THORWallet Mitigation Review

• Total Prize Pool: $3,000 in USDC
  • Warden awards: $2,000 in USDC
  • Judge awards: $750 in USDC
  • Scout awards: $250 in USDC
• Warden guidelines for C4 mitigation reviews
• Starts March 20, 2025 20:00 UTC
• Ends March 25, 2025 20:00 UTC

Important note

Each warden must submit a mitigation review for every individual PR listed in the Scope section below. Incomplete mitigation reviews will not be eligible for awards.

Findings being mitigated

Mitigations of all High and Medium issues will be considered in-scope and listed here.

• F-9: The user can send tokens to any address by using two bridge transfers, even when transfers are restricted.
• F-6 MergeTgt has no handling if TGT_TO_EXCHANGE is exceeded during the exchange period

Mitigations of these additional issues will also be considered in-scope:

• F-3: User funds can get locked due to > instead of >= for Merge end time
• F-4: TITN tokens transferred to the LayerZero endpoint address will be lost

Scope

Branch

• https://github.com/THORWallet/TGT-TITN-merge-contracts/tree/audit-1 for F-3
• https://github.com/THORWallet/TGT-TITN-merge-contracts/tree/audit-2 for F-6
• https://github.com/THORWallet/TGT-TITN-merge-contracts/tree/audit-3 for F-4
• https://github.com/THORWallet/TGT-TITN-merge-contracts/tree/audit-4 for F-9

Mitigation of High & Medium Severity Issues

Additional scope to be reviewed

These are additional changes that will be in scope.

Out of Scope

• F-7: Improper Transfer Restrictions on Non-Bridged Tokens Due to Boolean Bridged Token Tracking, Allowing a DoS Attack Vector