
Soroban Source Code Audit - Tricorn Bridge


We’re excited to publish the first results of our recent collaboration with the Stellar Development Foundation. As part of this partnership, our experts conducted comprehensive security reviews of multiple projects built on Soroban, Stellar’s new smart contracts platform. The first detailed security audit report, which we publish today, includes specific findings already addressed by the development teams, as well as insights into Soroban’s security characteristics that contribute to the broader Soroban security community’s knowledge.

In April 2024, Coinspect started working with Boosty Labs to review the security of the Stellar Soroban integration for the Tricorn Bridge. Specifically, Coinspect reviewed the security of the smart contract’s Rust source code and its integration with Tricorn’s Golang backend.

The Tricorn bridge contract under review facilitates token transfers between Soroban and any destination chain supported by Tricorn. It supports both Tricorn-managed tokens (minted and burned by the contract) and tokens not managed by Tricorn, which are held in the contract’s own balance.

Coinspect’s analysis identified 3 high-risk, 6 medium-risk, and 1 low-risk vulnerabilities. The most critical findings could have allowed an adversary to arbitrarily modify the commission collector’s address or steal funds via Bridge Out operations. Additionally, Coinspect reported a vulnerability that could have rendered the bridge unusable due to storage exhaustion.

Download the Tricorn Bridge Source Code Audit Report