Skip to main content
Warp Router’s security model relies on multiple layers of protection to ensure safe execution of cross-chain operations and protocol integrations.

Delegatecall Context

Adapters are always executed via delegatecall from the Router contract. This is a critical security consideration.

Understanding Delegatecall Execution

When the Router calls an adapter:
Critical implications:
  1. Storage context: Adapter code runs in Router’s storage space
  2. Balance access: Adapters can access Router’s token balances
  3. msg.sender: Preserved from original caller
  4. address(this): Equals Router address during execution
Adapters have full access to Router’s storage and balance during execution. Only install trusted, audited adapters.

Adapter Security Requirements

From AdapterBase.sol:17-21:

OnlyViaRouter Modifier

All adapter functions must use the onlyViaRouter modifier:
From AdapterBase.sol:99-111. How it works:
  • During delegatecall: address(this) equals _ROUTER
  • During direct call: address(this) equals adapter address ✗
Always use onlyViaRouter on adapter fill/claim functions to prevent direct calls that could bypass Router security.

Atomic Fill Signatures

All fill operations require a signature from the designated atomic signer to prevent unauthorized execution.

Signature Validation

From RouterLogic.sol:145-154:
Security properties:
  1. Authorization Control: Only designated signer can approve batches
  2. Replay Protection: Hash binds signature to specific calldata
  3. Immutable Signer: Set at deployment, cannot be changed
  4. Pause Mechanism: Setting signer to address(0) pauses fills

What Gets Signed

From RouterLogic.sol:200:
The signature covers:
  • All adapter calldatas in the batch
  • Order and content of operations
  • Function selectors and parameters
The atomic fill signer is immutable after deployment. Choose a secure address (hardware wallet or multisig) for production deployments.

Arbiter Access Control

Arbiters have exclusive access to protocol-level settlement functions.

OnlyRouter Pattern

From ArbiterBase.sol:289-302:
Why this matters:
  • Arbiters unlock user funds from protocols (TheCompact, Permit2)
  • Only Router should trigger these operations
  • Prevents unauthorized claim attempts
  • Ensures proper settlement flow

Pre-Claim Operations

From ArbiterBase.sol:165-188:
Security considerations:
  • Pre-claim ops execute before settlement
  • Must validate signatures properly
  • Gas stipend limits execution time
  • Failure reverts entire transaction

Reentrancy Protection

All external Router functions are protected against reentrancy.

ReentrancyGuardTransient

From RouterLogic.sol:74:
Used on all entry points:
Transient reentrancy guard uses TSTORE/TLOAD (EIP-1153) for gas efficiency when available.

Adapter Development Guidelines

Required Implementations

From AdapterBase.sol:23-60:
1

Return Function Selectors

All fill/claim functions MUST return their own selector:
2

Implement supportsInterface

Add all selectors to IERC165 implementation:
3

Use onlyViaRouter

Protect all fill/claim functions:
4

Avoid Untrusted Calls

Never call untrusted external contracts:

Storage Safety

From AdapterBase.sol:39:
Storage variables in adapters write to Router’s storage during delegatecall. Use immutable variables or be extremely careful with storage layout.

Pre-Funding Security

Same-chain settlements use pre-funding to prevent manipulation attacks.

Pre-Funding Pattern

From SameChainAdapter.sol:233-246:
Security properties:
  1. Atomic execution: If arbiter fails, pre-funding reverts
  2. Front-run protection: Recipients get outputs before inputs unlock
  3. MEV resistance: Prevents sandwich attacks on settlements

Gas Stipend Validation

From ArbiterBase.sol:118-125:
Protects against:
  • Griefing attacks with insufficient gas
  • Failed operations due to gas underestimation
  • EIP-150 gas forwarding limits

Security Checklist

  • All fill/claim functions use onlyViaRouter modifier
  • All functions return their own selector
  • supportsInterface includes all selectors
  • No direct calls to untrusted contracts
  • No storage variables (use immutable only)
  • Only interact with audited protocols
  • Proper relayer context validation
  • Atomic fill signer is secure (hardware wallet/multisig)
  • Only install audited adapters
  • Adapter adder role is restricted
  • Adapter remover role can respond to emergencies
  • Regular security audits scheduled
  • Monitoring for suspicious activity
  • Validate all order signatures off-chain first
  • Check token balances before settlement
  • Monitor for gas price attacks
  • Implement slippage protection
  • Use secure key management
  • Monitor for failed transactions

Audit Resources

Router Security

Core routing logic with atomic signatures and reentrancy protection

Adapter Security

Delegatecall context and trusted protocol integration

Arbiter Security

Access control and settlement validation

Pre-Funding

Atomic settlement and MEV protection