Bridge Security Model

This model relies on a centralized entity or a designated federated multisig to hold custody of assets. Users deposit assets into a wallet controlled by the bridge operators, who then mint a representation on the destination chain.

• Trust Assumption: Users must trust the honesty and security of the bridge operators.
• Failure Mode: A malicious or compromised operator can steal all custodial funds.
• Example: Early versions of the Wrapped Bitcoin (WBTC) bridge.

Security is derived from the underlying blockchain's consensus and a decentralized network of validators or oracles. These actors stake a bond (economic collateral) and are slashed for malicious behavior.

• Trust Assumption: Users trust the economic security (stake) and the honesty of the majority of validators.
• Failure Mode: A 51% attack on the validator set or a critical bug in the bridge's smart contract code.
• Examples: LayerZero (Decentralized Oracle Network), Axelar (Proof-of-Stake validator set).

The bridge runs a light client of one chain on the other. Relayers submit cryptographic proofs (like Merkle proofs) to verify the state and transactions of the source chain directly on the destination chain.

• Trust Assumption: Users trust the cryptographic security of the underlying chains and the correctness of the light client implementation.
• Failure Mode: A successful 51% attack on the source chain can generate fraudulent proofs.
• Examples: IBC (Inter-Blockchain Communication) protocol, Near Rainbow Bridge.

Also known as Lock-and-Mint / Burn-and-Mint, this model uses a canonical token on the destination chain backed by a liquidity pool on the source chain. A liquidity provider (LP) network facilitates swaps.

• Security Focus: Shifts from bridge validation to the economic security of the liquidity pools and the correctness of the atomic swap contracts.
• Failure Mode: Impermanent loss for LPs, smart contract bugs in the pool, or insufficient liquidity (slippage).
• Examples: Connext, Hop Protocol.

Inspired by optimistic rollups, this model assumes all state transitions are valid unless challenged. A fraud proof window allows watchers to dispute invalid transactions, reverting them and slashing the bond of the fraudulent actor.

• Trust Assumption: Users trust that at least one honest watcher exists to submit a fraud proof within the challenge period.
• Failure Mode: No honest watcher is monitoring, or the challenge period is too short.
• Example: Nomad bridge (prior to its exploit, which highlighted implementation risks).

A critical component of decentralized models. Validators or relayers must post a bond (stake) that can be slashed for provably malicious actions, such as signing conflicting messages.

• Purpose: Aligns economic incentives with honest behavior.
• Key Metric: Total Value Secured (TVS) vs. Total Value Locked (TVL). A high TVS/TVL ratio indicates strong economic security.
• Risk: Correlated slashing events, where a bug causes honest validators to be incorrectly penalized.

Bridge security is fundamentally categorized by its trust assumptions. Trust-minimized bridges rely on cryptographic proofs verified on-chain, requiring trust only in the security of the underlying blockchains. Trusted (or federated) bridges rely on a permissioned set of external validators or a multi-signature wallet, requiring trust in that committee's honesty and security. Hybrid models combine elements of both, such as using light clients with economic staking slashing.

Bridges are high-value targets for several critical attack vectors:

• Validator Compromise: Gaining control of a majority of a trusted bridge's validators to sign fraudulent transactions.
• Software Bugs & Logic Flaws: Exploiting vulnerabilities in the bridge's smart contracts or off-chain relay software.
• Economic Attacks: Overwhelming the system's economic security (e.g., tricking light clients with fake block headers).
• Frontend/UI Attacks: Hijacking the bridge's website to redirect user funds (a common phishing vector).

Most bridges act as oracles, reporting state information (e.g., "Transaction X happened on Chain A") from one chain to another. This creates a critical data availability and authenticity problem. Attackers aim to feed the destination chain with fraudulent state proofs. Solutions include using light client verification, optimistic challenge periods, and zero-knowledge proofs to make oracle reports cryptographically verifiable.

Bridges that use locked & mint or pooled liquidity models introduce specific risks. In locked & mint models, the canonical assets are custodied on the source chain; a compromise of the custodian contract leads to total loss. In liquidity pool models, users face slippage, impermanent loss, and the risk of the pool's liquidity being drained through an exploit or a malicious withdrawal approved by compromised validators.

Bridges must correctly interpret the finality of transactions on connected chains. A bridge that acts before a transaction is truly final is vulnerable to reorg attacks, where an attacker deposits funds, the bridge releases them on the destination chain, and then the attacker reorganizes the source chain to erase the original deposit. This is a major risk when bridging to/from chains with probabilistic finality (e.g., proof-of-work).

Proactive security requires robust monitoring of bridge validator sets, contract admin keys, and transaction patterns. Key practices include:

• Implementing circuit breakers and pause functions for emergency shutdowns.
• Using multi-signature schemes with time locks for privileged operations.
• Maintaining bug bounty programs and undergoing regular third-party audits.
• Designing graceful degradation to limit loss scope during a partial compromise.

A trusted or federated bridge relies on a permissioned set of external validators (a multisig committee) to attest to cross-chain transactions. This model prioritizes speed and finality but introduces a trust assumption in the validator set.

• Examples: Multichain (formerly Anyswap), early versions of Polygon PoS Bridge.
• Security Trade-off: Users must trust the honesty and security of the designated validators, creating a central point of failure.

An optimistic bridge uses a challenge period during which any watcher can dispute invalid state transitions. A single honest verifier is sufficient to keep the system secure, assuming they are actively monitoring.

• Examples: Nomad Bridge (pre-hack), Across Protocol (using bonded relayers).
• Security Trade-off: Introduces a delay (the challenge window) for full finality but can reduce operational costs compared to live validation.

This model uses cryptographic light clients to verify block headers and Merkle proofs (like SPV proofs) on the destination chain. Security is derived directly from the underlying blockchain's consensus.

• Examples: IBC (Inter-Blockchain Communication), Near Rainbow Bridge.
• Security Trade-off: Maximally trust-minimized but can be computationally expensive to verify on-chain, limiting generalizability.

Also known as atomic swap bridges or liquidity networks, this model does not mint wrapped assets. Instead, it uses liquidity pools on both chains and hash time-locked contracts (HTLCs) to facilitate atomic, non-custodial swaps.

• Examples: Connext, Chainflip.
• Security Trade-off: Eliminates custodial and minting risk but is limited by the depth of available liquidity pools.

The most secure model where bridge validation logic is built directly into the blockchain's consensus protocol. Validators of one chain natively verify the state of another.

• Examples: Cosmos IBC (for Cosmos SDK chains), Polkadot XCM (for parachains).
• Security Trade-off: Offers the highest security but requires deep protocol-level integration and shared validator sets or governance.

This model secures the bridge by requiring validators to post substantial economic bonds (stake) that can be slashed for malicious behavior. Security is tied to the cost of attacking the system.

• Examples: Axelar, LayerZero (with its Oracle and Relayer set), Wormhole (Guardian network stake).
• Security Trade-off: Aligns validator incentives but concentrates risk if the bond value is low relative to the value secured.

Also known as a Lock & Mint / Burn & Mint bridge. Users' assets are locked on the source chain, and a wrapped representation is minted on the destination chain by a liquidity provider. Security depends on the custodial model of the locking contract and the collateralization of the minted assets.

• Example: Wrapped BTC (WBTC) on Ethereum.
• Risk Profile: Centralized custodial risk for the locked assets; relies on the minting entity's solvency and honesty.

A peer-to-peer, hash time-locked contract (HTLC) mechanism that enables the direct, non-custodial exchange of assets across different chains without an intermediary bridge operator.

• Key Mechanism: Uses cryptographic hash locks and time locks to ensure the swap either completes entirely for both parties or fails, reverting funds.
• Risk Profile: Minimizes trust but is limited by liquidity and is typically used for direct swaps rather than generalized messaging.