L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our discord to suggest improvements!


...


Tokens:

Milestones

Connext Amarok mainnet deployment

2023 Feb 2nd

Connext Amarok mainnet deployment.

Learn more

Connext Amarok announced

2022 May 11th

The new, modular architecture for Connext Amarok has been announced.

Learn more
Show more

Description

Connext is a multilayered system that aggregates various native AMBs in an Hub-and-Spoke architecture with Ethereum being the Hub receiving messages from other domains. It implements a liquidity network on top of its Hub-and-Spoke architecture.

If you find something wrong on this page you can submit an issue or edit the information.

Risk summary

Note: This project's overview requires more research and might not present accurate information. If you want to contribute you can edit the information on Github. Alternatively you contact the project team on Twitter and encourage them to contribute a PR.

Technology

Principle of operation

Messages from various domains are aggregated into one message root and are periodically sent to Ethereum using native AMBs. Note that for Optimistic Rollups (Arbitrum, Optimism) the AMB is only used as a transport layer, but 7-day delay is being ignored. Upon being delivered to Ethereum these message roots are subsequently aggregated again into a root-of-root of messages before being delivered to their destination domains. Each message can be optimistically fast-forwarded by a network of Routers that will front liquidity (if the message is a token transfer) or post a bond (if the message is a xChain call). Upon receiving the message root via native AMBs Connext bridge will reconciles messages and return bond to the Routers. There is a configurable delay programmed into the RootManager contract and the SpokeConnectors receiving messages. During the delay period a whitelisted set of Watchers can pause the bridge if the fraudulent message passed via AMB is detected.

Validation via Native AMBs

Messages on the source chain are send perdiodically to the Ethereum chain via native AMB. Once they arrive on Etherum, they can be send from Ethereum, again via native AMB, to the destination chain. Token transfers can be fronted by Routers providing liquidity. Similarly arbitrary messages can be sped up. Watchers provide additional protection in case native AMB gets compromised and forges the message. For optimistic rollups (Optimism, Arbitrum) their native AMB is used but 7-day dispute window is ignored. For BSC (Binance Chain) MultiChain AMB is used.

  • Users can be censored if watchers disconnect certain connectors or pause the whole bridge for no reason.

  • Funds can be stolen if native AMBs that Connext uses allow for passing forged messages and this is not caught by Watchers.

  • Funds can be stolen if connectors to optimistic rollups (Optimism, Arbitrum) receive a fraudulent message within 7-day fraud-proof window (CRITICAL).

Permissions

The system uses the following set of permissioned addresses:

Connext Multisig 0x4d50…6625

Owner of the main Connext Bridge Diamond Proxy. Can upgrade the functionality of any system component with no delay. Maintains the list of Watchers. This is a Gnosis Safe with 3 / 3 threshold.

Connext Multisig participants 0xf8d8…57540x48fd…F06A0xA08f…8E1f

Those are the participants of the Connext Multisig.

Permissioned set of actors who can pause certain bridge components. On Ethereum L1 Watchers can pause RootManager and MainnetSpokeConnector, i.e. modules receiving messages. They can also remove connector from the RootManager. List of watchers is maintained by the Connext MultiSig.

Sequencers 0x4fFA…82E7

Permissioned set of actors that sequence routers request to forward liquidity.

Smart Contracts

The system consists of the following smart contracts:

ConnextBridge 0x8898…63C6

The main Connext contract. Following Diamond design pattern, it contains multiple Facets that implement various parts of the bridge functionality. This contract stores the following tokens: USDC, WETH.

RootManager 0xd5d6…C2e1

Contract responsible for maintaining list of domains and building root-of-roots of messages. It keeps tracks of all hub connectors that connect to specific domain.

WatcherManager 0x6a59…a7A6

Contract maintaining a list of Watchers able to stop the bridge if fraud is detected.

MainnetSpokeConnector 0xF7c4…296c

Contract that receives messages from other Domains on Ethereum.

MultichainHubConnector 0xFaf5…26A8

Contract for sending/receiving messages from mainnet to Binance Smart Chain via Multichain AMB.

PolygonHubConnector 0xB01B…82aE

Contract for sending/receiving messages from mainnet to Polygon via Polygon FxChannel AMB.

GnosisHubConnector 0x245F…6413

Contract for sending/receiving messages from mainnet to Gnosis via Gnosis AMB.

OptimismHubConnector 0x66a4…8eeE

Contract for sending/receiving messages from mainnet to Optimism via Optimism AMB transport layer. Note that it reads messages from Optimism as soon as Optimism state root is recorded on Ethereum w/out waiting for the 7-day fraud proof delay window.

ArbitrumHubConnector 0xd151…0961

Contract for sending/receiving messages from mainnet to Optimism via Arbitrum AMB transport layer. Note that it reads messages from Arbitrum as soon as Arbitrum state root is recorded on Ethereum w/out waiting for the 7-day fraud proof delay window.

The current deployment carries some associated risks:

  • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).