776
Confidence: 80%
Z-Factor: 0.80
Updated 2026-05-27
Public score
Security Profile
Access Control: 72
Economic Soundness: 68
Oracle Integrity: 71
Compositional Risk: 58
Governance: 68
Maturity: 75
Resilience: 50
Supply Chain: 69
Op Security: 62
Cascade Exposure: 100
Min: 50
Avg: 69
Max: 100
Audit History
OpenZeppelin, 2022-10
Trail of Bits, 2024-01
Bug Bounty Program
Max payout: $1,000,000 (Self-hosted)
Assessment
Well-defended optimistic bridge with a mature UMA oracle. It has a higher BRI than Abracadabra because of stronger defense-in-depth (dispute mechanism, bond requirement, challenge period). Cross-chain composition is the primary risk factor keeping it below 700.
Dimension Breakdown
Access Control
72 · Weight 18% · 75% confidence
+14 SpokePool admin is cross-domain (HubPool via bridge) - strong access control
+14 proposeRootBundle is permissionless but requires bond
+14 executeRootBundle is gated by liveness period + Merkle proof
+14 Owner-only functions for critical configuration (adapters, routes)
Economic Soundness
68 · Weight 13% · 65% confidence
+17 Bond requirement makes malicious proposals economically costly
+17 LP token model with utilizedReserves tracking
+17 Relayer incentive model aligns interests (fill now, claim later)
+17 No flash loan capability reduces attack capital amplification
Oracle Integrity
71 · Weight 13% · 70% confidence
+18 UMA optimistic oracle is battle-tested dispute resolution
+18 Dispute mechanism provides human-in-the-loop verification
+18 No reliance on price feeds for core operations
+18 Root bundle verification is binary (valid/invalid), not price-dependent
Battle-Tested Maturity
75 · Weight 12% · 80% confidence
+15 Live since 2021, V3 deployed 2023
+15 Multiple audits (OpenZeppelin, others)
+15 No critical exploits in production history
+15 Active bug bounty program
Governance & Upgradeability
68 · Weight 10% · 60% confidence
+23 Owner multisig controls critical configuration
+23 Emergency delete capability is centralized but provides safety
+23 UMA governance provides decentralized dispute resolution
-32 No timelock on adapter changes (risk)
Adversarial Resilience (redacted)
50 · Weight 10% · 30% confidence
- Optimistic challenge period provides defense window
- Bond slashing deters malicious proposals
- Fill status tracking prevents double-fill replay
- Emergency controls available for rapid response
Operational Security
62 · Weight 10% · 60% confidence
-19 No branch protection detected
-19 CI/CD present but unstable (0% success)
+16 Commit signing: 100% verified
+16 Strong PR review culture (83% reviewed)
Compositional Risk
58 · Weight 5% · 55% confidence
+14 Cross-chain message composition is inherently complex
+14 Multiple L2 adapters (Optimism, Arbitrum, etc.) - each is a trust boundary
+14 Adapter compromise would bypass all on-chain verification
+14 MerkleLib used for proof verification - standard but critical dependency
Cascade Exposure
100 · Weight 5% · 55% confidence
+33 Appears in 1 cross-protocol cascade chain(s)
+33 Member of 1 dependency cluster(s)
+33 Source: cross_protocol_composition.json dependency analysis
Supply Chain
69 · Weight 4% · 55% confidence
+23 Standard Solidity + OpenZeppelin base
+23 MerkleLib is custom but well-audited
+23 UMA SDK dependency is external but mature
Top Score Drivers
Dimensions with the greatest marginal impact on BRI.
Adversarial Resilience
50 · +34.2 potential
Access Control
72 · +29 potential
SpokePool admin is cross-domain (HubPool via bridge) - strong access control
Economic Soundness
68 · +24.5 potential
Bond requirement makes malicious proposals economically costly
Operational Security
62 · +23.3 potential
No branch protection detected
Oracle Integrity
71 · +21.7 potential
UMA optimistic oracle is battle-tested dispute resolution
Adversarial Risk Signals
Publicly verifiable security posture indicators.
Disclosure History: Not Assessed
Remediation Velocity: Not Assessed
Bug Bounty Program: Not Assessed
Audit Coverage: Not Assessed
Incident History: Not Assessed
methodology v2.1 · formula v1.1 · weights v1.1 · evidence sha256:sha256:7...
Score History & Verification
Score provenance tracking begins with the next reassessment.
On-Chain Data
- Protocol Slug: "across"
- Oracle: BRORegistry (Base)
- Evidence: IPFS (pinned)
- Staleness Threshold: 24 hours
Read Score
registry.getScore("across")