A trust assumption is a condition or entity that users must rely on for the system to function correctly and securely. In cross-chain communication, these assumptions dictate who or what is responsible for validating and relaying messages between blockchains. The core models are: trust-minimized (relying on cryptographic proofs and economic security), trusted (relying on a known set of entities), and hybrid models that combine elements of both. Misunderstanding these models is a primary cause of security failures, as seen in bridge hacks like Wormhole and Ronin.
LABS
Guides
How to Identify Cross-Chain Trust Assumptions
A technical guide for developers to systematically analyze and evaluate the trust models of cross-chain protocols like bridges, oracles, and messaging layers.
Chainscore © 2026
introduction
INTRODUCTION
How to Identify Cross-Chain Trust Assumptions
Every cross-chain bridge or protocol operates on a specific set of trust assumptions that define its security model. Identifying these is the first step in evaluating any interoperability solution.
To identify a protocol's trust model, start by examining its verification mechanism. Does it use light client proofs, like IBC's Tendermint light clients? Does it rely on a multi-signature committee, like many canonical bridges (e.g., Polygon PoS Bridge)? Or does it use an optimistic challenge period, like Optimism's cross-chain messaging? The verification layer reveals the fundamental security guarantor. For example, a bridge using a 5-of-9 multisig places trust in those specific signers, while a zero-knowledge proof-based bridge like zkBridge places trust in the underlying cryptographic assumptions and the correctness of its circuit.
Next, analyze the data availability and execution layer. Where is the transaction data posted and who can submit it? Some models, like rollup bridges, post data to a base layer like Ethereum, making it publicly verifiable. Others may rely on a smaller set of permissioned relayers to submit data, creating a potential censorship vector. A key question is: if the primary validating entity fails or acts maliciously, is there a cryptoeconomic slashing mechanism or a fraud proof window that allows others to intervene? The presence and robustness of these safeguards define the trust recovery process.
Finally, map the governance and upgradeability controls. Who can change the protocol's core parameters or upgrade its smart contracts? A system with a 7-day Timelock controlled by a decentralized autonomous organization (DAO) presents different risks than one where a single admin key can instantly upgrade contracts. Real-world analysis shows that admin key compromises are a frequent attack vector. Always check the owner or admin functions in the bridge's smart contracts on Etherscan or a block explorer to understand the centralization risks in the upgrade path.
prerequisites
PREREQUISITES
How to Identify Cross-Chain Trust Assumptions
Before building or using a cross-chain application, you must understand the trust models that secure the assets and data you're moving. This guide explains how to analyze and categorize these fundamental security assumptions.
A trust assumption defines the set of entities or mechanisms you must rely on for a system to function correctly and securely. In cross-chain communication, these assumptions are critical because they represent the security floor—if they fail, user funds or data can be lost. Unlike a single blockchain where security is consolidated (e.g., trusting Bitcoin's proof-of-work miners), cross-chain systems introduce new trust vectors. The primary models are trust-minimized (cryptographic/economic), federated (multi-party), and trusted (centralized). Identifying which model a bridge or protocol uses is the first step in evaluating its risk profile.
To identify the trust model, examine the validators or attestors. For a trust-minimized bridge like the IBC protocol, security is inherited from the connected chains' consensus; you trust the validators of chain A to correctly relay state proofs to chain B. A federated model, used by many token bridges, relies on a known set of off-chain parties (a multisig or committee) to attest to events. Here, you must trust that a majority of these parties are honest. A fully trusted model involves a single custodian, like a centralized exchange's bridge, where you trust that entity's internal security and honesty completely.
Next, analyze the data availability and verification mechanism. Trust-minimized systems typically use on-chain light clients or zero-knowledge proofs to verify state from another chain autonomously. For example, a zkBridge uses a zk-SNARK proof to verify that an event occurred on a source chain, requiring no additional trust in relayers. In contrast, a federated system often uses off-chain attestations (signed messages) that are posted on-chain; you must trust that the attested data is correct. Check the smart contract or protocol documentation to see if it verifies cryptographic proofs or merely checks signatures from a known set.
Finally, consider the economic security and slashing conditions. Trust-minimized bridges that use bonded validators (like Cosmos IBC) can slash staked tokens for malicious behavior, creating a strong cryptographic-economic deterrent. Federated models may have slashing or legal agreements, but the security is often more social than cryptographic. Trusted models have no on-chain slashing; recourse is purely legal. By mapping out these three components—validator set, verification method, and economic guarantees—you can clearly articulate the trust assumptions of any cross-chain system you interact with or build upon.
trust-model-framework
CROSS-CHAIN SECURITY
A Framework for Trust Models
Understanding the security assumptions behind different cross-chain communication protocols is critical for developers and users. This framework categorizes the primary trust models.
Cross-chain bridges and messaging protocols operate on a spectrum of trust, defined by the security assumptions users must accept. At one end, you have trust-minimized models that rely on cryptographic proofs and the security of the underlying blockchains. At the other, trusted models depend on a committee or federation of external validators. The core question is: Who or what is responsible for verifying and relaying the cross-chain state? The answer determines the protocol's security, liveness guarantees, and potential attack vectors.
The most trust-minimized model is native verification. Protocols like IBC (Inter-Blockchain Communication) and some optimistic or zk-rollup bridges fall into this category. Here, the destination chain runs a light client of the source chain, verifying the cryptographic proofs of state transitions directly. Security is inherited from the source chain's consensus mechanism. For example, a Cosmos chain using IBC verifies Tendermint consensus signatures. This model offers strong security but requires compatible consensus algorithms and can be computationally expensive.
Externally verified models introduce a third-party network of provers or attestors. This includes optimistic systems with a fraud-proving window (like Arbitrum's cross-chain messaging) and zero-knowledge (zk) systems using validity proofs (like zkBridge). Users trust the cryptographic soundness of the proof system and the liveness of the prover network. While the trust in individual actors is reduced, you must trust the correctness of the complex cryptographic implementation and the economic incentives for honest proving.
The federated or multisig model is the most common for app-specific bridges. A predefined set of entities (often the project team and partners) control a multisig wallet or run validator nodes. Cross-chain messages are only passed when a threshold of signatures is collected. Users must trust that a majority of these entities will not collude to steal funds. This model is simpler to implement but centralizes risk, as seen in incidents like the Wormhole and Ronin bridge hacks where attacker compromised validator keys.
To evaluate a protocol, map its components to this framework. Ask: Does it use light clients? Are proofs generated by permissionless provers or a designated committee? Is there a fraud-proof window? For developers, the choice involves trade-offs between security, generality, and cost. A native verification bridge between two EVM chains using Ethereum as a hub (like the Polymer protocol's vision) maximizes security but has higher development complexity. A multisig bridge can be deployed quickly for a new app-chain but introduces custodial risk.
Ultimately, no model is perfect. The framework helps you identify the weakest link in the security assumption. When using or building cross-chain applications, explicitly document these assumptions. For users, this means understanding if their safety depends on Ethereum's validators, a zk-SNARK circuit, or the integrity of a 5-of-9 multisig held by named entities. This clarity is the first step in managing cross-chain risk.
key-concepts
CROSS-CHAIN SECURITY
Key Trust Components
Every cross-chain interaction relies on a specific set of trust assumptions. Understanding these components is essential for evaluating protocol security and risk.
03
Custody Models
This defines who holds the locked/wrapped assets on the source chain. It's a major point of failure.
- Lock & Mint: Assets are locked in a smart contract or custodian vault on Chain A, and a representation is minted on Chain B.
- Liquidity Networks: Use liquidity providers (LPs) on both sides; assets are not locked but swapped via pools (e.g., Connext).
- Risk: A centralized custodian or a buggy vault contract can lead to total loss of funds.
$2B+
Lost to Bridge Hacks (2021-2023)
06
Economic Security & Slashing
What financial incentives ensure honest behavior? Economic security is the cost to attack the system versus the potential reward.
- Bonded Stake: Validators must stake assets (e.g., ETH, AXL) that can be slashed for malicious actions.
- Coverage vs. TVL: Is the total bonded value sufficient to cover the Total Value Locked (TVL) in the bridge? A $10M bond securing $1B TVL is insufficient.
- Insurance Funds: Some protocols maintain a treasury to cover user losses in case of a failure.
>100x
Typical TVL to Bond Ratio Risk
CORE ARCHITECTURE
Trust Model Comparison: Major Protocols
A comparison of the primary trust assumptions and security models for leading cross-chain messaging protocols.
| Trust Model & Feature | LayerZero | Wormhole | Axelar | Chainlink CCIP |
|---|---|---|---|---|
Primary Trust Assumption | Decentralized Verifier Network | Guardian Multisig (19/34) | Proof-of-Stake Validator Set | Decentralized Oracle Network |
Validator/Guardian Count | ~30 Decentralized Verifiers | 34 Guardians | 75+ Validators | Independent Oracle Nodes |
Fault Tolerance (Byzantine) |
|
|
|
|
Economic Security / Slashing | Yes (via Stargate) | No (Reputation-based) | Yes (AXL staking) | Yes (LINK staking & slashing) |
Execution Environment | On-Chain Light Client + Executor | Off-Chain Guardian Attestation | Gateway Smart Contracts | On-Chain Router + Off-Chain Network |
Time to Finality | Block confirmation + proof generation | Guardian observation period | Validator set finality + proof | Block confirmation + DON consensus |
Native Token for Security | No (optional for staking) | No | Yes (AXL) | Yes (LINK) |
Permissionless Validation | Permissioned set, moving to permissionless | Permissioned Guardian set | Permissioned set, governed by AXL | Permissionless node operation |
audit-methodology
SECURITY GUIDE
Step-by-Step Audit Methodology
A systematic approach to deconstructing and evaluating the trust assumptions of cross-chain bridges and messaging protocols.
Auditing a cross-chain system begins with mapping its trust model. Identify the core components: the verification layer (e.g., light clients, optimistic games, multi-signature committees), the messaging layer (protocols like LayerZero's Ultra Light Node, Wormhole's Guardians, Axelar's validators), and the execution layer (target chain smart contracts). Document the exact data flow: where a message originates, how it is attested, and which entities have the authority to finalize its state on the destination chain. This architectural map reveals the initial set of trusted actors and cryptographic assumptions.
Next, analyze the security of each trust component in isolation. For a multi-signature bridge, audit the validator set management: is the governance upgradeable? What are the slashing conditions? For a light client bridge, verify the on-chain verification logic. For example, an IBC light client on Ethereum must correctly verify Tendermint consensus proofs; your audit must check for proper handling of validator set updates and misbehavior evidence. For optimistic bridges, scrutinize the fraud proof window duration, challenge mechanism, and bond economics. Use tools like Slither or Foundry to write invariant tests for these components.
The critical phase is testing the integration points between components, where most vulnerabilities reside. Examine how the messaging layer interacts with the verification layer. A common flaw is a mismatch where the messaging contract accepts messages from an outdated or incorrectly proven state root. Check for single points of failure: can a compromise in the off-chain relayer network or the oracle feed drain funds even if the on-chain code is correct? Perform scenario analysis for consensus attacks (e.g., 51% attack on the source chain) and liveness failures to see how the system degrades.
Finally, evaluate the system's economic security and governance. Calculate the cost to corrupt the trust assumption. For a validator set with a $10M stake, the attack cost is not $10M but the cost to bribe or compromise a threshold of keys. Review governance proposals and timelocks: can a malicious upgrade be pushed through? Assess failure modes: what happens if a core relayer goes offline? Document these findings in a risk matrix, categorizing issues by likelihood and impact, to provide a clear, actionable security assessment for developers and users.
code-analysis-tools
TRUST ASSESSMENT
Tools for Code-Level Analysis
Understanding a bridge's security requires analyzing its on-chain code. These tools help you audit smart contracts, verify upgradeability, and map trust assumptions.
TRUST ASSUMPTIONS
Frequently Asked Questions
Understanding the trust models behind cross-chain bridges is critical for secure development and user protection. These answers address common developer questions about identifying and evaluating bridge security.
Cross-chain bridges operate on three primary trust models, each with distinct security implications for developers and users.
1. Trusted (Custodial) Bridges:
- How it works: A centralized entity or federation holds the locked assets on the source chain and mints representations on the destination chain.
- Trust Assumption: Users must trust the honesty and security of the custodian(s).
- Examples: Early versions of Binance Bridge, Wrapped BTC (WBTC) on Ethereum.
2. Trust-Minimized (Optimistic) Bridges:
- How it works: A set of validators or watchtowers attest to state changes. Fraud proofs allow assets to be slashed if malicious activity is detected within a challenge period.
- Trust Assumption: Users assume at least one honest participant will submit fraud proofs.
- Examples: Nomad (pre-hack model), Across.
3. Trustless (Native) Bridges:
- How it works: Security is derived directly from the underlying blockchains using light clients or validity proofs (ZK-SNARKs/STARKs).
- Trust Assumption: Users trust only the consensus security of the two connected chains.
- Examples: IBC (Cosmos), rollup bridges like Arbitrum and Optimism, zkBridge.
resource-links
DEVELOPER REFERENCES
Resources and Further Reading
These resources help developers and researchers analyze the trust assumptions behind cross-chain bridges, messaging layers, and interoperability protocols. Each card points to a concrete tool, framework, or primary source used in real security reviews.
conclusion
KEY TAKEAWAYS
Conclusion and Next Steps
Identifying cross-chain trust assumptions is a foundational security skill. This guide has provided a framework for analyzing bridge designs, from trusted third parties to optimistic and zero-knowledge models.
The core principle is that all cross-chain communication introduces a trust vector. Your task is to map it. Start by asking: who or what is the ultimate authority for finality? Is it a multisig council (like Wormhole's 19/24 guardians), a decentralized validator set (like LayerZero's Oracle and Relayer), or the underlying blockchain's consensus (like IBC)? Document every external dependency, including price oracles for liquid staking tokens, off-chain relayers, and upgradeable smart contracts. Treat each component as a potential failure point.
To apply this analysis, use the trust spectrum as a practical tool. For high-value transfers, prioritize bridges leaning toward trust-minimization, such as canonical bridges (e.g., Arbitrum's L1/L2 bridge) or light-client-based systems (like IBC). For speed and cost-sensitive operations, you might accept the trade-offs of an optimistically verified bridge (like Across) or a ZK-verified bridge (like zkBridge). Always verify the current security model by checking the project's documentation and recent audits; assumptions can change with upgrades.
Your next step is hands-on verification. 1) Inspect the contracts: Use a block explorer to examine the bridge's verify function on the destination chain. Does it check signatures from a known set? Does it verify a Merkle proof from the source chain? 2) Monitor governance: Follow the project's forum and snapshot pages for upgrade proposals that could alter trust parameters. 3) Use monitoring tools: Services like Chainscore provide real-time alerts for bridge anomalies and security events, adding a layer of proactive defense to your analysis.
Continue your research with primary sources. Study the Chain Security Cross-Chain Bridge Risk Framework for a formalized assessment methodology. Review incident post-mortems, such as the Wormhole or Nomad bridge exploits, to see how trust assumptions failed in practice. Engaging with the developer communities on Discord or GitHub can provide insights into the operational security and roadmap of these critical protocols.