Explore the security mechanisms of 5 message cross-chain projects

Original title: "Exploring the security mechanism of 5 message cross-chain projects "

< p>Original author: Ailsa  

The prosperity of multi-chain ecology has given birth to users' demand for cross-chain. The cross-chain interaction between chains is increasing day by day, but at the same time, cross-chain security incidents are frequently heard, and cross-chain security has become the focus of market attention. According to the "2022 Global Web3 Blockchain Security Situation Report and Encryption Industry Supervision Policy Summary" jointly issued by Chengdu Lianan and others, the total loss caused by various attacks in the Web3 field in 2022 will reach 3.6 billion US dollars, of which cross-chain application security The losses caused by incidents accounted for 52.5%, ranking first among all project types.

According to public data, there will be 25 cross-chain application security incidents in 2021 and 2022, and 19 cross-chain bridge projects was attacked, and the total loss amounted to 2.646 billion US dollars. Cross-chain projects that have lost hundreds of millions of dollars in hacking attacks include Ronin Bridge, Poly Network, Binance Bridge, Wormhole, Nomad, and Harmony Bridge (Horizon), with losses reaching $624 million, $611 million, $570 million, and $326 million, respectively. US dollars, 190 million US dollars and 100 million US dollars.

Usually cross-chain projects are collected With a large number of assets, the TVL (Total Value Locked) owned by it far exceeds the general blockchain protocol, which makes cross-chain projects easy to become the preferred target of hacker attacks. Cross-chain security is of paramount importance.

Security is not only derived from the security brought by the cross-chain solution itself, but also rooted in the design of project decision makers to prevent and prevent the occurrence of security crises security policy.

The current market demand for cross-chain is mainly for digital assets, but cross-chain is not limited to the transfer and exchange of assets. More and more abundant, the cross-chain of blockchain will definitely develop from the current asset cross-chain to message cross-chain and function cross-chain, from the cross-chain of a single type of data to the cross-chain of general data.

Currently, there are already cross-chain projects in the market that have begun to deploy message cross-chain fields. Such as Axelar, Celer Network, Layerzero, Multichain, Wormhole, Chainlink CCIP, Polkadot XCMP, Cosmos IBC, etc. Since the development of Chainlink CCIP is still in progress, Polkadot XCMP and Cosmos IBC are mainly suitable for cross-chains between isomorphic blockchains. Therefore, this article mainly expands on Axelar, Celer Network, Layerzero, Multichain and Wormhole. Sorting out and summarizing the security-related content of the revolutionary message cross-chain project.

 1. Security brought by cross-chain solutions 

Cross-chain Chain technology mainly solves the problem that assets or information cannot be exchanged between different blockchains. A cross-chain process consists of multiple different blockchain transactions, which run on different blockchain systems. Due to the differences in consensus mechanisms and rules between different chains, in the cross-chain process, it is necessary to The content is verified to ensure the security of the cross-chain process.

The cross-chain security attribute is closely related to the trustless level of the cross-chain bridge, which is reflected in how the cross-chain project verifies the initial chain status and transfers the transaction to the target chain process. Each cross-chain solution has its own security and trust mechanism.

1.Axelar

Axelar is a network platform designed to provide secure cross-chain communication for WEB3 Universal Overlay Network, In May 2022, Axelar launched Universal Messaging on its mainnet. Through Axelar’s universal messaging capabilities, many-to-many communication can be enabled across all chains, allowing users to combine DeFi functions, move tokens and NFTs, and perform any type of multi-chain call between dApps in various ecosystems. Axelar solves complex cybersecurity problems by deploying multiple layers of defense. Its security stack starts with POS consensus and a diverse node technology stack.

Axelar network itself is an L1 block based on Pos consensus chain, Axelar consists of a decentralized network of validators, secure gateway contracts, unified translation, routing architecture, and a set of programming interfaces (APIs) for protocols and applications.

Axelar obtains and synchronizes the state information in each blockchain system through its validators running nodes of different chains. Validators are elected by Token holders and get voting rights in proportion. The voting weight is calculated by weighting the entrusted rights and interests. There are currently 70 active validators on the Axelar network and must obtain a majority of more than 66.67% of the votes to sign a message.

Furthermore, voting weight skew reduces the security of PoS systems. Axelar adopts a quadratic voting scheme for PoS in order to alleviate the imbalance problem of the verifier and prevent the voting rights from being too concentrated. The signature weight will be proportional to the square root of the number of Tokens pledged by the verifier. As validators continue to increase the number of pledges, it becomes more difficult to accumulate voting rights.

2.CelerIM

Celer IM is Celer Network's tools and infrastructure for developers , cBridge can be regarded as an asset bridge built on Celer IM.

Celer provides double security for all users.

First of all, the security of cBridge is guaranteed by the State Guardian Network (SGN for short). SGN is a tendermint-based PoS blockchain. Other products of Celer Network, including cBridge and Celer IM, highly utilize SGN's PoS security, fast confirmation and low-cost features in cross-chain transactions.

SGN has 21 verifiers, and a message must be approved by 2/3 of the verifiers. Verifiers who want to become SGN need to pledge the token CELER. In addition, Axelar has set up a pledge and slashing mechanism. If the verification fails or is maliciously damaged, it will bear the risk of being confiscated. The more CELR is pledged, the more secure the network will be.

Currently, the Celer State Guardian Network 2.0 has been successfully upgraded. Compared with SGN1.0, SGN2.0 focuses on optimizing its ability to capture value from transactions: for cBridge, the value captured by SGN is based on the size of each transaction it processes in the cBridge fund pool mode; for Celer IM For , value capture is based on the size of cross-chain messages.

Intermediate delay is an extra guarantee specially set by Celer for Dapps. Even if most SGNs are hacked, if no assets are actually sent, Celer can interrupt the casting on the target chain through an intermediate delay, and Dapps can make different choices and trade-offs in the choice of delay. During this delay, dApps can implement or delegate the SGN node to serve as a guardian to double-authenticate messages, and the guardian needs to remain honest and functional during this process.

3.Layerzero

LayerZero is a full-chain interoperability protocol that focuses on Data messaging between chains LayerZero is also a transport layer protocol without an application layer. LayerZero's architecture mainly includes endpoints (Endpoint), relay nodes (Relayer) and oracles (Oracle).

LayerZero passes messages and messages The proof transfer and the verification relayer transfer transaction are separated to ensure the security of the cross-chain process. Relayer is responsible for delivering messages and message proofs, and Oracle is responsible for obtaining block headers from the source chain on demand according to the block where the message is located, and then the terminal on the target chain verifies the transaction delivered by Relayer based on the block headers obtained by Oracle. Layerzero's verification of the block header itself is completed by a third-party Oracle network as an external verifier. The verification process occurs off-chain, which is essentially an act that requires trust in a third party. In addition, the effective transmission of Layerzero cross-chain messages requires its relay nodes and oracles to be independent of each other, and it needs to be assumed that there is no malicious collusion between the oracle and the relay.

4.MultichainanyCall

The predecessor of Multichain is Anyswap, which is a cross-chain competition Road infrastructure, committed to becoming the ultimate router for Web 3. anyCall is a new generation of comprehensive message cross-chain interaction protocol abstracted by Multichain based on its Bridge and Router products.

Multichain's cross-chain technology solution adopts a secure multi-party computing (Secure Muti-party Computation, referred to as SMPC) solution, through the unique key sharding technology , the key shards are distributed on different nodes, each node owns part of the private key independently, and the complete private key will not appear in the entire MPC network life cycle, through the SMPC secure multi-party computing + TSS threshold signature technology to ensure the encryption The whole process of key generation, storage and verification is safe, and the interoperability between nodes is realized on the basis of this security guarantee.

According to the anyCall white paper, anyCall consists of an off-chain trust mechanism at the lower layer and an upper layer call/trigger API deployed on the chain. Among them, the off-chain trust mechanism is responsible for verifying the consensus on the "message" of the source chain, executing the addressing of the target chain according to the specified logic, and constructing corresponding operations.

The underlying fastMPC decentralized trust machine It ensures the decentralization of anyCall's comprehensive message cross-chain interaction protocol. The current Multichain network consists of 21 nodes, run by different institutions, and requires a majority of nodes to jointly verify messages. The security of Multichain relies on the reputation of nodes. SMPC node members do not need to pledge and are relatively fixed. The security of AnyCall is based on the assumption of trust in SMPC nodes.

At present, Multichain has upgraded the bottom trust layer from SMPC network to fastMPC Network. The execution speed of fastMPC nodes is 4-5 times faster than that of the original SMPC 1.0. It is a faster and smoother cross-chain solution. At the same time, since fastMPC is open to the public in the community, the advantages of this open mode of decentralization are more prominent.

5.Wormhole

Wormhole is a general messaging protocol, Wormhole trust The layer is built with the PoA mechanism, and a group of trusted Guardians (guardians) are responsible for the verification, transmission and processing of messages from one blockchain to another blockchain between chains. Guardians are specific entities with capital and reputation endorsements, including well-known institutions such as Jump Crypto, Everstake, and Chorus One. At present, there are 19 guardians in the guardian network. The guardians are responsible for transaction verification on the Wormhole network. 2/3 of the guardians need to verify together. Once the consensus is reached, the proof will be sent to the target network for transactions or specific contract execution.

It is worth explaining that based on SMPC Compared with the multi-signature scheme, the cross-chain scheme is more decentralized. The multi-signature scheme requires the verifier to have a complete private key to sign the transaction. In the SMPC-based scheme, the complete private key has never actually appeared during the entire key management cycle, and the complete private key is not independently owned during verification. Key, signature confirmation transaction only needs to gather the signatures of several private key fragments, and there is no problem of leaking the complete private key.

Second, Security Incident Response Policy 

Cross-chain project’s own cross-chain solution The plan does not mean that all risks can be avoided, and other security policies need to be added to actively prevent and respond to security risks. The design of security policy can provide users with stronger security guarantees, and the security policy should run through before, during and after the occurrence of security incidents.

Before the security incident: There may be security risks in the project at this stage, but they have not been discovered or exploited. The project carries out the security operation of the project in accordance with the security policy determined in advance.

A security incident is occurring: a security incident is occurring at this stage, but the project party may not be aware of it. It is very important to take measures to let the project discover the security incident in time .

After a security incident: this stage may involve asset loss, and the project needs to take further measures after knowing the occurrence of the attack and the existence of the vulnerability to reduce the risk of attack fluctuations range to avoid further losses. The determination of the user compensation plan, how to restore the business to normal operation more quickly, as well as reflect on the problems existing in the security process and propose further security guarantee mechanisms also take place at this stage.

1.Axelar

Axelar's security incident response policy focuses on , the main measures include conducting security audits, enabling bug bounties, frequent key rotation, and rate limiting.

(1) Security audit. At present, Axelar's security audit coverage covers its core protocol, smart contract, cryptographic library, front-end and back-end code, etc. From August 2021 to August 2022, Axelar has conducted more than 27 audits, and audit agencies include Ackee Blockchain, Chaintroopers , Certik, etc. See < https://github.com/axelarnetwork/audits> for details.

(2) Bug bounty. Starting from March 10, 2022, the cooperation between Axelar and Immunefi has set up a bounty program with a maximum value of 2.25 million US dollars, see <https://immunefi.com/bounty/axelarnetwork/> for details. Axelar also clarified the method of submitting vulnerabilities in its official documents, but by submitting vulnerabilities to security@axelar.network, Axelar clearly stated that the maximum reward is $100. For details, see<https://docs.axelar.dev/bug- bounty>.

(3) Frequent key rotation. Attackers may attempt to amass malicious keys by sequentially compromising validators. Key rotation protects the Axelar network from persistent attackers.

(4) Rate limiting. Axelar’s ERC-20 contracts feature rate limiting, which allows Axelar to set an upper limit on how many assets can be transferred in a given time interval. This minimizes attacks and reduces the amount of funds that could be stolen in the event of an attack.

2. CelerNetwork

Celer Network's security incident response policy mainly focuses on security incidents Before and during security incidents.

Celer’s main measures before a security incident include conducting security audits, enabling bug bounties, building a risk control system, limiting traffic at the application layer, 24-hour monitoring and Proactive front-end and DNS integrity checks.

(1) Security audit. For Cbridge, Celer has only conducted 3 audits so far, and the cooperative audit agencies are CertiK, PeckShield and SlowMist. See [https://cbridge-docs.celer.network/reference/audit-reports for details. For Celer](https://cbridge-docs.celer.network/reference/audit-reports% E3%80%82% E9%92%88% E5% AF% B9Celer) IM, Celer has currently conducted 2 audits, Cooperative auditors are PeckShield and SlowMist. See < https://im-docs.celer.network/audit-reports> for details.

(2) Bug bounty. Since November 18, 2021, Celer has partnered with Immunefi to set up a bounty program of up to $2 million. See < https://immunefi.com/bounty/celer/> for details.

(3) Build a risk control system. The overall liquidity, asset information and changes of the bridge can be monitored through the wind control system.

(4) Current limiting function. The security barrier set by Celer at the application layer makes it impossible to exceed a certain threshold per unit time, and if it exceeds, the time delivery will be postponed.

(5) 24-hour monitoring mechanism. Suspicious problems can be found in the first time.

(6) Proactive Frontend and DNS Integrity Checking. This is a feature that Celer added in response to the attack that occurred in August 2022 to prevent similar incidents from happening again.

In the process of discovering security incidents, according to the analysis of the truth of the cBridge cross-chain bridge accident in August 2022 by the SlowMist security team, it can be found that other than its own 24-hour monitoring mechanism, Celer has joined forces with the SlowMist security team. See < https://mp.weixin.qq.com/s/SInU_o3Ct-7A6pFbKLqzHQ> for details.

3.Layerzero

Layerzero's security incident response policy mainly focuses on security incidents before they occur , the main measures include conducting security audits and enabling bug bounties.

(1) Security Audit. LayerZero Labs stated that it has commissioned more than 35 audits, but LayerZero is relatively opaque in terms of code deployment, and its security audit content cannot be publicly queried on its Github. For details, see [https://github.com/LayerZero-Labs /Audits](https://github.com/LayerZero-Labs/Audits%E3%80%82).

(2) Bug bounty. In the official layerero document, it is stated that a real-time bug bounty program with a maximum reward of 15 million US dollars will be established, and the report submission address is given. See https://layerzero.gitbook.io/docs/bug-bounty/bug- bounty-program.

Additionally, in April 2022, LayerZero announced a partnership with Immunefi to set up a $15 million bug bounty program. But so far the item has not been retrieved on the Immunefi platform.

4.Multichain

August 2022, Multichain Algorithm & Security Officer X Chang In his official blog, he clearly mentioned Multichain's security strategy, which is divided into three stages according to the time point of the hacking incident, namely: before the occurrence, when the occurrence occurs, and after the occurrence, and each stage has corresponding response steps and Strategy.

Security measures before security incidents include security company audits and internal developer audits, enabling bug bounty, public opinion monitoring of security incidents, cross-chain amount limits and chain Fund flow and total limit.

(1) Company-wide audit and internal developer audit. Up to now, Multichain has conducted a large number of external audits. The external audit partners include BlockSec, Certik, Dedaub, PeckShield, SlowMist, TrailofBits, Verichain and many other well-known institutions. AnyCall, Router V7, VeMulti, Multichain V6, Threshold-DSA, V5ERC20, Cross Chain-Bridge and other products launched by Multichain have all undergone strict external audits. See https://github.com/anyswap/Anyswap-Audit/ for details. At the same time, the Multichain team has set up periodic internal audit meetings, at least once a month.

(2) Bug bounty. Multichain runs two bug bounty programs. The first is that since March 16, 2022, Multichain has formally established cooperation with Immunefi, setting up a bounty program with a maximum value of 2 million US dollars, and according to the specific analysis of the severity of the submitted bugs, the reward There is no cap on gold. See [https://immunefi.com/bounty/multichain/ for details. In addition, Multichain also offers an optional bug bounty program, which will provide rewards of up to $1 million for eligible bug discoveries. See   https://docs.multichain.org/getting-started/security/bug-bounty-alternative> for details.

(3) Public opinion monitoring of security incidents. By setting keywords to monitor public opinion on major media platforms, we hope to obtain the latest security incidents in the industry as soon as possible, draw inferences from one instance, reflect on whether there are similar problems in Multichain products, and respond to incidents in a timely manner.

(4) Cross-chain amount limit and chain capital flow and total limit. For cross-chain transactions of large amounts of funds, the platform adopts the rule of delaying the arrival of funds. For a newly developed chain or a chain with a slightly lower security rating, within a certain period of time, the total amount of cross-in or cross-out is limited within a certain range.

Security measures in the event of security incidents include monitoring abnormalities on the chain and mobilizing the power of the community and DAO to feedback abnormal behaviors of platform products.

(1) Monitoring of abnormal conditions on the chain. By setting up a series of on-chain monitoring strategies Watchdogs, it is hoped that data anomalies can be detected in a timely manner.

(2) Mobilize the power of the community and DAO to feedback the abnormal behavior of platform products. Distribute the power of community users and DAO to give feedback on the abnormal situation of Multichain products, and the team will make timely response measures after analyzing the abnormal behavior verification.

Safety measures after the security incident include suspending all related platform products and security funds to cover user asset risks.

(1) Suspend all related platform products. After knowing the existence of the vulnerability in the first time, shut down the product in a timely and effective manner.

(2) Security Fund covers the risk of user assets. Multichain has set up a security fund, agreeing to take out 10% of the cross-chain handling fee to compensate users for the loss of funds under special circumstances, and to bring security to the assets of platform users. The Multichain Security Fund was established in March 2022. As of the first quarter of 2023, the Multichain Security Fund has accumulated an amount of over US$1.44 million. See <https://medium.com/multichainorg/detailed-disclosure-of-multichain-security-policy-bde0397accf5> for specific security policies.

5.Wormhole

Wormhole's security incident response policy focuses on and security incidents. Security measures before security incidents include security audits, enabling bug bounties, social media monitoring, setting heterogeneous monitoring policies, and rolling out Governor functions.

(1) Security Audit. Wormhole also attaches great importance to security audits, and has cooperated with Certik, Coinspect, Hacken, Halborn, Kudelski, Neodyme, OtterSec, Trail of Bits, and Zellic in security audits. See < https://medium.com/@wormholecrypto/wormhole-security-program-end-of-year-update-212116ecfb91> for details.

(2) Bug bounty. The Wormhole project also runs two bug bounty programs, the first with Immunefi starting February 11, 2022, with a maximum bounty program of $2.5 million. See https://immunefi.com/bounty/wormhole/ for details. In addition, you can also browse relevant information and submit reports on its official website. See https://wormhole.com/bounty/ for details. In addition, Wormhole provides a list of strategies for using Wormhole, which can lower the threshold for white hat hackers to find security holes in Wormhole.

(3) Social media monitoring. Wormhole maintains a social media monitoring program so that the Wormhole project is aware of vulnerabilities in dependencies that could negatively impact Wormhole, its users, or the chains Wormhole is connected to.

(4) Set heterogeneous monitoring strategy. Wormhole sets up heterogeneous monitoring policies in Guardian, increasing the likelihood of detecting fraudulent activity. Wormhole expects all Guardians to develop and maintain their own security monitoring strategy.

(5) Launch the Governor function. The core reason for creating and deploying this feature is to help protect against the existential risk of smart contract or L1 compromise. This feature allows Wormhole Guardians with the optional ability to rate limit the flow of nominal value of any registered asset on a per-chain basis.

Wormhole’s security measures during the security incident are not clear, but the Wormhole attack in February 2022 was a routine inspection by Wormhole network contributors Notice discrepancies in outstanding funds and immediately investigate identified gaps.

Safety measures after a security incident include establishing an incident response mechanism and emergency suspension.

(1) Event response mechanism. Wormhole maintains an incident response program in response to vulnerabilities or active threats to Wormhole, its users, or its connected ecosystem.

(2) Emergency timeout. The Wormhole project evaluates concepts with safety features that allow Wormhole smart contracts to be suspended during existential crisis states without contract upgrades.

In addition, in the report on the February 2, 2022 hacking incident, Wormhole mentioned that it will further strengthen the security of cross-chain messaging and bridging Measures mainly include accounting mechanisms to isolate the risks of each chain, dynamic risk management, continuous monitoring and early detection of incidents.

3. Exploration of more trustless solutions < /h3>

Currently, there are three verification methods in the cross-chain market, namely native verification, local verification and external verification. These three types of verification methods have their own limitations, and it is difficult to balance trustlessness, scalability, and versatility.

The external verification scheme is a very versatile and scalable cross-chain computing scheme that can support more complex cross-chain applications. The Axelar, Celer Network, Layerzero, Multichain and Wormhole mentioned in this article are all external verifiers. They can complete the verification under the chain, have high scalability, can cover blockchains with different technical architectures, and can Realize general message cross-chain. However, since users must trust the relay network composed of a group of external nodes, its security is weaker than trustless local authentication and native authentication schemes.

The most secure cross-chain bridge design should be to minimize trust. However, the native verification schemes currently on the market, such as Hop and Connext, have poor versatility and are not suitable for general message cross-chains. Native verification schemes such as Cosmos IBC and Polkadot XCMP have weak scalability and are more suitable for isomorphic blockchains. , it is difficult to be compatible with many heterogeneous chains such as Ethereum and Solana.

ZKP technology brings a new path for secure cross-chain communication. ZKP cross-chain operation has the advantages of trustlessness, strong versatility, and low cost. Compared with the current cross-chain solution that achieves cross-chain communication by trusting a third party, ZKP cross-chain does not introduce any trust assumptions. Users only need to trust the source chain consensus and target chain consensus, which belongs to the category of native verification schemes. Moreover, ZKP reduces the need for Gas fees by generating concise ZKP proofs, so that the target chain can efficiently verify the target chain transactions, and the verification cost on the chain is reduced.

Hyper Oracle, Succinct, Nil.foundation, etc. have entered the cross-chain market through ZKP technology, which also confirms the potential of ZKP technology for more secure cross-chain solutions. At present, Multichain, Celer Network and Wormhole have begun to deploy ZKP cross-chain.

In addition, through Axelar, Celer, Layerzero, Multichain and The information disclosed by Wormhole and its policy on responding to security incidents can be found to have the following problems.

(1) Innovative solutions are very scarce. Multichain sets up a security fund to compensate users for any potential losses caused by multichain system and service vulnerabilities. This kind of security solution with a bottom-up nature is still rare in the industry.

(2) Not every cross-chain project covers security policies before, during, and after. Among the five projects selected in this article, only Multichain has a clear security policy before and after.

(3) The security mechanism is not yet perfect. Opening bug bounties and conducting security audits are common operations before security incidents. However, cross-chain projects lack a comprehensive and comprehensive security response solution and security mechanism. Relevant security measures are often put forward after a security incident occurs, and there is no complete security standard and crisis response process in advance. For example, Wormhole and Multichain cooperated with Immunefi to start the bug bounty program after the security incident occurred.

Cross-chain technology is still in the preliminary exploration stage, and a unified cross-chain standard and a stable cross-chain system have not yet been formed in the industry. Although cross-chain projects have put a lot of effort into cross-chain security, relying on the solutions of the cross-chain project itself and the non-technical security measures taken cannot solve the problem of cross-chain security once and for all. Preventing security attacks is a never-ending task. Although ZKP has given new ideas to solve cross-chain security issues, overall, ZK cross-chain projects have generally not undergone large-scale market testing, and the security of contracts still needs further improvement. Track and observe. Various cross-chain solutions will also encounter various security challenges in the development process, such as network security challenges, challenges in the technology itself, and unavoidable smart contract loopholes. The road to cross-chain security has a long way to go!

Original link
< /blockquote>

Welcome to join the official BlockBeats community:

Telegram Subscription Group: https://t.me/theblockbeats

Telegram Discussion Group: https://t.me/BlockBeats_App

Official Twitter Account: https://twitter.com/BlockBeatsAsia