three sigma logo
Orange Crypto

Code Audit

Orange Crypto

A cryptocurrency project focused on privacy, security, and decentralized finance.

Audit Report

Blockchain security isn't optional.

Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.

Get a Quote Today

Introduction

Orange Bridge is a cross-chain interoperability solution connecting Bitcoin’s BRC-20 tokens and Ethereum’s ERC-20 ecosystem. Its stack includes:

  • Smart Contracts for burning/minting ERC-20 representations
  • Event Listeners on both Bitcoin and EVM chains
  • Token Sending Services for BRC-20 and ERC-20 transfers
  • Web DApp UI for user interactions

The team engaged Three Sigma to validate that no logical gaps could lead to fund loss, stuck tokens, or signature forgery in the core bridge contracts.

Scope of the Engagement

  • File audited: orange-bridge-contract
  • Team: 1 auditor - 3 days
  • Chain: Ethereum

Audit Date: 2024-07-15

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issues

No critical issues were identified.

Notable High-Severity Issues

No high-severity issues were identified.

Notable Medium-Severity Issues

Balance check ignores reserved fees

  • Description: Vault.withdraw() only checks address(this).balance >= amount, allowing withdrawals to dip into unclaimed fees.
  • Resolution: Updated to address(this).balance - totalFees >= amount, ensuring fee reserves remain intact.

Use of address.transfer can block withdrawals

  • Description: address.transfer forwards only 2,300 gas, which can fail under changing gas costs or with contract wallets.
  • Resolution: Swapped to address.call{value: amount}("") with full gas stipends.

Fee comparisons permit overpayment

  • Description: >= fee checks in BRC20Factory.burn() and Vault.deposit() let users overpay and lose the excess, which isn’t tracked.
  • Resolution: Changed to strict == fee to prevent inadvertent overpayment.

Notable Low-Severity Issues

Two-step ownership transfer recommended

  • Description: Single-step Ownable risks accidental owner changes.
  • Resolution: Adopted Ownable2Step with pendingOwner and acceptOwnership().

Missing token validation

  • Description: Factory and Vault accept any token address, risking deposits of invalid tokens.
  • Resolution: Added isBRC20 mapping and guards to ensure only factory-created tokens are handled.

Severity Issues

critical
high

0

informational

7

medium

3

low

7

Audit Period

3 Days

Report

In conclusion

Three Sigma’s three-day review of Orange Bridge uncovered no critical or high-severity flaws. All medium-severity bugs around withdrawals, fee handling, and gas-safe transfers were fixed. Low-severity suggestions and best-practice optimizations—ranging from two-step owner handover to domain-separator resilience—were also implemented. With these updates, Orange Bridge’s contracts are robust, gas-efficient, and ready for secure cross-chain operation.

Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.

Get a Quote Today
Follow us on