Firepan finds two real auth-bypass primitives in VIA Labs' production cross-chain gateway — both confirmed and fixed in the same review pass.

Cross-chain messaging is the part of the smart-contract stack that breaks hardest when it breaks. A bug in a single-chain DeFi pool spills the pool. A bug in a cross-chain message-validation predicate spills every project on the network that trusts the validator set. The economic surface is not your protocol's TVL — it's every integrator's TVL, multiplied by the cross-product of chains the protocol routes between.

VIA Labs had built their EVM v1 stack with the seriousness that surface demands: three independent signer layers (VIA / Chain / Project), per-layer thresholds, off-chain validators producing ordered signature blobs, and a permissionless economic model that pays the gateway for forwarding work. The team's internal review was rigorous; the architecture was deliberate. But the predicate that ties it all together — _validateMessage on ViaGatewayV1 — needed an outside set of eyes against the kind of class signatures that production cross-chain bridges have historically died to: registration writes a property; validation does not consult it.

That's the class of bug Firepan went looking for.

The engagement ran February through March 2026 as a permissioned private-repo review. Firepan was granted read access to the DruuuCLT/viagateway-v1 repository on the EVM_v1 branch and walked the four core contracts — ViaGatewayV1.sol, ViaIntegrationV1.sol, FeeCollector, and GasHandler — contract-by-contract through the three-layer signer architecture.

The methodology was predicate-level enumeration on _validateMessage's signature-tallying predicate. For each per-layer counter (VIA / Chain / Project), the question was a single one: does the predicate re-assert the layer's scoping invariant at validation time? Registration sites were walked alongside validation sites, and every property written at registration was traced through to every reader.

Seventeen items were surfaced and delivered to the VIA Labs team. The team responded with a color-coded per-item rationale document — Green = By Design, Yellow = Clarification Requested, Red = Confirmed Finding. Firepan replied per item in Emberlime. This is the kind of substantive engineering exchange that distinguishes a serious engagement from a checkbox audit: every Green item carried an architectural argument that Firepan walked, accepted, or pushed back on.

Two items came back marked Red = Confirmed Finding — both in _validateMessage, both with VIA Labs-authored inline fixes proposed at the same review pass. Firepan reviewed both proposed patches inline and confirmed the mechanics are correct, offering to verify the patched code once deployed. The invitations are recorded verbatim in the engagement comments.

The discipline that's worth surfacing as a separate beat: Firepan downgraded one of its own findings during the review cycle.

Item #9 in the original delivery flagged tx.origin usage in setProjectSigner / setProjectRelayer as a privilege-escalation surface. VIA Labs responded with the onlyAllowedSigner / onlyAllowedRelayer modifier policy on the integration contract, combined with the if (msg.sender == tx.origin) revert CallerMismatch(); direct-EOA-call rejection — access controls Firepan had not initially accounted for. Firepan recorded the self-correction in full:

"We overstated the severity by not accounting for these existing access controls. We'll downgrade to Informational with a general note that tx.origin usage is a known anti-pattern worth documenting for integrators, while acknowledging the mitigations in place."

An honest audit downgrades its own findings when the evidence demands it. The two findings that survived the same calibration are documented at the classification they earn from the VIA Labs response — not inflated for marketing, not deflated under client pushback. The calibration is the value.

The economics of cross-chain messaging security have a structural asymmetry. The contracts that route messages between every chain — gateways, validators, integration scaffolds — carry the trust-radius of every integrating project on the network. When one of those contracts has a predicate-level bug, the blast-radius is not one TVL; it's the cross-product of every integrator's TVL and every chain the protocol bridges.

The VIA Labs engagement is a clean demonstration of what closes that surface: a private-repo review that walks the predicate level-by-level with the engineering team, finds the two class-signatures that mattered, calibrates honestly when the team surfaces mitigations the auditor missed, and produces patches the team is willing to ship in the same review pass.

This is the use case Firepan was built for. Not as a replacement for the multi-week specialist review on a critical bridge, but as the security layer that finds the bugs in the contract that validates the bridge — in days rather than months, with the predicate-level discipline that catches what scale alone misses.

The full technical report is published alongside this case study at firepan.com/reports/vialabs-evm-v1/ (FP-AUDT-2026-0003), with the per-finding detail, the proposed inline patches, and the verbatim engagement comments.