F-2026-0020·centralization-risk
Owner can drain bridge via emergencyWithdrawBNB
TL;DR
Centralization Risk. The owner can unilaterally withdraw all native BNB from the bridge, including BNB escrowed to back wrapped tokens, with no solvency check, timelock, or multisig.
Severity: LOW
Impact: HIGH
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description
Centralization Risk. The owner can unilaterally withdraw all native
BNB from the bridge via emergencyWithdrawBNB, including BNB escrowed to
back wrapped tokens. No solvency check, timelock, or multisig exists.
Recommendation
Consider adding a timelock, e.g. a 48-hour delay that is publicly visible
on-chain, giving users time to unwrap and exit if they disagree with the
withdrawal. Alternatively, add a solvency check
(address(this).balance - wrappedBNBToken.totalSupply()) to limit
withdrawals to excess BNB only.
Resolution
YadaCoin, Confirmed.
Zealynx, Fixed.
Status
Fixed