Osmosis' adoption of the Axelar bridge for chains outside of the Cosmos Ecosystem has been great for interchain and cross-ecosystem operability, but does it come with a potential risk?
What is Axelar?
Axelar is a blockchain interoperability network allowing secure cross-chain communication for Web3. Built on the Cosmos Ecosystem stack, Axelar is a delegated proof of stake chain with its own token, $AXL.
Currently, the inter-blockchain communication protocol (IBC) can connect around 52 independent blockchains within the Cosmos ecosystem, but bridges are required to connect the Cosmos ecosystem to other chains.
The Axelar bridge connects chains together, including both Cosmos native chains and those that are not yet part of the Cosmos ecosystem, such as Ethereum. Axelar's bridge allows cross-chain communication, token transfers, and contract calls.
The Axelar bridge uses a decentralized network of validators who maintain the Cross-chain Gateway Protocol (CGP) and secure the bridge to other blockchains. There are currently 60 active validators.
Osmosis adopts Axelar Bridge
In May 2022, Osmosis, the largest DEX in the Cosmos Ecosystem, voted to adopt Axelar as its bridge service provider for chains outside of the Cosmos/IBC ecosystem.
Is Axelar centralized?
Despite running on a decentralized network, Axelar is not entirely trustless.
In a Twitter post by @luisqagt of Zenith Station this week, the question of Axelar's upgradeable contracts being controlled by a 4/8 developer multi-sig was brought to light.
What is a 4/8 multisig?
In order to achieve timely upgradability such as providing better features or gas fees, Axelar deployed a multisig contract whereby 4 out of 8 developers can sign to make changes to contracts on the network. This adds an element of centralized control.
Potential Risks of Multisig Use
The use of multisig keys inherently makes the Axelar bridge more vulnerable to social engineering, and dev team or regulator interference.
In 2022 alone, hackers stole over 1.4 billion by exploiting crypto bridges. Issues that could arise include compromised multisig keys or in-user theft.
- In June 2022, the Harmony dev team announced that an estimated $100 million was stolen from the Horizon bridge due to compromised private keys.
- In April 2022, the Ronin bridge on Axie Infinity’s Ronin Network was attacked and $624 million was extracted. An unknown person managed to obtain five of the nine validator keys responsible for securing the Ronin network.
- In August 2021, the Poly Network suffered one of the biggest attacks in crypto history when over $600 million worth of coins was stolen, triggered by the leak of a private key that was used to sign the cross-chain message.
Dev or Regulator Interference
- The development team can take full control or make changes at any time without community governance; they only need half of the key holders to agree.
- As seen in previous hacks, poor security or social engineering can leave any bridge vulnerable, even with the most noble of key holders.
- Centralized control allows for the potential of the state/regulators in the future to force multisig owners to shut the bridge down.
- Due to the very nature of bridges themselves, the effects of an attack on one bridge can quickly and catastrophically spread across multiple chains.
Can bridges be done in a decentralized way?
In the aforementioned Twitter thread, Gravity Bridge was mentioned as a potential alternative.
What is Gravity Bridge?
Gravity Bridge is a trust-less blockchain that bridges assets between the Ethereum and Cosmos ecosystems.
Because it uses its full validator set to sign transactions, control over Gravity Bridge is handled entirely by validator consensus, ensuring neutrality and decentralization.
In Defense of Multisigs
Axelar Core developer Sergey Gorbunov quickly shared his defense of their approach.
Multisigs provide the development team with greater opportunities for risk mitigation and bug patching when upgrading, saving time, expense and allowing for quicker upgrades.
Sergey also mentioned changes that are being considered in the future in the form of validator co-signing for upgrades.
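As an added example (not Axelar's or Gravity Bridge's code), the following models the 4-of-8 approval rule described earlier and the validator co-signing idea mentioned above. HMAC stands in for a real signature scheme, and the key names, validator voting powers and the two-thirds voting-power rule are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: 8 developer keys and 5 validators with voting power.
# HMAC-SHA256 stands in for the real signature scheme so the example runs offline.
DEV_KEYS = {f"dev{i}": f"dev-secret-{i}".encode() for i in range(1, 9)}
VALIDATORS = {"val1": (b"val-secret-1", 30), "val2": (b"val-secret-2", 25),
              "val3": (b"val-secret-3", 20), "val4": (b"val-secret-4", 15),
              "val5": (b"val-secret-5", 10)}
DEV_THRESHOLD = 4  # the 4-of-8 rule from the article


def sign(key: bytes, upgrade: bytes) -> bytes:
    """Approve one specific upgrade by authenticating its SHA-256 digest."""
    return hmac.new(key, hashlib.sha256(upgrade).digest(), hashlib.sha256).digest()


def valid_signers(upgrade: bytes, approvals, keys: dict) -> set:
    """Return the distinct known signers whose approval matches this upgrade."""
    ok = set()
    for signer, sig in approvals:
        key = keys.get(signer)
        if key is not None and hmac.compare_digest(sig, sign(key, upgrade)):
            ok.add(signer)  # a set, so a repeated approval counts once
    return ok


def multisig_ok(upgrade: bytes, approvals) -> bool:
    """Developer multisig: at least DEV_THRESHOLD distinct valid approvals."""
    return len(valid_signers(upgrade, approvals, DEV_KEYS)) >= DEV_THRESHOLD


def validators_ok(upgrade: bytes, approvals) -> bool:
    """Assumed rule: approving validators must hold more than 2/3 of voting power."""
    keys = {name: key for name, (key, _) in VALIDATORS.items()}
    signed = sum(VALIDATORS[v][1] for v in valid_signers(upgrade, approvals, keys))
    total = sum(power for _, power in VALIDATORS.values())
    return 3 * signed > 2 * total


def cosigned_ok(upgrade: bytes, dev_approvals, val_approvals) -> bool:
    """Hybrid policy: developer multisig AND validator co-signature."""
    return multisig_ok(upgrade, dev_approvals) and validators_ok(upgrade, val_approvals)
```

Under the hybrid policy, four valid developer approvals are no longer sufficient on their own: the same upgrade digest must also be approved by validators holding the assumed share of voting power.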
There are some benefits to the centralized approach too:
- Multisig control allows for quicker updates at a lower cost.
- It is easier to mitigate risk when upgrading on centralized bridges.
- In a real world example of a smart contract related hack, a flaw was exploited in the Wormhole bridge’s code costing the bridge $325 million. Quick access to make upgrades and catch bugs before they go into production is important.
Axelar v Gravity: Attack Threats
Generally, there are two types of attacks on bridges, and in order to best prevent them, different approaches are required.
1. Code attacks: exploiting vulnerabilities in smart contracts
In this scenario being able to close off points of attack quickly is paramount - a benefit of centralized control.
2. Network design attacks: often involve social engineering for keys
Here, human access and control is a fatal point of failure, and so decentralization is beneficial.
Axelar v Gravity: Efficiency & Upgradability
The ability to add new features quickly and reduce costs is a benefit of the Axelar bridge approach, yet it comes at the cost of centralization.
Justin Kilpatrick, lead designer and developer for Gravity Bridge, posted the following summary video outlining how their approach to upgradability and contract setup is different to that of Axelar.
In summary, both bridges have pros and cons depending on the scenario:
- Gravity's bridge is unstoppable and not upgradable.
- Axelar's bridge is stoppable and upgradable.
What does this mean for the Cosmos Ecosystem?
As more value flows through cross-chain bridges than ever before, they will only continue to become more attractive targets in the future.
The connection of chains has brought many amazing opportunities, but interoperability is a risky game. Bridged stable-coins are only as secure as the bridge itself.
What constitutes the best bridge will come down to your own personal ethos.
Are you willing to accept a certain level of centralization and trust for ease of use and more efficient rollout of features?
Or are you in the 'don't trust, verify' camp and willing to accept the trade-offs for a truly decentralized, trust-less bridging architecture?
No matter which way you swing, one thing is clear: we must choose our bridges wisely.
Disclaimer: none of the information given in this article is financial or investment advice. Please DYOR and assess your own risk.