
Security: Rexemre/blockzero-bridge


Security — Block Zero Bridge

Scope

  • contracts/ — wBLOZ, BlozBridge, BlozWrapClaim on BSC
  • relayer/ — deposit watcher, claim signer, unwrap payouts, auto-refunds
  • web/ — bridge.bloz.org UI

Trust assumptions

Users trust the bridge operator to:

  1. Hold enough native BLOZ to back all wBLOZ (reserve ≥ totalSupply)
  2. Sign valid wrap claims only after confirmed deposits
  3. Pay unwrap and refund payouts promptly
  4. Not abuse admin pause() without cause

Users do not need to trust the operator for manual wBLOZ minting — minting goes through BlozWrapClaim on-chain.

Known limitations

  • Custodial — not a trustless light-client bridge
  • No audit — review source and verified contracts yourself
  • Single admin — deployer can pause contracts; no multisig/timelock yet
  • Sender resolution — auto-refunds walk the first input of the deposit tx; coinjoin / multi-input sends may resolve to the wrong sender (supplying the optional returnBz1 at wrap creation is safer)
  • Solvency — operator must keep bridge BLOZ ≥ wBLOZ supply; there is no on-chain enforcement
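How the sender-resolution limitation above plays out in a refund path, as an added example (not the project's relayer code). It assumes a deposit tx modelled as a list of inputs with their funding addresses, and a wrap row that may carry an optional returnBz1; the "hold for review" branch on multi-input sends is an assumed hardening, not something the page says the relayer does.

```typescript
// Added example, not part of the Block Zero Bridge repo.
// Models "walk the first input" sender resolution and the safer returnBz1 path.

interface TxInput { address: string; value: number }
interface DepositTx { txid: string; inputs: TxInput[] }

type RefundTarget =
  | { kind: "address"; address: string; source: "returnBz1" | "first-input" }
  | { kind: "hold"; reason: string };

export function resolveRefundTarget(tx: DepositTx, returnBz1?: string): RefundTarget {
  // 1. A return address supplied explicitly at wrap creation always wins:
  //    it does not depend on how the user's wallet constructed the tx.
  if (returnBz1 && returnBz1.length > 0) {
    return { kind: "address", address: returnBz1, source: "returnBz1" };
  }
  if (tx.inputs.length === 0) {
    return { kind: "hold", reason: "no inputs to resolve a sender from" };
  }
  // 2. Otherwise walk the first input, as the bridge does. Coinjoin and other
  //    multi-input sends fund from several addresses, so the first input may not
  //    belong to the depositor at all. Assumed hardening: hold such refunds for
  //    manual review instead of paying out to a possibly wrong address.
  const distinct = new Set(tx.inputs.map((i) => i.address));
  if (distinct.size > 1) {
    return { kind: "hold", reason: `ambiguous sender: ${distinct.size} distinct input addresses` };
  }
  return { kind: "address", address: tx.inputs[0].address, source: "first-input" };
}

// Constructed sample transactions (not real chain data; "bz1q..." are placeholders).
export const singleInputTx: DepositTx = {
  txid: "constructed-tx-1",
  inputs: [{ address: "bz1qalice", value: 500 }],
};
export const coinjoinTx: DepositTx = {
  txid: "constructed-tx-2",
  inputs: [
    { address: "bz1qalice", value: 200 },
    { address: "bz1qbob", value: 300 },
    { address: "bz1qcarol", value: 100 },
  ],
};
```

A single-input deposit resolves to its first input; the constructed coinjoin is held rather than refunded to whichever address happened to come first; supplying returnBz1 bypasses the heuristic entirely.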

Mitigations (implemented)

| Risk | Mitigation |
| --- | --- |
| Claim signature valid after claim window → mint + refund | Signature deadline capped at claim_expires_at; refunds delayed CLAIM_SIG_TTL_SEC after expiry; on-chain claimed() checked before refund |
| Double mint same wrap | claimed mapping on BlozWrapClaim |
| Wrong EVM claims wrap | API checks evm_address matches wrap row |
| Duplicate deposit | Second tx queued as orphan refund |
| Refund while claim pending | on-chain isWrapClaimedOnChain() before refund; DB synced to minted |
| Bridge node can't resolve sender | Bridge bitcoind uses txindex=1 (no prune); sender stored at deposit time; optional returnBz1 |
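The first and fifth rows describe one timing argument: a claim signature must never still be usable once a refund has been paid. The following is an added example (not the relayer's code) that spells that gating out; it assumes wrap rows carry claim_expires_at as unix seconds, a status column, and an injected on-chain claimed() lookup, and the CLAIM_SIG_TTL_SEC value is a placeholder for whatever the relayer configures.

```typescript
// Added example, not part of the Block Zero Bridge repo.
// Relayer-side gating so that a wrap can be minted OR refunded, never both.

export const CLAIM_SIG_TTL_SEC = 3600; // assumed value; real setting is relayer config

export interface WrapRow {
  id: string;
  claim_expires_at: number; // unix seconds; end of the user's claim window
  status: "pending" | "minted" | "refunded";
}

// Deadline written into the signed claim: never beyond the claim window,
// whatever the client asked for.
export function signatureDeadline(row: WrapRow, requested: number): number {
  return Math.min(requested, row.claim_expires_at);
}

// Earliest time a refund may be attempted. Waiting a full TTL past expiry means
// any signature that was valid at claim_expires_at has certainly lapsed.
export function refundNotBefore(row: WrapRow): number {
  return row.claim_expires_at + CLAIM_SIG_TTL_SEC;
}

// True if a signature with this deadline could still mint at or after the
// moment the relayer would pay a refund (the "mint + refund" failure mode).
export function doubleSpendWindow(sigDeadline: number, row: WrapRow): boolean {
  return sigDeadline >= refundNotBefore(row);
}

export type RefundDecision = "refund" | "wait" | "already-minted" | "already-final";

export function decideRefund(
  row: WrapRow,
  now: number,
  claimedOnChain: (wrapId: string) => boolean,
): RefundDecision {
  if (row.status !== "pending") return "already-final";
  if (now < refundNotBefore(row)) return "wait";
  // Last check before paying out: the claim may have landed on-chain while the
  // DB still says pending (missed event, relayer restart). Sync instead of refunding.
  if (claimedOnChain(row.id)) {
    row.status = "minted";
    return "already-minted";
  }
  return "refund";
}
```

With the cap in place, a client requesting a deadline far past the window gets one clamped to claim_expires_at, and no deadline at or after refundNotBefore() exists; without the cap, the same request would leave a window in which both a mint and a refund can succeed.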

Residual risks (operator / user)

  • Admin key compromise — attacker can pause(), grant MINTER_ROLE, or stop payouts
  • Relayer downtime — unwrap/refund delays; funds remain in bridge wallet
  • Fake wBLOZ token on BSC — users must use official contract from bridge.bloz.org
  • No rate limits on wrap API — griefing via many deposit addresses (low impact)

Report an issue

Open a GitHub security advisory or contact the Block Zero maintainers via the project Discord / GitHub org.

Do not post exploit details publicly before a fix is available.

Operator checklist

  • Keep bridge wallet BLOZ reserve ≥ wBLOZ supply
  • Verify contracts on BscScan after each deploy (npm run verify:bsc)
  • Monitor /api/status: backed must stay true
  • Fund operator wallet with BNB for claim signatures (off-chain only)
  • Rotate keys if relayer host is compromised; pause contracts if needed

Incident response

  1. pause() on wBLOZ and BlozBridge via admin key
  2. Stop relayer service
  3. Post status in community channels
  4. Investigate DB + wallet txs; resume only when reserves and logic are confirmed

There aren't any published security advisories