Bridges: Path Forward

Do I understand correctly that Celer and Axelar have the same / very similar model?

I do not fully understand the “optimistic rollup delay”. How, who and when would someone activate that to prevent funds from being lost?

Hey @alexei, yes Celer uses a Proof-of-Stake chain to reach consensus on the on-chain statuses of the chains it supports.

The optimistic rollup delay is a security design on the smart-contract level. As long as a threshold is hit a 2PC model will step in to allow a buffer for extra monitoring and validation. Thresholds vary across different tokens.

Instead of instantly processing a message routed by the SGN, a two-phase commit-confirm pattern is used to process any inter-chain message. Before any application consumes the message, the message has to be “committed” to the blockchain by SGN into a “quarantine zone” for a period of time. Only after the delay has passed, can this message be “confirmed” and pushed to the final destination application.

During this delay buffer, a dApp can run an App Guardian service to double-validate the message on the source chain and check the authenticity of the message committed in the quarantine zone. If the App Guardian detects any inconsistency, it can prevent the message from being processed before the time buffer expires. For application developers who cannot run an App Guardian themselves, they can commission the SGN nodes to undertake the task of an App Guardian. In that case, the security model is strengthened to a trust-any model for the SGN. Therefore, even in the worst-case scenario of an SGN consensus failure, inter-chain dApps including cBridge built on top of Celer’s construct will still maintain safety properties without any concern.

Niko & Moonbeam Community,

Thank you for the invitation to comment.

Secure bridging is a difficult problem. There are a host of protocols mentioned in this forum that will attest to that. I’m not here to propose another bridge for your consideration; rather, I’d like to advocate on behalf of something I feel is applicable regardless of which cross-chain bridge protocol the community decides on. Chainlink Proof of Reserve.

If you’re unfamiliar, Proof of Reserve (PoR) enables independent validation of assets that back liabilities (source-chain and bridged tokens in this case). Chainlink Proof of Reserve is powered by decentralized oracle networks that leverage the same time-tested Chainlink Node Operators to reliably monitor reserve assets (both off-chain and cross-chain) that back on-chain tokens using real-time automated attestations.

To highlight this additional layer of assurance in action, I’d like to briefly touch on two of the most common vulnerabilities and attack vectors in bridging and how PoR can mitigate these risks:

Infinite Mint Attack

An “infinite mint” exploit occurs when the bridged representation of the asset on a destination chain has its supply artificially increased beyond what is custodied on the source chain. The bridged asset becomes undercollateralized (no longer 1:1 backing) and should not be considered equivalent to the underlying asset it is presumed to represent.

With Proof of Reserve, protocols have the ability to verify, in the same block of an infinite mint exploit, whether the supply of bridged assets is greater than the amount of reserve assets backing such assets. Data from the Proof of Reserve data feed can be used by dApps to pause functionality involving the exploited bridged asset(s). Additionally, bridge protocols can significantly increase credibility and security by natively integrating PoR by checking against the feed whenever bridged tokens are minted.

Source Chain Attack

A source chain exploit occurs when the reserve assets held by the bridge on the source chain are removed from the bridge protocol’s custody without an equivalent burn of bridged assets on the destination chain (i.e. there exists more bridged assets than reserves needed for 1:1 collateralization). Source chain exploits can occur from malicious bridge operators or improper private key management.

Utilizing Proof of Reserve, dApp protocols can quickly identify the collateralization of bridged assets and halt operations preventing further damage to users and other protocol assets, such as preventing the use of unbacked bridged tokens as collateral to borrow native assets on a money market protocol.

We’re already seeing cross-chain protocols like AAVE adopt Chainlink Proof of Reserve to secure their platform. We’re optimistic that the redundancy and validation enabled by PoR as a standard can be something that helps mitigate systemic risk in bridging. I’m happy to answer any questions the community may have.

2 Likes