The security part.
On the HomeBridge contract, a request to pass a message raises an UserRequestForSignature event. N validating oracles must validate the request submitting a signature. When N signatures are collected (with N < M, where M is the number of total validators and N is a parameter of the bridge) the Home chain raises a CollectedSignature event. At this point, the last validating oracle must submit the message with the signatures to the ForeignBridge contract. The contract validates the signatures recovering the signing addresses and comparing them with the validators addresses.
If a malicious agent wants to trigger on the ForeignBridge a (false) message dispatch, for example to trigger an unauthorized tokens mint, he must forge a message and steal the keys of N validators. If N is reasonably hight and each validator keeps his key safely the bridge is reasonably secure.
Is this analysis correct?
On the other side, on the ForeignBridge contract, a request to pass a message raises an UserRequestForAffirmation event. Each validating oracle must submit the message to the HomeBridge. This submission doesn’t trigger message processing until we have N submissions. Is not requested any signature. The method can be called only by validators. We rely only on the chain security.
Why this behavior is different in the respect to the other side of the bridge? Because we trust the home bridge but we cannot trust the foreing bridge?
The reliability part.
The reliability of the bridge is guaranteed by the fact that to pass a message we need N < M working oracles. So if N is reasonably lower than M the bridge is reasonably reliable.
The only weak point seems to be in the Home to Foreign bridge: the last validating oracle (the oracle that submits the last needed signature) is choosen to pass the message to the other side. If he fails, this message is lost.
Is this analisys correct?
Thanks in advance