Across Protocol
DAMASCUSBridge · Multi-chain · $500M+ TVL · 10 contracts
Confidence 80%Z-Factor 0.80Updated 2026-05-17Public Score
Public risk assessment — scores are produced with the same methodology as monitored protocols
776
BRI Score
3004756508251000
Security Profile
Access Control
72
72
Economic Soundness
68
68
Oracle Integrity
71
71
Compositional Risk
58
58
Governance
68
68
Maturity
75
75
Resilience
50
50
Supply Chain
69
69
Op Security
62
62
Cascade Exposure
100
100
Access Ctrl
72
72
Economic
68
68
Oracle
71
71
Compos.
58
58
Govern.
68
68
Maturity
75
75
Resilience
50
50
Supply Ch.
69
69
OpSec
62
62
Cascade
100
100
Min
50
Avg
69
Max
100
Audit History
OpenZeppelin
2022-10
Trail of Bits
2024-01
Bug Bounty Program
$500,000
Max payout on Immunefi
Assessment
ENRICHED_FROM_ARCHITECTURE: Well-defended optimistic bridge with mature UMA oracle. Higher BRI than Abracadabra due to stronger defense-in-depth (dispute mechanism, bond requirement, challenge period). Cross-chain composition is primary risk factor keeping it below 700.
Dimension Breakdown
How scores work →Access Control
Weight 18%75% conf
72
arrow_forwardGood
+14SpokePool admin is cross-domain (HubPool via bridge) - strong access control
+14proposeRootBundle is permissionless but requires bond
+14executeRootBundle is gated by liveness period + Merkle proof
+14Owner-only functions for critical configuration (adapters, routes)
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 13%65% conf
68
arrow_forwardModerate
+23Bond requirement makes malicious proposals economically costly
+23LP token model with utilizedReserves tracking
+23Relayer incentive model aligns interests (fill now, claim later)
-32No flash loan capability reduces attack capital amplification
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 13%70% conf
71
arrow_forwardGood
+36UMA optimistic oracle is battle-tested dispute resolution
+36Dispute mechanism provides human-in-the-loop verification
-14No reliance on price feeds for core operations
-14Root bundle verification is binary (valid/invalid), not price-dependent
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 12%80% conf
75
arrow_forwardGood
+19Live since 2021, V3 deployed 2023
+19Multiple audits (OpenZeppelin, others)
-25No critical exploits in production history
+19Active bug bounty program
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 10%60% conf
68
arrow_forwardModerate
+23Owner multisig controls critical configuration
+23Emergency delete capability is centralized but provides safety
+23UMA governance provides decentralized dispute resolution
-32No timelock on adapter changes (risk)
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%30% conf
50
Concerning
- Optimistic challenge period provides defense window
- Bond slashing deters malicious proposals
- Fill status tracking prevents double-fill replay
- Emergency controls available for rapid response
Operational Security
Weight 10%60% conf
62
arrow_forwardModerate
-10No branch protection detected
-10CI/CD present but unstable (0% success)
+16Commit signing: 100% verified
+16Strong PR review culture (87% reviewed)
receipt_longView provenance chainarrow_forward
Compositional Risk
Weight 5%55% conf
58
arrow_forwardModerate
+14Cross-chain message composition is inherently complex
+14Multiple L2 adapters (Optimism, Arbitrum, etc.) - each is a trust boundary
+14Adapter compromise would bypass all on-chain verification
+14MerkleLib used for proof verification - standard but critical dependency
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%55% conf
100
arrow_forwardExcellent
+33Appears in 1 cross-protocol cascade chain(s)
+33Member of 1 dependency cluster(s)
0Score: 100/100 (higher = more isolated from systemic risk)
+33Source: cross_protocol_composition.json dependency analysis
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%55% conf
69
arrow_forwardModerate
+23Standard Solidity + OpenZeppelin base
+23MerkleLib is custom but well-audited
+23UMA SDK dependency is external but mature
receipt_longView provenance chainarrow_forward
Risk Drivers
Primary risk factors driving this score, ordered by severity.
Adversarial Resilience50
Compositional Risk58
Operational Security62
Adversarial Risk Signals
Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.
Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Score History & Verification
Score provenance tracking begins with the next reassessment.
On-Chain Data
- Protocol Slug
- "across"
- Oracle
- BRORegistry (Base)
- Evidence
- IPFS (pinned)
- Staleness Threshold
- 24 hours
Read Score
registry.getScore("across")Reduce exploitable risk
BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.