L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our discord to suggest improvements!
Connext
...
Tokens:
Milestones
Connext Amarok announced
2022 May 11th
The new, modular architecture for Connext Amarok has been announced.
Learn moreDescription
Connext is a multilayered system that aggregates various native AMBs in an Hub-and-Spoke architecture with Ethereum being the Hub receiving messages from other domains. It implements a liquidity network on top of its Hub-and-Spoke architecture.
If you find something wrong on this page you can submit an issue or edit the information.
Risk summary
Funds can be stolen if
- native AMBs that Connext uses allow for passing forged messages and this is not caught by Watchers,
- connectors to optimistic rollups (Optimism, Arbitrum) receive a fraudulent message within 7-day fraud-proof window (CRITICAL),
- a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).
Users can be censored if
Technology
Principle of operation
Messages from various domains are aggregated into one message root and are periodically sent to Ethereum using native AMBs. Note that for Optimistic Rollups (Arbitrum, Optimism) the AMB is only used as a transport layer, but 7-day delay is being ignored. Upon being delivered to Ethereum these message roots are subsequently aggregated again into a root-of-root of messages before being delivered to their destination domains. Each message can be optimistically fast-forwarded by a network of Routers that will front liquidity (if the message is a token transfer) or post a bond (if the message is a xChain call). Upon receiving the message root via native AMBs Connext bridge will reconciles messages and return bond to the Routers. There is a configurable delay programmed into the RootManager contract and the SpokeConnectors receiving messages. During the delay period a whitelisted set of Watchers can pause the bridge if the fraudulent message passed via AMB is detected.
Validation via Native AMBs
Messages on the source chain are send perdiodically to the Ethereum chain via native AMB. Once they arrive on Etherum, they can be send from Ethereum, again via native AMB, to the destination chain. Token transfers can be fronted by Routers providing liquidity. Similarly arbitrary messages can be sped up. Watchers provide additional protection in case native AMB gets compromised and forges the message. For optimistic rollups (Optimism, Arbitrum) their native AMB is used but 7-day dispute window is ignored. For BSC (Binance Chain) MultiChain AMB is used.
Users can be censored if watchers disconnect certain connectors or pause the whole bridge for no reason.
Funds can be stolen if native AMBs that Connext uses allow for passing forged messages and this is not caught by Watchers.
Funds can be stolen if connectors to optimistic rollups (Optimism, Arbitrum) receive a fraudulent message within 7-day fraud-proof window (CRITICAL).
Permissions
The system uses the following set of permissioned addresses:
Owner of the main Connext Bridge Diamond Proxy. Can upgrade the functionality of any system component with no delay. Maintains the list of Watchers. This is a Gnosis Safe with 3 / 3 threshold.
Those are the participants of the Connext Multisig.
Permissioned set of actors who can pause certain bridge components. On Ethereum L1 Watchers can pause RootManager and MainnetSpokeConnector, i.e. modules receiving messages. They can also remove connector from the RootManager. List of watchers is maintained by the Connext MultiSig.
Permissioned set of actors that sequence routers request to forward liquidity.
Permissioned set of actors who can perform certain bridge operations.
Permissioned set of actors who can forward liquidity and speed-up message delivery.
Smart Contracts
The system consists of the following smart contracts:
The main Connext contract. Following Diamond design pattern, it contains multiple Facets that implement various parts of the bridge functionality. This contract stores the following tokens: USDC, WETH.
Contract responsible for maintaining list of domains and building root-of-roots of messages. It keeps tracks of all hub connectors that connect to specific domain.
Contract maintaining a list of Watchers able to stop the bridge if fraud is detected.
Contract that receives messages from other Domains on Ethereum.
Contract for sending/receiving messages from mainnet to Binance Smart Chain via Multichain AMB.
Contract for sending/receiving messages from mainnet to Polygon via Polygon FxChannel AMB.
Contract for sending/receiving messages from mainnet to Gnosis via Gnosis AMB.
Contract for sending/receiving messages from mainnet to Optimism via Optimism AMB transport layer. Note that it reads messages from Optimism as soon as Optimism state root is recorded on Ethereum w/out waiting for the 7-day fraud proof delay window.
Contract for sending/receiving messages from mainnet to Optimism via Arbitrum AMB transport layer. Note that it reads messages from Arbitrum as soon as Arbitrum state root is recorded on Ethereum w/out waiting for the 7-day fraud proof delay window.
The current deployment carries some associated risks:
Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).