Celer Network would like to submit our proposal and answer the listed questions.
1. List 3 succinct reasons why you believe your bridge/solution would best serve Uniswap governance.
Celer is secure.
- Celer’s protocol security design is comprehensive, built on Cosmos SDK which has been battle tested by many blockchains, including BNB Chain, Polygon PoS, and Cosmos. Celer’s PoS validators are among the most trusted in the blockchain community. Additionally, Celer offers an optimistic-rollup-like security framework for Uniswap to ensure its security even in the event of total consensus failure.
- Celer has a flawless security track record and is the only cross-chain infrastructure with significant usage (>$5b in cross-chain volume) that has no critical vulnerabilities exploited or identified.
- Celer implements a comprehensive security monitoring and communication process. Celer DAO has a dedicated 24/7 security team that builds and maintains an automated security monitoring system. This team can immediately communicate with both the Uniswap and Celer communities in the event of any security incidents.
Celer has achieved remarkable adoption, attracting well-known names like Metamask and PancakeSwap who opted to integrate Celer after thoroughly evaluating available solutions. Additionally, Celer has become widely adopted for numerous use cases such as asset bridges, cross-chain governance, cross-chain NFT bidding, cross-chain yield farming, cross-chain perpetual futures liquidity provision, one-click cross-chain swaps, and NFT bridging, with over 1.31 million cross-chain messages processed. Celer’s asset bridge, cBridge, supports 40 chains and 833 token bridges, facilitating $12.7 billion in cross-chain transaction volume and serving 333,000 unique addresses.
Celer remains dedicated to innovating towards a trust-free and open DeFi ecosystem. The Celer DAO and community developers have invested significant efforts in developing zk proofs. Soon, Celer will release a generalized messaging framework based on succinct proof of consensus. Furthermore, in the best interest of the Uniswap community and the broader DeFi ecosystem, Celer proposed a multi-messaging-aggregation solution. This proposal, supported by many delegates and industry participants, aims to establish a vendor-lock-in-free future for Uniswap and the entire DeFi ecosystem.
2. How long has the system been running on mainnet?
Celer’s cross-chain solutions were first launched in the form of an asset-only bridge in July 22nd, 2021. Building on this success, Celer released the generalized cross-chain messaging functionality on mainnet on April 15th, 2022. The core component of Celer’s cross-chain solutions, the State Guardian Network, has been running on mainnet since November 2020.
3. How much value has the system secured? (Current TVL, total transaction volume)
Current TVL: $215M
Total Transaction Volume: $12.8 billion
4. Provide a background on your team.
Celer was co-founded in 2018 by four industry veterans and entrepreneurs, each of whom holds a PhD from a prestigious institution like MIT, Princeton, UC Berkeley, and UIUC. Their security-first approach to development is rooted in their experiences securing critical networking infrastructure in Fortune 50 companies, safely operating the largest-scale Software Defined Network, and designing high-performance networking chips with zero tolerance for error.
Today, the Celer Network developer community has grown to a global network of core contributors with a similar background, as well as a large community of ecosystem developers who build exciting cross-chain applications using Celer. Before expanding to a generalized interoperability protocol, Celer released the world’s first Generalized State Channel Network, which laid the groundwork for its cross-chain efforts.
5. Please link your developer documentation.
Please see the followings:
6. Does the bridge support arbitrary message passing?
Yes, Celer supports arbitrary messaging, and its usefulness is exemplified by a number of high-impact use cases running on mainnet today. FutureSwap, for instance, uses Celer for its cross-chain governance, while PancakeSwap leverages Celer to allow users to provide liquidity on Ethereum and receive yield mining rewards on BNB Chain.
Additionally, Celer has already developed, deployed and tested a Uniswap cross-chain governance system on testnet, which employs a comprehensive security model. When a Uniswap governance decision is made on Ethereum, the governance contract calls the sendMessage function of a “send box” contract, which takes in the destination chain IDs, message to be passed, and destination contract addresses. The message contains the serialized bytes of the governance function call data, and an event is emitted containing the message.
Validators in Celer’s State Guardian Network, which is a Cosmos SDK based blockchain, witness the message and reach consensus that the message exists. The validators then generate a stake-weighted multisignature attestation that is stored on the chain.
A message executor, which can be run by Uniswap or validators of Celer Network, collects the message and calls executeMessage of a receiver contract. After necessary on-chain validation of the message, the message is put into a “quarantine zone” for a configurable period. During the quarantine period, validators in the SGN, the application’s executor, and potentially other third parties (collectively, App Guardians) can monitor and cross-check the message that arrived on the destination chain with what was sent on the source chain. If there is any mismatch, the message path is cut off immediately and the message is not executed.
Once the quarantine clock times out, the message is executed by the receiver smart contract, which calls the Uniswap contracts on the destination chain with the function and parameters specified in the message, completing the cross-chain governance process. This solution ensures the security of Uniswap’s cross-chain governance even if Celer’s State Guardian Network is completely compromised, as long as there is still one honest and live app guardian.
7. Has the current deployed bridge code been audited? By a third party? What attack vectors and vulnerabilities were identified, if any? Have the identified vulnerabilities been remedied?
Celer’s cross-chain solutions and frameworks was audited by Certik, Slowmist and Peckshield for 15 times. No critical vulnerabilities were ever identified in any of the audits for the current production code of Celer.
The audits are archived at
8. Is there a bug bounty program?
Celer was the first cross-chain interoperability infrastructure to establish a bug bounty program on ImmuneFi, with the program published on November 18, 2021, and a maximum prize of $2M. Celer has maintained a flawless security track record with no vulnerabilities discovered through these bug bounty programs.
9. List ANY portion of the functional bridge that is upgradeable and explain how the upgrade process works.
Celer’s cross-chain messaging smart contract will no longer support upgradability, and this change will take effect in the coming days. The owner role and upgradability were initially included as a security measure, but it will soon be impossible to upgrade the messaging contracts that connect to Uniswap.
10. Do any contracts have an owner or owner-like entity? If so, what can the owner do?
After the ownership deprecation, no owner-like key or entity exists.
11. What is the security model of the bridge? Please describe the security model for the current implementation of the bridge. What trust assumptions are you making?
Celer’s State Guardian Network (SGN), which is based on the Cosmos SDK consensus framework, forms the foundation of its cross-chain security model. Validators with CELR tokens stake delegations in the SGN to witness message events on the source chain and reach consensus, generating a stake-weighted multisignature attestation that is stored on the chain. An executor then relays the attestation and message to the destination chain “inbox” smart contract, which checks its validity and signatures. In case of malicious activity by any guardians, their staked CELR will be slashed by the consensus protocol. Celer’s SGN validators are run by well-known entities, such as Binance, OK Exchange, IOSG, Everstake, Forbole, Ankr, 01-Node, Infstone, RockX, HashQuark, Klever and more. In addition, smart contract restrictions are in place to prevent any single validator from surpassing ⅓ stake.
Celer also provides an application framework that enables an optimistic-rollup-like delay and two-phase-commit pattern for cross-chain message execution. With this framework, each cross-chain message must be committed to the destination blockchain’s “quarantine zone” and trigger a mandatory time delay before it can be confirmed and executed to the final destination application. This delay allows enough time for App Guardians, run by SGN validators, dApp developers, or other third parties like security firms, to cross-validate the message on the source chain. If any App Guardian detects a mismatch, it can prevent the message from being processed before the delay expires, ensuring that even if the entire SGN consensus acts maliciously, the application can remain secure without executing malicious messages.
While protocol security forms the foundation of cross-chain infrastructures, security monitoring, communication and, when possible, rapid responses are equally important. Many past bridge security incidents were due to the omission of this aspect. To address this, Celer DAO has a dedicated 24/7 security monitoring team that maintains an automated sentinel system to monitor various aspects of the system, including validator performance, stake distribution changes, cross-chain message parity between source and destination chains, system TVL, and cross-chain asset volume, among others. When an anomaly is detected, the team analyzes on-chain and real-world data, such as security incidents in connected chains. If a security issue is identified, the team communicates immediately with Celer’s community and partner community. This process will allow Celer ecosystem projects to implement any emergency responses if possible.
12. How can an adversary pass a fraudulent message from Ethereum to the destination chain? Please give specific and concrete examples.
In the default security model, an adversary can pass a fraudulent message if they compromise validators holding more than ⅔ stakes at the same time.
However, in the Uniswap implementation using the optimistic-rollup-like delay and two-phase-commit pattern, an adversary must compromise all App Guardians and SGN validators holding more than ⅔ stake at the same time to pass a fraudulent message.
In practice, hacking multiple validators to compromise a consensus protocol is a difficult task and likely to leave traces. Celer validators use the battle-tested Cosmos SDK, eliminating the need to open a wide range of external ports. This allows validator servers to sit behind strict firewall rules, making it difficult for a malicious party to gain server access via an external path. Even if they do gain access via internal compromises, there is a good chance that their actions can be detected by validators’ internal monitoring tools, such as KMS audit log monitoring, 2FA-SSH access log monitoring, and other standard DevOps security practices. Malicious access attempts may also leave traces of node liveness when attempting to tamper with the validator software and raise alert on the external security monitoring front. Therefore, whenever a validator node drops offline, they will rotate keys and review access logs to ensure no malicious access attempt has happened.
13. How can an adversary withhold a valid governance message from Ethereum to the destination chain? Please give specific and concrete examples.
By default, if an adversary compromises validators holding more than 1/3 of the stake at the same time, they can withhold a valid governance message.
When using the optimistic-rollup-like delay and two-phase-commit pattern, an adversary needs to compromise at least one App Guardian or enough SGN validators holding more than 1/3 of the stake.
However, we want to emphasize that withholding is a much lesser concern, since the Celer community and stakers can revoke the staking power of any malicious validator. Additionally, application developers can adjust the list of App Guardians through a governance multisig.
14. What are the ramifications of fraud to the malicious actor(s)? If it is legal ramification, please share the suite of legal action you can provide. If it is slashing, please point us to the codebase of the slashing behavior and describe in words how slashing works in your system.
Celer’s security model ensures that any set of validators with less than 1/3 stake cannot generate a invalid block with invalid cross-chain messages, and they will be penalized by having their stakes slashed.
Moreover, Celer’s State Guardian Network validators are publicly run by reputable PoS validators and renowned entities such as Binance, OKEX, IOSG, Everstake, Forbole, Ankr, 01-Node, Infstone, RockX, HashQuark, and Klever, among others. For these entities, a security breach or fraudulent validator would cause significant damage to their core business revenue and brand reputation.
15. Provide any additional information you would like here.
Celer has been an active contributor to Uniswap’s cross-chain governance efforts since the beginning. In fact, Celer, in collaboration with 0xPlasm team, was among the firsts to implement a single-bridge cross-chain governance solution. In addition, Celer was also the first to implement a multi-bridge solution that advocates for an open and vendor-lock-in-free future for Uniswap and the broader DeFi ecosystem.
Celer community has built through bulls and bears with unwavering persistence to bring blockchain to mass adoption. With its impeccable track record, Celer continues to innovate and will soon release a zk succinct proof-based cross-chain solution that further reduces the need for trust in application use cases such as cross-chain governance.
In summary, we are confident that Celer, in combination with a neutral vendor-lock-in-free multi-bridge architecture, is the optimal solution for Uniswap cross-chain governance.