Aurora · Smart Contract Security AssessmentAurora Client Hub

Near Connector (Rainbow Bridge)

Co-audit with AuditOne of the Aurora Near Connector, a generic ERC-20 / NEP-141 connector for the Rainbow Bridge that enables trustless transfer of ETH and ERC-20 tokens between Ethereum and the NEAR protocol. The two-week manual review covered 4 Solidity contracts and 14 Rust modules spanning the forwarder, factory, controller, and proof-consumer layers. 13 issues were identified (1 Medium, 4 Low, 8 Informational); 4 were fixed and 9 acknowledged.

NearEthereumSolidity + RustSmart Contract Code Review2024-06-03github.com/Near-One/rainbow-token-connectorZealynx methodology
Total findings
13
4 fixed · 9 acknowledged
Critical
00
High
00
Medium
01
Low + Info
12
02

Scope

20 files
Repository
github.com/Near-One/rainbow-token-connector
Initial commit
0b989fa2d252
Final commit
b600af24e2b5
Platform
Near · Ethereum · Solidity + Rust
Methodology
Zealynx audit methodology
File
forwarder/src/error.rs
forwarder/src/lib.rs
forwarder/src/params.rs
forwarder/src/types/address.rs
forwarder/src/types/promise.rs
forwarder/src/types/mod.rs
forwarder/src/types/account_id.rs
forwarder/src/runtime/io.rs
forwarder/src/runtime/handler.rs
forwarder/src/runtime/env.rs
forwarder/src/runtime/mod.rs
forwarder/src/runtime/sys.rs
fees/src/lib.rs
tests/src/lib.rs
factory/src/lib.rs
controller/src/lib.rs
contracts/BridgeTokenFactory.sol
contracts/BridgeToken.sol
contracts/SelectivePausableUpgradable.sol
contracts/ProofConsumer.sol
03

Findings

click any row for the full write-up
Severity
ID
Finding
Status
mediumF-2024-0001Lack of critical check on nearTokenId in newBridgeToken functionFixedlowF-2024-0002Inconsistent amount type in withdraw functionFixedlowF-2024-0003Lack of storage gaps in SelectivePausableUpgradable contract for future upgradesAcklowF-2024-0004Single-step ownership transfer in BridgeToken contractFixedlowF-2024-0005Silent failure in add_account_to_whitelist methodAckinfoF-2024-0006Unused private variable _pausedFlags in SelectivePausableUpgradable contractFixedinfoF-2024-0007Deposit function lacks whitelisted token checkAckinfoF-2024-0008Uninitialized variables in ProofConsumer contractAckinfoF-2024-0009Unused Ownable library import in ProofConsumer contractAckinfoF-2024-0010Missing parameter validation in initialize function of BridgeTokenFactoryAckinfoF-2024-0011Unnecessary gas consumption in _authorizeUpgrade functionAckinfoF-2024-0012Unutilized memo field in fungible token transfer methodsAckinfoF-2024-0013Solidity version 0.8.20+ may not work on other chains due to PUSH0Ack
04

Key Findings

  • Lack of critical check on nearTokenId in newBridgeToken. The newBridgeToken function does not validate that the nearTokenId argument equals result.token, allowing an attacker to submit a metadata proof with an incorrect nearTokenId and cause deposit and withdraw to always revert for that token (Denial of Service against the bridge's token functionalities).
  • Inconsistent amount type in withdraw. The withdraw function declares amount as uint256 but the value is handled as uint128 on the NEAR side, creating a risk of integer overflow if the supplied amount exceeds type(uint128).max.
  • Missing storage gaps on SelectivePausableUpgradable. The upgradeable contract does not reserve storage gaps for future state variables, which can lead to storage collisions with derived contracts when new variables are added in future upgrades.
  • Single-step ownership transfer in BridgeToken. BridgeToken extends OwnableUpgradeable and uses single-step ownership transfer; an incorrect address passed to transferOwnership would irretrievably lose control over all onlyOwner protocol functions.
  • Silent failure in add_account_to_whitelist. The Rust add_account_to_whitelist method on the token-locker whitelist module does not check the return value of insert, so callers are not informed whether an account was newly added or was already present.
  • Uninitialized state in ProofConsumer. The ProofConsumer contract lacks a constructor or initializer, leaving prover, nearTokenLocker and minBlockAcceptanceHeight as their default zero values; this causes every _parseAndConsumeProof call to revert and renders the contract unusable in that state.
05

Team & approval

Auditor
Carlos (Vendrell46)
@TheBlockChainer
Auditor
Defec
Auditor
Ubermensch3dot0
06

Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Download PDF (28p)
ZEALYNX SECURITY · published 2024-06-03
13 findings · Solidity

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx