The Gonka development team recently completed a comprehensive security audit of the Ethereum bridge infrastructure, identifying and resolving three critical vulnerabilities that posed significant risks to user funds and cross-chain operations.
Block Comparison Logic Flaw
The first issue involved a fundamental error in block number comparison logic. The system compared block numbers lexicographically (as strings) instead of numerically, so "9" was evaluated as greater than "10". This flaw disrupted the bridge's cleanup mechanisms, potentially leaving stale transactions unprocessed and degrading overall system reliability.
The development team implemented proper numeric comparison logic, ensuring that block numbers are evaluated correctly across all bridge operations. This fix eliminates the possibility of cleanup failures and maintains the integrity of the transaction processing pipeline.
Silent Address Validation Failure
A more severe vulnerability was discovered in the ethereumAddressToBytes function, which silently returned zero bytes when processing invalid Ethereum addresses. This behavior created a dangerous scenario where funds could be inadvertently sent to the zero address (0x0), effectively burning them and making recovery impossible.
The team redesigned the address validation system to explicitly return errors when encountering invalid input, preventing any possibility of silent failures. This change ensures that all address validations are transparent and that users receive immediate feedback when providing incorrect address formats.
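The two defect classes described above (string comparison of block numbers, and an address decoder that silently yields the zero address) next to their corrected forms, as an added Go illustration; this is constructed example code, not Gonka's bridge code, and the function names and the 20-byte address convention are assumptions for the demo.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// Flawed: Go compares strings byte by byte, so "9" > "10" (constructed illustration, not Gonka's code).
func blockAfterLexicographic(a, b string) bool { return a > b }

// Fixed: parse as integers; big.Int also copes with values beyond uint64 and
// turns non-numeric input into an error instead of a wrong answer.
func blockAfter(a, b string) (bool, error) {
	x, okA := new(big.Int).SetString(a, 10)
	y, okB := new(big.Int).SetString(b, 10)
	if !okA || !okB || x.Sign() < 0 || y.Sign() < 0 {
		return false, fmt.Errorf("non-numeric block number: %q, %q", a, b)
	}
	return x.Cmp(y) > 0, nil
}

// Flawed: any invalid address quietly becomes 20 zero bytes, i.e. the 0x0 burn address.
func ethereumAddressToBytesSilent(addr string) [20]byte {
	var out [20]byte
	b, err := hex.DecodeString(strings.TrimPrefix(addr, "0x"))
	if err == nil && len(b) == 20 {
		copy(out[:], b)
	}
	return out
}

// Fixed: anything that is not "0x" + 40 hex digits is an explicit error.
func ethereumAddressToBytes(addr string) ([20]byte, error) {
	var out [20]byte
	b, err := hex.DecodeString(strings.TrimPrefix(addr, "0x"))
	if err != nil || len(b) != 20 || !strings.HasPrefix(addr, "0x") {
		return out, fmt.Errorf("invalid Ethereum address %q", addr)
	}
	copy(out[:], b)
	return out, nil
}

func main() {
	ok, _ := blockAfter("9", "10")
	_, err := ethereumAddressToBytes("0xnot-an-address")
	fmt.Println(blockAfterLexicographic("9", "10"), ok, err != nil) // true false true
}
```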
Chain ID Mapping Inconsistency
The third issue involved an incomplete chain ID mapping configuration. While the withdrawal process correctly included "optimism" in its chain mapping, the minting process lacked this entry, creating an asymmetric configuration that broke round-trip bridge operations on the Optimism network.
Users attempting to bridge assets to Optimism and then back to Ethereum would encounter failures during the return journey, as the minting process could not properly identify the Optimism chain. The development team synchronized both mapping configurations, ensuring consistent chain ID handling across all bridge operations.
Impact and Resolution
These vulnerabilities collectively represented significant risks to the bridge ecosystem. The lexicographic comparison issue could have led to operational failures, while the silent address validation posed direct threats to user funds. The chain mapping inconsistency specifically affected Optimism users, potentially stranding assets on one side of the bridge.
The development team deployed all three fixes simultaneously on March 23, 2026, following extensive testing on testnets. The fixes underwent peer review and automated testing to ensure no regressions were introduced during the security hardening process.
Bridge operators and users can now rely on improved safety mechanisms that provide explicit error handling, correct block processing, and complete multi-chain support. The team continues to monitor the bridge infrastructure and maintains ongoing security auditing practices to identify and resolve potential vulnerabilities before they can impact users.