POA Forum

Arbitrary Message Bridge - Security and reliability

Hi!

The security part.

On the HomeBridge contract, a request to pass a message raises a UserRequestForSignature event. N validating oracles must validate the request by submitting a signature. When N signatures are collected (with N < M, where M is the total number of validators and N is a parameter of the bridge) the Home chain raises a CollectedSignature event. At this point, the last validating oracle must submit the message with the signatures to the ForeignBridge contract. The contract validates the signatures by recovering the signing addresses and comparing them with the validators' addresses.

If a malicious agent wants to trigger a (false) message dispatch on the ForeignBridge, for example to trigger an unauthorized token mint, he must forge a message and steal the keys of N validators. If N is reasonably high and each validator keeps his key safe, the bridge is reasonably secure.

Is this analysis correct?

On the other side, on the ForeignBridge contract, a request to pass a message raises a UserRequestForAffirmation event. Each validating oracle must submit the message to the HomeBridge. This submission doesn't trigger message processing until we have N submissions. No signature is requested. The method can be called only by validators. We rely only on the chain security.

Why is this behavior different with respect to the other side of the bridge? Because we trust the home bridge but we cannot trust the foreign bridge?

The reliability part.

The reliability of the bridge is guaranteed by the fact that to pass a message we need N < M working oracles. So if N is reasonably lower than M, the bridge is reasonably reliable.

The only weak point seems to be in the Home to Foreign bridge: the last validating oracle (the oracle that submits the last needed signature) is chosen to pass the message to the other side. If he fails, this message is lost.

Is this analysis correct?

Thanks in advance
michelangelo


Yes, your analysis is correct. The difference in handling is due to the difference in transaction costs on the two sides of the bridge. It is assumed that the transaction fees on the Home side are significantly lower than the transaction fees on the Foreign side. That's why the validators have an economic benefit in collecting signatures on the Home side.

If you look at the implementation of the executeSignatures method you will notice that this method is callable by everyone. So, everyone who picks up the collected signatures from the contract on the Home side is able to pass the message to the other side. This is still secure, since the message this person passes will be confirmed by the signatures the person has to provide: recovering the addresses from the signatures and the message will point to the validator set.
