
Comments on L2 integration #1772

Open
claravanstaden wants to merge 2 commits into main from clara/l2-bug-bounty-comment

Conversation

@claravanstaden
Contributor

To hopefully reduce invalid bug bounty reports.

@codecov

codecov Bot commented Apr 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.90%. Comparing base (d9107c5) to head (40c7672).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1772   +/-   ##
=======================================
  Coverage   76.90%   76.90%           
=======================================
  Files          24       24           
  Lines         983      983           
  Branches      186      186           
=======================================
  Hits          756      756           
  Misses        203      203           
  Partials       24       24           
Flag       Coverage Δ
solidity   76.90% <ø> (ø)

Flags with carried forward coverage won't be shown.


/// the same `Gateway.v2_submit` transaction that issues the preceding
/// `UnlockNativeToken(recipient = L1Adaptor, amount = X)` command. The paired
/// unlock funds this contract; the paired CallContract consumes the funds and
/// sweeps any residual back to the BEEFY-signed `recipient`. Both commands execute
Contributor


Maybe we should add a note about the recipient: it’s typically an EOA, but if it’s a contract, it must be able to receive ETH. Otherwise, the ETH could become trapped in the adapter and potentially be exploited. Some kind of disclaimer—perhaps surfaced in the UI—would be helpful.

Contributor

@yrong yrong left a comment


+1

@yrong
Contributor

yrong commented Apr 23, 2026

Once this is merged, we should update the scope of the HackenProof reports.

There’s been some confusion—for example:
https://dashboard.hackenproof.com/manager/companies/snowbridge/snowbridge-on-chain-code/reports/SNOWBSC-454 — reporters are reviewing outdated code and raising issues based on it.

Comment on lines +13 to +18
/// @dev End users on the L2 call `sendTokenAndCall` and `sendEtherAndCall` directly to
/// bridge ERC20 / native ETH back to Ethereum and onward to Polkadot. These
/// functions pull funds from the caller in the same call — via
/// `safeTransferFrom(msg.sender, address(this), inputAmount)` for ERC20 or
/// `require(msg.value == inputAmount)` for native ETH — and forward the pulled
/// amount straight to the SpokePool deposit. No function in this contract moves
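Review bot: the doc comment names the pulled-funds check only for the native-ETH path (`require(msg.value == inputAmount)`); for the ERC20 path it gives `safeTransferFrom(msg.sender, address(this), inputAmount)` but does not say how a non-zero `msg.value` sent along with `sendTokenAndCall` is treated. Since the PR's stated purpose is to pre-empt invalid bounty reports, consider stating explicitly whether that call rejects stray ETH, so readers do not have to infer it from the code.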
Contributor

@yrong yrong Apr 23, 2026


It might also be worth adding a note about the recipient. This address is used to receive any funds that may be trapped if a call fails on mainnet. Additionally, if fees are not profitable, assets will be returned to this address on the original L2.

It’s usually an EOA, but if it’s a contract, it must be able to receive assets on both L2 and mainnet.
