WH Questions

1. List 3 succinct reasons why you believe your bridge/solution would best serve Uniswap governance.
   Modularity and Scalability: Wormhole’s relayer-free model enables Uniswap to seamlessly expand governance to new chains without reliance on Wormhole to officially roll out its full suite integration. Any developer can permissionlessly deploy a read-only contract on the new destination chain and configure them with the current Wormhole Guardian set.
   Critically, this compliments the Uniswap community’s sense of urgency to deploy Uni v3 onto other L1s and L2s prior to the license expiration. Relying on complex infrastructure like the operation of a relayer network may impede on those time sensitive ambitions.

   Lightweight and Implementation Ready: Wormhole’s cross-chain governance module for Uniswap is tested and implementation ready. The contracts are currently live on ETH and BNB — the solution can be easily scaled to other EVM chains. The application is lightweight as Wormhole’s Guardian network is only used to attest finalized governance decisions on Ethereum.
   I. Ethereum Message Sender: UniswapWormholeMessageSender | Address 0x128Ce3A3D48f27CE35A3F810cF2cddD2f6879b13 | Etherscan
   II. BNB Chain Message Receiver: UniswapWormholeMessageReceiver | Address 0x3ee84fFaC05E05907E6AC89921f000aE966De001 | BscScan

   Security and Decentralization: Wormhole has nineteen guardians comprised of institutional PoS validator companies who jointly attest to messages. Our Guardians are some of the largest and most respected PoS validators — collectively representing tens of billions of staked capital across Ethereum, Polygon, and more. Each Guardian holds equal weight in consensus and governance. Of the 19 guardians, Wormhole requires over two-thirds to reach consensus and pass verification - thus, we assume that at least one-third of our guardian set is honest.

   Despite Wormhole’s high degree of decentralization, we remain resolute on improving our trust assumptions — as such, contributors are placing heavy investments in moving towards a completely trustless system based on zero knowledge proofs. This architecture leverages zero-knowledge proofs as a mechanism for directly attesting to the consensus rules of the blockchain. Light clients provide a mechanism for doing exactly this. We aim to share more on our ZK roadmap soon.

2. How long has the system been running on mainnet?
   Wormhole is one of the first and longest serving generic cross-chain messaging protocols. It has been running on mainnet since August 2021.

3. How much value has the system secured? (Current TVL, total transaction volume)
   Wormhole currently secures $300 million in TVL (token bridge only).
   Since inception, nearly $35 billion in cumulative transaction volume has taken place on Wormhole via users bridging tokens over 22 connected chains — this activity comes through organic usage, no farming or token based incentives.

4. Provide a background on your team.
   All Wormhole code is open source and built in the open by dozens of contributors including both individuals as well as contributors affiliated with the Wormhole Foundation, Jump Crypto, and more. Wormhole also has contributions from within 19 Guardian members spanning P2P, Everstake, Chorus One, Staked.US, Figment and more. Together, Wormhole is one of the most decentralized projects in crypto in both number and diversity of its contributors.
   Hendrik Hofstadt is a Director of the Wormhole Foundation and is also the chairman of the supervisory board at Neodyme AG. Prior to Wormhole, Hendrik co-founded and served as CEO for Certus One, a leading blockchain infrastructure company, which was acquired by Jump Crypto in 2021.

5. Please link your developer documentation.
   Check out the Wormhole xDapp Book. The first section of the book comprehensively outlines the core elements of Wormhole’s architecture and security while the second section assists developers set up a development environment and get started composing atop Wormhole.
   Wormhole is fully open source — an intentional decision to push for the best in-class infrastructure and encourage the broader bridge community to transparently build out in the open. Our Github repository can be found here.
   Additional information on the Wormhole: Ecosystem, Guardian Network, Discord

6. Does the bridge support arbitrary message passing?
   Yes, Wormhole is a generic messaging protocol. Since inception, nearly 230 million messages have been transmitted, around 2 million messages are transmitted daily — some are regular messages (e.g. Pyth oracle data) while others are token bridges. Wormhole’s daily message load is equivalent to an L1, which demonstrates its reliability and robust throughput.

7. Has the current deployed bridge code been audited? By a third party? What attack vectors and vulnerabilities were identified, if any? Have the identified vulnerabilities been remedied?
   Wormhole has been audited 25+ times by leading audit firms, including Certik, Trail of Bits, and OtterSec, and the cohort of auditors continues to grow. You can see the complete list of auditors and publicized findings here. Those 25 audits are in addition to Wormhole’s already rigorous internal auditing standards, where a team of 6 experienced security engineers regularly perform review the protocol’s security.

8. Is there a bug bounty program?
   Yes. We remain committed to engaging with the whitehat community with clear and transparent discourse processes and bounty payoffs. Wormhole has paid out some of the largest bug bounties in crypto (see here) — our program has pushed Wormhole’s security forward and made the protocol more robust.

   Wormhole hosts two bug bounty programs, both have a top payout of 2.5 million dollars:

   • An Immunifi program and a self-hosted program

   We strive to ensure our whitehat disclosure processes are clear and transparent — and are not hidden behind opaque payoff structures and obscure disclosure emails.

9. List ANY portion of the functional bridge that is upgradeable and explain how the upgrade process works.
   Wormhole’s core contracts are upgradeable, contract upgrades are managed via Wormhole’s on-chain governance system. The on-chain governance system requires Guardians to manually vote on governance proposals which originate inside the Guardian Network and are then submitted to ecosystem contracts. Consequently, governance actions are held to the same security standard as the rest of the system (e.g. Wormhole core messaging). That is, a supermajority of the Guardians (13 of 19) are required to pass any governance action. The Governance system is fully open source in the core repository.

   As we’ve mentioned before, while the Wormhole proxy contract can point to different implementations, the Wormhole implementation contract is immutable. Thus it is trivial to verify governance messages against a specified implementation. While there are multiple ways for Uniswap to accomplish this, the most straightforward is just including the pinned implementation as an external library in the deployment.

10. Do any contracts have an owner or owner-like entity? If so, what can the owner do?
    As discussed above, governance actions can only be implemented if supermajority of the Guardians (13 of 19) vote to approve the proposal. Through governance, the Guardians can upgrade contract implementations and change the current Guadian set.

11. What is the security model of the bridge? Please describe the security model for the current implementation of the bridge. What trust assumptions are you making?
    Wormhole’s core messaging layer relies on the standard trust assumption of the PoA consensus with 19 Guardians. All messages passing through Wormhole require a minimum of observation and signing by a majority of the Wormhole Guardian set (13 of 19) — a minority (7 of 19) Guardians may refuse to sign a fraudulent message and thwart an attack.
    The Wormhole Guardian set are comprised of professional PoS validators companies and collectively represent tens of billions of staked capital across a variety of PoS L1s including Ethereum, Polygon, Polkadot, and many more. The Guardian set includes names Figment, Staked, P2P, Chorus One — the full Guardian set can be found here.

12. How can an adversary pass a fraudulent message from Ethereum to the destination chain? Please give specific and concrete examples.
    Any single adversary cannot pass a fraudulent message as all messages passing through Wormhole require a minimum of observation and signing by a majority of the Wormhole Guardian set (13 of 19). Any minority (7 of 19) Guardians may refuse to sign a fraudulent message and thwart an attack.

    Importantly, simple yet customized message recall functions can be built by individual integrators. In this case, Uniswap could simply build “edge contracts” to introduce a time delay on message acceptance, providing an integrator with an opportunity to recall the message before it becomes effective. See below for a sample technical model:

    Consider the sample technical model below (another can be found here):
    

    

    Governance Network921×884 120 KB

Governance continues to take place using the existing GovernerBeta contract and Uniswap’s existing UI.

The GovernerBeta contract feeds into the GovernanceMessenger contract on Ethereum, which serializes the requests and passes them into the Ethereum Wormhole endpoint.

Wormhole produces a VAA (verifiable action approval) for this message, which can now be submitted to the GovernanceMessageReceiver contract on the target chain.

The GovernanceMessageReceiver contract on the target chain verifies the authenticity of the VAA using the local Wormhole endpoint and passes the instruction into a local Timelock contract, which owns the local Factory. Once the Timelock contract is cleared, the instructions can be executed.

Note that a Timelock contract is put on each individual chain to add an optional layer of control over the universal bridge into the system. As an extra signer, the chain’s native bridge could act as an escape hatch by which pending proposals in the Timelock can be canceled.

Notice that there is no relayer dependency in this schematic. Any user can submit the VAA to the GovernanceMessageReceiver contract on the target chain.

This model is very easy to maintain and enhance. Subject to Uniswap governance approval, receiver contracts can be upgraded over time. Moreover, anyone can deploy the Wormhole receiver contracts on new destination chains to process VAAs without waiting for Wormhole to formally support those chains.

Wormhole message security waits for consensus to be reached on the source chain — additionally, Guardians run full nodes to protect Wormhole against consensus-level exploits in the connected chains and further reduce contagion risk. If a blockchain’s consensus is violated, the Guardians will disconnect from the network until the issue is resolved.

13. How can an adversary withhold a valid governance message from Ethereum to the destination chain? Please give specific and concrete examples.
    A single adversary cannot withhold a valid governance message — successfully refusing a valid governance message requires collusion among a minority contingent of Guardians (7 of 19).
    Any fraudulent message would be immediately attributable to the offending Guardian to the rest of the Guardian network, resulting in the subsequent expulsion from the Guardian network.

14. What are the ramifications of fraud to the malicious actor(s)? If it is legal ramification, please share the suite of legal action you can provide. If it is slashing, please point us to the codebase of the slashing behavior and describe in words how slashing works in your system.
    As mentioned above, Wormhole’s Guardians are leading PoS validators and collectively represent tens of billions staked across a number of L1s. Should they act maliciously (such as sign or forge fraudulent messages), they risk reputational consequences, external PoS businesses, and ejection from the Wormhole Guardian set.

    Consequently, there is little incentive for an individual Guardian to act maliciously. Even if a Guardian were to succeed in forging a fraudulent message, it would not affect the network state because a single signature isn’t enough to establish the super-majority required to gain quorum. Finally, a fraudulent message would be immediately attributable to the offending Guardian to the rest of the Guardian network.

15. Provide any additional information you would like here.
    Wormhole has taken a pragmatic approach to bridging -19 PoA Guardian set with the leading PoS validators, full nodes, and off-chain security features. We believe this is a nicely packaged solution that strikes the right balance between flexibility and safety, however, additional validation mechanisms are easily composable with Wormhole.

    Following up on discussions in a previous thread, Wormhole contributors built out two examples of potential add-ons to the typical integration: an additional off-chain signer and a two-of-two bridge approach. Medium post can be found here.

    Technical working examples are available here: https://github.com/wormhole-foundation/example-composable-verification

    These forms of composable verification enable Uniswap to layer their signers or other trusted signers on top of Wormhole, extending the already robust Guardian set with additional validators.