Smart contract audits are table stakes. They verify code logic but ignore the oracle dependency and sequencer risk that dominate bridge failures. The Wormhole and Nomad hacks exploited off-chain message verification, not contract bugs.
smart-contract-auditing-and-best-practices
Blog
The Future of Interoperability Demands Audits Beyond Smart Contracts
A critique of current auditing practices, arguing that effective security for bridges and cross-chain protocols requires evaluating the entire off-chain and economic stack, not just the on-chain smart contract code.
introduction
THE SYSTEMIC RISK
The Bridge Audit Fallacy
Smart contract audits are insufficient for securing interoperability, as systemic risks emerge from off-chain infrastructure and economic dependencies.
The real attack surface is systemic. A bridge like LayerZero or Axelar is a complex system of relayers, oracles, and governance. Auditing a single contract misses the trust assumptions between these components and their liveness guarantees.
Economic security is the ultimate audit. Protocols like Across use bonded relayers and fraud proofs, making economic incentives the primary security layer. The audit shifts from code to cryptoeconomic design and stress-testing liquidation scenarios.
Evidence: The Multichain collapse demonstrated custodial risk and opaque off-chain operations. No amount of smart contract auditing could have prevented the loss of funds controlled by a single entity.
thesis-statement
THE NEW PERIMETER
The Core Argument: The Stack is the Attack Surface
Modern interoperability demands security audits that extend beyond smart contracts to the entire technical stack.
Smart contracts are not enough. The security perimeter for a cross-chain transaction includes the off-chain relayer network, the oracle price feed, and the governance multisig. A bug-free contract is irrelevant if the relayer's signing key is compromised.
LayerZero and Wormhole illustrate this. Their core contracts are heavily audited, but their security models depend entirely on off-chain verifier sets and guardian nodes. The attack surface is the entire messaging stack, not just the on-chain endpoint.
The evidence is in the exploits. The Nomad hack exploited a flawed merkle tree initialization, a system-level flaw, not a contract bug. The Poly Network attacker compromised private keys controlling a multisig. These are stack failures.
Audits must now cover infrastructure. This means reviewing the TLS configurations of RPC endpoints, the key management for relayers, and the consensus mechanisms of off-chain networks like Axelar or Chainlink CCIP.
key-trends
BEYOND THE CONTRACT
The Expanding Attack Surface of Interoperability
Modern cross-chain systems are complex state machines; securing the smart contract is now just table stakes.
01
The Off-Chain Relayer is the New Root of Trust
Protocols like Across and LayerZero shift trust from on-chain consensus to off-chain attestation networks. The attack surface expands to relayer infrastructure, governance key management, and oracle liveness.\n- Vulnerability: A single malicious or compromised relayer can sign fraudulent state proofs.\n- Solution: Mandate audits of the entire signing ceremony, including MPC/TSS implementations and key rotation policies.
~70%
Of Bridge Hacks
Off-Chain
Root Cause
02
Intent-Based Architectures Create Hidden Dependencies
Systems like UniswapX and CowSwap abstract execution to solvers, creating a meta-game of economic security. The core risk migrates from contract code to solver competition, MEV extraction logic, and filler reputation systems.\n- Vulnerability: A solver cartel can censor or extract maximal value from user intents.\n- Solution: Audit the economic incentives and game theory of the solver marketplace, not just the settlement contract.
$1B+
Monthly Volume
Solver Risk
New Vector
03
Cross-Chain State Synchronization is a Logic Bomb
Omnichain apps and restaking protocols like EigenLayer require perfect sync across heterogeneous chains. A desync between Ethereum slashing and Avalanche validator sets can break the security model.\n- Vulnerability: Time delays, chain reorganizations, and fork choice rules create inconsistent global states.\n- Solution: Audit the state synchronization logic, including worst-case latency assumptions and fork resilience.
10+
Chains Synced
Seconds
Sync Latency
04
Upgrade Mechanisms are a Systemic Single Point of Failure
Most interoperability protocols use proxy patterns or multi-sigs for upgrades. The governance process itself—Snapshot voting, timelocks, executor permissions—becomes the most critical component to audit.\n- Vulnerability: A rushed or malicious upgrade can bypass all prior security work in a single transaction.\n- Solution: Mandate formal audits of the entire upgrade pathway, including governance contract logic and social consensus safeguards.
1 Tx
To Pwn All
Governance
Critical Path
AUDIT SURFACE EXPOSURE
Anatomy of a Cross-Chain Breach: Where Attacks Actually Happen
Compares the primary attack surfaces for major cross-chain messaging protocols, highlighting where audits must focus beyond smart contract code.
| Attack Vector / Layer | LayerZero | Wormhole | Axelar | CCIP |
|---|---|---|---|---|
Relayer Network Centralization | Permissioned, 1-of-N (Stargate) | Permissioned Guardian Set | Permissioned Validator Set | Decentralized Oracle Network |
Off-Chain Executor Risk | Executor (Off-Chain) | Guardian (Off-Chain) | Gateway Service (Off-Chain) | ARM Committee (Off-Chain) |
Upgradeability / Admin Key Risk | Multi-sig (6/12) | Multi-sig (9/19) | Multi-sig (Axelar Foundation) | Multi-sig (Chainlink Labs) |
State Verification Method | Ultra Light Client (UCL) / Oracle | Signed VAAs (Wormhole Core) | Threshold Cryptography (TSS) | CCIP-Read with DON |
Economic Security / Slashing | Slashing for malicious acts | Slashing via DON stake | ||
Time to Finality for Security | ~3-4 mins (Ethereum PoS) | ~1-2 mins (Guardian consensus) | ~1-2 mins (TSS signing) | ~1-2 blocks (DON attestation) |
Historical Major Exploit Vector | Signature Verification (Stargate) | Guardian Impersonation (Solana) | Validator Key Compromise |
deep-dive
BEYOND THE CONTRACT
The Four Pillars of a Full-Stack Interoperability Audit
Modern cross-chain security requires auditing the entire transaction lifecycle, not just the smart contract code.
Smart contract audits are insufficient. They ignore the off-chain infrastructure that powers every cross-chain message. A full-stack audit must examine the relayer network, oracle design, and governance mechanisms that execute the protocol's logic.
The weakest link is off-chain. A bridge's security is defined by its lowest-trust component. A perfect contract fails if its attested state root relies on a centralized oracle or if its off-chain verifiers have a single point of failure.
Audit the economic layer. Analyze the incentive alignment for relayers and watchers. Protocols like Across and LayerZero use bonded economic security; an audit must stress-test these cryptoeconomic assumptions under adversarial conditions.
Evidence: The Wormhole and Nomad exploits targeted the off-chain guardian/processor networks, not the core contract logic, resulting in losses exceeding $1.5B. This validates the need for holistic security reviews.
case-study
BEYOND THE SMART CONTRACT
Protocol Spotlight: Security Models Under the Microscope
The next generation of interoperability will be secured by holistic audits of off-chain infrastructure, economic incentives, and governance, not just on-chain code.
01
The Problem: The Oracle is the Bridge
Most cross-chain protocols like LayerZero and Wormhole rely on external oracle/relayer networks for message attestation. The smart contract is just a mailbox; the real security boundary is a multi-sig or a permissioned set of nodes. Auditing must shift to these off-chain components and their governance.
- Attack Surface: Compromise of ~19/31 guardian nodes (Wormhole) or the LayerZero Oracle/Relayer set.
- Real-World Impact: The $325M Wormhole exploit originated from a signature validation flaw in the guardian network's off-chain code.
~31
Guardian Nodes
$325M
Historic Exploit
02
The Solution: Economic Security as a First-Class Audit
Protocols like Across and Chainlink CCIP bake cryptoeconomic security directly into the bridge design. Auditors must now model capital efficiency, slashing conditions, and liquidity provider incentives as core security parameters.
- Key Metric: Bond size vs. Max Transfer defines the economic cost of an attack.
- Real-World Example: Across uses a bonded relayer model with fraud proofs, making attacks capital-intensive and detectable.
10-100x
Bond Multiplier
Optimistic
Security Model
03
The Problem: Intent-Based Routing is a Black Box
Architectures like UniswapX and CowSwap's CoW Protocol delegate transaction routing to off-chain solvers. User security now depends on the solver competition mechanism and its resistance to MEV extraction and collusion.
- Audit Focus: The solver selection algorithm, fee auction mechanics, and timeout/fallback logic.
- Hidden Risk: A dominant solver or cartel can extract value while appearing to offer 'best execution'.
~3s
Auction Window
Solver Cartel
Primary Risk
04
The Solution: Verifiable Execution with ZK Proofs
Projects like Polygon zkBridge and Succinct Labs are moving the security guarantee from social consensus to mathematical proof. The audit scope changes from 'who signs' to 'is the cryptographic proof valid?'.
- Key Benefit: Trust minimization—security reduces to the validity of the ZK-SNARK verifier contract.
- New Audit Vector: Correctness of the circuit logic and prover/verifier implementation off-chain.
ZK-SNARK
Core Tech
Trustless
Security Model
05
The Problem: Upgrade Keys Are a Single Point of Failure
Nearly every major bridge, including Multichain (RIP) and Portal, has a privileged admin key for upgrades and pausing. The smart contract audit is irrelevant if the multi-sig signers are compromised or malicious.
- Critical Failure: The Multichain collapse was triggered by authorized key holder access, not a code bug.
- Audit Mandate: Must include governance delay, timelock duration, and signer identity analysis.
5/8
Typical Multi-sig
48h+
Safe Timelock
06
The Solution: Progressive Decentralization as a Security Roadmap
Forward-looking protocols publish and adhere to a clear, verifiable path to remove admin keys. Auditors should score projects on the specificity and enforceability of their decentralization commitments, like those outlined by Chainlink and Arbitrum.
- Key Metric: Time-to-immutability and the existence of on-chain, permissionless governance triggers.
- Investor Signal: A detailed decentralization roadmap is now a more critical document than the whitepaper.
Roadmap
Critical Doc
On-Chain
Governance Goal
FREQUENTLY ASKED QUESTIONS
FAQ: The Builder's Guide to Full-Stack Security
Common questions about securing modern, multi-chain applications where interoperability demands audits beyond just smart contracts.
The primary risks are smart contract vulnerabilities, centralized relayers, and validator set failures. While exploits like the Wormhole and Nomad hacks dominate headlines, systemic risks like liveness failures in LayerZero oracles or governance attacks on Axelar are equally critical. Audits must cover the entire stack.
takeaways
BEYOND THE SMART CONTRACT
TL;DR: The Non-Negotiable Audit Checklist
Interoperability is the new attack surface. Auditing just the contract is like checking the engine but ignoring the highway.
01
The Problem: The Bridge is a Black Box
You can't audit what you can't see. Off-chain relayers, oracles, and sequencers handle ~99% of cross-chain transaction logic. Their liveness and correctness are assumed, not verified.
- Attack Vector: Byzantine or censoring relayers can freeze $10B+ in bridged assets.
- Audit Gap: Traditional audits ignore the network layer and economic security of external actors.
99%
Logic Off-Chain
$10B+
At Risk
02
The Solution: End-to-End Message Integrity
Audit the entire data lifecycle. Prove that a message sent on Chain A is the exact message executed on Chain B, with cryptographic finality.
- Verification: Require Merkle proofs or ZK proofs of state transitions, not just event signatures.
- Tools: Scrutinize implementations of LayerZero's DVNs, Axelar's interchain amplifiers, and Wormhole's Guardian network for single points of failure.
ZK Proofs
Gold Standard
0
Trust Assumptions
03
The Problem: Economic Security is an Afterthought
A bridge with $200M in TVL secured by $20M in staked tokens has a 10x mismatch. Slashing conditions are often theoretical and untested.
- Real Risk: Nomad's $190M exploit was enabled by a faulty
proveAndProcessfunction and trivial economic security. - Audit Gap: Models for validator/staker collusion and liveness penalties are glossed over.
10x
TVL/Security Mismatch
$190M
Historic Exploit
04
The Solution: Stress-Test the Incentive Layer
Model adversary profits under maximum extractable value (MEV) and liquidation cascades. The security budget must exceed the attack profit.
- Requirement: Audit the bonding, slashing, and reward mechanisms of networks like Across and Synapse.
- Metric: Ensure the cost-to-corrupt is 5-10x the value at risk, with clear liquidation pathways.
5-10x
Safety Ratio
MEV
Primary Vector
05
The Problem: Upgrade Keys Are a Time Bomb
A multi-sig of 5/9 dev keys controlling a $1B+ bridge is not decentralized; it's a honeypot. Timelocks are often insufficient or can be bypassed.
- Centralization Risk: The Poly Network exploit and Wormhole pause highlight admin key vulnerabilities.
- Audit Gap: Governance and upgrade procedures are treated as an ops manual, not a security protocol.
5/9
Common Multi-sig
$1B+
Single Point of Failure
06
The Solution: Enforce Decentralized Governance & Timelocks
Treat the upgrade path as a core protocol component. Mandate on-chain, token-weighted voting and immutable timelocks > 14 days for all critical changes.
- Verification: Audit the permissionlessness of the governance process and the irreversibility of the timelock.
- Standard: Move beyond multi-sigs to systems like Connext's upgradable modules or Cosmos IBC's client governance.
14+ Days
Min Timelock
On-Chain
Governance Only
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall