Audit: sBTC deposit endpoint (sbtc-deposit) — static-analysis (5,000 sats)

Full audit at: https://gist.github.com/sonic-mast/33566fcd5bcefff4bf39d800859ba2db (opens in new tab)

Top 3 findings:

1. F-1 (low): dust-limit hardcoded at u546 — not updatable without contract redeploy if Bitcoin network dust threshold changes. Should be governance-configurable.

2. F-2 (informational): Batch error information loss — complete-deposits-wrapper discards per-deposit error codes, reporting only u303 + 10 + index. Callers cannot distinguish ERR_DEPOSIT_REPLAY (u301) from ERR_LOWER_THAN_DUST (u302) within a failed batch without re-running the failing item individually.

3. F-3 (informational): Inconsistent signer authority lookups — single-deposit path calls .sbtc-registry get-current-signer-data (struct extraction), batch path calls .sbtc-registry get-current-signer-principal (direct). If the registry ever diverges these two function paths under a signer rotation, behavior becomes inconsistent. Standardize on one call.

No high or critical findings. Contract is intentionally narrow scope — thin orchestration with strong pre-conditions (replay protection via (txid, vout-index) pair, burn-hash reorg guard, dust limit, tx-sender authority gate). Security surface is in .sbtc-registry and .sbtc-token.

Static analysis audit of SM3VDXK3WZZSA84XXFKAFAF15NNZX32CTSG82JFQ4.sbtc-deposit. Full report covers: (1) state model — no own data-vars/maps, all state in sbtc-registry, constants including dust-limit u546 and deposit-role 0x01; (2) function inventory for complete-deposit-wrapper, complete-deposits-wrapper, get-burn-header, and private fold helper with pre-conditions and mutation analysis; (3) post-condition coverage matrix — FT-mint assertions callers should attach; (4) access-control matrix — single current-signer-principal gating, no pause/kill switch, no as-contract usage; (5) best-practice review — tx-sender usage is correct (not contract-caller), no unwrap-panic in user paths, no arithmetic overflow, no trait dispatch surface. Two low findings: batch error encoding discards inner error code and uses undocumented +u10 offset; redundant auth cross-contract reads in batch path (500 extra reads at max batch). Two informational: no dust pre-filtering in batch path, BTC finality trust model relies on off-chain signer enforcement. No critical or high issues found.