F-2026-0023·missing-bound-enforcement

Missing enforcement of Bridge::MAX_TOKEN_PAIRS

Fixed · bridge · cross-chain · key-registry · github.com/pdxwebdev/yadakeyeventwallet
TL;DR

MAX_TOKEN_PAIRS is defined but never enforced; supportedOriginalTokens grows unboundedly across registrations.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
CAT.
Complexity: LOW
Exploitability: LOW

Description

The Bridge.sol contract defines a MAX_TOKEN_PAIRS constant but does not enforce it when new token pairs are registered. In Bridge::registerKeyPairWithTransfer the code pushes tokens into the Bridge::supportedOriginalTokens array without checking length limits or duplicates. This allows unbounded growth of the array.

Recommendation

Enforce the MAX_TOKEN_PAIRS limit when registering new pairs:

solidity
require(
    supportedOriginalTokens.length < MAX_TOKEN_PAIRS,
    "max token pairs reached"
);
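
The recommended check placed in a registration path, together with a guard for the duplicates the description mentions, as an added example that is not the project's Bridge.sol. Only MAX_TOKEN_PAIRS and supportedOriginalTokens come from the finding; the contract name, the isSupportedOriginal mapping, both functions, the event, and the constant's value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's Bridge.sol. Only MAX_TOKEN_PAIRS and
// supportedOriginalTokens are names from the finding; the rest is hypothetical.
contract BoundedTokenRegistry {
    // Constructed value; the finding does not state the real constant's value.
    uint256 public constant MAX_TOKEN_PAIRS = 10;

    address[] public supportedOriginalTokens;

    // Hypothetical membership index so a duplicate is detected in O(1)
    // instead of by scanning the array.
    mapping(address => bool) public isSupportedOriginal;

    event OriginalTokenAdded(address indexed token, uint256 newLength);

    // Stand-in for the registration path (registerKeyPairWithTransfer in the
    // finding). Access control and key-rotation logic are omitted here.
    function registerPairs(address[] calldata originalTokens) external {
        for (uint256 i = 0; i < originalTokens.length; i++) {
            _trackOriginalToken(originalTokens[i]);
        }
    }

    function _trackOriginalToken(address token) internal {
        require(token != address(0), "zero token");

        // Already tracked: skip the push, so repeated registrations of the
        // same token neither grow the array nor consume a slot.
        if (isSupportedOriginal[token]) {
            return;
        }

        // Check the bound before the push, so length never exceeds the cap.
        require(
            supportedOriginalTokens.length < MAX_TOKEN_PAIRS,
            "max token pairs reached"
        );

        isSupportedOriginal[token] = true;
        supportedOriginalTokens.push(token);
        emit OriginalTokenAdded(token, supportedOriginalTokens.length);
    }
}
```

Because the revert happens inside the loop, a batch that would cross the cap is rejected as a whole rather than partially applied.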

Resolution

YadaCoin, Confirmed.

Zealynx, Fixed.

Status: Fixed

© 2026 Zealynx