<aside>
đź’ˇ Assessment conclusion
The analysis of Wormhole concluded it satisfies the requirements of the Uniswap DAO's cross-chain governance use case as outlined in the assessment framework above. The set of validators includes many reputable entities, and both the number of validators and security thresholds are set at satisfactory levels.
Moreover, the implementation of the protocol and operational security practices are well considered, with significant improvements to their DevSecOps practices and incident response procedures since its exploit incident that occurred in February 2022.
The Committee has identified some areas of improvement and recommends periodical monitoring of any material changes that may affect the protocol’s security profile.
</aside>
Architectural Considerations
Technical Summary
Wormhole is a general-purpose cross-chain messaging protocol that includes a token bridge for asset transfers. The protocol relies on an external validator set for security and employs a Proof-of-Authority validation model. The security of the protocol depends on the trustworthiness of the members of the validator set. The protocol assumes that validators are reputable businesses who will behave honestly and adhere to the protocol to maintain their reputation. Additionally, the protocol assumes that stakeholders can pursue legal action in the event of malicious behaviour, as validators are known legal entities.
Wormhole's validator set is composed of 19 validators, each operated by a distinct legal entity. Most of these entities are established and reputable businesses that operate core blockchain infrastructure as part of their primary business. Each validator operates a full node for every network to which Wormhole links.
Validators observe cross-chain messages originating from a source, sign them, and then gossip their signed messages over a peer-to-peer network. The validator network provides API endpoints, which anyone can use to query for signed messages and submit them to the destination chain.
A cross-chain message is considered valid on the destination chain only if it has at least 2/3 of the validators’ signatures. This means that if 13 validators collude or are compromised, the safety of the protocol can be compromised, and invalid messages could be sent across the bridge. Similarly, if more than 1/3 of validators (i.e., 7 validators) are offline, the protocol's liveness is impacted. The same number of validators can also choose to censor messages. The protocol offers a good level of public accountability and auditability regarding the actions of validators, making attributing faults to specific validators possible.
Risks and Concerns
- Validation Mechanism: Proof-of-Authority protocols largely rely on external structural assurances that are generally difficult to confidently reason about (e.g. reputation, contractual agreements, legal recourse). It is difficult to precisely quantify how effective these deterrents to misbehaviour are for each validator. Additionally, the mechanisms for recourse are slow, difficult, expensive and uncertain (legal). The events of late 2022 and 2023 have amply demonstrated that entities that were once considered highly reputable, were demonstrably not. Indeed, FTX was a validator in the Wormhole protocol until earlier this year.
Recommendation*:** Further decentralize the validator set while maintaining a high bar for the quality of validators, building more in-protocol assurances and developing sound incentivization models for these validators.*
- Validator Set: The reputation, caliber, and general trustworthiness of validators in the validator set are essential to the security of the protocol. While the current validator set is composed mostly of entities that appear to meet these criteria, a few validators are nascent small businesses for which these assurances do not appear substantive.
In addition, to maintain an acceptable level of quality of the validator set, it is necessary to perform rigorous upfront and ongoing due diligence on individual validators. However, currently, the Wormhole Foundation does not appear to have defined diligence processes in place. This raises concerns about whether the validator set can maintain an acceptable level of quality over time.
Recommendation: The Committee encourages the team to define clear metrics for assessing the quality of validators, perform ongoing due diligence on validators, and publish validator information to the community.
- Validator Performance: Currently, there are no in-protocol mechanisms or Service Level Agreements (SLAs) to ensure that validators maintain an acceptable level of uptime and responsiveness. An analysis of over 15,000 cross-chain messages processed by the Wormhole token bridge across three chains (Ethereum, BNB, and Polygon) highlights that at least three guardians had a participation rate of below 50%, with one guardian having a participation rate of roughly 21%. This suggests that these validators either experience persistently higher latency. While the results of this analysis could also indicate that these validators are experiencing downtimes, the analysis was limited and inconclusive in this regard. The Committee was unable to obtain historical data regarding validator downtimes more broadly.
Recommendation: The Committee encourages the team to investigate extant latency issues, have measures in place to ensure minimum level of validator performance, and also to publish detailed metrics (including historical data), about validator performance.
- Validator Incentivization: The sustainability of a validator set relies on a sound incentive model. An ineffective incentive model could lead to validator attrition or passivity, and consequently, increased centralization. At present, Wormhole does not charge fees and does not appear to have a clearly-defined incentive model for validators. While it is noted that validators hold equity in the protocol, it is not clear how effective, sustainable, and scalable this model is.
- Validator Passivity: Currently, there are no in-protocol mechanisms to ensure that validators independently observe the chain and validate messages. This leaves the protocol vulnerable to scenarios in which some validators choose to be more passive, not expending resources to independently observe and validate messages, but rather rubber-stamping messages from others. This increases centralization and reduces security. Presently, the protocol encourages validators to operate full nodes for each chain but provides no mechanism to ensure this. The risk of this scenario is less significant at present because most validators operate blockchain infrastructure as part of their core business.
Recommendation: The Committee encourages the team to consider implementing in-protocol mechanisms to address this issue, drawing inspiration from other cross-chain protocols that have done so.
- Fine-grained Censorship: Because validators sign individual messages, and the protocol does not enforce message ordering, censorship through the protocol can be more targeted and less costly to perform. To censor a message, at least seven validators must collude or independently decide that it is in their best interest to do so.
Implementation Considerations
Technical Summary
The Committee carefully reviewed the implementation of the protocol, which included smart contracts for EVM chains and validator code. The implementation appears to be sound and in alignment with the protocol's specification and technical documentation. The internal design of the components appears to be well thought out and in accordance with best practices. Overall, the observations are indicative of a mature codebase. Other observations of the protocol's implementation include:
- Audits from numerous well-known security firms on different aspects of the system, with varying levels of scope. All published audits indicate that any high or critical severity issues have been resolved.
- Robust tests for core components and overall system.
- Active bug bounty of up to US $2.5m (capped at 10% of the impacted value).