Wormhole

From CryptoWiki

From Li.Fi (19-9-2022):

"Despite being best known for its token and NFT bridging solution, Wormhole is actually an arbitrary message-passing protocol allowing for cross-chain exchanges of data between fourteen chains and counting. In particular, it’s widely known for connecting Ethereum to the Solana and Terra ecosystems."

Basics

Guardians

Chorus One, Staked.us, P2P Validator, triton.one, Certus One, Everstake, Chainode Tech, ChainLayer, Staking Fund, Dokia, 01Node, Moonlet, Inotel, Figment, Staking Facilities, HashQuark, Forbole, Syncnode and Smith MCF.

Audits & Exploits

  • This protocol offers an active (3-11-2022) bug bounty of $10M.
  • The DeFi Safety score got updated (7-1-2023): "Based on some comments from the wormhole team on their Guardian mode we have increased their score to 75% with improvements on time lock and pause control scores."
  • Previously scored 69% (3-11-2022):

"There is a little over 100% testing to code. No test coverage evidence was found, but clearly there's a complete set of tests. This protocol has not undergone formal verification. There is a page of many audits. We have reviewed two different ones. Several links go to the same file. (here and here). Each review did find significant vulnerabilities but they were properly resolved. Admin control information is not clearly defined in the documentation. A 2/3 multisig for the 19 guardians over gas prices is mentioned. The Guardian contracts are mentioned to be upgradeable, but that leaves a lot of contracts without immutability/upgradeability documentation. Smart contract change capabilities are not identified. This protocol's pause control is not documented. This protocol has no timelock documentation."

"Wormhole has been audited by Neodyme and Kudelski (x2). It has audits by OtterSec, Certik, Halborn, Trail of Bits, and Coinspect scheduled for Q3 2022. Moreover, it has the largest bounty in the crypto space via a $10 million offer on Immunefi."

Bugs/Exploits

  • Wormhole uninitialized proxy disclosed, $10 million bounty paid (21-5-2022).
  • From Rekt (3-2-2022):

"Minutes after samczsun pointed out that there was a problem, the Wormhole team stated that the network was simply “down for maintenance” whilst investigating a “potential exploit”. The exploit was later addressed directly, with a bold promise to restore the funds. Less than 24 hours later, and the backing has just been restored.

The Wormhole was manipulated into crediting 120k ETH as having been deposited on Ethereum, allowing for the hacker to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana. 93,750 ETH was bridged back to Ethereum over the course of 3 transactions where it still remains in the hacker’s wallet. The remaining ~36k whETH were liquidated on Solana into USDC and SOL."

Technology

"The wormhole repository has over 2500 commits, earning the protocol 100%."

Implementations

  • Consensus mechanism:
  • Algorithm:

Transaction Details

How it works

"Wormhole’s design is simple. It is a proof-of-authority network governed by 19 validators. Each blockchain supported by Wormhole is home to a “Core Bridge” contract. The core contracts emit messages to Guardians who verify and sign (aka approve) the message. This verified message is then relayed to the destination chain, where the message is processed and the cross-chain transaction finalized.

It is the guardian’s sole role to monitor the state of each supported Wormhole blockchain. Each Guardian observes and signs messages in isolation, with the resulting collection of signatures representing proof that a certain message is agreed upon by the Wormhole network. A message is only authentic if 2/3rds+ of Guardians have signed it.

Wormhole makes the following trust assumptions:

  1. Externally verified by Guardians — Wormhole’s proof-of-authority system inherently trusts that Guardians can be trusted to verify transactions and that over 2/3rd of Guardians will not collude at a certain time.
  2. Censorship risk — 1/3rd of Wormhole’s Guardians can collude to censor a message.
  3. Guardians care about reputation — Wormhole relies on the fact that the potential benefit of collusion is lesser than the reputational cost of collusion for its Guardians. However, this could become a major issue if the benefits for ⅓ of the guardians outweigh the reputational cost of collusion.
  4. Validators don’t have a bond — Guardians’ stake is not bonded, i.e., their stake won’t be slashed, or they won’t be penalized if they act maliciously. Thus, user funds are not protected by any bonding or slashing mechanism."
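
The quorum rule and the censorship assumption quoted above, as an added example that is not taken from Li.Fi or from the Wormhole code base. It assumes "2/3rds+" means strictly more than two-thirds, uses HMAC-SHA256 as a stand-in for the Guardians' real signature scheme, and runs against a constructed set of 19 placeholder keys.

```python
import hashlib
import hmac

# Constructed guardian set: 19 placeholder keys, not real Guardian keys.
GUARDIAN_KEYS = [f"guardian-{i}".encode() for i in range(19)]

def quorum(n: int) -> int:
    """Smallest signer count strictly greater than 2/3 of n (assumed reading)."""
    return (2 * n) // 3 + 1

def censor_threshold(n: int) -> int:
    """Smallest number of withholding guardians that makes quorum unreachable."""
    return n - quorum(n) + 1

def sign(index: int, message: bytes) -> bytes:
    # HMAC-SHA256 stands in for the guardian's real signature scheme.
    return hmac.new(GUARDIAN_KEYS[index], message, hashlib.sha256).digest()

def verify_message(message: bytes, signatures: list) -> tuple:
    """Accept only if a quorum of distinct, known guardians signed this exact message."""
    n = len(GUARDIAN_KEYS)
    seen = set()
    for index, sig in signatures:
        if not 0 <= index < n:
            return False, f"unknown guardian index {index}"
        if index in seen:
            # One guardian repeated many times must never count as many guardians.
            return False, f"duplicate signature from guardian {index}"
        if not hmac.compare_digest(sig, sign(index, message)):
            return False, f"bad signature from guardian {index}"
        seen.add(index)
    if len(seen) < quorum(n):
        return False, f"{len(seen)} of {n} signed, quorum is {quorum(n)}"
    return True, "quorum reached"

def demo() -> dict:
    msg = b"constructed cross-chain message"
    sigs = [(i, sign(i, msg)) for i in range(13)]
    return {
        "13 distinct signers": verify_message(msg, sigs),
        "12 distinct signers": verify_message(msg, sigs[:12]),
        "12 signers + 1 repeated": verify_message(msg, sigs[:12] + [sigs[0]]),
        "signed other message": verify_message(msg, sigs[:12] + [(12, sign(12, b"other"))]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

With 19 guardians this reading gives a quorum of 13, so 7 guardians withholding signatures are enough to keep a message from being accepted.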

Fees

Upgrades

Staking

Validator Stats

Liquidity Mining

Scaling

Interoperability

"Wormhole supports messaging across 14 blockchains, including Ethereum, Solana, Terra, Binance Smart Chain, Polygon, Avalanche, and Fantom, along with Oasis, etc."

Other Details

Oracle Method

"Wormhole's oracle is defined to be the Guardian Network, consisting of 19 validators producing signed messages, governed by a VAA multisig. This protocol does not document front running mitigation techniques. This protocol does not document flash loan mitigation techniques."

Usage

"The TVL on Wormhole bridge has come down significantly from a high of $4.67b to ~$500m. 80% of this TVL is locked on Ethereum with ETH accounting for about $174m. Terra, despite its crash earlier this year, still ranks at #2 by TVL. Since most TVL is locked on Ethereum and most of it is ETH, it makes sense to look at where the ETH has been going. A few patterns are noticeable: most ETH has been going to Solana, and the monthly transfer volume is down significantly since December 2021."

Pros and Cons

Pros

From Li.Fi (19-9-2022):

  1. "Non-EVM compatibility — Wormhole is one of the few messaging solutions that connects non-EVM compatible chains like Solana, Acala, Terra Classic, and Terra 2.0 to EVM-compatible chains like Ethereum and Polygon.
  2. Top tier validators — Wormhole is a proof-of-authority network secured by 19 “Guardians” that ensures cross-chain messages are safely transmitted. Among the “Guardians” are major companies like FTX, Certus One, Everstake, Staked, and Chorus One.
  3. Seamless user experience — Wormhole charges exceedingly small fees (100 lamport, or less than a cent) when transacting from Solana. Furthermore, users simply need to create a transaction on the source chain and redeem it on the destination chain to execute a cross-chain transfer."

Cons

Team, Funding and Partners

Team

  • Full team can be found [here].

Jump Trading and Wormhole have “parted ways,” as per a Bloomberg article (19-11-2023) quoting “people with knowledge of the matter.” The account further reveals that former Jump executives Saeed Badreg and Anthony Ramirez have allegedly departed to manage Wormhole independently.

Funding

Wormhole has secured $225 million in funding (29-11-2023) from Brevan Howard, Coinbase Ventures, Multicoin Capital, Jump Trading, ParaFi, Dialectic, Borderless Capital, Arrington Capital, and more.

Partners