🔒Bridge Security

What is Fiorin’s bridge?

Fiorin’s bridge is a mechanism which ports Ethereum tokens to Bitcoin SV (BSV) (and vice-versa).

Fiorin’s bridge consists of two functions:

1. A smart contract on the Ethereum network and;

2. A token issuance mechanism on the BSV network

These functions are encapsulated within the Fiorin wallet UI for a completely seamless stablecoin deposit / withdrawal experience.

Is the bridge safe?!

Bridges are notorious for being insecure / unsafe. In order to have a higher level of confidence in a bridge, a user should consider the below:

1. Bridge smart contract is audited

2. Bridge smart contract is open source

3. Bridge smart contract locked and issued token amounts are public and verifiable

4. Controls / limits are hardcoded into the bridge smart contract

We address each of these points below.

Has the bridge smart contract been audited?

Yes! Fiorin bridge has been audited by Coinscope. The audit revealed:

• 0 critical findings

• 0 medium findings

• 11 informative findings (which have since been resolved on a redeployed smart contract)

Is the bridge smart contract code open source?

Yes! Here is the link to the Github repository.

What is the Ethereum smart contract address for the bridge?

What security controls are in place?

1. User must specify their ERC20 withdrawal address when the wallet is created and this address cannot later be changed

2. ERC20 withdrawal addresses cannot be reused between different Fiorin wallets

3. User cannot withdraw funds until 24 hours after their first deposit

4. User has a 24 hour withdrawal limit equal to the maximum deposit they have made into the wallet

5. There is a maximum daily withdrawal amount from each user account of $100,000

6. All withdrawals are automatically blocked if there is an imbalance between locked and issued stablecoin amounts (next section)

7. There is a auxiliary private key (in cold storage) for the Ethereum bridge smart contract that can nullify the primary private key and issue new primary and auxiliary private keys

Can locked and issued stablecoin balances be verified?

Fiorin’s bridge consists of two functions:

1. • Locked ERC20 balances can be verified on Etherscan here

2. • The 1:1 wrapped USDXS tokens can be verified here

What token protocol does Fiorin use?

Fiorin allows ERC20 tokens (Ethereum) deposits which it then wraps 1:1 as USDXS tokens using STAS (BSV):

AML screening?

Fiorin monitors (via 3rd party api) both inbound and outbound ERC20 transfers to/from the bridge smart contract. Suspicious sends/receives will be blocked.

What are the risks of using the bridge?

1. The bridge smart contract is exploited. Attackers could withdraw locked ERC20 tokens

2. Fiorin server is compromised. Attackers could action ERC20 withdrawal from bridge accounts of their choosing

3. Fiorin server is compromised. Attackers could mint unlimited USDXS tokens on BSV

• Mitigated by using open source bridge code

• Mitigated by having a reputable 3rd party audit

• Mitigated by public disclosure of locked ERC20 tokens and issued USDXS tokens. If these balances do not perfectly reconcile, the bridge smart contract can be disabled

• Mitigated by hardcoded bridge smart contract controls

  • Each bridge user has their own account with a fixed and pre-specified withdrawal address as well as 24 hour withdrawal limits

• Mitigated by an auxiliary private key (kept in cold storage) which has the power to disable the bridge smart contract and reissue new primary and auxiliary private keys