Multi-Message-Aggregation (MMA)
A General Design for Multi-Bridge Governance.
Abstract
Multi-Message-Aggregation (MMA) is a message aggregation method for Uniswap to securely relay governance instructions from Ethereum to another chain. Instead of making one bridge provider the default message relayer, MMA relies on multiple bridge providers and a group of signers. This design offers more security than any one bridge and is designed for governance-related tasks. Moreover, this design is relatively engineering-lite and can be implemented in a reasonable time.
Compared to the existing design
Compared to the Universal Governance Model by @AlexSmirnov @modong, this design does not rely on an algorithmic on-chain selection function. We believe that mechanism should be reserved for a future implementation because of 1) its potentially long engineering time, 2) the new attack surface and bugs that come with increased code complexity, and 3) the difficulty of standardizing message formats across bridge providers. Instead, we delegate this selection function to an 11/15 multisig, which selects the message that will be executed. This way, we believe we can keep contract complexity and engineering time low while still achieving strong security guarantees.
MMA Design
The MMA design can be split into three parts: Ethereum, the destination chain, and the off-chain world. On Ethereum, it is made up of the Uniswap Governance Complex (the smart contracts that Uniswap relies on to issue governance actions) and the individual bridge endpoints. In the off-chain world, there are the bridge providers and the multisig signers. On the destination chain, there are the bridge endpoints, a Message Selection Contract, and the Uniswap contracts.
On Ethereum, once a governance proposal is approved and it concerns deployments on other chains, the governance complex sends the message to each individual bridge endpoint for relaying to the destination chain(s). For simplicity, we will assume we are only sending a governance message to one destination chain, but the concept is the same when sending to multiple chains. This design does not change the current voting process, but it would require the governance payload to be modified whenever cross-chain governance is involved.
Once the message reaches the endpoint on the Ethereum side, each bridge provider relays the message to the destination chain independently. Once a bridge provider has relayed the message to the destination chain's endpoint, that endpoint forwards the message into the Message Selection Contract. The multisig then selects which message to execute and submits a transaction executing that message on the destination chain. We recommend an 11/15 Safe multisig.
The rough implementation of the Message Selection Contract can be found here.
Security
Two kinds of malicious activity could surface: 1) a fraudulent governance message and 2) a withholding attack.
A fraudulent governance message is a governance message that gets executed on the destination chain but was not approved by the Ethereum Uniswap Governance Complex. This can happen if and only if an adversary controls one or more of the bridge providers AND 11 or more of the multisig signers. The adversary would first need to use the bridge provider to pass a fraudulent governance message into the Message Selection Contract and then use 11 of the signers to approve the transaction that executes it. We believe this is unlikely to happen because compromising 11 independent signers and a bridge provider is not economically profitable as a way to attack the governance bridge.
A withholding attack is when more than 4 of the multisig signers, or all of the bridge providers, refuse to sign or relay the message. A bridge withholding attack would be a concern if Uniswap had only one bridge provider; however, given that we have three in this example, simultaneous withholding by all of the bridge providers would be extremely unlikely. A withholding attack by the multisig signers could be more likely given the small number of participants involved. To address this, we should have a governance process that elects only reputable governance delegates to this multisig role; alternatively, we could increase the total multisig size to make a withholding attack harder to coordinate.
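The following Python model is an added example, not code from the original post and not the linked Message Selection Contract implementation. It models the message flow described in the MMA Design section (registered bridge endpoints deliver messages, the multisig releases one for execution) together with the two threat thresholds from this Security section. Everything in it is an assumption made for illustration: Safe signature verification is replaced by a set of signer ids, a message id is the SHA-256 of the canonical JSON payload, and the bridge names, signer names and payload fields are constructed sample values.

```python
import hashlib
import json

# Constructed parameters matching the post's recommended 11/15 Safe multisig.
THRESHOLD = 11
SIGNER_COUNT = 15


def message_id(payload: dict) -> str:
    """Canonical hash of a governance message (assumed scheme). Every bridge that
    carries the same message must yield the same id so deliveries can be grouped."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class MessageSelectionContract:
    """Model of the destination-chain contract: it accepts messages only from
    registered bridge endpoints, records which endpoints delivered which message,
    and releases a message for execution only with a threshold of signer approvals."""

    def __init__(self, bridge_endpoints, signers, threshold=THRESHOLD):
        self.bridge_endpoints = frozenset(bridge_endpoints)
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.payloads = {}     # msg_id -> payload
        self.delivered = {}    # msg_id -> set of endpoints that delivered it
        self.executed = set()  # replay protection: each message executes once

    def receive(self, endpoint, payload):
        # Only the registered destination-chain bridge endpoints may deliver.
        if endpoint not in self.bridge_endpoints:
            raise PermissionError(f"{endpoint} is not a registered bridge endpoint")
        mid = message_id(payload)
        self.payloads[mid] = payload
        self.delivered.setdefault(mid, set()).add(endpoint)
        return mid

    def execute(self, mid, approvals):
        # The multisig may only pick a message that some bridge actually delivered,
        # and only once; approvals stand in for verified Safe signatures.
        if mid not in self.delivered:
            raise ValueError("message was never delivered by any bridge")
        if mid in self.executed:
            raise ValueError("message already executed")
        valid = set(approvals) & self.signers
        if len(valid) < self.threshold:
            raise ValueError(f"{len(valid)} valid approvals, need {self.threshold}")
        self.executed.add(mid)
        return self.payloads[mid]


def fraudulent_execution_possible(compromised_bridges, compromised_signers,
                                  threshold=THRESHOLD):
    """A forged message executes only if at least one bridge can inject it AND the
    adversary controls at least `threshold` signers (the post's 'if and only if')."""
    return compromised_bridges >= 1 and compromised_signers >= threshold


def withholding_possible(withholding_bridges, total_bridges,
                         withholding_signers, total_signers=SIGNER_COUNT,
                         threshold=THRESHOLD):
    """Delivery is blocked if every bridge withholds, or if the honest signers
    that remain cannot reach the threshold (more than 4 of 15 for an 11/15 Safe)."""
    return (withholding_bridges >= total_bridges
            or total_signers - withholding_signers < threshold)


def demo():
    """Walk a legitimate message and a forged one through the model."""
    bridges = ["bridgeA", "bridgeB", "bridgeC"]          # constructed names
    signers = [f"signer{i}" for i in range(SIGNER_COUNT)]
    contract = MessageSelectionContract(bridges, signers)
    legit = {"chain_id": 10, "target": "0xUniswapContract", "calldata": "0xabcd", "nonce": 1}
    forged = {"chain_id": 10, "target": "0xUniswapContract", "calldata": "0xdead", "nonce": 1}

    legit_id = None
    for b in bridges:                                    # all three honest relays
        legit_id = contract.receive(b, legit)
    forged_id = contract.receive("bridgeC", forged)      # one compromised relay

    out = {"legit_deliveries": len(contract.delivered[legit_id]),
           "forged_deliveries": len(contract.delivered[forged_id])}
    try:                                                 # 3 rogue signers: rejected
        contract.execute(forged_id, signers[:3])
        out["forged_executed"] = True
    except ValueError:
        out["forged_executed"] = False
    out["legit_executed"] = contract.execute(legit_id, signers[:11]) == legit
    try:                                                 # second execution: rejected
        contract.execute(legit_id, signers[:11])
        out["replayed"] = True
    except ValueError:
        out["replayed"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

The two threshold helpers make the Security section's arithmetic explicit: with an 11/15 multisig, a forged message needs 11 colluding signers on top of a compromised bridge, while five withholding signers (or all three bridges) are enough to stall delivery, which is why the post treats signer withholding as the more realistic risk.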
Summary
We proposed a cross-chain governance mechanism, Multi-Message-Aggregation (MMA). This design aggregates the messages relayed by multiple bridge providers, and a group of multisig signers selects which message from that set to execute. MMA aims to be an intermediate solution for cross-chain governance between relying on one bridge provider and algorithmically aggregating multiple bridge providers. The security guarantee of MMA is also higher than that of a single bridge provider.
We would love to hear thoughts from other technical members within the Uniswap ecosystem on MMA and the potential security vulnerability or engineering difficulties involved.