# Security audits

## CrossCurve Consensus Bridge CDP Security Audit Report by MixBytes

[**CrossCurve CDP**](https://docs.crosscurve.fi/crosscurve-metalayer/what-is-crosscurve-metalayer/crosscurve-token-bridge) (Cross-Chain Data Protocol) is a messaging protocol for cross-chain data transfers that relies on multiple projects such as [**LayerZero**](https://layerzero.network/), [**Axelar Bridge**](https://www.axelar.network/) and [**CrossCurve Bridge**](https://docs.crosscurve.fi/crosscurve-metalayer/what-is-crosscurve-metalayer/crosscurve-consensus-bridge). This security audit covers the latest updates to the protocol logic, including the integration of Router Protocol as an additional cross-chain messaging layer.

The audit was conducted over 2 days by 3 auditors, involving an in-depth manual code review and automated analysis within the scope.

During the audit, in addition to verifying standard attack vectors and our internal checklist, we conducted an in-depth review of the following areas:

* **Cross-Chain Message Replay Protection.**
* **Cross-Chain Data Decoding Consistency.**
* **Treasury Fund Protection.**
* **Bridge State Enforcement.**
* **Threshold-Based Message Validation.**
* **Threshold and Validation Enforcement.**
* **Multi-Bridge Priority System.**
* **State Consistency.**
* **Request ID Uniqueness.**
* **Correctness of the integration with Router.**
* **Verification of the fee compensation module.**

[Eywa CDP Security Audit Report.pdf](https://github.com/mixbytes/audits_public/blob/master/EYWA/CDP/Eywa%20CDP%20Security%20Audit%20Report.pdf)

🔗 [**Link**](https://github.com/mixbytes/audits_public/tree/master/EYWA/CDP) to MixBytes EYWA reports.

## CrossCurve DAO Security Audit Report by MixBytes <a href="#eywa-dao-security-audit-report-by-mixbytes" id="eywa-dao-security-audit-report-by-mixbytes"></a>

**1. Project architecture review:**

* Build an independent view of the project's architecture.
* Identify logical flaws.

**2. Checking the code in accordance with the vulnerabilities checklist:**

Eliminate typical vulnerabilities (e.g. reentrancy, gas limit, flash loan attacks).

**3. Checking the code for compliance with the desired security model:**

Detect inconsistencies with the desired model.

**4. Consolidation of the auditors' interim reports into one:**

* Double-check all the found issues to make sure they are relevant and the determined threat level is correct.
* Provide the Client with an interim report.

**5. Bug fixing & re-audit:**

* Verify the fixed code version with all the recommendations and their statuses.
* Provide the Client with a re-audited report.

**6. Final code verification and issuance of a public audit report:**

* Conduct the final check of the code deployed on the mainnet.
* Provide the Customer with a public audit report.

[Eywa DAO Security Audit Report.pdf](https://4033939941-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MeeWpeOIxH8_6YI1UtB%2Fuploads%2Fvz9pn54q4zlomxFYnFue%2FEywa%20DAO%20Security%20Audit%20Report.pdf?alt=media\&token=8fe03551-6f74-44dd-ba96-d96a9e73e3dc)\
🔗 [**Link**](https://github.com/mixbytes/audits_public/tree/master/EYWA/DAO) to MixBytes EYWA reports.

## CrossCurve CLP security audit by MixBytes <a href="#eywa-clp-security-audit-by-mixbytes" id="eywa-clp-security-audit-by-mixbytes"></a>

A group of auditors is involved in the audit. Security engineers check the provided source code independently of each other in accordance with the methodology described below:

**1. Project architecture review:**

* Build an independent view of the project's architecture.
* Identify logical flaws.

**2. Checking the code in accordance with the vulnerabilities checklist:**

Eliminate typical vulnerabilities (e.g. reentrancy, gas limit, flash loan attacks).

**3. Checking the code for compliance with the desired security model:**

Detect inconsistencies with the desired model.

**4. Consolidation of the auditors' interim reports into one:**

* Double-check all the found issues to make sure they are relevant and the determined threat level is correct.
* Provide the Client with an interim report.

**5. Bug fixing & re-audit:**

* Verify the fixed code version with all the recommendations and their statuses.
* Provide the Client with a re-audited report.

**6. Final code verification and issuance of a public audit report:**

* Conduct the final check of the code deployed on the mainnet.
* Provide the Customer with a public audit report.

[Eywa CLP Security Audit Report.pdf](https://4033939941-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MeeWpeOIxH8_6YI1UtB%2Fuploads%2Fc5NijkC7ogku3KH8HHsP%2FEywa%20CLP%20Security%20Audit%20Report.pdf?alt=media\&token=706b39da-90ab-4bc7-86c0-a3141c8a46e4)

🔗 [**Link**](https://github.com/mixbytes/audits_public/tree/master/EYWA/CLP) to MixBytes EYWA reports.

## CrossCurve CDP security audit by Smartstate <a href="#eywa-cdp-security-audit-by-smartstate" id="eywa-cdp-security-audit-by-smartstate"></a>

The core architectural element of the CrossCurve ecosystem is the **CrossCurve Cross-chain Data Protocol**, which is a transport layer between blockchains. All CrossCurve products for DeFi users are based on this protocol.

Although at the time of this audit the core of the CrossCurve multisig is represented by a trusted group of projects, CrossCurve aims for a DAO, as reflected in the project's current documentation.

**CDP Smart Contracts:** These smart contracts serve as a means for sending and accepting cross-chain calls. They also include a node registration contract used in the Proof of Authority (PoA) consensus among oracle nodes.

**Smart State evaluation:** 8/10

[EYWA\_CDP\_SС\_report.pdf](https://4033939941-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MeeWpeOIxH8_6YI1UtB%2Fuploads%2FoDPF19BlL5XdBQQwAVE1%2F05062305_EYWA_CDP_S%D0%A1_report.pdf?alt=media\&token=9c39f2ec-7108-4a19-a1e8-1c2e398c7a15) CDP report from SmartState

## Security audits by Smartstate <a href="#eywa-clp-security-audit-by-smartstate" id="eywa-clp-security-audit-by-smartstate"></a>

**2026** - Audit of smart contracts for connecting **CrossCurve MetaLayer** with the **Bungee** aggregator.

{% file src="<https://2491851656-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSnaMzO2OxSvSBUVB6drl%2Fuploads%2FxceC9IJT5EUPmTfH6IVk%2FSmartState_CrossCurve_Metalayer_BUNGEE_security_audit_interim_report.pdf?alt=media&token=80c63122-9f94-406c-8c03-1cdaf635560d>" %}
**Audit of the connection system with Bungee Apr 09 2026**
{% endfile %}

**CrossCurve Cross-chain Liquidity Protocol** ensures the operation of EYWA DEX v1.

**CLP smart contracts** are smart contracts for processing synth and burn operations, as well as minting and locking tokens. They are also responsible for swap processing and liquidity handling operations.

**Smart State evaluation:** 10/10

{% file src="<https://2491851656-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSnaMzO2OxSvSBUVB6drl%2Fuploads%2FTXq1ILnWS4fmIWbzjBlg%2FEYWA_CLP_S%D0%A1_report.pdf?alt=media&token=4f333702-2ac7-4471-858b-f2f9c38e538e>" %}
**CLP report from SmartState Jun 05 2023**
{% endfile %}

{% file src="<https://2491851656-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSnaMzO2OxSvSBUVB6drl%2Fuploads%2FwfyaQw0J5bp8dYO06rvQ%2FCrossCurve_Metalayer_CLP_smart_contract_audit_report_Ver_1_2_August.pdf?alt=media&token=e495084a-e73f-4799-bc9b-4663ffab7f63>" %}
**CLP Smart contract audit report from SmartState Aug 29 2025**
{% endfile %}

🔗 [**Link**](https://smartstate.tech/clients/eywa.html) to SmartState CrossCurve reports.

## Security audits by Hexens <a href="#security-audits-by-hexens" id="security-audits-by-hexens"></a>

**2026** - Smart contract audit of the **CrossCurve OFT protocol**. No critical vulnerabilities were found, and all recommendations have been addressed.

{% file src="<https://2491851656-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSnaMzO2OxSvSBUVB6drl%2Fuploads%2FZg5NdqsFrwlJjjzGeeD8%2Fhexens-crosscurve-mar-26(Final).pdf?alt=media&token=e5206de0-d4cf-450d-a17f-81bf080b2803>" %}
**CrossCurve OFT contracts audit report from Hexens Mar 26 2025**
{% endfile %}

The Hexens team [**audited various components**](https://hexens.io/audits#eywa) of CrossCurve, such as the BLS cryptography module in CrossCurve CDP as well as EYWA NFT.
