Push Chain

We express our gratitude to the Push Chain team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Push Chain is a Solana-side bridge gateway that locks user deposits in a PDA-controlled vault and releases them via TSS-signed outbound operations (withdraw, execute, revert, rescue), enabling bidirectional asset and payload bridging between Solana and Push Chain.

The system users should acknowledge all the risks summed up in the risks section of the report

Documentation quality

• Functional requirements are provided.

• Technical description is provided.

Code quality

• Some compute-inefficient patterns were identified, such as redundant oracle calls or redundant validations.

• The development environment is configured.

Test coverage

Code coverage of the project is 95.4% (line coverage).

• Deployment, initialization, and admin configuration flows are fully covered.

• Positive and negative cases are covered across deposit, withdraw, revert, and rescue paths, including replay protection, pause enforcement, zero-amount rejection, and insufficient balance checks.

• Multi-user interactions involving SPL token deposits into non-canonical vault accounts are covered via PoC tests.

• Execute-mode CPI paths with TSS signature verification are covered through the test-counter integration tests.

• Uncovered lines (4.6%) are primarily error branches in initialize.rs and edge cases in pricing.rs and validation.rs.

The Push Chain SVM Gateway is the Solana-side bridge gateway for asset movement between Solana and Push Chain. It accepts inbound deposits on Solana, escrows assets under protocol-controlled accounts, and later processes outbound withdrawals, finalize operations, reverts, and rescues based on TSS authorization.

Architecture

The gateway maintains two core custody accounts:

• Vault (vault_sol) holds bridged native SOL and serves as the authority for SPL token vault accounts.

• Fee Vault (fee_vault) holds protocol fees collected from inbound deposits and is intended to fund relayer reimbursements without consuming bridge collateral.

Additional protocol state includes:

• Config: stores admin and pauser authorities, pause state, protocol fee settings, USD cap parameters, and Pyth oracle configuration.

• TssPda: stores the active TSS Ethereum address and chain ID used for secp256k1 verification on outbound operations.

• CEA: a per-user PDA used as a persistent execution identity for outbound CPI and staged execution flows.

• ExecutedSubTx: replay-protection state keyed by sub_tx_id.

• RateLimitConfig: stores the per-slot USD cap and epoch duration for inbound rate limiting.

• TokenRateLimit: stores per-token epoch-based rate-limit state.

Inbound Flow

Users initiate deposits through send_universal_tx. The gateway collects the protocol fee, classifies the request by route type, applies route-specific controls, transfers assets into protocol custody, and emits a UniversalTx event for downstream processing.

• GAS / GAS_AND_PAYLOAD: native SOL route with USD-denominated checks using the configured Pyth SOL/USD feed.

• FUNDS / FUNDS_AND_PAYLOAD: standard bridge route for native SOL or SPL tokens with token-based epoch rate limiting.

Outbound Flow

All outbound operations require a valid TSS secp256k1 signature. The gateway supports four outbound paths:

• Withdraw (withdraw) releases assets from protocol custody to a Solana recipient.

• Finalize (finalize_universal_tx) stages assets to a user-specific CEA, then transfers, executes CPI, or routes assets back into the gateway.

• Revert (revert_universal_tx) returns assets when a cross-chain operation must be canceled or rolled back.

• Rescue (rescue_funds) provides an operator-controlled recovery path for exceptional cases.

Privileged Roles

The admin (config.admin) holds the highest privilege. It can update the TSS address, rotate admin and pauser authorities, configure the Pyth oracle feed, set USD caps and rate limits, set the protocol fee, and pause or unpause the gateway. All admin actions take effect immediately with no timelock.

The pauser (config.pauser) can pause and unpause the gateway. The admin can also pause and unpause, meaning the pauser cannot enforce a pause against the admin's will.

The TSS is the sole authorization mechanism for all outbound operations. It produces ECDSA secp256k1 signatures verified on-chain. No funds can leave the vault without a valid TSS signature.

The scope of the project includes the following smart contracts from the provided repository:

Assets in Scope