Multi-bridge, The Solution to Governance Hacks?
Governance attacks have shaken up the DeFi space in 2023.
The $665,000 heist on the Tornado Cash DAO, for example, put an already weary and beleaguered community on edge, as they have been victims of a non-stop onslaught from hackers in 2023.
So, the announcement of Multichain bridging protocol LiFi launching what appears to be the solution to governance hacks felt almost like a crypto godsend.
Their solution was inspired by the Uniswap community's months-long debate on how to effectively protect the protocol from governance attacks.
A debate which ended with one resounding conclusion: they have to stop relying on a single bridge and implement multi-bridge governance.
After working for months with the Uniswap Foundation, LiFi developed a Multi-Message Aggregation (MMA):
It utilizes multiple Arbitrary Messaging Bridges (AMB) to send messages from one EVM chain to another EVM chain.
Instead of relying on a single AMB, MMA allows the message sender to relay the message through multiple AMBs. This way, even if one AMB is exploited, no malicious actions can be executed on the destination chain. — LiFi
An additive security module for cross-chain messaging, touted as “a secure, modular, and generalizable tool for unbiased cross-chain messaging & more.”
Applied to DAO governance, the new bridge aggregator will allow cross-chain DAOs to only accept votes confirmed by more than one bridge!
For instance, if one bridge registers a “yes” vote while two other bridges indicate “no,” the “no” vote takes precedence.
The aggregator’s setup can also be adjusted to incorporate three out of five bridges or any desired ratio as determined by the DAO.
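To make the threshold rule concrete, here is an added example (not LiFi's MMA code, nor Gnosis's Hashi): a constructed model of a destination-chain receiver that executes a cross-chain message only once at least k of n trusted bridges have delivered the same message id. The bridge names A/B/C, the chain id, the target address and the payload bytes are all made up for the demonstration. The scenario has one compromised bridge relaying a forged outcome; with a 2-of-3 threshold the forged message never executes, while with a 1-of-3 (single-bridge) setting it does.

```python
import hashlib
from dataclasses import dataclass, field


def message_id(dst_chain_id: int, nonce: int, target: str, calldata: bytes) -> str:
    """Identifier for one cross-chain message. Every bridge that relays the message
    must deliver exactly this id, so a tampered payload hashes to a different id."""
    header = f"{dst_chain_id}:{nonce}:{target}:".encode()
    return hashlib.sha256(header + calldata).hexdigest()


@dataclass
class MultiBridgeReceiver:
    """Destination-chain receiver (constructed model, not a real protocol's contract).
    A message executes only after at least `threshold` distinct trusted bridges
    have delivered the same message id."""
    trusted_bridges: frozenset
    threshold: int
    deliveries: dict = field(default_factory=dict)   # msg id -> set of bridge names
    executed: list = field(default_factory=list)      # executed ids, in order

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.trusted_bridges):
            raise ValueError("threshold must be within 1..number of trusted bridges")

    def receive(self, bridge: str, msg_id: str) -> str:
        if bridge not in self.trusted_bridges:
            return "rejected: untrusted bridge"
        if msg_id in self.executed:
            return "ignored: already executed"
        seen = self.deliveries.setdefault(msg_id, set())
        seen.add(bridge)  # a set: one bridge re-delivering cannot inflate the count
        if len(seen) >= self.threshold:
            self.executed.append(msg_id)
            return "executed"
        return f"pending ({len(seen)}/{self.threshold})"


def run_scenario(threshold: int) -> dict:
    """Three bridges relay the outcome of one DAO proposal; bridge 'A' is compromised
    and relays a forged outcome. Returns which payloads executed on the destination."""
    bridges = frozenset({"A", "B", "C"})
    receiver = MultiBridgeReceiver(bridges, threshold)
    # Constructed payloads: the honest vote outcome and the attacker's forged one.
    honest = message_id(42, 7, "0xGovernor", b"proposal-7:rejected")
    forged = message_id(42, 7, "0xGovernor", b"proposal-7:passed")
    log = [
        ("A", forged),   # compromised bridge relays the forged outcome first
        ("B", honest),
        ("A", forged),   # replay through the same bridge must not add a confirmation
        ("C", honest),
    ]
    results = [receiver.receive(b, m) for b, m in log]
    return {
        "results": results,
        "honest_executed": honest in receiver.executed,
        "forged_executed": forged in receiver.executed,
    }


if __name__ == "__main__":
    for k in (1, 2):
        out = run_scenario(k)
        print(f"threshold {k}-of-3: honest={out['honest_executed']} forged={out['forged_executed']}")
```

The two things worth checking in any real deployment are visible here: confirmations are counted per distinct bridge (a replay through the already-compromised bridge stays at 1/2), and the threshold is validated against the bridge set, so a misconfigured 1-of-n receiver degrades straight back to single-bridge trust.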
This development is groundbreaking as it significantly complicates hackers’ ability to execute a governance attack and siphon away funds.
As a reminder, a governance attack occurs when a malicious actor obtains sufficient voting power within blockchain projects utilizing decentralized governance frameworks.
This enables them to alter the rules of the protocol or sway token holders into voting for a proposal, often resulting in the passing of a malicious proposal.
That was the case in the Tornado Cash DAO attack, which suffered a hostile takeover when the fraudster successfully passed a proposal aimed at penalizing cheating participants but which also included an additional function that allowed them to acquire 1.2 million votes.
With these votes surpassing the legitimate Tornado Cash votes, the attacker gained complete control over the project and, among other things, the ability to drain all of the tokens in the governance contract, which they did, getting away with around $655,000.
The ability of DeFi protocols to safeguard themselves from those attacks can only be celebrated!
What’s surprising though is that LiFi is actually not the first to have created a multi-bridge aggregator: six months ago Gnosis had already come up with its own protocol called “Hashi”.
When asked why the UniswapDAO didn’t pick up existing Hashi rather than wait for LiFi’s MMA, they justified their choice by the fact that the project lacked a bug bounty program, had pending audits and was simply not production-ready.
LiFi indeed plans to implement a bug bounty program through Immunefi, is apparently in the process of “finalizing the solution,” and will soon undergo in-depth testing and an audit process through the blockchain security firm Trail of Bits.
While this innovation appears to open a new era where DeFi protocols could be safe from governance attacks, MMAs could also turn into an attack vector if they are not properly secured and maybe, in the worst case scenario, make it even easier for crypto criminals to operate governance attacks!
In March 2022, LiFi had unfortunately already suffered a security breach through a smart contract exploit during which around $600,000 were lost.
Ensuring every step is taken to tightly secure MMAs will be key.
Either MMA will turn into the groundbreaking innovation it aims to be, or it will become yet another of DeFi’s Achilles’ heels.
Find the detailed LiFi MMA presentation by LiFi research lead Arjun Chand here:
About us
Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.
Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.
Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.