Push Chain

We express our gratitude to the Push Chain team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Push Chain is a fully EVM-compatible Proof-of-Stake Layer 1 blockchain designed to enable universal application deployment. It allows developers to deploy a Solidity-based smart contract once on Push Chain, while enabling users from multiple blockchain networks to interact with it using their existing wallets.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are provided via markdown documentation (docs/) covering architecture overview, UEA/CEA flows, migration mechanics, and threat modelling.

• Technical description is provided at a high level. Low-level implementation details (storage layout, upgrade invariants, exact encoding rules) are not documented.

Code quality

• The codebase uses OpenZeppelin upgradeable contracts for access control (AccessControlDefaultAdminRulesUpgradeable), pausability (PausableUpgradeable), reentrancy guards (ReentrancyGuardUpgradeable), and proxy patterns (Clones, ERC1967Proxy). Custom implementations are used where protocol-specific logic is required (UEA/CEA proxy storage slots, PRC20 synthetic token, WPC wrapper).

• Shared constants and types are properly centralized in Types.sol and Errors.sol. Custom errors are used consistently across all contracts, improving gas efficiency and debuggability.

• Role-based access control follows a granular separation pattern: ROLE_MANAGER_ROLE administers operational roles, contract-specific admin roles (UVCORE_ADMIN_ROLE, UEA_ADMIN_ROLE, CEA_ADMIN_ROLE) control configuration, OPERATOR_ROLE manages address setters and unpause operations, and PAUSER_ROLE is restricted to pause-only actions. This design limits the blast radius of a single compromised key.

• The development environment is configured with Foundry (forge build/forge test toolchain), Solidity 0.8.26, Shanghai EVM target, and via_ir optimization enabled.

Test coverage

Code coverage of the project is 91.92% (branch coverage).

• The test suite includes unit tests, fuzz tests (property-based), fork tests.

• Deployment and basic user interactions are well covered.

• Proxy initialization edge cases (UEAProxy, CEAProxy) have lower branch coverage (~50–67%).

• Cross-contract interaction scenarios (e.g., full UEA→CEA round-trip, migration under concurrent operations) are not tested end-to-end.

Push Chain is an EVM-compatible Proof-of-Stake Layer 1 designed for universal app execution across multiple ecosystems. Developers deploy once on Push Chain, while users from different chains interact using their native identities/wallets via protocol-managed execution accounts.

Core Module

• UniversalCore.sol is the main protocol coordinator on Push Chain. It manages PRC20 deposit/refund flows, chain gas metadata, supported gas tokens, and swap-and-burn logic through Uniswap-style integrations.

• PRC20.sol implements upgradeable synthetic ERC-20 assets representing external-chain tokens. It supports protocol-authorized minting (deposit), user burning, and stores source-chain token metadata plus UniversalCore linkage.

• WPC.sol is the wrapped native Push coin contract with standard wrap/unwrap and ERC-20-style transfer/allowance behavior used by core swap paths.

UEA Module Universal Executor Accounts

• UEAFactory.sol is the upgradeable factory/registry for UEAs. It maps chain identifiers to VM types, stores UEA implementations, deploys deterministic proxy instances (CREATE2), and controls pause/migration configuration.

• UEAProxy.sol is the minimal per-account proxy that stores implementation in a fixed slot and delegates all runtime calls.

• UEA_EVM.sol is the EVM UEA implementation. It validates ECDSA universal payloads (with trusted-module bypass path), applies nonce/deadline logic, and executes single-call, multicall, and migration dispatch.

• UEA_SVM.sol is the SVM UEA implementation. It mirrors EVM execution flow but verifies Ed25519 signatures through the verifier precompile before dispatching calls.

• UEAMigration.sol is the delegatecall-only migration singleton used to update UEA proxy implementation slots (separate targets for EVM/SVM logic).

CEA Module Chain Executor Accounts

• CEAFactory.sol is the upgradeable factory for destination-chain CEAs. It deploys deterministic proxy clones, maintains UEA↔CEA mappings, and manages vault/gateway/implementation/pause/migration parameters.

• CEAProxy.sol is the lightweight per-account proxy for CEAs with fixed-slot implementation storage.

• CEA.sol is the execution logic for CEAs. It is vault-gated, tracks executed tx IDs for replay protection, supports single-call/multicall/migration execution, and exposes outbound universal transaction initiation toward the gateway.

• CEAMigration.sol is the delegatecall-only migration singleton that updates CEA proxy implementation slots.

Shared Libraries

• Errors.sol centralizes common and module-specific custom errors.

• Types.sol defines shared structs/enums/constants (universal account ID, payload formats, multicall entries, selectors, and signing typehashes).

• Utils.sol provides utility helpers, including strict decimal-string-to-uint256 conversion (StringUtils).

Privileged roles

• UniversalCore.sol

• • DEFAULT_ADMIN_ROLE: root governance control with 1-day timelock for admin role transfers; can grant/revoke ROLE_MANAGER_ROLE.

  • ROLE_MANAGER_ROLE: grants operational roles (UVCORE_ADMIN_ROLE, OPERATOR_ROLE, PAUSER_ROLE); acts as the role admin for all operational roles.

  • UVCORE_ADMIN_ROLE: controls protocol configuration — protocol fees, gas tokens, gas limits, staleness thresholds, fee tiers, auto-swap support, deadline defaults, and native PC rescue.

  • OPERATOR_ROLE: address setters (updateWPC, updateUniversalGatewayPC, updateUniswapV3Addresses) and unpause.

  • PAUSER_ROLE: can pause core operational entrypoints, acting as an emergency stop operator.

  • UNIVERSAL_EXECUTOR_MODULE (hardcoded: 0x14191Ea54B4c176fCf86f51b0FAc7CB1E71Df7d7): executes module-only flows (token deposit, auto-swap, gas refund, chain metadata updates), making it a high-trust execution authority.

  • universalGatewayPC (privileged actor): exclusive caller for gateway burn/swap flow (swapAndBurnGas), so gateway integrity is a hard dependency.

• PRC20.sol

• • UNIVERSAL_EXECUTOR_MODULE: can update key token-level admin settings (updateUniversalCore, setName, setSymbol).

  • UNIVERSAL_CORE + UNIVERSAL_EXECUTOR_MODULE (mint authority): both are allowed to mint via deposit path, so issuance trust is shared between these two actors.

• UEAFactory.sol

• • DEFAULT_ADMIN_ROLE: root governance with 1-day timelock; can grant/revoke ROLE_MANAGER_ROLE.

  • ROLE_MANAGER_ROLE: grants operational roles (UEA_ADMIN_ROLE, OPERATOR_ROLE, PAUSER_ROLE).

  • UEA_ADMIN_ROLE: controls UEA ecosystem governance — implementation mapping, migration target, chain/VM registration, Push Chain ID; defines what logic UEAs trust over time.

  • OPERATOR_ROLE: can unpause UEA deployment operations.

  • PAUSER_ROLE: can pause UEA deployment operations.

• UEA_EVM.sol and UEA_SVM.sol

• • UNIVERSAL_EXECUTOR_MODULE: can execute UEA payloads without user-signature verification path, including migration-triggering payload types; this is a strong delegated execution trust assumption.

• CEAFactory.sol

• • DEFAULT_ADMIN_ROLE: root governance with 1-day timelock; can grant/revoke ROLE_MANAGER_ROLE.

  • ROLE_MANAGER_ROLE: grants operational roles (CEA_ADMIN_ROLE, OPERATOR_ROLE, PAUSER_ROLE).

  • CEA_ADMIN_ROLE: controls CEA factory implementation configuration — proxy implementation, logic implementation, migration target.

  • OPERATOR_ROLE: address setters (updateVault, updateUniversalGateway) and unpause.

  • PAUSER_ROLE: can pause CEA deployment operations.

  • VAULT: exclusive deploy caller for deployCEA, so operational control of vault affects account rollout.

• CEA.sol

• • VAULT: only inbound executor for universal tx handling; vault controls what gets executed on each CEA.

  • address(this) self-call gate (execution constraint): outbound gateway-send path (sendUniversalTxToUEA) is intentionally restricted to internal/self-call flows, not arbitrary external callers.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope