βHackMD
Technical Spec: Lido<>Cosmos bridge
Authored by Kai Tyurin
This doc describes possible technical specification for a bridge-agnostic model of managing Lido staked Eth on Cosmos chains.
The aim of the spec is to solve issues of liquidity fragmentation and reduce any bridge-related issues, such as vendor lock and possible vulnerabilities. It mostly addresses this section of the previously made stETH bridging spec: https://hackmd.io/@lido/BJGOoX2hF#Ethereum-state-communication-channel
Overview
βββββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββ
β Ethereum β β Neutron β βCosmos chain 1 β
β β β β β βββββββ β
β βββββββ ββββββ β β βββββββ β βββββΌββββββΊβUsersβ β
β βUsersβ βLidoβ β β βUsersβ β β β βββββββ β
β ββββ²βββ βDAO β β β βββ²ββββ β β β β
β β βββ¬βββ β β β β β βββββββββββββββββ
β β β β β β β β
β β β β β ββββββΌβββββ β β βββββββββββββββββ
β ββββΌβββββ β β β βLido β IBCβ β βCosmos chain 2 β
β βLido β β β β βSatelliteβββββββΌββββΌββ β βββββββ β
β βMissionββββ β β ββββββ²βββββ β β βββΌββββββΊβUsersβ β
β βControlβ β β β β β β βββββββ β
β βββ²ββββββ β β βββββββββ β β β β
β β β β β β β βββββββββββββββββ
β β βββββββββββ β β βββββββββββ β β β
β βββΊβBridge ββββΌβββββββ€βΊβBridge ββββ€ β β βββββββββββββββββ
β β βadapter 1β β β βadapter 1β β β β βCosmos chain 3 β
β β βββββββββββ β β βββββββββββ β β β β βββββββ β
β β β β β β βββββΌββββββΊβUsersβ β
β β βββββββββββ β β βββββββββββ β β β βββββββ β
β βββΊβBridge ββββΌβββββββ€βΊβBridge ββββ€ β β β
β β βadapter 2β β β βadapter 2β β β βββββββββββββββββ
β β βββββββββββ β β βββββββββββ β β
β β β β β β
β β βββββββββββ β β βββββββββββ β β
β βββΊβBridge ββββΌβββββββ€βΊβBridge ββββ β
β βadapter 3β β β βadapter 3β β
β βββββββββββ β β βββββββββββ β
β β β β
βββββββββββββββββββββ βββββββββββββββββββ
High-level components
The whole thing consists of several main parts:
- Mission control [settled on Ethereum]
- holds locked wstETH on the Ethereum side
- allows Lido DAO to manage Satellite on the Neutron side
- communicates with bridge adapters in order to transfer messages through the bridges
- Satellite [settled on Neutron]
- mints wstETH on Neutron
- handles possible Eth-staking-on-Cosmos logic
- handles possible rebase of stETH-on-Cosmos
- Bridge adapters
- implement all the bridge-specific behavior
Modular system
Each component consists of several modules:
- Mission control:
- Common module
- Receiver module
- Sender module
Satellite:
- Common module
- Receiver module
- Sender module
Any bridge adapter:
- Common adapter interface module
- Bridge-specific sender module
- Bridge-specific receiver module
By messages (handled by Sender and Receiver) we mean the day-to-day messages mostly issued by users. These messages are bi-directional since tokens can be transferred in both directions thus both Mission control and Satellite need to have both modules. Regular messages are to be executed as fast as possible.
Modules specifications
Common
Storage
| storage name | type | who can access | description |
|---|---|---|---|
| bridge_adapters | [<address, name>] | bridge_adapters_update [write] | list of bridge adapters to work with |
| owner | address | owner_update [write] | address that is able to manage the contract |
Methods
| method name | who can call | inputs | description |
|---|---|---|---|
| bridge_adapters_update | owner | [to_add] | |
| [to_delete] | adds or removes bridge adapters | ||
| owner_update | owner | new_owner | updates owner |
Receiver
Storage
| storage name | type | who can access | description |
|---|---|---|---|
| threshold | int | update_threshold [write] | |
| execute_message [read] | number of bridges that should approve the message to consider it | ||
| receive_messages | id β <hash β <message (optional), votes>, time, status> | add_message [read/write] | |
| execute_message [read/write] | messages to process |
Methods
| method name | who can call | inputs | description |
|---|---|---|---|
| add_message | bridge adapters | id | |
| hash | |||
| data [optional] | if message doesnβt exist, creates it | ||
| if message exists and executed, all changes are ignored | |||
| if message exists timeout is expired, itβs recreated | |||
| for existing/created message adds a new hash to the map or adds a voting for existing one | |||
| execute_message | permissionless | id | |
| hash | |||
| data [optional] | if message exists for given id/hash and bridge votes for it more than threshold, validates and executes the message | ||
| update_threshold | owner | new_threshold | sets new threshold |
Why such a complex messages structure? Why have hash β <message (optional), votes> map instead of just hash, message (optional), votes structure?
We assume a bridge might misbehave. During misbehaving itβs able to create spam hashes for different message ids and thus dos txs from being transferred. By having a single hash weβd need to have a logic of deciding which one is correct. Having a map of them weβre always able to execute the correct message regardless of spam made by any misbehaving bridge.
Why have a timeout?
Without timeout during the bridge hack an attacker is able to make a βreserve for a futureβ, e.g., transfer transaction of a huge amount of tokens to the smart contract that will divide the sent tokens between this attacker and any future one. Such a smart contract will be a proposal of collusion, and without any built-in expiration for a message it needs to be explicitly removed.
Sender
Storage
| storage name | type | who can access | description |
|---|---|---|---|
| send_messages | id β <msg, hash> | create_transfer [write] | |
| send_transfer [read] | create_transfer puts messages there |
Methods
| method name | who can call | inputs | description |
|---|---|---|---|
| create_transfer | permissionless | asset to transfer | |
| gas payment compensation | |||
| recipient | creates send_message and calls send transfer for it | ||
| send_transfer | permissionless | send_message id | |
| gas payment compensation | |||
| list of bridges [optional?] | sends messages to corresponding bridge adapters | ||
| crete_general_msg | owner | general message | |
| gas payment compensation | creates send_message with an arbitrary message content |
Why do we need a separate permissionless send_tranfer method? Why not do everything by a single method?
For recovering the tx in case of bridge hack/outage/bug
Common adapter interface
Storage
| storage name | type | who can access | description |
|---|---|---|---|
| owner | address | update_owner [write] | |
| send_message [read] | Mission control or Satellite address |
Methods
| method name | who can call | inputs | description |
|---|---|---|---|
| send_message | owner | message | |
| gas payment compensation | sends message to the adapter on the other side | ||
| update_owner | owner | new_owner | updates the owner |
Full bridge outage
Two important things should be of our attention:
- in practice, weβre talking about only two bridges: Wormhole and Axelar
- the threshold shouldnβt be less than 2 since in this case single bridge being hacked compromises the whole system
It creates the risk of one of the bridges being down for a long time and completely blocking the system of operations.
Thereβre several possible scenarios preventing that:
-
onboarding βminorβ bridges: Gravity/Sifchain/β¦
- no additional security risk since the system is resistant to a single bridge hack
- the third bridge might be disabled by default and activated only when itβs needed
- this also can be used to smoothly handle temporary outages
-
making pseudo-bridge managed by multisig (this multisig will behave as a bridge and will be able to approve the necessary messages when itβs needed)
-
making pseudo-bridge controlled by Neutron DAO/SubDAO β same as previous but more decentralized
Bridge adapters design
This is TBD yet. Still, as it was already mentioned, de facto weβre talking about two bridges: Axelar and Wormhole.
Axelar
Satellite bridge by Axelar has the native support of general messages passing which makes the integration very straightforward.
https://docs.axelar.dev/dev/general-message-passing/overview
Wormhole
At the moment, Wormhole functionality is much less. In Cosmos, Wormhole is deployed on 3 chains:
- Injective
- Terra v2
- Terra Classic
Unfortunately, currently, even NFT transfers arenβt supported for Cosmos chains.
The other drawback is that the transaction is needed to be explicitly claimed on the other side of the chain via issuing a special transaction.
However, as already described in the existing research, itβs doable to overcome these issues with a special token workaround.
Because Lido StarLadder has a modular architecture, it will be possible to smoothly migrate the system to a new adapter if new features are provided.
Other bridges
For any other bridge existing now or going to be deployed in the future, itβll be possible to write an adapter for.
Roadmap
The proposed model can be implemented iteratively.
v1.0: wstETH bridging with a single bridge.
v1.1: adding one more bridge
v1.2: adding a third bridge for more reliability
v2.0: adding staking directly on the
v3.0: adding rebasing stETH bridging
Benefits and drawbacks
Benefits:
- Avoiding liquidity fragmentation
- No bridge vendor-lock
- Smooth work even one of the bridges outage
- More control over assets
- Bridge-related security risks are reduced
Drawbacks:
- Double price for bridge transfers
- Additional smart-contract risk
- Probably pretty complicated off-chain infrastructure
