We had the chance to connect with @ilia_0x yesterday over Telegram — we’ve answered the questions you’ve posed to us! The Wormhole community is excited to throw our hat in the ring, and we look forward to engaging with the Uniswap community more broadly.
Hi everyone — We’re Wormhole, a leading arbitrary message passing protocol that connects 22 heterogeneous chains. Today, the Wormhole community includes several independent core contributing teams as well as a network of 19 industry-leading Validators securing the network. The Wormhole community is investing deeply in a fully trustless future and is working on a Zero-Knowledge (ZK), light-client-based backend designed to deprecate the Guardian software. Once enabled, chains can trustlessly validate other connected chains.
- Does the bridge support arbitrary message passing?
a) Yes, Wormhole is one of the first and longest serving arbitrary messaging protocols. Since launching on mainnet in August 2021, 185 million messages have been transmitted, with 2 million messages currently generated daily between asset transfers and messaging through organic usage.
- Is the bridge secured by a trusted entity, by a multi-sig, or a protocol/set of incentivized nodes?
a) Wormhole is secured by 19 validators (aka: Guardians) who jointly attest to messages. Each message must be attested by at least 13 of the 19 Guardians. Our Guardian set comprises the leading PoS validators, including Staked, Figment, Chorus One, P2P, and more. The complete set of current validators can be found here: https://wormhole.com/network/
b) As mentioned above, Wormhole is making significant progress in developing ZK-based light clients to facilitate completely trustless message-passing.
- Does the bridge leverage the security of the source chain (e.g. Ethereum L1) or destination chain, or is security provided by another third party entity?
a) Wormhole message security waits for both consensus to be reached on the source chain as well as additional safety features provided by the bridge. Additionally, Guardians run full nodes to protect the protocol against consensus-level exploits in the connected chains and further reduce contagion risk.
- Is it possible for a fraudulent message to be passed to the destination chain? If so, are there any recall mechanisms?
a) All messages passing through Wormhole require a minimum of observation and signing by a majority of the Wormhole Guardian set (13 of 19).
b) While there is currently no out-of-the-box recall mechanism for messages, a minority (7 of 19) Guardians may refuse to sign a fraudulent message and thwart an attack.
c) Simple yet customized message recall functions can be built by individual integrators. An integrator would simply build “edge contracts” to introduce a time delay on message acceptance, providing an integrator with an opportunity to recall the message before it becomes effective.
- What are the ramifications of fraud to the malicious actor?
a) Wormhole’s Guardians are leading PoS validators and some of the most respected names within the validator community. They collectively represent tens of billions in value staked and carry valuable reputations in the communities where they serve. Should they act maliciously (such as sign or forge fraudulent messages), they risk reputational consequences, external PoS businesses, and ejection from the Wormhole Guardian set.
b) There is little incentive for an individual Guardian to act maliciously. Even if a Guardian were to succeed in forging a fraudulent message, it would not affect the network state because a single signature isn’t enough to establish the super-majority required to gain quorum. Finally, a fraudulent message would be immediately attributable to the offending Guardian to the rest of the Guardian network.
- Has the bridge code been audited? By a third party? What attack vectors and vulnerabilities were identified, if any? Have the identified vulnerabilities been remedied?
a) The bridge has been audited 25+ times by leading audit firms, including Certik, Trail of Bits, and OtterSec, and the cohort of auditors continues to grow. You can see the complete list of auditors and publicized findings here. Those 25 audits are in addition to Wormhole’s already rigorous internal auditing standards, where a team of 6 experienced security engineers regularly review the protocol’s security.
As these 3rd party audits are completed and issues are sufficiently addressed, we make those audits public.
- January 2022 - Neodyme: Ethereum Contracts
- January 2022 - Neodyme: Solana Contracts
- January 2022 - Neodyme: Terra Contracts
- January 2022 - Neodyme: Guardian
- January 2022 - Neodyme: Solitaire
- July 2022 - Kudelski: Ethereum Contracts
- July 2022 - Kudelski: Solana Contracts
- July 2022 - Kudelski: Terra Contracts
- July 2022 - Kudelski: Guardian
- August 2022 - Kudelski: Algorand Contracts
- September 2022 - OtterSec: NEAR Contracts
- September 2022 - Trail of Bits: Solana Contracts
- September 2022 - Trail of Bits: CosmWasm Contracts
- October 2022 - OtterSec: Aptos Contracts
- October 2022 - Hacken: NEAR Integration
- November 2022 - Zellic: Aptos Integration
- Q4 2022 - Halborn (DRAFT): Wormchain
- Q4 2022 - Halborn (DRAFT): Accounting
- Q4 2022 - Certik (DRAFT): Ethereum Contracts
- Q4 2022 - Certik (DRAFT): Solana Contracts
- Q4 2022 - Certik (DRAFT): Terra Contracts
- Q4 2022 - Certik (DRAFT): Guardian
- Q4 2022 - Certik (DRAFT): Solitaire
- Q4 2022 - Coinspect (DRAFT): Algorand Contracts
- Q4 2022 - Hacken (DRAFT): NEAR Contracts
- Q1 2023 - Trail of Bits (ONGOING): Guardian
We feel Wormhole is well-qualified to support Uniswap’s cross-chain messaging between ETH and the BNB PoS Chain, and we appreciate GFX Labs’s proposed solution. If anyone has additional questions, we would be happy to answer them.
Wormhole Resources:
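
To make the 13-of-19 threshold, the 7-of-19 blocking minority and the time-delayed "edge contract" recall described in this post concrete, here is an added Python model; it is not part of the original post and is not Wormhole's or Uniswap's code. The class, method and parameter names, the `recaller` role and the explicit `now` argument are assumptions made for illustration.

```python
# Added illustration only; every name below is hypothetical.
from dataclasses import dataclass, field

GUARDIANS = 19
QUORUM = 13                        # from the post: 13 of 19 must attest
BLOCKING = GUARDIANS - QUORUM + 1  # refusals that make quorum unreachable


def has_quorum(signers, guardian_set):
    """True when enough distinct members of the guardian set have signed."""
    return len(set(signers) & set(guardian_set)) >= QUORUM


@dataclass
class DelayedInbox:
    """Integrator-side acceptance queue with a recall window."""
    guardian_set: frozenset
    delay: int       # seconds a message waits before it may execute
    recaller: str    # hypothetical identity allowed to recall a message
    pending: dict = field(default_factory=dict)  # msg_id -> earliest run time
    recalled: set = field(default_factory=set)
    executed: set = field(default_factory=set)

    def receive(self, msg_id, signers, now):
        if not has_quorum(signers, self.guardian_set):
            raise PermissionError("attestation below quorum")
        if msg_id in self.pending or msg_id in self.recalled or msg_id in self.executed:
            raise ValueError("message id already seen")  # blocks replay after recall
        self.pending[msg_id] = now + self.delay

    def recall(self, msg_id, caller):
        if caller != self.recaller:
            raise PermissionError("caller may not recall")
        if msg_id not in self.pending:
            raise KeyError("nothing pending under that id")
        del self.pending[msg_id]
        self.recalled.add(msg_id)

    def execute(self, msg_id, now):
        ready_at = self.pending.get(msg_id)
        if ready_at is None:
            raise KeyError("not pending: unknown, recalled or already executed")
        if now < ready_at:
            raise TimeoutError("delay window still open")
        del self.pending[msg_id]
        self.executed.add(msg_id)
        return True
```

The delay is the only period in which a recall can succeed, so its length has to cover the integrator's realistic detection and response time.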