Omniscia Avant Protocol Audit
Cross Chain ERC20 Token Bridge Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 8b006fa4d4 | March 24th 2025 | f8077269e6 |
| c5b31e01e4 | March 31st 2025 | 0f9263c542 |
| cac155665a | April 1st 2025 | a494a96e37 |
Audit Overview
We were tasked with performing an audit of the Avant Protocol codebase and in particular their Cross Chain ERC20 Token Bridge implementing both Chainlink CCIP and LayerZero OFT based bridge operations.
The system combines the functionality of both Chainlink CCIP and LayerZero OFT based cross-chain messaging in two distinct implementations; one relying on the lock-release pattern (i.e. akin to the OFTAdapter notion) compatible with most EIP-20 implementations and one acting as an EIP-20 token itself (i.e. akin to the OFT implementation).
Over the course of the audit, we identified an inconsistency in the message senders utilized across implementations that would result in improper Chainlink CCIP cross-chain payloads to be relayed in both implementations.
Similarly to the original OFT system by LayerZero, the current OFTAdapterUpgradeableWithCCIP implementation is not compatible with fee-on-transfer tokens or any tokens that do not honor a one-to-one transfer relation (i.e. might result in less funds being received by the recipient of the transfer).
We advise the Avant Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Avant Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Avant Protocol and have identified that all exhibits have been adequately dealt with no outstanding issues remaining in the report.
Post-Audit Conclusion (cac155665a)
After deploying the contracts, the Avant Protocol team observed that the Avalanche-to-Linea CCIP connection lane requires the extraArgs parameter of the EVM2AnyMessage to be set explicitly so as to include a gas limit as well as out-of-order execution configuration.
The out-of-order execution is mandatory on CCIP lanes that interact with zero-knowledge blockchains such as Linea due to technical limitations with the way zero-knowledge proofs are generated.
We evaluated the introduced change to the codebase and consider it sufficient to render the contracts compatible with zero-knowledge CCIP lanes, such as the Avalanche-to-Linea connection lane.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
 | 0 | 0 | 0 | 0 |
 | 5 | 5 | 0 | 0 |
 | 0 | 0 | 0 | 0 |
 | 2 | 2 | 0 | 0 |
 | 0 | 0 | 0 | 0 |
During the audit, we filtered and validated a total of 1 findings utilizing static analysis tools as well as identified a total of 6 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: