Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@brydge-network/direct-nft-protocol
Advanced tools
At a high level, our goal is to create a more seamless experience for a user to transact between protocols across chains. In this case, we look specifically at mechanisms to allow users to deposit into a protocol on the child chain while remaining on the
At a high level, our goal is to create a more seamless experience for a user to transact between protocols across chains. In this case, we look specifically at mechanisms to allow users to deposit into a protocol on the child chain while remaining on the parent chain.
The current common way of doing this would be to:
We can see here that this will require multiple signatures with possibly multiple approvals as well that the user would be required to sign throughout this process. We would like to provide some infrastructure and tools to help dapps avoid this inconvenience by implementing a clone
which could hold funds on behalf of the user.
The key difference between this and a normal relayer is that this solution utilizes the native state synchronization updates that the bor
blockchain provides, eliminating the need to trust a relayer.
At a high level, we make some key observations about how polygon
's architecture and internals function.
Bor
, polygon's block producing layer.Bor
actually fetches a batch of state updates from heimdall and _applies_them to the current world state by executing all of the state updates as if they were normal transactions. However, these 'transactions' are slightly different... For starters, they are executed as system calls, so no events will be emitted and they won't show up on etherscan like other transactions would.Putting these observations together, we can piece together a high level view of what we are trying to accomplish:
Scenario: A user is on Ethereum, with currency A and wishes to deposit currency B into protocol P which is on Polygon.
bor
will automatically execute our defined functions as itsyncs state updates
. This is incredibly convenient as we avoid having to post a constant relayer to be watching our one contract for token arrivals. Since we sent the metadata over the bridge second (after the asset), then by the time we hit our execution environment, we can be sure that the assets / tokens have already arrived.User
object's deposit
function as follows:interface IUser {
function deposit(bytes calldata depositData) external;
}
However, we still provide the flexibility of custom interactions / functionality by exposing these abstract functions and calling them internally:
abstract contract ProtocolUser {
__protocol_deposit(bytes calldata depositData) external;
}
contract User is ProtocolUser {
function deposit(bytes calldata depositData) external {
__protocol_deposit(depositData);
}
}
FAQs
Unknown package
The npm package @brydge-network/direct-nft-protocol receives a total of 78 weekly downloads. As such, @brydge-network/direct-nft-protocol popularity was classified as not popular.
We found that @brydge-network/direct-nft-protocol demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 7 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.