Push Chain required security coverage across its entire protocol stack — from Solana and EVM bridge gateways to its custom Layer 1 blockchain — before mainnet launch. Hacken conducted four separate audits, identified and remediated key vulnerabilities in vault integrity, privilege separation, and oracle security, and delivered comprehensive L1 blockchain assurance across the full cross-chain architecture.
What is Push Chain?
Push Chain is a universal Layer 1 blockchain built to enable shared app experiences across all chains. Developed by the team behind Push Protocol — the industry standard for web3 notifications — Push Chain extends that infrastructure into a full execution layer where smart contracts can be triggered from any blockchain without requiring users to bridge assets or switch wallets.
The platform combines EVM and Solana bridge gateways, a custom Proof-of-Stake consensus mechanism, and universal smart contracts that are chain-agnostic by design. Backed by over seven years of web3 infrastructure experience, Push Chain is positioned as a unifying execution layer for the multi-chain ecosystem.
The Challenge
Push Chain's architecture spans three distinct execution environments — EVM, SVM (Solana), and a custom L1 — each with its own attack surface. Before mainnet launch, the team needed end-to-end security assurance: not just smart contract coverage, but validation of the blockchain infrastructure itself.
Key risks included the integrity of vault-based asset custody, the TSS signature scheme authorizing all outbound fund releases, rate limit and price feed configuration on gas routes, and privilege separation across admin and pauser roles.
On TSS specifically: while the threshold signature scheme is the sole authorization mechanism for all outbound fund releases, Push Chain's implementation is MPC-based using the DKLs23 protocol via Silence Labs, with a signer-sidecar model where no single participant ever holds the full key. Key resharing on validator churn ensures key material stays distributed as the validator set evolves. Hacken's audit validated this architecture while also identifying and remediating the surrounding operational controls — access permissions, role separation, and configuration boundaries — that determine how safely that architecture operates in practice.
How Hacken Delivered
1. Cross-Environment Smart Contract Audits
Hacken conducted three separate smart contract audits tailored to each environment — Solidity on EVM, Rust/Anchor on Solana, and core protocol contracts. On the Solana side, auditors identified a vault collateralization flaw where gas fee reimbursements were incorrectly drawn from the bridge vault rather than the protocol fee pool. Left unaddressed, this would have caused systematic SOL undercollateralization under normal protocol operation — no attacker required. Each audit included proof-of-concept development for high-impact findings, with the SPL liquidity fragmentation vector demonstrated via working exploit code.
2. Privilege Separation and Access Control Review
Hacken identified that the pauser role could both pause and unpause the gateway, breaking the intended separation between emergency halt authority and recovery authority. In a live incident, this would allow a lower-privilege actor to reverse an admin-initiated halt without authorization. The finding was fixed by introducing a dedicated unpause action restricted to admin only. Auditors also flagged inconsistent pause constraints across admin functions — some admin operations were blocked during pause while others were not, forcing the admin to temporarily unpause the protocol just to apply emergency configuration changes. This was resolved by aligning all admin functions to a consistent pattern.
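The separation described above, as an added example in plain Rust (not Push Chain's or Hacken's code): Role, Gateway and every method name are hypothetical. It assumes the "consistent pattern" means admin configuration stays callable while the gateway is paused.

```rust
// Plain-Rust model of the pause controls; all names here are hypothetical.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { Admin, Pauser, User }

#[derive(PartialEq, Debug)]
pub enum GatewayError { Unauthorized, Paused, OverCap }

pub struct Gateway { pub paused: bool, pub per_tx_cap_usd: u64 }

impl Gateway {
    /// Emergency halt: available to the pauser and the admin.
    pub fn pause(&mut self, caller: Role) -> Result<(), GatewayError> {
        if caller == Role::User { return Err(GatewayError::Unauthorized); }
        self.paused = true;
        Ok(())
    }
    /// Before the fix: the pauser can also lift a halt, including an admin's.
    pub fn unpause_before_fix(&mut self, caller: Role) -> Result<(), GatewayError> {
        if caller == Role::User { return Err(GatewayError::Unauthorized); }
        self.paused = false;
        Ok(())
    }
    /// After the fix: recovery is a dedicated action restricted to the admin.
    pub fn unpause(&mut self, caller: Role) -> Result<(), GatewayError> {
        if caller != Role::Admin { return Err(GatewayError::Unauthorized); }
        self.paused = false;
        Ok(())
    }
    /// Admin configuration. Assumption: the consistent pattern lets admin
    /// functions run while paused, so limits can be tightened during a halt.
    pub fn set_per_tx_cap(&mut self, caller: Role, cap_usd: u64) -> Result<(), GatewayError> {
        if caller != Role::Admin { return Err(GatewayError::Unauthorized); }
        self.per_tx_cap_usd = cap_usd;
        Ok(())
    }
    /// User path: the pause flag gates deposits, not admin configuration.
    pub fn deposit(&self, usd: u64) -> Result<(), GatewayError> {
        if self.paused { return Err(GatewayError::Paused); }
        if usd > self.per_tx_cap_usd { return Err(GatewayError::OverCap); }
        Ok(())
    }
}

fn main() {
    let mut gw = Gateway { paused: false, per_tx_cap_usd: 1_000 };
    gw.pause(Role::Admin).unwrap();
    println!("pauser unpause (fixed): {:?}", gw.unpause(Role::Pauser));
    println!("admin cap change while paused: {:?}", gw.set_per_tx_cap(Role::Admin, 100));
}
```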
3. Oracle and Rate Limit Security
The SVM Gateway enforces per-transaction USD caps and a per-slot block USD budget on inbound gas route deposits using an on-chain price feed configuration managed through Push Chain's own infrastructure. Hacken identified that the price staleness window was hardcoded to one hour — far exceeding the 30–90 second industry standard. With a one-hour window, users have meaningful ability to select favorable historical prices and bypass USD caps. Hacken replaced the hardcoded constant with an admin-configurable parameter defaulting to 60 seconds.
Auditors also identified a rate limit reset flaw where updating a token's epoch threshold silently cleared accumulated usage mid-epoch — an operational footgun that would defeat the intent of tightening limits during abnormal activity. The fix preserves accumulated epoch usage on subsequent threshold updates.
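Both fixes from this section, as an added example in plain Rust (not the SVM Gateway's code): the type, function and constant names are hypothetical and the prices and timestamps are constructed. It compares the one-hour window with the 60-second default, and the threshold update that cleared usage with the one that preserves it.

```rust
// Plain-Rust model of the two gas-route checks; all names are hypothetical.
#[derive(PartialEq, Debug)]
pub enum LimitError { StalePrice, EpochLimitExceeded }

pub const DEFAULT_MAX_PRICE_AGE_SECS: i64 = 60; // default stated on the page
pub const OLD_HARDCODED_AGE_SECS: i64 = 3_600;  // the former one-hour constant

pub struct PriceUpdate { pub usd_micro: u64, pub publish_time: i64 }

/// Accept a price only if it was published within `max_age_secs` of `now`.
/// Timestamps from the future are rejected as well.
pub fn fresh_price(p: &PriceUpdate, now: i64, max_age_secs: i64) -> Result<u64, LimitError> {
    let age = now.saturating_sub(p.publish_time);
    if age < 0 || age > max_age_secs { return Err(LimitError::StalePrice); }
    Ok(p.usd_micro)
}

pub struct TokenRateLimit { pub threshold: u64, pub epoch: u64, pub used: u64 }

impl TokenRateLimit {
    /// Before the fix: a threshold update also cleared usage mid-epoch.
    pub fn set_threshold_before_fix(&mut self, threshold: u64) {
        self.threshold = threshold;
        self.used = 0;
    }
    /// After the fix: usage accumulated in the current epoch is preserved.
    pub fn set_threshold(&mut self, threshold: u64) { self.threshold = threshold; }
    /// Charge `amount` against the epoch budget; usage resets only on rollover.
    pub fn consume(&mut self, epoch: u64, amount: u64) -> Result<(), LimitError> {
        if epoch > self.epoch { self.epoch = epoch; self.used = 0; }
        let total = self.used.checked_add(amount).ok_or(LimitError::EpochLimitExceeded)?;
        if total > self.threshold { return Err(LimitError::EpochLimitExceeded); }
        self.used = total;
        Ok(())
    }
}

fn main() {
    let old = PriceUpdate { usd_micro: 150_000_000, publish_time: 1_000 }; // constructed sample
    println!("45 min old, 1h window: {:?}", fresh_price(&old, 3_700, OLD_HARDCODED_AGE_SECS));
    println!("45 min old, 60s window: {:?}", fresh_price(&old, 3_700, DEFAULT_MAX_PRICE_AGE_SECS));
    let mut lim = TokenRateLimit { threshold: 1_000, epoch: 7, used: 0 };
    lim.consume(7, 900).unwrap();
    lim.set_threshold(500); // tightened during abnormal activity
    println!("after tightening: {:?}", lim.consume(7, 50));
}
```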
4. L1 Blockchain Audit
Smart contract audits cannot reach consensus safety, P2P networking, or validator infrastructure. For a new Layer 1, these layers represent the deepest attack surface. Hacken conducted a full blockchain audit of the Push Chain node software — built on Cosmos SDK with a custom EVM layer (pchaind) — covering the Proof-of-Stake consensus mechanism, block production and finalization, P2P networking and Sybil resistance, state machine correctness, and key management for validator operators and TSS participants — delivering the end-to-end assurance that a launch-stage L1 requires before mainnet.

The Result: Zero Critical and High Findings
Push Chain successfully completed all four security engagements with no Critical or High severity vulnerabilities identified across any audit. Every High and Medium severity finding was resolved, mitigated, or formally acknowledged before final report publication. Most findings were fixed in code and re-verified by Hacken; a small number were formally accepted as intentional design decisions with the reasoning documented; and a few were mitigated where a complete fix sat outside the audited scope. No finding was left unaddressed.
Key security improvements delivered:
- Vault 1:1 backing invariant protected by correcting the gas fee reimbursement source
- SPL liquidity fragmentation closed with canonical ATA enforcement across all bridge paths
- Forged revert data injection prevented by authenticating revert_msg in the TSS-signed payload
- Two-step admin transfer implemented, eliminating the risk of permanent admin key loss
- L1 blockchain infrastructure independently validated before mainnet activation
What This Means for Push Chain Users and Partners
For developers building on Push Chain: The audits confirm that universal smart contracts and bridge infrastructure have been independently reviewed against real attack scenarios, not just theoretical checklists.
For institutional integrators: Four completed Hacken audits — covering EVM, Solana, core contracts, and the L1 itself — provide a comprehensive security record spanning the full protocol stack.
For the broader web3 ecosystem: Push Chain's commitment to auditing every layer before launch sets a high standard for cross-chain infrastructure security.