security_review("agglayer")
AggLayer Vault Bridge
Independent security assessment · Cantina · May 2026
Yield-bearing cross-chain bridge vault (USDC, USDT, WBTC, USDS, ETH) on Ethereum mainnet.
3,039 lines of Solidity reviewed across 7 contracts.
HIGH: 2
MEDIUM: 3
LOW: 5
INFO: 3
TOTAL FINDINGS: 13
LINES REVIEWED: 3,039
H-01 · Proxy Takeover via Unprotected reinitialize
H-02 · Unlimited Approval to Arbitrary Address
M-01 · Cross-chain Redemption Permanently Broken
M-02 · No Timelock on Critical Governance Functions
M-03 · Yield Oracle Manipulation → vbToken Over-minting
L-01 · CEI Violation in _withdraw
L-02 · burn() Reverts on yieldRecipient vbTokens
L-03 · Auto-rebalance Silently Disabled
L-04 · setCustomToken Permanently Blocked
L-05 · migrationFeesFund Permanently Locked
I-01 · Catch Block Assumes Fixed Revert Format
I-02 · NatSpec Inaccuracy on setYieldRecipient
I-03 · Directly Transferred Tokens Unrecoverable