute. Using the hotspots list as a guide anyone with Go and Rust know-how can get started.