Audit & Risk
Bwick Labs has not yet engaged a third-party security firm for a formal audit of the bwickchain bridge module, oracle contract, AMM, or launchpad. A qualified third-party audit is on the future-milestones roadmap and will precede any production-scale token bridging or launch activity.
| Risk | Description and mitigation |
|---|---|
| Single-relayer trust | The bridge currently relies on a single relayer key. A compromised key would allow unauthorised mints up to the per-transaction cap or unauthorised withdrawals from the Solana program vault. Mitigation: migration to a multi-signature or threshold scheme is on the near-term roadmap. In the interim, both keys are held on a hardened host with restricted file permissions. |
| Oracle manipulation | The price oracle reads from the pump.fun bonding curve on Solana. A flash-loan attacker could move the spot price for a single block. Mitigation: contracts that perform price-sensitive actions (graduation thresholds, USD-denominated checks) read the 60-second TWAP rather than spot, raising manipulation cost. |
| Validator concentration | With three equal-stake validators, the chain halts on any single failure (the bwickchain consensus protocol requires >2/3 voting power for liveness, and the two remaining validators hold exactly 2/3). Mitigation: validator set expansion to 7+ independently-operated nodes is on the roadmap. |
| Public Solana RPC rate limits | The relayer currently uses the public Solana mainnet endpoint and is subject to 429 rate-limit responses under load. Mitigation: migration to a paid RPC provider before any meaningful bridge volume. |
| Smart-contract VM constraints | The bwickchain WebAssembly runtime does not yet support certain post-MVP WebAssembly features. Contracts must be compiled with restricted feature flags, and tooling that emits unsupported instructions will fail to deploy. Mitigation: documented build procedure using rustc 1.79 and the in-tree .cargo/config.toml flags. |
| Forward-looking statements | Statements concerning future events, roadmap milestones, or anticipated outcomes are projections subject to risk and uncertainty. Actual results may differ materially. |
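
The oracle-manipulation row above contrasts a spot read with a 60-second TWAP. The following added example (not Bwick Labs code) shows how much a one-block price spike moves each value; the `Obs`, `spot`, `twap` and `sample` names, the one-second block time and the sample prices are assumptions made for illustration.

```rust
/// One oracle observation: the spot price that took effect at `ts` (seconds).
#[derive(Clone, Copy)]
pub struct Obs { pub ts: u64, pub price: u64 }

/// Latest observed price at or before `now` (what a spot read would return).
pub fn spot(obs: &[Obs], now: u64) -> Option<u64> {
    obs.iter().rev().find(|o| o.ts <= now).map(|o| o.price)
}

/// Time-weighted average price over [now - window, now], in integer math.
/// `obs` must be sorted by `ts`; each price holds until the next observation.
/// Returns None if the window is empty or the history does not cover its start.
pub fn twap(obs: &[Obs], now: u64, window: u64) -> Option<u64> {
    let start = now.checked_sub(window)?;
    if window == 0 || obs.first()?.ts > start { return None; }
    let mut acc: u128 = 0;
    for (i, o) in obs.iter().enumerate() {
        let end = obs.get(i + 1).map_or(now, |n| n.ts).min(now);
        let begin = o.ts.max(start);
        if end > begin {
            acc += (o.price as u128) * ((end - begin) as u128);
        }
    }
    Some((acc / window as u128) as u64)
}

/// Constructed sample: a steady price of 1_000 with a 10x spike that lasts
/// one second (assumed block time) before the price returns to 1_000.
pub fn sample() -> Vec<Obs> {
    vec![
        Obs { ts: 0, price: 1_000 },
        Obs { ts: 99, price: 10_000 }, // manipulated for a single block
        Obs { ts: 100, price: 1_000 },
    ]
}

fn main() {
    let obs = sample();
    // Spot follows the spike in full; the 60-second TWAP moves by 15%.
    println!("spot at t=99:  {:?}", spot(&obs, 99));
    println!("twap at t=100: {:?}", twap(&obs, 100, 60));
}
```

A threshold check against the TWAP still moves if the spike is held for more of the window, which is why the table describes the TWAP as raising manipulation cost rather than removing the risk.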