Uniswap DAO debate shows devs still struggle to secure cross-chain bridges
Developers face tradeoffs between making bridges upgradeable to fix bugs versus making them decentralized.
Over $2.5 billion was stolen in cross-chain crypto bridge hacks from 2021 to 2022, according to a report by Token Terminal. But, despite several attempts by developers to improve bridge security, a debate from December 2022 to January 2023 on the Uniswap DAO forums has laid bare security weaknesses that continue to exist in blockchain bridges.
In the past, bridges like Ronin and Horizon used multisig wallets to ensure that only bridge validators could authorize withdrawals. For example, Ronin required five out of nine signatures to withdraw, whereas Horizon required two out of five. But attackers figured out how to circumvent these systems and withdrew millions of dollars worth of crypto, leaving users of these bridges with unbacked tokens.
After these multisig bridges were hacked, developers started turning to more sophisticated protocols like Celer, LayerZero and Wormhole, which claimed to be more secure.
But in December 2022, Uniswap DAO began discussing deploying Uniswap v3 to the BNB Chain. In the process, the decentralized autonomous organization (DAO) had to decide which bridge protocol would be used for cross-chain Uniswap governance. In the discussion that followed, the security of each solution was challenged by critics, leaving some observers to conclude that no single bridge solution was secure enough for Uniswap’s purposes.
As a result, some participants concluded that only a multibridge solution can secure crypto assets in the cross-chain environment of crypto today.
Over $10 billion of crypto assets are currently locked on bridges as of Feb. 15, according to DefiLlama, making the issue of bridge security an urgent one.
How blockchain bridges work
Blockchain bridges enable two or more blockchains to share data with each other, such as cryptocurrency. For example, a bridge may enable USD Coin (USDC) to be sent from Ethereum to BNB Chain or Trader Joe (JOE) from Avalanche to Harmony.
But each blockchain network has its own architecture and database, separate from others. So in a literal sense, no coin can be sent from one network to another.
To get around this problem, bridges lock coins on one network and mint copies of them on another. When the user wants to “move” their coins back to the original network, the bridge then burns the copies and unlocks the original coins. Although this doesn’t move coins between networks, it’s similar enough to suit the purposes of most crypto users.
However, the problem arises when an attacker can either mint unbacked coins on the receiving chain or withdraw coins on the sending chain without burning its copies. Either way, this results in the receiving chain having extra coins that are not backed by anything. This is exactly what happened in the Ronin and Horizon hacks of 2022.
Ronin and Horizon: When bridging goes wrong
Ronin bridge was a protocol that allowed Axie Infinity players to move coins between Ethereum and the Ronin sidechain to play the game.
The Ethereum contracts for the bridge had a function called “withdrawERC20For,” which allowed Ronin validators to withdraw tokens on Ethereum and give them to the user, with or without burning them on Ronin. However, the Ronin software that validators ran was programmed only to call this function if the corresponding coins on Ronin had been burned. Calling the function required signatures from five out of the nine validator nodes, preventing an attacker from withdrawing the funds even if they got control of a single node.
To further ensure that the funds couldn’t be stolen, Axie Infinity developer Sky Mavis distributed the majority of validator keys to other stakeholders, including Axie DAO. This meant that if Sky Mavis’s computers were taken over, the attacker still wouldn’t be able to withdraw coins without their backing since the attacker would only have four keys.
But despite these precautions, an attacker could still obtain all four of Sky Mavis’ keys, plus a fifth signature from Axie DAO to withdraw over $600 million worth of crypto from the bridge.
Recent: SEC vs. Kraken: A one-off or opening salvo in an assault on crypto?
Sky Mavis has since reimbursed victims of the attack and has relaunched the bridge with what the developers call a “circuit breaker” system that halts large or suspicious withdrawals.
A similar attack happened to the Harmony Horizon Bridge on June 24, 2022. This bridge allowed users to transfer assets from Ethereum to Harmony and back again. The “unlockTokens” (withdraw) function could only be called if two out of five signatures from the Harmony team authorized it. The private keys that could produce these signatures were encrypted and stored using a key management service. But through some unknown method, the attacker was able to gain and decrypt two of the keys, allowing them to withdraw $100 million of crypto from the Ethereum side of the bridge.
The Harmony team proposed a reimbursement plan in August 2022 and relaunched the bridge using LayerZero.
After these hacks, some bridge developers believed they needed better security than a basic multisig wallet. This is where bridging protocols came in.
The rise of bridging protocols
Since the Ronin and Horizon hacks have called attention to the problem of bridge security, a few companies have begun to specialize in creating bridge protocols that other developers can customize or implement for their specific needs. These protocols claim to be more secure than just using a multisig wallet to handle withdrawals.
In late January, the Uniswap DAO considered launching a BNB Chain version of its decentralized exchange. In the process, it needed to decide which protocol to use. Here are the four protocols considered, along with a brief explanation of how they try to secure their bridges.
According to the LayerZero docs, the protocol uses two servers to verify that coins are locked on the original chain before allowing them to be minted on the destination chain. The first server is called the “oracle.” When a user locks coins on the sending chain, the oracle transmits the block header for that transaction to the destination chain.
The second server is called the “relayer.” When a user locks coins on the sending chain, the relayer sends proof to the second chain that the locking transaction is contained within the block referenced by the oracle.
As long as the oracle and relayer are independent and do not collude, it should be impossible for an attacker to mint coins on chain B without locking them on chain A or to withdraw coins on chain A without burning them on chain B.
LayerZero uses Chainlink for the default oracle and provides its own default relayer for application developers that want to use it, but devs can also create custom versions of these servers if they want to.
According to the Celer cBridge docs, Celer relies on a network of proof-of-stake (PoS) validators called “state guardians” to verify that coins are locked on one chain before being minted on another. Two-thirds of the validators have to agree that a transaction is valid for it to be confirmed.
In the Uniswap debate, Celer co-founder Mo Dong clarified that the protocol also offers an alternative mechanism for consensus called “optimistic rollup-style security.” In this version, transactions are subject to a waiting period, allowing any single state guardian to veto the transaction if the information it has contradicts the two-thirds majority.
Mo argued that some app developers, including Uniswap, should use the “optimistic rollup-like security model” and run their own app guardian to guarantee they can block fraudulent transactions even if the network is compromised.
In response to a question about who the validators for the network are, the Celer co-founder stated:
“Celer has a total of 21 validators, which are highly reputable PoS validators securing chains such as Binance Chain, Avalanche, Cosmos and more, such as Binance, Everstake, InfStones, Ankr, Forbole, 01Node, OKX, HashQuark, RockX and more.”
He also emphasized that Celer slashes validators who attempt to get fraudulent transactions confirmed.
According to a forum post from the team, Wormhole relies on 19 validators called “guardians” to prevent fraudulent transactions. 13 out of 19 validators have to agree for a transaction to be confirmed.
In the Uniswap debate, Wormhole argued that its network is more decentralized and has more reputable validators than its peers, stating, “Our Guardian set comprises the leading PoS validators, including Staked, Figment, Chorus One, P2P, and more.”
The deBridge docs say that it is a proof-of-stake network with 12 validators. Eight of these validators have to agree that a transaction is valid for it to be confirmed. Validators that attempt to pass through fraudulent transactions are slashed.
In the Uniswap debate, deBridge co-founder Alex Smirnov stated that all deBridge validators “are professional infrastructure providers that validate many other protocols and blockchains” and “all validators bear reputational and financial risks.”
In the later stages of the debate, Smirnov began advocating for a multibridge solution rather than for using deBridge as the sole solution for Uniswap, as he explained:
“If deBridge is chosen for the temperature check and further governance voting, the Uniswap-deBridge integration will be built in the context of this bridge-agnostic framework and thus, will enable other bridges to participate.”
Throughout the Uniswap bridge debate, each of these protocols was subjected to criticism in terms of its security and decentralization.
LayerZero allegedly gives power to app devs
LayerZero was criticized for allegedly being a disguised 2/2 multisig and for putting all power into the hands of the app developer. On Jan. 2, L2Beat author Krzysztof Urbański alleged that the oracle and relayer system on LayerZero can be circumvented if an attacker takes control of the app developer’s computer systems.
To prove this, Urbański deployed a new bridge and token using LayerZero, then bridged some tokens from Ethereum to Optimism. Afterward, he called an admin function to change the oracle and relayer from the default servers to ones under his control. He then proceeded to withdraw all of the tokens on Ethereum, leaving the tokens on Optimism unbacked.
Urbański’s article was cited by multiple participants in the debate, including GFX Labs and Phillip Zentner of LIFI, as reasons why LayerZero shouldn’t be used as the sole bridging protocol for Uniswap.
Speaking to Cointelegraph, LayerZero CEO Bryan Pellegrino responded to this criticism, stating that a bridge developer using LayerZero “can burn [its] ability to change any settings and have it be 100% immutable.” However, most developers choose not to do this because they fear imposing immutable bugs into the code. He also argued that putting upgrades into the hands of a “middlechain auth” or third-party network can be riskier than having an app developer control it.
Some participants also criticized LayerZero for having an unverified or closed-source default relayer. This would allegedly make it difficult for Uniswap to develop its own relayer quickly.
Celer raises concerns about security model
In an initial non-binding vote on Jan. 24, the Uniswap DAO chose to deploy to BNB Chain with Celer as the official Uniswap bridge for governance. However, once GFX Labs started testing the bridge, they posted concerns and questions about Celer’s security model.
According to GFXLabs, Celer has an upgradeable MessageBus contract under the control of three of five multisigs. This could be an attack vector by which a malicious person could gain control of the entire protocol.
In response to this criticism, Celer co-founder Mo stated that the contract is controlled by four highly-respected institutions: InfStones, Binance Staking, OKX and the Celer Network. Dong argued that the MessageBus contract needs to be upgradeable to fix bugs that may be found in the future, as he explained:
“We made the MessageBus upgradeable with the goal of making it easier to address any potential security issues just in case and add must-have features. However, we approach this process with care and continually evaluate and improve our governance process. We welcome additional active contributors such as GFXLabs to be more involved.”
In the later stages of the debate, Celer began supporting a multibridge solution instead of arguing for its own protocol being the only bridge.
Wormhole not slashin’
Wormhole was criticized for not using slashing to punish misbehaving validators and for allegedly doing a lower volume of transactions than it is admitting.
Mo argued that a PoS network with slashing is usually better than one without, stating, “Wormhole does not have any economic security or slashing built in the protocol. If there is any other centralized/off-chain agreement, we hope wormhole can make them known to the community. Just by looking at this comparison, a reasonable level of economic security in protocol >> 0 economic security in the protocol.”
Mo also claimed that Wormhole’s transaction volume might be lower than the company admits. According to him, over 99% of Wormhole transactions come from Pythnet, and if this number is excluded, “there are 719 message per day in the last 7 days on Wormhole.”
DeBridge had very little criticism directed against it, as most participants seemed to think that Celer, LayerZero and Wormhole were the dominant choices.
In the later stages of the debate, the deBridge team began advocating for a multibridge solution.
Toward a multibridge solution?
As the Uniswap debate continued, several participants argued that no single bridging protocol should be used for governance. Instead, they argued that multiple bridges should be used and that a majority or even unanimous decision from all bridges should be required to confirm a governance decision.
Celer and deBridge came around to this point of view as the debate progressed, and LIFI CEO Phillip Zentner argued that Uniswap’s move to BNB should be postponed until a multibridge solution could be implemented.
Ultimately, the Uniswap DAO voted to deploy to BNB Chain with Wormhole as the official bridge. However, Uniswap executive director Devin Walsh explained that deployment with a single bridge does not preclude adding additional bridges at a later date. So the advocates for a multibridge solution will likely continue their efforts.
Can blockchain bridges be secure?
No matter what ultimately happens to Unsiwap’s cross-chain governance process, the debate has illustrated how hard it is to secure cross-chain bridges.
Putting withdrawals into the hands of multisig wallets creates the risk that bad actors may gain control of multiple signatures and withdraw tokens without the consent of users. It centralizes the blockchain world and makes users rely upon trusted authorities instead of decentralized protocols.
Recent: DeFi security: How trustless bridges can help protect users
On the other hand, proof-of-stake-style bridging networks are complex programs that may be found to have bugs, and if their contracts are not upgradeable, these bugs can’t be fixed without a hard fork of one of the underlying networks. Developers continue to face a tradeoff between putting upgrades into the hands of trusted authorities, who may get hacked, versus making protocols truly decentralized and, therefore, non-upgradeable.
Billions of dollars of crypto assets are stored on bridges, and as the crypto ecosystem grows, there may be even more assets stored on these networks over time. So the problem of securing a blockchain bridge and protecting these assets continues to be critical.