Summary of Uniswap Foundation's Bridge Assessment Report
The highly anticipated “Bridge Assessment” was released by the Uniswap Foundation Bridge Committee today. Recognizing that most won’t have the time to read the entire report, here’s a summary highlighting the Committee’s outlook on some of the most popular Arbitrary Messaging Bridges (AMBs).
Note that each of the opinions in this summary belongs to the Uniswap Bridge Committee — not LI.FI!
Let’s dive in!
Biggest Talking Points
Below are some of the noteworthy points from the report:
The Committee evaluated six bridges and approved two: Wormhole and Axelar.
Wormhole fully satisfied the requirements of the bridge committee for Uniswap DAO’s cross-chain governance use case.
Axelar was conditionally approved, contingent on its transition away from multisig governance (which does not impact its core security).
It was deemed that the other four bridges do not currently satisfy the requirements of the Uniswap governance use case and were recommended to be reassessed based on certain conditions.
LayerZero's default configuration does not currently meet the full breadth of the requirements for Uniswap’s governance use case. However, the Committee recommended reassessing LayerZero’s new configuration after at least three months of active usage.
The committee raised concerns about Celer’s PoS distribution, lack of a slashing mechanism, and transparency issues, among others. Celer will be reassessed after six months if the identified issues are resolved.
The committee recommended that deBridge be reassessed at a later time, as significant changes to its security guarantees are expected in the near future with the launch of a token and the move to a PoS system with slashing.
The committee raised concerns over Multichain’s lack of clarity in its trust model, security, transparency, and limited technical documentation and recommended they focus on clarifying the issues.
The Committee concluded that a multi-bridge architecture is the best option for Uniswap's cross-chain governance in the future.
Current multi-bridge solutions (Hashi, Hyperlane, MMA) show promise but are not ready.
At least 3 mature bridges are needed to make a secure bridge set (assuming a 2-of-3 quorum).
Bridge Assessments
Author’s Note: The UF Bridge Committee's report evaluates bridges to meet Uniswap's cross-chain governance requirements.
To conduct these evaluations, the Committee devised a thorough framework comprising well-defined criteria and objectives. Building upon some of the early work on Cross-Chain Risk Framework by ConsenSys and LI.FI, the framework further elaborates on 20 subcategories and includes 130 assessment questions.
Furthermore, the Committee has made actionable recommendations to each bridge to enhance its overall security measures.
Wormhole
Verdict: Approved, subject to continued monitoring for changes to its core security model.
Positive Notes
Most of Wormhole’s 19 validators are distinct reputable entities operating core blockchain infrastructure.
Wormhole provides good transparency through public accountability and auditability of validator actions.
Wormhole’s codebase is mature and aligns with documentation.
Wormhole made substantial improvements in its DevSecOps practices after the hack in 2022.
Concerns
A few validators are new small businesses, and some face high latency in confirming txs.
Some validators have low participation rates. At least three validators participate in less than 50% of transactions, with one as low as 21%.
Recommendations
Increase decentralization of validators while maintaining high quality.
Enhance in-protocol assurances and incentive models for validators to ensure minimum performance.
Develop tools to provide insights into additional metrics on validator performance.
Read the Bridge Committee’s full assessment of Wormhole here.
Axelar
Verdict: Approved, subject to Axelar’s move away from multisig governance in Q2 2023.
Positive Notes
Axelar's PoS mechanism provides robust cryptoeconomic security.
Axelar’s validator set, with 70 active validators and 60% safety thresholds for ensuring safety and liveness, is sufficient for Uniswap’s governance use case.
Axelar’s tech stack adheres to high standards, and its implementation aligns with the technical documentation.
Axelar offers significant visibility into validator operations and relevant security parameters governing the network.
Concerns
Axelar employs a 4-of-8 multisig setup for governing key protocol aspects.
Therefore, its approval is contingent upon successfully moving away from this multi-sig arrangement by Q2 2023 (July 31).
The volatility of the AXL token may undermine Axelar's cryptoeconomic security.
To address this, Axelar is working on securing the protocol with a basket of assets that include other Cosmos-based tokens.
Recommendations
Publish an updated whitepaper soon, as the current version contains outdated information on the protocol’s safety and liveness thresholds.
Read the Bridge Committee’s full assessment of Axelar here.
LayerZero
Verdict: Recommended reassessment after at least three months of active usage of its new configuration.
Important Note: The assessment of LayerZero was conducted before the launch of its ZK Client with Polyhedra and is restricted to its default configuration available at the time.
Concerns
The security guarantees of LayerZero’s default configuration do not currently meet the requirements for Uniswap’s governance use case.
Validating a message requires the signatures of three Oracle nodes and one Relayer, which are relatively low thresholds.
LayerZero offers custom configuration options, but this is not an option currently for Uniswap DAO due to the operational overhead.
LayerZero's off-chain components, such as the Relayer and Oracle code, still need to be audited.
LayerZero's off-chain components are currently not open-source.
Recommendations
Implement the new configuration that involves 11 entities operating a decentralized network of Relayers and Oracles (with a threshold of 7 out of 11 required for message validation).
The off-chain components should be open-sourced, audited, and included in the bug bounty.
Reassess LayerZero after the new configuration has been actively operational for at least three months and has demonstrated sufficient usage.
Note: the committee believes LayerZero is “on a path” to fully satisfy the requirements necessary for cross-chain governance for Uniswap DAO.
Read the Bridge Committee’s full assessment of LayerZero here.
Celer
Verdict: Recommended reassessment after six months if the identified issues are materially ameliorated.
Concerns
Collusion of as few as six validators could compromise Celer’s safety. Moreover, the protocol’s cryptoeconomic guarantees lack protection against such scenarios.
Celer does not have a functional slashing mechanism.
Lack of transparency around the validator set (20 validators).
A few entities could be running multiple validators, resulting in fewer than 18 distinct validators.
Operational processes governing important protocol updates lack transparency.
Celer is governed by a 3/5 multisig (2/5 if required) that can make significant changes to security parameters.
The role and volatility of the CELR token can expose Celer to sophisticated economic attacks.
Recommendations
Maturity of the codebase can be improved, including audits and documentation.
Uniswap to reassess Celer after at least six months, provided these issues are resolved.
Read the Bridge Committee’s full assessment of Celer here.
deBridge
Verdict: Recommended reassessment once the governance token and the slashing/delegated staking system have been introduced, established, and matured.
Concerns
Several of deBridge's security guarantees are expected to undergo significant changes in the near future.
deBridge’s current validator set (8-of-12 threshold) falls short of Uniswap’s security requirements (only 11 validators are operational right now, and 2/3 of validators must sign a message for it to be considered valid).
The delegated staking and slashing mechanisms have yet to be fully implemented.
deBridge's bug bounty of $200k is low.
Concerns around deBridge’s maturity — documentation primarily focuses on desired state rather than the current implementation.
Recommendations
Uniswap can reassess deBridge after it has successfully transitioned to its planned Proof-of-Stake upgrade and has been operational for a sufficient duration.
Read the Bridge Committee’s full assessment of deBridge here.
Multichain
Verdict: Recommended to focus on clarifying issues around the security model of the protocol and improving transparency before it can be reassessed.
Concerns
Multichain's trust model, security assumptions, and protocol properties are unclear.
Multichain does not have any mechanism to ensure validator independence and it is difficult to determine the level of centralization of the validator set since the protocol is permissionless.
Multichain lacks cryptoeconomic guarantees.
The absence of disincentives for validator collusion leads to an ambiguous security model.
Multichain lacks transparency and auditability concerning critical security properties (e.g., the threshold for signing messages).
Limited technical documentation is available.
There are notable implementation risks associated with Multichain's core cryptographic components, as highlighted in audit reports and the critical security vulnerability discovered in March 2023.
Recommendations
Prioritize addressing fundamental issues identified.
Take necessary steps to improve the protocol's security and transparency.
Provide clear documentation of the protocol's fundamental security properties.
Improve the implementation of core cryptographic components.
Read the Bridge Committee’s full assessment of Multichain here.
Multi-Bridge Designs
Author’s Note: The Committee concluded that a multi-bridge architecture is the most suitable option for Uniswap's future cross-chain governance. However, these solutions are not yet ready for production.
The Committee suggests that a multi-bridge solution should consist of at least three bridges in the bridge set, assuming a 2-of-3 quorum, to derive meaningful benefits from the architecture.
Furthermore, the Committee recommends using multi-bridge solutions for L1 and side-chain deployments. However, for L2s, the Committee believes that native L2 bridges should continue to be utilized.
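The reasoning behind "at least three bridges, assuming a 2-of-3 quorum" can be checked by enumerating single-bridge failures. The following Python sketch is an added example, not code from the report or from any bridge project; the bridge states, payload strings and function names are hypothetical, and it assumes each bridge delivers at most one payload per governance message.

```python
from itertools import product

# Hypothetical model: every bridge in the set relays the same governance
# message to the destination chain and is in exactly one of three states.
HONEST, DOWN, COMPROMISED = "honest", "down", "compromised"

GENUINE = "payload-from-uniswap-governance"  # constructed sample payload
FORGED = "payload-from-attacker"             # constructed sample payload


def deliveries(states):
    """Payload each bridge delivers: genuine, nothing (None), or a forgery."""
    out = {HONEST: GENUINE, DOWN: None, COMPROMISED: FORGED}
    return [out[s] for s in states]


def executed(states, quorum):
    """Payloads the receiver executes: those delivered by >= quorum bridges."""
    delivered = deliveries(states)
    return {p for p in set(delivered)
            if p is not None and delivered.count(p) >= quorum}


def tolerates_one_fault(n_bridges, quorum):
    """Return (safe, live) over every scenario with at most one faulty bridge.

    safe: a forged payload is never executed
    live: the genuine payload is always executed
    """
    safe = live = True
    for states in product((HONEST, DOWN, COMPROMISED), repeat=n_bridges):
        if sum(s != HONEST for s in states) > 1:
            continue  # only single-bridge failures are in scope
        result = executed(states, quorum)
        safe = safe and FORGED not in result
        live = live and GENUINE in result
    return safe, live


if __name__ == "__main__":
    # Compare a single bridge, both two-bridge options, and 2-of-3.
    for n, q in [(1, 1), (2, 1), (2, 2), (3, 2)]:
        safe, live = tolerates_one_fault(n, q)
        print(f"{q}-of-{n}: safe={safe} live={live}")
```

With two bridges, a 1-of-2 quorum loses safety and a 2-of-2 quorum loses liveness as soon as one bridge fails; 2-of-3 is the smallest configuration in this model that keeps both.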
Below is a table that summarizes the Committee’s outlook on the different multi-bridge solutions (Hashi, Hyperlane, MMA):
Recommendations from the Committee:
Uniswap Foundation funds an assessment of ERC-5164 as a potential standard interface for bridges.
If deemed suitable, the UF should request selected bridges to build ERC-5164 compliant bridge adapters.
Work with multi-bridge protocol teams to ensure the development and integration of connectors for ERC-5164-compliant bridge adapters.
UF’s Future Plans
The Uniswap Foundation plans to fund a work stream for cross-chain governance with the following scope:
Ensuring continuous monitoring of previously assessed bridges.
Addressing the community’s questions about the framework.
Implementing some architectural improvements to Uniswap's cross-chain governance flow.
Subsidizing an ad hoc grants program to conduct bridge assessments or re-assessments in the future.
Moreover, the UF has committed to funding an audit of the MMA code by Trail of Bits.