[RFC - Update] Deploy Uniswap v3 (1 / 0.3 / 0.05 / 0.01) on BNB Chain (Binance)

Hi Mo, I love the tech that you’re building at Celer, but I think that the Uniswap community may misinterpret a number of your points, so these need to be clarified.

Consensus Model

When you say a “Cosmos-consensus Security Model” or “L1-PoS-blockchain security mode,” someone may interpret that Celer inherits the security model from the Cosmos chain or from the layer-1 where the message was initiated — neither of these statements is the case. Instead, it is accurate to say that with this model, the Celer network is using Tendermint and Cosmos SDK as a set of ready-to-use tools and technologies for implementing consensus and networking layers for the project.

The PoS consensus implementation allows anyone with ⅔ of the voting power (i.e. ⅔ of the amount of staked tokens) to have full control over the consensus and validation of cross-chain messages.

The current total stake is 2,587,158,380 CELR and thus, if nodes with more than 2/3 of the total stake act maliciously, they can forge any message. 7 nodes currently have enough stake to control consensus.

⅔ of the total current stake is 1,724,772,247.33 CELR ≈ $25M at current market price. This is the approximate cost that would allow an attacker to withdraw liquidity from all Celer liquidity pools and forge any message to extract value from any Apps built using Celer Network, and, importantly, I assume the potential value extracted by an attack on Uniswap may be higher than the cost of attack.

The only staked asset is the CELR governance token, which means that validators’ collateral directly correlates with the protocol’s performance. This is why an attacker could open a large short perpetual futures position before attacking the protocol, and recover/hedge the cost of their acquired stake.

Having more than 2/3 of the protocol voting power would allow a malicious entity to control the consensus process and make arbitrary decisions about which blocks to add to the blockchain, forge cross-chain messages, reverse and censor transactions, create fake transactions, and create their own set of validation nodes.

Correct me if I’m wrong, but this attack can be performed by any single whitelisted Celer validator now.

Optimistic security model

You may say that the described problem can be solved through an Optimistic rollup-like security model which is the second alternative provided by Celer. My guess is that this wouldn’t add any additional security to the validation layer for a few reasons:

  1. The optimistic component can always be implemented on the application level, where the receiving smart contract in BNB Chain can have a “quarantine zone” for a configurable period of time, during which whitelisted App Guardians can cancel execution of the message content. If any app can easily add an optimistic component, then why should it be provided by the interoperability solution itself as a second security model?
  2. If an optimistic approach is implemented into the interoperability protocol itself, it delegates responsibility from the validation layer of cross-chain infrastructure to the application, which should elect “App Guardians” who become participants of the new validation mechanism. This approach performs an implicit change from the “shared” to the “isolated” security model of the validation layer. The reasoning behind why the isolated security model is not suitable for a validation layer can be found in this L2Beat article and my Twitter thread.

I’m not trying to attack a competitor here; I want to make sure that all trust assumptions and risks are made clear for the Uniswap community, as Celer has been endorsed in the temperature check.
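The application-level “quarantine zone” from item 1 of the list above, sketched as an added example that is not part of the original post and is not Celer or Uniswap code. It is a plain Python model of the receiving side rather than a contract; the class and method names, the guardian id, the delay and the payloads are all constructed for illustration.

```python
import hashlib

class QuarantineError(Exception):
    """Raised when a receive, cancel or execute call is rejected."""

class QuarantineReceiver:
    """Holds each cross-chain message for delay_s seconds before it may run."""
    def __init__(self, delay_s, guardians):
        self.delay_s = delay_s                # configurable quarantine period
        self.guardians = frozenset(guardians) # whitelisted App Guardians
        self.pending = {}                     # msg_id -> (payload, release_time)
        self.seen = set()                     # every id ever queued; blocks replays
        self.executed = []

    def receive(self, payload, now):
        msg_id = hashlib.sha256(payload).hexdigest()
        if msg_id in self.seen:
            raise QuarantineError("replayed message")
        self.seen.add(msg_id)
        self.pending[msg_id] = (payload, now + self.delay_s)
        return msg_id

    def cancel(self, msg_id, caller):
        if caller not in self.guardians:
            raise QuarantineError("caller is not a guardian")
        if msg_id not in self.pending:
            raise QuarantineError("nothing pending under this id")
        del self.pending[msg_id]              # a cancelled id can never be re-queued

    def execute(self, msg_id, now):
        if msg_id not in self.pending:
            raise QuarantineError("unknown, cancelled or already executed")
        payload, release = self.pending[msg_id]
        if now < release:
            raise QuarantineError("still in quarantine")
        del self.pending[msg_id]
        self.executed.append(payload)
        return payload

def demo():
    """Constructed scenario: one legitimate message, one a guardian cancels."""
    rx = QuarantineReceiver(delay_s=3600, guardians={"guardian-1"})
    good = rx.receive(b"constructed: legitimate governance call", now=0)
    forged = rx.receive(b"constructed: forged governance call", now=10)
    rx.cancel(forged, caller="guardian-1")
    outcomes = []
    for msg_id, t in ((good, 100), (forged, 4000), (good, 3600)):
        try:
            rx.execute(msg_id, now=t)
            outcomes.append("executed")
        except QuarantineError as err:
            outcomes.append(str(err))
    return outcomes
```

The model makes the trust assumption visible: a forged message is stopped only if some guardian calls `cancel` before the release time, so safety rests on the guardian set and the length of the delay.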