Full Report
Ethereum was a great prototype for a blockchain that can execute arbitrary code. However, at this point, it's fairly slow and pricey. As a result, many projects are trying to scale Ethereum and move assets to/from it. Doing so is very complicated! This wiki describes many of the patterns used for this, use cases and security threats. Just wanted to put here as documentation for later.
Analysis Summary
# Research: Crosschain Risk Framework
## Metadata
- Authors: Not explicitly listed (Document appears to be an ongoing, community-driven wiki/framework)
- Institution: Implicitly associated with the broader blockchain/security research community (Hosted on GitHub Pages)
- Publication: Crosschain Risk Framework Wiki
- Date: Last Update: October 13, 2023
## Abstract
This document serves as a systematic, high-level framework for surveying and analyzing the security risks inherent in crosschain interoperability protocols. Driven by the rapid proliferation of Layer-1s, Layer-2s, and modular architectures, the necessity for secure cross-chain communication (asset exchange, transfer, and general messaging) is critical. The research motivation stems from the significant financial losses observed in high-profile bridge hacks ($>\$2.5$ Billion stolen between 2021-2022), which severely undermined confidence in the multichain ecosystem. The framework identifies key stakeholder perspectives, classifies common crosschain interaction types, and establishes core security properties that such protocols must uphold.
## Research Objective
The primary objective is to provide a systematic overview of security risks in crosschain protocols by identifying, classifying, and analyzing the risk elements present in their design, implementation, and operation. A secondary goal is to offer a set of risk controls and best practices to mitigate the likelihood and severity of these risks, ultimately fostering more secure and robust crosschain infrastructure for the multichain future.
## Methodology
### Approach
The methodology is documentary and analytical, focusing on establishing a conceptual framework rather than empirical testing of specific protocols. It involves:
1. Identifying the context necessitating crosschain solutions (multichain adoption trends).
2. Classifying the fundamental types of crosschain interactions.
3. Identifying and analyzing stakeholders affected by crosschain risks.
4. Defining the fundamental security guarantees required of any crosschain interaction.
### Dataset/Environment
Not applicable in the traditional sense of testing. The analysis is based on the observed real-world deployment, adoption rates (e.g., $27B TVL in Ethereum bridges in late 2021), and noted security failures (bridge hacks totaling $>\$2.5$B).
### Tools & Technologies
The document itself acts as the primary tool—a structured wiki/framework—for reasoning about crosschain risks.
## Key Findings
### Primary Results
1. **The Multichain Future is Inevitable:** The convergence of L1 traction, L2 scaling roadmaps, modular blockchains, and application-specific chains validates the necessity of crosschain protocols to connect disparate ecosystems.
2. **High Incentive for Attack:** Despite enabling critical functionality, the rapid growth of crosschain usage has been met with devastating security failures, indicating significant unaddressed risks, leading to substantial monetary loss and regulatory scrutiny.
3. **Critical Security Properties:** Any functional crosschain protocol linking a source network to a destination network must guarantee three core security properties:
* **Validity:** Only states proven valid and final on the source network are communicated.
* **Liveness/Timeliness:** All relevant state transitions are relayed in a timely manner.
* **Invariance Preservation:** Any invariants established by the crosschain interactions are preserved across chains.
### Supporting Evidence
- **Financial Scale of Risk:** Token bridge hacks alone accounted for over two-thirds of all DeFi hacks between 2021 and 2022, totaling over US$2.5 Billion stolen.
### Novel Contributions
- **Stakeholder Analysis:** Explicitly defining and differentiating between direct users and various indirect stakeholders (Network Participants, Applications, Investors), whose incentives and risk exposures differ.
- **Interaction Taxonomy:** Categorizing crosschain protocols based on functionality: Asset Exchange, Asset Transfer (locking/minting synthetics), and General-Purpose Messaging (orchestration).
- **Security Property Definition:** Establishing the three fundamental security guarantees (Validity, Timeliness, Invariance Preservation) as the bedrock for risk assessment in crosschain dependencies.
## Technical Details
Crosschain interaction fundamentally relies on **dependency relationships** between networks, where a state change in one (the source) drives a state change in another (the destination). These dependencies can be unidirectional/bidirectional and transient/persistent. Protocol failures often arise when the mechanism guaranteeing the integrity of these state transitions (e.g., relayers, light clients, multisig validators) is compromised or flawed.
## Practical Implications
### For Security Practitioners
Practitioners must understand that crosschain security is not simply the sum of the underlying chain securities. The *interoperability mechanism itself* introduces a primary attack surface dependent on trust assumptions about external actors or external verification mechanisms (e.g., external validators, message relayers).
### For Defenders
Defenders must evaluate protocols based on how well they enforce the three core security properties. Mitigation strategies should target the weakest guarantee—often related to external consensus validation (light client complexity, external sequencer trust) or the economic incentives governing proofers/relayers.
### For Researchers
The framework suggests that future work must focus on formalizing risk assessments against these three core properties across different classes of crosschain designs (e.g., optimistic vs. ZK-based bridges). It also highlights the need to consider the security implications for indirect stakeholders.
## Limitations
The documentation explicitly states it is a "**work in progress**." A significant limitation acknowledged is that the analysis primarily focuses on **direct stakeholders** (Users) and does not deeply analyze every individual protocol or the complexities affecting indirect stakeholders (like underlying chain stability or investor influence).
## Comparison to Prior Work
This work positions itself as a high-level, systematic diagnostic toolkit intended to organize thought around crosschain risk, contrasting with analyses that might focus on vulnerability classes or specific protocol audits. It aims to provide a foundational vocabulary and set of objectives (the three core properties) for future comparative analysis.
## Real-world Applications
- Serving as a baseline checklist for due diligence on new crosschain protocols.
- Guiding the design choices for new interoperability solutions aiming for enhanced decentralization and trustlessness.
## Future Work
- Expanding the analysis to include the dynamics and risks affecting indirect stakeholders (Network Participants, Applications, Investors).
- Developing and integrating concrete risk controls and best practices aligned with the identified risk elements affecting the core security properties.
## References
- Vitalik Buterin: Ethereum scalability roadmap endgame.
- Emerging patterns in modular blockchains and application-specific chains (referenced via external links).
- DeFLLama data on bridge hacks (2021-2022 figures).
- Related research on DeFi hack statistics.