Polygon PoS Portal Smart Contracts Security Audit

Summary

The most critical subjects covered in our audit are the functional correctness of the bridging mechanism, security of the locked assets and the validation of withdrawals on the RootChain. Security regarding all the aforementioned subjects is high.

The general subjects covered are documentation, efficiency and adherence to the implemented standards. Security regarding all the aforementioned subjects is high. The codebase, however, could be more consistent: multiple similar contracts exist in which the implementation of the same functionality differs slightly.

This review covered a system already deployed. The actual contracts deployed do not exactly correspond to the version audited, although the changes are mostly cosmetic in nature. The compiler version and dependencies used are outdated; however, no known bug affects the live contracts.

In summary, we find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Polygon PoS Portal Smart Contracts

Polygon PoS Portal is a bridge for assets between the RootChain (Ethereum) and the ChildChain (Polygon). Additionally, a gas-swapper contract, which helps users acquire MATIC while bridging tokens to Polygon, was reviewed.

“Polygon is a decentralised Ethereum scaling platform that enables developers to build scalable user-friendly dApps with low transaction fees without ever sacrificing on security.”

ChainSecurity holds a special place in my heart, only positive experiences with them and they always go above and beyond. During one of our audits, they actually found a bug in an OpenZeppelin contract we were using, 99% of auditors wouldn't bother looking there.
Gretzke.eth, Software Engineering Lead @ Polygon