← Back to Audits

Bridge Contracts - Tea-Fi

Prepared by:

Halborn Logo

HALBORN

Last Updated 10/29/2025

Date of Engagement: October 1st, 2025 - October 9th, 2025

Summary

100% of all REPORTED Findings have been addressed

All findings

11

Critical

0

High

0

Medium

1

Low

4

Informational

6

Table of Contents

1. INTRODUCTION

Tea-Fi engaged Halborn to conduct a security assessment of their smart contracts between October 1, 2025 and October 11, 2025. The engagement focused on the protocol’s core components responsible for custody (Vault), cross‑chain transfers (Bridge Adapter), and yield generation (Aave Strategy), with an emphasis on correctness, robustness to edge cases, and protection of user and treasury value.


The review was performed against the codebase provided by Tea-Fi (see Engagement Details and Scope) and included a comprehensive, self‑contained Foundry test suite authored during the assessment. The suite combines unit tests, property/invariant tests, and fuzzing to validate expected behavior and adversarial scenarios locally (no external networks required).

2. ASSESSMENT SUMMARY

A full‑time Halborn security engineer with deep smart‑contract security expertise performed the assessment, combining manual code review with automated testing to maximize coverage and realism.


Objectives:

    • Verify contract behavior and state transitions match intention under normal and adverse conditions.

    • Identify vulnerabilities, economic inconsistencies, and unsafe assumptions.

    • Validate access control, accounting (1:1 shares, principal vs. yield), and cross‑component interactions (bridge fees, strategy divest/harvest semantics).


Highlights and recommendations:

    • Bridge Adapter: Add a caller‑provided maxFee and select native fees by token type (not array index). Sanitize empty/misaligned quotes; emit messageId events for observability.

    • Aave Strategy: Clamp divest requests to booked principal to prevent yield leakage; consider allowance hygiene (exact approvals or emergency revoke).

    • Vault (ERC‑4626, 1:1): Enforce runtime balance‑delta checks to reject fee‑on‑transfer tokens; forbid rebasing assets; consider an emergency withdrawal mode (on‑hand only) if the strategy misbehaves.


Overall, the codebase demonstrates clear security intent. The recommendations above reduce both likelihood and blast radius of operational risks while strengthening user and treasury safety.

3. CAVEATS

    • Scope limits: Only the contracts and files listed in Scope were reviewed. External systems (e.g., Hyperlane router internals, Aave protocol), off‑chain infrastructure, and out‑of‑scope directories were treated as black boxes.

    • Assumptions: Standard token behavior is assumed unless explicitly tested (e.g., fee‑on‑transfer and rebasing tokens were explored via mocks). Economic conditions beyond contract‑level invariants (market liquidity, MEV dynamics) were out of scope.

    • Differential context: Findings are referenced against the scoped commit; external changes not visible in scope are excluded.


A full end‑to‑end assessment—covering off‑chain services, cross‑chain ops, and production deployment posture—is recommended for a complete security picture.

4. SCOPE

REPOSITORY
(a) Repository: contracts
(b) Assessed Commit ID: f1b5aab
(c) Items in scope:
  • contracts/bridge/SteamFiBridgeVault.sol
  • contracts/bridge/SteamFiBridgeAdapter.sol
  • contracts/bridge/strategies/AaveYieldStrategy.sol
↓ Expand ↓
Out-of-Scope: contracts/pre-vaults/*, contracts/synths/*, contracts/liquidator-proxy/*, contracts/test/*, ignition/modules/*, scripts/*, third party dependencies and economic attacks.
Remediation Commit ID:
  • 65ba721
  • 4cf79b1
  • f07fce6
  • 2cfd788
  • 9327392
  • d1e42c6
  • 9211c8a
  • be77967
  • 2c6bc82
Out-of-Scope: New features/implementations after the remediation commit IDs.

5. Findings Overview

Security analysisRisk levelRemediation
Possible Yield Leakage When Requested Amount Exceeds Booked PrincipalMediumSolved - 10/14/2025
Unlimited Allowance to Aave PoolLowSolved - 10/14/2025
No Emergency Exit From StrategyLowSolved - 10/14/2025
No Validation of Divested Amounts in withdraw() / redeem()LowSolved - 10/15/2025
No maxFee Bound Allows Fee SpikesLowSolved - 10/15/2025
Fee Token Mis-Selection Leads to Wrong ETH Fee PaymentInformationalSolved - 10/15/2025
Lenient Strategy Validation Can Allow MisconfigurationInformationalSolved - 10/15/2025
RotalAssets Excludes Unharvested YieldInformationalAcknowledged - 10/15/2025
Fee-on-Transfer Tokens Cause Under-CollateralizationInformationalSolved - 10/15/2025
Rebasing Tokens Break Withdrawals (1:1 Model)InformationalAcknowledged - 10/15/2025
Strategy Migration Can Strand Funds When totalPrincipal Under ReportsInformationalSolved - 10/15/2025

Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

// Download the full report

Bridge Contracts

* Use Google Chrome for best results

** Check "Background Graphics" in the print settings if needed