PR #132 merged the accepted default-vs-audit policy path, so default product and L1 E2E now pass on main while explicit Slither audit still reports known findings.
Current evidence from isolated origin/main checkout at merge commit 14f378b:
npm run flowchain:product-e2e
npm run flowchain:l1-e2e
node infra/scripts/check-unsafe-claims.mjs
git diff --check
All passed. Explicit audit remains failing:
npm run contracts:hardening:slither
Observed findings after 84 passing Foundry tests:
missing-zero-check for BaseBridgeLockbox.releaseNative(...).recipientlow-level-calls for the native release call in BaseBridgeLockbox.releaseNative
Scope:
- Decide whether these findings require a contract change, a Slither suppression with rationale, or a documented audit-only accepted risk.
- Add/adjust tests or docs appropriate to the chosen path.
- Do not use this issue to claim production bridge, real-funds bridge, or formal audit readiness.
Acceptance evidence:
- Exact command output for
npm run contracts:hardening:slither, or a documented accepted-risk/suppression path reviewed by contracts/security.
npm run flowchain:product-e2enpm run flowchain:l1-e2enode infra/scripts/check-unsafe-claims.mjsgit diff --check
PR #132 merged the accepted default-vs-audit policy path, so default product and L1 E2E now pass on
mainwhile explicit Slither audit still reports known findings.Current evidence from isolated
origin/maincheckout at merge commit14f378b:All passed. Explicit audit remains failing:
Observed findings after 84 passing Foundry tests:
missing-zero-checkforBaseBridgeLockbox.releaseNative(...).recipientlow-level-callsfor the native release call inBaseBridgeLockbox.releaseNativeScope:
Acceptance evidence:
npm run contracts:hardening:slither, or a documented accepted-risk/suppression path reviewed by contracts/security.npm run flowchain:product-e2enpm run flowchain:l1-e2enode infra/scripts/check-unsafe-claims.mjsgit diff --check