Yada Coin · Smart Contract Security AssessmentYada Coin Client Hub

YadaCoin Bridge Infrastructure

Zealynx audited the YadaCoin bridge, a BNB ↔ YadaCoin cross-chain bridge with a KERI-inspired key registry, native and ERC-20 wrapped tokens via beacon proxies, and an ERC-2612 permit-driven operation flow. The 1-week review identified 28 issues including 3 Criticals (zero-cost native drain, broken post-upgrade onboarding, and a permanent key pair registration revert) and 2 Highs (cross-permit msg.value reuse and unvalidated wrapped-token binding). All findings were fixed before mainnet deployment.

BnbYadacoinSoliditySmart Contract Code Review2026-03-05github.com/pdxwebdev/yadakeyeventwalletZealynx methodology
Total findings
28
28 fixed
Critical
03
High
02
Medium
04
Low + Info
19
02

Scope

7 files · 1,159 SLOC
Repository
github.com/pdxwebdev/yadakeyeventwallet
Initial commit
72bee2627de9
Platform
Bnb · Yadacoin · Solidity
Methodology
Zealynx audit methodology
File
Bridge.sol
KeyLogRegistry.sol
MockERC20.sol
WrappedToken.sol
WrappedTokenBeacon.sol
WrappedTokenFactory.sol
WrappedTokenProxy.sol
03

Findings

click any row for the full write-up
Severity
ID
Finding
Status
criticalF-2026-0001New users cannot onboard after upgrade due to registerKeyLog regressionFixedcriticalF-2026-0002confirmingPublicKeyHash derived from wrong public key causes all key pair registrations to revert after inceptionFixedcriticalF-2026-0003Missing msg.value validation in transferOnly remainder path enables zero-cost drain of entire bridge native balanceFixedhighF-2026-0004Transaction-level msg.value reused across multiple native wrap permits enables minting unbacked wrapped tokensFixedhighF-2026-0005Unvalidated user-provided wrapped token address in pair registration enables binding legitimate tokens to malicious contractsFixedmediumF-2026-0006ERC-2612 permit frontrunning allows griefing DoS on all permit-dependent Bridge operationsFixedmediumF-2026-0007rotateToPublicKey only transfers Bridge ownership, leaving KeyLogRegistry desynchronized and old owner privilegedFixedmediumF-2026-0008Forced feeCollector update during ownership transfer leads to potential fee misdirectionFixedmediumF-2026-0009Gas DoS via Key Chain TraversalFixedlowF-2026-0010No refund of excess msg.value in native BNB operations leads to permanent absorption of overpaid fundsFixedlowF-2026-0011Absence of emergency pause mechanism across all contracts leads to inability to halt operations during active exploitsFixedlowF-2026-0012Hardcoded 18-decimal wrapped tokens break unwrap fees and wallet displaysFixedlowF-2026-0013No mechanism to deregister or disable token pairs leads to permanent persistence of compromised or deprecated pairsFixedlowF-2026-0014Silent chain truncation at 1000 entries causes getLatestChainEntry to return stale data with no error indicationFixedlowF-2026-0015Missing _disableInitializers() in constructor allows initialization of implementation contractsFixedlowF-2026-0016Early loop break in _executePermits causes order-dependent revert on valid owner transactionsFixedlowF-2026-0017_handleMint fee is computed but never collectedFixedlowF-2026-0018Mandatory native permit check bypassable with zero valueFixedlowF-2026-0019Broken logic in Bridge::getLatestEntryByPrerotatedKeyHashFixedlowF-2026-0020Owner can drain bridge via emergencyWithdrawBNBFixedlowF-2026-0022Fixed 30,000 gas stipend in _transferNative leads to potential incompatibility with contract recipientsFixedlowF-2026-0023Missing enforcement of Bridge::MAX_TOKEN_PAIRSFixedinfoF-2026-0026Duplicate public key length validation in Bridge::registerKeyPairWithTransferFixedinfoF-2026-0027Redundant zero address check in Bridge::registerKeyPairWithTransfer and Bridge::rotateToPublicKeyFixedinfoF-2026-0028Dead code in _handleWrap and _handleUnwrapFixed
04

Key Findings

  • Zero-cost bridge drain via missing msg.value validation. The transferOnly remainder path in the Bridge contract does not validate msg.value, allowing any caller to drain the entire native balance of the bridge at zero cost.
  • Complete key pair registration failure post-upgrade. The confirmingPublicKeyHash is derived from the wrong public key, causing every key pair registration to revert after the inception key.
  • New user onboarding regression in registerKeyLog. A regression introduced during an upgrade broke the registerKeyLog function for new users, preventing them from onboarding entirely.
  • Unbacked wrapped token minting via msg.value reuse. In permit-based batch operations, the same msg.value is accepted as valid collateral for multiple native wrap permits within a single transaction, enabling unbounded inflation of the wrapped token supply.
05

Architectural Security Observations

  • KERI-based key event chain integrity. KeyLogRegistry enforces strict chain integrity across key events, with uniqueness enforcement across all four index mappings.
  • Dual-signature key pair registration. Both unconfirmed and confirming keys must produce valid signatures with paired nonces.
  • Atomic state transitions. registerKeyPairWithTransfer combines key registration, token pair setup, permit execution, and ownership transfer in a single transaction.
  • Key-rotation-gated upgrades. The UUPS upgrade path (upgradeWithKeyRotation) is tied to the key rotation system rather than a simple owner call.
  • Beacon proxy pattern for wrapped tokens. Wrapped tokens are deployed via UpgradeableBeacon, enabling uniform upgrades across all deployed wrapped tokens.
  • Defense-in-depth on external calls. SafeERC20, ReentrancyGuardUpgradeable, and the checks-effects-interactions pattern are applied consistently.
06

Security Strengths Observed

  • Sound core key management design. The KERI-inspired key event log functions correctly. No critical vulnerabilities were found in this subsystem.
  • Modern Solidity practices. Custom errors over require strings, SafeERC20 for token interactions, upgradeable contract patterns with initializers, and explicit reentrancy guards.
  • Findings concentrated in edge cases. The majority of issues relate to input validation gaps, inconsistent error handling, and edge cases around non-18-decimal tokens and native token handling.
  • Controlled privilege model. Ownership transfer is gated by KeyLogRegistry validation rather than a simple transferOwnership call.
  • Clear separation of concerns. Modular design across KeyLogRegistry, Bridge, and WrappedToken.
07

Team & approval

Lead Auditor
Carlos (Bloqarl)
@TheBlockChainer
Auditor
Bobby_Petrov
@0x_bob_0x
Auditor
derastephh
@derastephh
08

Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.

Download PDF (80p)
ZEALYNX SECURITY · published 2026-03-05
28 findings · Solidity

oog
zealynx

Smart Contract Security Digest

Monthly exploit breakdowns, audit checklists, and DeFi security research — straight to your inbox

REQUEST AN AUDIT

Quick Links

Services

Company

Resources

© 2026 Zealynx