Omni Bridge

Funds can be stolen if

1. validators relay a fake message to Gnosis chain to mint more tokens than there are locked on Ethereum thus preventing some existing holders from being able to bring their funds back to Ethereum (CRITICAL),
2. validators relay a fake message to Ethereum chain allowing a user to withdraw tokens from Ethereum escrow when equivalent amount of tokens has not been deposited and burned on Gnosis chain (CRITICAL),
3. there's an exploit in contracts that invest user deposit (CRITICAL),
4. a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).

Funds can be frozen if

5. validators don't relay messages between chains,
6. there's insufficient liquidity of requested token in escrow and Aave.

Users can be censored if

7. validators decide to not pass selected messages between chains (CRITICAL).

Principle of operation

This is a Lock-Mint bridge that takes ownership of tokens in escrow contracts on Ethereum and mints "representation tokens" on the Gnosis Chain. When bridging back to Ethereum, tokens are burned on the Gnosis Chain and then released from the escrow on Ethereum. Tokens in Ethereum escrow are not effectively locked, as deposited tokens can be invested to generate yield (interest is intended to go to GnosisDAO). Bridge contract enables its owner (currently 7/16 Multisig) to specify or disable a separate external contract with investment logic. Currently investment contracts have been disabled around the time of the Ethereum Merge. Previously used investment contract sent part of deposited USDC and USDT to Aave. A special care needs to be taken when bridging xDai token that is native to Gnosis Chain. There's a separate bridge for xDai and Omni bridge should not be used, as it mints non-native "representation version" of xDai.

Transfers are externally verified

Omni bridge is built on top of Arbitrary Message Bridge (AMB), a trusted cross-chain message relaying mechanism currently validated by a 4/6 Validator MultiSig. A separate Governor 7/16 Multisig is used for updating validator set, signature thresholds, bridge parameters and bridge contracts. For Omni bridge, messages are passed between "Mediator" contracts deployed on both chains. When user deposits a token to Mediator escrow on Ethereum, an AMB message is passed to Mediator on Gnosis chain, which mints a "representation token", optionally deploying a necessary token contract on Gnosis chain if this is the first time this token is transferred. Transfers from Gnosis chain to Ethereum use the same mechanism in the opposite direction but tokens on Gnosis are burned and tokens on Ethereum are released from escrow.

• Users can be censored if validators decide to not pass selected messages between chains (CRITICAL).

• Funds can be stolen if validators relay a fake message to Gnosis chain to mint more tokens than there are locked on Ethereum thus preventing some existing holders from being able to bring their funds back to Ethereum (CRITICAL).

• Funds can be stolen if validators relay a fake message to Ethereum chain allowing a user to withdraw tokens from Ethereum escrow when equivalent amount of tokens has not been deposited and burned on Gnosis chain (CRITICAL).

• Funds can be stolen if there's an exploit in contracts that invest user deposit (CRITICAL).

• Funds can be frozen if validators don't relay messages between chains.

• Funds can be frozen if there's insufficient liquidity of requested token in escrow and Aave.

1. Omnibridge documentation