Modular Economic Security: Bridge Disaster Insurance

Make Bridges Secure Again

Yorke Rhodes IV
Hyperlane
7 min read · Dec 8, 2023


Most of us feel by now that trusting a bridge approximates a “trust me bro” assumption. Users are afraid to bridge due to an illustrious history of hacks. That being said, I think bridge FUD is holding the entire industry back. Advancements in scaling and privacy must be battle-tested on new chains before they can be included in Ethereum hard forks. We need secure and usable bridges to scale Ethereum.

The research community believes the bridge endgame is consensus and execution light clients. However, in an industry which prides itself on “don’t trust, verify” ethos, few can verify these complex implementations. Further complicating things, light client proofs are only practically verifiable on-chain with ZK succinctness or optimistically with interactive fraud proofs. User experience suffers from slow proving times and high overhead. New chains are forced to inherit legacy consensus and VMs or incur huge upfront costs to build light clients orthogonal to their core product and value proposition. The de facto alternative is a trusted multisig. As a pragmatist, I think this is reasonable. As an optimist, I think we can do better.

Proof-of-Stake

On September 15th, 2022, only a little over a year ago, Ethereum executed the Merge. This marked the network’s transition to Proof of Stake, one of the largest and most successful economic experiments in human history. Following this regime change, validators must deposit 32 ETH into a smart contract to participate in consensus and be eligible to propose the next block. If a validator breaks consensus protocol rules they will be slashed, forfeiting some of their deposit. This misbehavior is attributable because validators sign all blocks with a key registered when they stake.

In proof-of-stake networks, an attacker must acquire a majority of total stake to successfully commit fraud (2/3 for a safety fault, 1/3 for liveness). If the total stake is sufficiently large, conducting this attack is prohibitively expensive (on Ethereum, ~$19B). We refer to this as economic security. There are two challenges with economic security: operational costs, and the opportunity cost of capital (what interest-generating opportunity are stakers sacrificing to participate?). To compensate stakers, rewards must be continuously distributed to ensure security remains high. Economic security enables users to reason discretely about risk exposure. Applications contribute to the security budget by having users pay fees to stakers.

Modular Economic Security

To enable bridges between heterogeneous chains, we need some modular origin chain commitment to the source of truth and a destination chain verification mechanism. Hyperlane achieves this with a multi-VM smart contract and relayer framework that generalizes origin chain commitments (post-dispatch hooks) and destination chain proving (interchain security modules) on messages passed between chains.

For modular economic security, we need a proof of stake system colocated with the origin chain commitment. On the destination chain, we can use votes on the commitment to accumulate economic security on delivered messages¹.

If an observed vote does not match the commitment to the truth, anyone can permissionlessly slash the validator by providing this proof. As long as a validator’s time to unstake is sufficiently long, this guarantees punishment for fraudulent votes. Forfeited stake can be allocated to an insurance fund used to cover losses incurred by defrauded message recipients.

This has several advantages over heavier light client designs. Validators do not participate in complex multi-round consensus but simply broadcast votes, lowering overall latency and operational complexity. Consuming applications are not forced to pay for all available security and can use application context to scale their economic security requirements. The slashing protocol is extremely simple: compare votes to local commitments, without interactivity, building SNARK proofs, or replaying transaction history.

Bridge Insurance

Economic security does not always prevent fraud, but guarantees a floor on the cost to commit fraud.

Instead of paying for expensive ZK proofs or patiently waiting for optimistic settlement, the value at risk in the slashing protocol functions as insurance on any fraud that occurs. This allows protocols to have dynamic, application-specific risk tolerances (see my previous modular security blog post). Maybe more importantly, it removes proving latency and complexity from the user experience of bridging. Professional validators, who can evaluate this risk more holistically, underwrite it.

This architecture sounds great in theory but, as in any proof of stake system, we must compensate validators for the opportunity cost of capital. It is a classic network bootstrapping problem: validators are attracted to fee revenue, users are uncomfortable before there is sufficient economic security, and one must come first. It is a common belief that Ethereum needed Proof of Work to bootstrap security before it could transition to the more sustainable Proof of Stake.

Opportunity Cost of Capital

The problem with a proof-of-stake system on every chain is the linear cost of capital. Alternative designs introduce an intermediate chain with a shared pool of stake, but this approach severely compromises security and scalability². However, there is a middle ground that balances capital efficiency with scalability and security. Ethereum emerging as a shared settlement layer for rollups is conducive to a hybrid model.

If we assume that rollups eventually settle via their native bridges, the same message commitments from these rollups will be available to smart contracts on Ethereum. Therefore, rollups that share a settlement layer can have bridges with colocated slashing protocols. This enables a single shared pool of stake to secure outbound messages from and between rollups.

Notably, validators can attest to rollup pre-confirmations before they have settled, providing instant economic security on other chains while taking on the rollup’s settlement risk. This facilitates the rollup endgame that so many allude to where users seamlessly move across rollups without friction.

Eigenlayer and Restaking

Conveniently, the Merge bootstrapped a massive pool of stake on Ethereum and Eigenlayer’s imminent launch opens the market for this native economic security to be leveraged by other protocols. Simple slashing contracts and a modular bridging architecture uniquely suit Hyperlane to take advantage of restaking without overloading Ethereum’s social consensus.

Restaking has clear advantages for economically secured bridges: the marginal cost of becoming a validator is effectively zero because there is no additional cost of capital, native validation is a superset of the operational burden, and slashing risk is extremely low for benign validators. Additionally, bridging fees are a net new revenue stream for native validators, bolstering the entire network’s economic security and creating a flywheel for growth. As a second order effect, rollups might be more strongly incentivized to launch with trust minimized settlement or risk losing out on the network effects of this shared economic security.

What’s Next

The Hyperlane team has been collaborating with the Eigenlayer team for several months and is excited to launch our AVS integration in early 2024.

If you are excited about bridge insurance and want to join the discussion and contribute, reach out to the team!

We are hiring across all engineering disciplines: join us on the mission to scale Ethereum.

Footnotes

¹ In Hyperlane’s implementation, we prioritize censorship resistance. If validators can preferentially skip some votes without punishment, the system is vulnerable to censorship. To combat this, votes are only valid for a commitment to all historical messages. Additionally, rewards paid to validators are on a per-use basis. This forces validators to eventually vote or risk losing profitability, and ensures any historical message can be verified against the vote. Introducing this feature does slightly increase contract complexity, but we feel it is an essential component of a sustainable cryptoeconomic protocol. Furthermore, we have prevented this from leaking to users as onchain fee overhead through a clever data structure called an incremental merkle tree, which the Ethereum deposit contract also used. It would be fun to host a gas golfing competition for VM-specific optimizations which do not compromise on these security properties.

² Some bridge protocols introduce an intermediate chain where an exogenous pool of stake and validator set attest to messages originating from and destined for other chains. This does not inherit origin chain consensus without light client proofs and, crucially, does not allow for objective slashing criteria. Slashing in these systems assumes an honest majority, enabling validators to collude and circumvent punishment, crippling the economic security. Additionally, this intermediate chain’s own consensus becomes a throughput bottleneck when many chains are connected. I may do a deep dive on these trust assumptions across other protocols in the future.
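As an added illustration of the slashing protocol described under Modular Economic Security and of the incremental merkle tree in footnote 1 (example code written for this edit, not Hyperlane’s own contracts): the origin chain appends each message commitment to a deposit-contract-style tree, a validator votes on (root, index), and the slashing check compares a signed vote against the chain’s own recorded root without any interaction. The HMAC signature, the toy tree height and the `roots` history list are stand-ins assumed for the example.

```python
import hashlib
import hmac

DEPTH = 4  # toy height; the deposit-contract-style tree used on-chain has height 32

def h(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(a + b).digest()

ZERO = [b"\x00" * 32]  # ZERO[i] = root of an empty subtree of height i
for _ in range(DEPTH):
    ZERO.append(h(ZERO[-1], ZERO[-1]))

class IncrementalMerkleTree:
    """Append-only tree: only DEPTH branch nodes and a leaf count are stored,
    so an insert costs O(DEPTH) hashes and every root commits to all messages
    dispatched so far (the origin chain's commitment)."""
    def __init__(self):
        self.branch, self.count = [b"\x00" * 32] * DEPTH, 0

    def insert(self, leaf: bytes) -> None:
        assert self.count < 2 ** DEPTH, "tree full"
        self.count += 1
        size, node = self.count, leaf
        for i in range(DEPTH):
            if size & 1:
                self.branch[i] = node  # first filled slot on this level
                return
            node, size = h(self.branch[i], node), size >> 1

    def root(self) -> bytes:
        size, node = self.count, b"\x00" * 32
        for i in range(DEPTH):
            node = h(self.branch[i], node) if size & 1 else h(node, ZERO[i])
            size >>= 1
        return node

def sign_checkpoint(key: bytes, root: bytes, index: int) -> bytes:
    """A validator's vote on (root, index). HMAC stands in for the ECDSA
    signature a real validator makes with the key registered at staking."""
    return hmac.new(key, root + index.to_bytes(4, "big"), "sha256").digest()

def is_slashable(key: bytes, vote: tuple, roots: list) -> bool:
    """Non-interactive slashing check: a validly signed vote whose root differs
    from the chain's own root at that index is objective fraud. roots[i] is the
    root recorded right after message i was inserted (assumed history list)."""
    root, index, sig = vote
    if not hmac.compare_digest(sig, sign_checkpoint(key, root, index)):
        return False  # forged: not attributable to this validator
    return index < len(roots) and roots[index] != root
```

A vote on an index the chain has not reached yet is not slashable until the corresponding message is dispatched, which is why the check returns False rather than punishing it early.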

More about Hyperlane

Hyperlane is the first Permissionless Interoperability layer, enabling anyone to connect any blockchain, out-of-the-box. With Hyperlane, developers can build Interchain Applications, apps that abstract away the complexity of interchain interactions and serve users on any connected chain. Additionally, Hyperlane’s modular security stack gives developers the power to customize their interchain security. Hyperlane development is open-source and led by core developers at Abacus Works.

Go Interchain with Hyperlane

Start building with our Docs.
Experiment with Hyperlane in 5 minutes with our Quickstarts.
Join our Discord if you have any questions.
Apply to join our crew Here.
Find us on Twitter.

Yorke Rhodes IV, Hyperlane: ethical technology optimist and smart contract engineer.