As Qi Dao has expanded its reach into an ever growing number of chains over the past several months, it has become imperative for the DAO to take risk management more seriously in order to better secure user and protocol funds. While we have worked on an extensive risk analysis framework directly influenced by Aave’s own risk matrix, we should now look to expand this risk analysis to encompass partnerships, liquidity providers, and as will be the focus of this article, cross-chain bridges.
What is a bridge?
For most DeFi users, a bridge is simply a way to transfer tokens from one blockchain to another. As the DeFi ecosystem has grown to encompass a larger set of layer 1 chains — and of course, level 2 chains as the need for larger transaction capacity and lower fees arises — bridges have become an integral part of users and protocols’ daily lives. Bridges serve as a means of connecting two chains which may often be home to different protocols, governance mechanisms, and rulesets securely (let’s hope), allowing users and protocols to chase the best yields, leverage arbitrage opportunities, or even just try to try something new.
Just like any other token or protocol, not all bridges are created equal, and so we must first look at the different types of bridging mechanisms.
How do bridges work?
While there may be some differences in the specific implementations across various different protocols, bridges generally fall into one of two categories: messaging bridges and liquidity networks.
A large number of already trusted bridges fall into the first category, including Multichain, Optimism and Polygon’s native bridges, Axelar, and others, while popular bridging protocols like Hop Protocol fall into the second. So what are the differences?
Messaging bridges allow users to transfer tokens from one chain to another either through locking or burning mechanisms on the source chain, then minting a native version of the same token on the destination chain.
Liquidity networks, on the other hand, essentially use liquidity pools across multiple chains to swap the assets from one chain to another with assets that have already been bridged through one of the various messaging bridges.
Let’s discuss how these two approaches differ when it comes to bridge security so we can begin to establish criteria and techniques for generating risk assessments on bridging solutions.
Bridge security
Due to the different approaches between the aforementioned bridge types, security is handled differently by each, but will generally fall into the following categories:
State Validation: bridges that verify state transitions across two chains, such as many layer 1 to layer 2 bridges.
Consensus Validation: bridges that verify consensus mechanisms across chains such as those on the Cosmos and Polkadot ecosystems.
Optimistic Validation: bridges that provide a challenge period to verify fraud proofs, such as Across. Be sure to check out the Across documentation for an excellent explainer on Optimistic bridges.
Hash Timelock Contracts: bridges that use a smart contract to create a time-based escrow system that requires a cryptographically encrypted passphrase to unlock. The most widely used version of this bridge is Polygon’s native bridge.
Conditional Transfers: the bridge provides the user with access to the bridge funds while itself waiting on confirmation from the liquidity provider to receive the funds in return. Bridges such as Hop Protocol fall into this category.
External Validation: the bridge relies on an external third party outside of any validation mechanism, generally a centralized entity such as Binance or a multisig to verify requests such as is the case for bridges like Synapse and Stargate.
For a great visualization on bridge security, please reference the below chart by Consensys, and be sure to read their excellent summary on bridge security for additional information. Though Consensys uses slightly different terminology in their methodology, the chart still serves as a great explainer.
Decentralization and censorship resistance
Two of the most important concepts for believers in the future of crypto are decentralization and censorship resistance. While discussing the merits of each of these concepts is beyond the scope of this article, there is no doubt that when transferring tokens across various chains, it is imperative to have solutions that can work without single points of failure, and without the risk of asset seizure.
We have already discussed the downsides of this when looking at external validation in the bridge security section, but we must reiterate that for the safety of user and protocol funds, it is essential that a bridging solution partner for Qi Dao falls into the category of decentralization and censorship resistance.
Qi Dao prides itself on the fact that users can become their own bank by minting MAI in a trustless and secure manner, and so any bridge which offers native MAI bridging should itself abide by the same ethos.
Of course, this can lead us into a discussion on “trusted” versus “trustless” bridges, but that will be a discussion for a future article. Until then, read an excellent explainer on the topic on Connext’s own Medium post titled The Interoperability Trilemma.
Bridge liquidity
Like in any other financial market, liquidity is king in DeFi, and the same applies to bridges. As a collateralized debt position (CDP) stablecoin protocol, Qi Dao requires not just enough liquidity for users to be able to bridge enough MAI for users to try out the latest and greatest MAI LPs, but must also have access to enough liquidity for liquidators to be able to bridge funds to keep the protocol healthy and the MAI peg strong in the case of large price fluctuations in the underlying vault collaterals.
The important questions to ask here, in no particular order, are as follows. Please note that some of these may only apply to specific bridge types.
Can the bridge mint enough tokens on the destination chain to meet the demand of users and liquidators?
Are liquidity pools large enough to allow for low slippage, and can the bridge provide 1:1 swaps across chains?
What is the maximum amount of tokens that can be transferred on the bridge before a race condition is triggered?
Codebase longevity
An important factor to consider when assessing bridges, and particularly bridging partners is longevity. We are not referring to simply how long a bridge has been in existence, after all, security may be upheld simply through “security through obscurity” which is not security in itself, but a recipe for potential disaster. By longevity, we imply that we should take into consideration how long a bridge has existed since the latest deployed smart contract without suffering a security breach.
Simply analyzing security audits is not a sound security measure and should simply serve as a first step towards assessing risk factors. Rather, by looking at the longevity of the codebase, we can truly begin to see how secure it might actually be. According to Token Terminal, about 50% of all DeFi exploits are a result of bridge hacks. After all, no platform is safe, and even multibillion dollar platforms like Binance can fall prey to such exploits.
In the development of a risk matrix for bridges, longevity should serve as an “X factor” or multiplier, applied to the overall risk score where the score may increase or decrease based on the frequency and size of a breach.
Conclusion
We hope that by establishing some criteria for understanding bridging risks, this committee, along with the help of the Qi Dao team and the community as a whole, can develop a simple plug and play solution to better assess new bridge partnerships. It is the belief of this committee that by improving risk management awareness, the community can make more educated decisions when considering governance proposals and look to the safety and security of the protocol as its number one priority. After all, in the immortal words of “The Planet Of The Apes,” qimps together strong.