This repository is for the audit competition for the Aleph-Zero--Most-Relayer. To participate, submit your findings only by using the on-chain submission process on .
- follow the instructions on
We look forward to seeing your findings.
Bring your assets to Aleph Zero and benefit from its scalable privacy-enhancing ecosystem.
*'bridge' in Slavic languages.
- Aleph Zero contractsazero/contracts/most
- the main bridge contractazero/contracts/gas-price-oracle
- a contract for informing the guardians about Ethereum gas pricesazero/contracts/token
- a PSP22 token implementation for the tokens created by the bridge
- Ethereum contractseth/contracts/Most.sol
- the main bridge contracteth/contracts/Governance.sol
- a contract for making governance decisions about the bridge contracts on Ethereumeth/contracts/WETH9.sol
- a wrapped ethereum implementation for testing purposeseth/contract/Token.sol
- an ERC20 token implementation for testing purposes
- the component doing the actual bridging between the chains
Have docker, docker-compose (1.29.2
) and cargo-contract (3.2.0
) installed.
To run the tests for the Solidity Most.sol
contract, run:
make test-solidity
It will run the tests using the Hardhat framework.
Alternatively, you can run the tests directly from the selected file in the eth
directory, for example:
cd eth
npx hardhat test test/Most.js
To run the unit tests for the ink! contracts, run:
make test-ink-unit
These will allow you to test the contracts in isolation, without the need for running a blockchain node in the background.
To run DRink! based tests, which allow for testing interactions between multiple contracts without the need to run a node, run:
make drink-tests
DRink! tests are located in azero/contracts/drink-tests/
To run the end-to-end tests for the ink! most
contracts, run (requires docker-compose 1.29.2
make test-ink-e2e
These tests are located at azero/contracts/tests
To run a local development environment, run:
make bridge
This will start a local development environment with the following components:
- Aleph Zero Development chain
- Ethereum PoS Development chain
- Bridge contracts deployed on both chains
- Redis instance
- Relayer process
To run the development chain without deploying the contracts or running the relayer, run:
make devnet-eth
make devnet-azero
First, run the signer:
cd relayer
RELAYER_ID=1 scripts/
The signer will output the CID on which it is running, but you should also be able to just use 2 (meaning host) as the CID.
Next, run the relayer, passing the signer CID to connect to:
# in most/relayer
SIGNER_CID=2 scripts/
To stop the networks (and redis) and clean up:
make clean
get a shell into running container:
docker exec -it eth_bootnode "geth attach /root/.ethereum/geth.ipc"
attach console to the geth process:
geth attach /root/.ethereum/geth.ipc
Check the connected peers, confirm these are the correct nodes:
To deploy the contracts on the EVM chain:
make deploy-eth
This command will deploy the contracts and print out the contract addresses.
Now, open a Hardhat console:
cd eth && npx hardhat console --network development
Interact with the deployed contracts instance:
let Most = await ethers.getContractFactory("Most")
let most = Most.attach("insert contract address here")
let accounts = await ethers.getSigners();
await most.isGuardian(accounts[0])
await most.isGuardian(accounts[1])
To deploy the contracts on the Aleph Zero chain:
make deploy-azero
make run-relayers
Given a deployed (by us) Aleph Zero contract with some code hash C
it's possible to check that the contract has been
produced from a certain version of the source code in this repo (say a given commit). To do so:
git checkout $COMMIT
make print-azero-codehashes
- Find the contract in question in the list and ensure that the printed code hash is the same as
The contracts will be deployed using the same docker image as the one used for this procedure, which smooths out indeterminism in ink! contract compilation.
Given a deployed Ethereum contract address it's possible to post verified sources to etherscan and sourcify. You will need an API key for etherscan - can be obtained at if you have an account. To do so:
git checkout $COMMIT
- where$COMMIT
is the commit from which the contract has been deployedcd eth
For example, if you deploy Token.sol
to the sepolia testnet like so:
const usdt = await Token.deploy(
and the address is 0xbd737D2061ed3b24C95FA88566Ad896c9Fcc84b0
, then you would post verified sources like so:
ETHERSCAN_API_KEY=[YOUR API KEY] npx hardhat --network sepolia verify "0xbd737D2061ed3b24C95FA88566Ad896c9Fcc84b0" \
"12000000000000000000000000" "Tether" "USDT"
Assuming a contract verified on etherscan, there's a convenience script to decode a call to that contract. Just call:
Valid values for NETWORK
are mainnet (default)
, sepolia
, and goerli
For example:
NETWORK=sepolia \
CALL=0x095ea7b30000000000000000000000005a344a8721d743393847c17613dd78c7776b271400000000000000000000000000000000000000000000000000000000000004d2 \
CONTRACT=0x5a344a8721d743393847C17613dd78C7776b2714 \
make decode-eth
Contract: Token
Method: approve(address,uint256)
Arguments: Result(2) [ '0x5a344a8721d743393847C17613dd78C7776b2714', 1234n ]