We’ve recently had open discussions with many of the delegate groups around the security features and fundamental architecture of LayerZero and its fitness for secure and scalable omnichain governance for the Uniswap protocol. The following are key topics and outcomes from the discussion shared publicly for the community’s awareness:

—LayerZero’s omnichain governance executor (complete open source code here) is designed to enable Uniswap governance to add, remove, or swap validation layer components directly from on-chain votes via GovernorBravo.

What this means: Security of the protocol’s cross-chain governance can scale with the protocol over time. Governance always maintains the ability to propose and vote to change parameters which, if passed, are executed on-chain via GovernorBravo and amended in the smart contracts owned by Uniswap.

—LayerZero created and deployed a gasless oracle for applications to participate easily in their own security

—Major Uniswap delegates and top stakeholders (such as the most strongly incentivized investors of the protocol, L1/L2 Foundations, and major security and infrastructure platforms) can run a gasless oracle as part of the network.

To provide additional context, several of these organizations are already actively involved in the ongoing decentralization of LayerZero’s validation layer.

What this means: We’ve implemented a gasless signing mechanism to allow a group of ad hoc parties to easily manage an ad hoc oracle network between them. The gasless oracle is a brand new feature we had planned to announce in late February; documentation will be completed shortly. The LayerZero Labs team will commit dedicated human capital and technical resources to assist teams to fully run the node; estimated set-up time is less than 2 hours from end-to-end per team.

We propose that Uniswap utilize a gasless oracle of at least 5+ signers. We recommend a consensus grouping of the most respected industry entities and aligned parties with Uniswap (which Uniswap has already done an amazing job attracting via its Delegates) which will provide the most secure and aligned security structure to the protocol itself.

—We propose that at launch, Uniswap chooses to pair a gasless oracle run by a minimum of 5+ significant Uniswap delegates and the LayerZero Labs relayer as their validation layer within the broader LayerZero security model.

In the future, governance may choose to update these hyperparameters via an on-chain governance process enabling robust, flexible, and governance driven security.

We thank the delegate groups who reached out to us for their time and commitment to Uniswap governance and look forward to conversations with more stakeholders over the coming days.

I’m voting for LayerZero because based on my reading of the thread & professional experience I believe that is the best option.

I would note though, if there was an abstain / wait option I would’ve chosen that. I do not believe this is the type of decision that is well suited for a token vote. I’m a big fan of @devinwalsh’s plan to form a committee to evaluate options in depth and I would follow the recommendations there.

I also question if a bridge is even strictly needed right now. Since its only bridging governance commands presumably this could be added later? I’d prefer that option.

Adding my own two cents here, for context we provide security audits to both LayerZero and Wormhole.

The security models are quite fundamentally different, but both bridges - as far as we can tell - care very deeply about security. In my opinion, the primary question voters should evaluate is which security model/assumptions they think is more suitable for Uniswap, as opposed to the implementation risks which are relatively minimal.

Thank you for posting this updated proposal, LayerZero.

We believe this proposal addresses a lot of the questions we have raised before. And their ability to change Chainlink with a set of Uniswap-aligned oracle validators is very promising.

For total transparency, LayerZero reached out to us and addressed most of our technical concerns.

One thing we believe we undervalued, in our initial assessment, is the immutability of the bridge. Many hacks happen because of simple upgrades. Under LayerZero’s design, the underlying infrastructure (LayerZero protocol) is immutable. The changeable parts, the Oracle (header sync) and Relayer (MIP), can only be changed by Uniswap governance.

Given the immutability and LayerZero’s new proposed Oracle, we would like to signal to the community that we have tentatively moved LayerZero as our preferred bridge provider for BNB.

We would also love to see more documentation provided from LayerZero’s side, especially around the oracle and relayer services.

Hi Everyone,

Several folks have asked for our opinion on the current vote and the abnormal governance process. First, we would like to emphasize that the overall goal here is to deploy UniV3 on BSC in the near future, and we have been pleasantly surprised by the demand for the DEX to deploy on BSC. As for the abnormal governance process, we’re supportive of the Foundation’s move to post the Snapshot so Ilia can finalize the BSC deployment and their proposed working group to conduct a thorough review of each bridge.

GFX Labs has cast our vote for Wormhole in the current snapshot, and while we’ve made our concerns about Celer clear in the forum thread, we haven’t done the same for Layerzero.

Our primary resources for researching Layerzero

• Docs
• Ethereum Endpoint
• Ethereum UltraLightNodev2
• L2 Beat

For context, Layerzero messages are sent from the local Endpoint. Oracles are responsible for moving block headers from the source to the destination. Upon delivery, Relayers can deliver the transaction’s proof to the destination Endpoint. This model, in its current implementation, is a 2-of-2 msig.

Messages are sent to a verifying library. The verifying library (VL) manages oracles and Relayers on behalf of the application. The Ultra Light Node (ULN) is a VL. The Endpoint manages the relationship between the user application (UA) and the VL (the ULN, in practice). The UA selects a VL via the Endpoint. The UA may also configure that VL directly (e.g. by selecting a Relayer in the VL). Relayers submit proofs to the VL (the ULN, in practice), and the VL chooses how to validate these. In the ULN, the owner chooses proof validation libraries and may choose any contract.

Applications are intended to choose their own VL & Relayer since they can configure which library to use in the Endpoint contract. The Endpoint owner sets a default VL. However, the ULN is the only verifying library that exists, so all apps must use it.

We tried to review how the Relayer worked, but according to the docs the Relayer is not open-source at this time, which seems to line up with L2Beat’s concern of the Relayer contract being unverified.

Additionally, the only info we found in the governance section was “info coming soon!” This was not the answer we were expecting since there is an owner on the Ethereum Endpoint and UltraLightNodev2 contracts. The owner appears to be a 2/5 Gnosis Multisig. While the Endpoint isn’t a traditional proxy contract, it does rely upon referenced contracts for core logic and operation. The below owner controllable functions appear to be able to alter the functionality significantly.

onlyOwner functions on the EndPoint contract:

• setSendVersion
• setDefaultSendVersion
• setDefaultReceiveVersion
• renounceOwnership
• transferOwnership

onlyOwner functions on the UltraLightNodeV2 contract:

• setLayerZeroToken
• setTreasury
• addInboundProofLibraryForChain
• setDefaultConfigForChainId
• setDefaultAdapterParamsForChainId
• setRemoteUln
• setChainAddressSize
• renounceOwnership
• transferOwnership

The ULN’s owner can set the oracle, relay, proof systems, and other security parameters. It appears that the owner can entirely bypass the oracle/relay system in their current implementation.

Through this process, we arrived at the conclusion that Layerzero is not ready to be integrated with Uniswap. However, as developers ourselves, do we realize that the development process is fluid and that research is ongoing. Our vote reflects the current state of development and available information.

Hi raz from LayerZero.

So I want to first say we’ve never spoken to GFX Labs (despite reaching out) and although we now have time scheduled tomorrow (Monday), this analysis was written without a single question sent to us. I’ve gone through and done a line-by-line response to everything above but wanted to tl;dr some of the obvious mistakes in the analysis in case they get lost below in the broader post.

Firstly, GFX Labs missed the _getAppConfig() function which is the very first line of validateTransactionProof() with comments “Retrieve UA’s configuration using the _dstAddress from arguments.”

11600×149 106 KB

Taking a look at this function, you can clearly see that the first thing that it does is retrieve the User Application’s config and the default config.

21600×113 87 KB

Then it goes through each config item and if and only if the configurations are not set, the contract sets it to the default config item.

31154×150 17.7 KB

The crux of the GFX Labs argument seems to be centered around the perceived ability for the LayerZero ULN owner to be able to modify application parameters, however this is clearly not possible and enforceable in the immutable base layer of the code.

This seems clearly misleading as the two parties (oracle and relayer) are abstracted accounts with arbitrary implementation e.g. a fully decentralized network, not to mention the current proposal which I had assumed GFX Labs had reviewed extensively prior to this is for a new architecture with a number of major Uniswap delegates participating within the validation set.

The owner of the ULN contract cannot choose proof libraries on behalf of the user application. The owner can only add new proof libraries (i.e. append-only registry) of which the user application can select from.

The ULN can hold multiple validation libraries within itself for applications to choose from (ex. A zk-Validation Library could be added to the ULN V2 as a different method for verifying messages). This is an explicit design decision; LayerZero’s architecture supports the evolution of best cryptographic security practices. These libraries and the ULN itself are immutable and only by selection of the user application.

Most other bridges and messaging protocols offer blanket validation techniques and only upgradeable smart contracts. Many notable hacks have occurred due to a buggy upgrade forced upon applications built on top of a bridge’s infrastructure, including two identical instances from Wormhole resulting in a $10m bug bounty paid and then later reducing their bug bounty from $10m to only $2.5m.

41600×381 161 KB

To be clear, both of these issues are completely separate from the $325m hack Wormhole suffered.

We believe critical infrastructure should be immutable, open source, and always owned by user applications.

It is common practice to not open source or verify Oracle and Relayer smart contracts. These smart contracts are only responsible for on-chain quoting in gas. All validation logic resides immutably in the messaging library. In a competitive marketplace of Oracles and Relayers, unique pricing mechanisms are often the proprietary edge for providers. These smart contracts can only quote pricing and do not affect security in any way, therefore being verified is irrelevant to its purpose.

The governance section of our documentation is in reference to the upcoming open source governance module we proposed in this forum thread (see above).

The Endpoint Contracts are for setting default configurations for developers to be able deploy and test easily. It is recommended that applications desiring more control over their security opt to set their own configuration settings. Default configuration cannot override user application configured settings; this is an explicit design decision and a feature of a true protocol.

The UltraLightNodeV2 settings are a combination of default configurations and one-time setters for adding new chains and proof libraries. The multisig owner cannot change any existing configurations set by the user or modify any existing validation libraries.

This statement is both entirely verifiably false and addressed in the opening part of the post.

I hope the line by line was helpful. I know we haven’t gotten to speak yet but looking forward to speaking to GFX Labs tomorrow and addressing any outstanding concerns and walking through the proposed security configuration in detail.

-raz

Hey all, it’s Abdullah from Blockchain at Michigan

Firstly, we are glad to see the community’s ability to coordinate an unorthodox approach for deciding the Uni<>BNB bridge via an extra temp check. In an instance like this, it is imperative that we derive a quantitative measure for what the community is feeling as opposed to a soft metric like forum-based sentiment.

To that end, we believe that instead of prolonging the bridge discussion beyond necessary means, it is important for us to efficiently decide on a single messaging system. After one solution is implemented, we can focus on a multi-bridge system. The primary reason for this haste, as @Porter mentioned, is the limited amount of time we have to deploy Uni v3 prior to the license expiring on April 1st of this year. Perhaps this urgency is not warranted for other L1s–but for BNB Chain, quick deployment is necessary due to the BNB community’s hankering to quickly deploy forked code (the BNB ecosystem is very much quantity over quality at the moment) and capture much of the present user activity.

As of now, we are inclined to side with LayerZero for handling cross-chain governance. We put Wormhole and Celer in a similar bucket due to their reliance on a validator set, emblematic of a proof of authority mechanism. Naturally, such designs are less decentralized and subject to collusion.

Potentially, Celer’s current total stake is not large enough from a dollar-value standpoint to be secure. Over time, this should resolve since the ability of an entity to buy up 2/3 of staking dominance will become harder–granted the SGN system proves viable over time and the CELR token remains strong. As for Wormhole, they have stood the test of a major exploit and have since made their system more robust, with a continual promise to prevent future exploits via a large bug bounty program and a multitude of audits. However, our main contention with Wormhole is, again, the limited 19-entity validator set. We realize the credibility of the guardians and how much stake they have to lose from a reputation perspective. But when the going gets tough, entities often focus on doing whatever they can to merely survive, forgoing their pristine reputation.

We are not limiting the merits of Wormhole or Celer; however, we feel that when the option to select a system that allows for a higher degree of control over the messaging stack is present, we should select that method. LayerZero would allow the Uni community to control its parameters (oracle and relayer) however it deems fit without the risk of collusion between a handful of validators. Yes, the risk assumption for LZ is that the relayer and oracle are themselves uncorrupted–Uniswap is not likely to face this issue. Unlike other applications using LZ, Uniswap has a robust, distributed governance base. The alteration of the relayer and oracle would require the community to collectively decide parameters, making malicious activity very difficult. That is, unless a hacker alters the parameters by subverting the governance process somehow.

We will cast our vote later tonight after our final discussions with Jump and LayerZero.

Hi Raz,

We devoted a chunk of time to reviewing and researching a bit over the last few days. The questions and concerns raised in our message come from our good-faith efforts to review the resources available. To recap, as part of our review of Celer’s system, we identified significant differences between what was advertised and what is actually happening. Since then, we’ve been attempting to verify anything we read on the forum as part of our own due diligence process.

We have made efforts to review each bridge with the limited knowledge and resources we have available. While we have a pre-relationship with Wormhole, GFX only works with projects that we believe in and have first-hand knowledge about. Our primary duty, however, is to advocate for Uniswap’s success. While our post might, in hindsight, contain some inaccuracies, it was made with good intentions after reviewing publicly available documentation and included an open offer to utilize your technology — importantly, many of the core criticisms remain.

Regarding the only owner functions. We’ll edit our prior post to reflect that change. Thank you for the clarification.

LayerZero is running the Relayer, and Chainlink is running the Oracle. While these are independent entities of which multiple could theoretically exist to process messages, only two exist at this time. This is functionally a 2/2 multisig, both parties must agree; otherwise, the message will not be processed. We were able to find information on how to run an oracle, but as you said, the existing relayer is currently closed source, and we cannot find an MVP example for a full relayer setup (both on and off-chain components).

• Could you help us understand what would happen to message passing if either of these two systems went offline?
• What would happen if the two systems colluded?
• We assume the goal is to have multiple relayers. Can you estimate when you think the code or simpler version of the relayer might be released so additional members can participate?
• What is the incentive for new participants to join the system as an oracle or relayer?

As for the unique signing model proposed, we’ve discussed with a few delegates about utilizing a multisig for UniV3 deployments over a bridge and came to the rough conclusion that delegates would not be comfortable being on that multisig due to the perceived legal risks. Our intent is not to need additional signers. Thus our efforts have been put toward finding a bridge partner. The recommendation of additional signers seems to speak to the lack of parties participating in Layerzero 0.

Suppose Uniswap was to consider the signer method. Would it not make the most sense to utilize Chainlink’s Oracle system directly, with the Uniswap signers filling the role as the relayer? It seems that would be the strongest combination because the alternative would be to remove the most secure component (Chainlink) from the stack and replace it with the least secure solution (Uniswap Signers).

To make sure we are on the same page - is this also the only current possible configuration, assuming that Uniswap does not take charge of the Oracle or Bridge duties?

If this is the case, then what is the true cost of using L0 as a relayer? Assuming that Uniswap will not move to run its own relayer, is there any other mechanism to prevent a monopolistic relayer from price-gouging messages through an upgrade? If not, how quickly would Uniswap be able to modify its cross-chain infrastructure such that it could continue performing cross-chain messaging at a reasonable price?

Thank you for the clarification.

While that makes sense, we think it would have saved a lot of time for everyone if the owner functionality was better documented.

Thank you for the prompt answers. We appreciate the clarification, and I’m sure the other delegates reading the thread do as well.

As a final request for now, can you please deploy your proposed system on testnet and link the relevant transactions as we have done with Wormhole? We don’t want to delay the BSC deployment any further than necessary.

I like the new governance flow, but it is difficult to find the snapshot post/link in this thread. Have to keep scrolling up to find this post, when checking on the vote status.

A suggestion if possible: have a “snapshot is live” button under the thread scroller on the right side where the “reply to thread” and “notifications” buttons are.

Throwing in some comments here. We’ll preface by saying that considering how “unexpected” this discussion arose, we appreciate the UF team for their quick thinking and on the feet decisions.

When looking at the main debate surrounding L0 and Wormhole, we’re still internally conflicted on which is ultimately the best, and think each has benefits of their own. Ultimately, we don’t think this proposed structure of finding a bridge partner is ideal and sets a bad precedence. We propose:

• A working group that gets set up will “whitelists” all bridges looking to be a bridging solution. This can be confirmed with a governance vote if deemed necessary.
• Once a bridge passes this step, they will enter an “approved” pool
• When “x-chain” wants to deploy, they can work out individual relations with any “approved” bridge as their partner
• As @Kydo mentioned with us, the partner bridge for “x-chain” can be multiple bridges that cross check each other and can decrease further the chance of malicious actors.

Overall, this reasoning stems from: 1) we believe there are multiple valid bridges/solutions to this question. 2) Combining L0 & Wormhole & maybe other bridges with a majority rules outcome will present the best security 3) Puts incentives with bridges and “x-chain” better in our opinion to market compete in each situation.

Just to be completely objective when we are choosing a bridge for Uniswap v3, I ask all community members also to read the report published today by James Prestwich, regarding the potential vulnerabilities in LayerZero contracts.

@GFXlabs @pennblockchain @AbdullahUmar @Kydo @Porter

Full article: ZeroValidation - by James Prestwich - Proof of James

We are very much looking forward to the comments from the LayerZero team @raz , as our snapshot bridge poll is coming to an end tomorrow.

I would say that’s one of the least objective posts of all time. I responded to it here albeit in not a very formal tone and I’d like to state clearly that it’s both wrong, misleading, and has absolutely 0 impact on the proposed Uniswap architecture because as discussed in the proposal Uniswap would not be using the defaults and would be selecting their own oracle, relayer, and VL.

Did anyone consider Axelar?

With Osmosis opting for it over Wormhole in their search for a canonical Ethereum bridge, which some might argue was more thorough, I think it’s worth considering.

Thanks for the clarification, Bryan!

Yup 100%! Just want to make sure there is clarity

I believe it’s too early to pick any solution. Because all these solutions are early, Uniswap is way too important for this ecosystem’s health, and we still haven’t fully understood each provider’s implications and loopholes.

Would love to provide some insightful links, but don’t have the permissions.

We know we’re late to the party, but we wanted to throw our hat in the ring as well. We understand it’s too late to be formally considered in the temp check vote, but we’d love to have Hyperlane (fka Abacus) considered in future votes. We were previously involved in the RFP process, and chosen by several well known delegates alongside Axelar, which is also conspicuously missing from this vote! You can read more about that here: RFC: Uniswap Universal Governance Module - #21 by blockchaincolumbia

We’ll be submitting our case formally through the Cross Chain Bridge Assessment process, in that thread, using the template provided.

Hey all, we’ve (a16z) reviewed the various bridge proposals, evaluated each, and strongly support LayerZero. We’re unable to vote in the current Snapshot due to infrastructure limitations with the custodian on short notice, but we will be participating in the on-chain vote when it goes live, in addition to any new Snapshot votes that may come up. We just wanted to put this out before the vote ends tomorrow morning for clarity on the process from our end.

On Running Infrastructure and Bridges

There’s been a lot of back and forth in the thread around immutability, decentralization, trusted entities, and degrees of control by cross-chain messaging protocols. We wanted to clarify these discussion points by calling out the two ways Uniswap would integrate a messaging layer and comparing the guarantees of both Wormhole and LayerZero under each scenario.

Simply put, the two scenarios are:

1. Uniswap runs infrastructure
2. Uniswap doesn’t run infrastructure

Uniswap runs infrastructure

LayerZero

LayerZero suggests that integrators can either use their “default” configuration, a low-security option or run infrastructure via a “custom” configuration.

The latter model is proposed as the method by which the application developer (in this case Uniswap) can avoid collusion risk between the default Oracle and Relayer infrastructure operators within LayerZero. Additionally, in this model, Uniswap or its delegates would need to run infrastructure such as a “gasless Oracle” (which has not been released yet), which the LayerZero Relayer would pick up and deliver to the destination. Relayers in LayerZero are always permissioned and are required for liveness and security, thus Uniswap would also have to run Relayer infrastructure. The Relayer source code is currently not open-source, so Uniswap would need to implement a bespoke untested solution or run LayerZero’s proprietary implementation.

However, this may still be problematic. Due to the Proof Library requiring ongoing mitigation with each chain, a non-default config is **insufficient until the issue above is addressed. The LayerZero team can add a new default chain config, register a default proof handler, and exploit an application in a single atomic transaction. The application cannot mitigate this using configuration. Applications can only mitigate via a custom relayer and potentially an “approved chains” list in the application itself. The flagship application on LayerZero, Stargate, itself is semi-immutable and will have a difficult time mitigating this issue, and would need to make a custom Proof Library to implement the approved chains list.

TL;DR — if Uniswap does not want to trust LayerZero’s current default configuration, it needs to run its own infrastructure. Even when doing so, there are underlying issues that necessitate further action from LayerZero’s team to truly make any custom infrastructure setup truly trustless.

Wormhole

We want to clarify that if Uniswap wants to run its own infrastructure with Wormhole, it can achieve the same level of customization that LayerZero touts, as no protocol has a monopoly on deploying bespoke infra. If desired, Uniswap can configure a deployment of Wormhole, which improves upon the security guarantees of LayerZero’s default while also ensuring sovereign security relative to the canonical Wormhole deployment.
Wormhole’s contracts are designed so that the Guardian set is customizable on initial deployment (see here: Setup.sol) and can further be rotated via an in-protocol governance mechanism whereby the current guardian set can vote on the next guardian set. Should Uniswap delegates decide to run their own infrastructure, they may run their own oracle nodes by following instructions at Operations.md. In this model, Uniswap oracles produce signed observations (VAAs) which can be submitted permissionlessly on the target chain (BNB), so no relayer infra is needed, and therefore no need to manage gas funds. However, relayers can very easily be made permissioned if desired, which would allow Uniswap to run a permissioned relayer like the one discussed in the LayerZero model.

From a security and operational load perspective, however, we could offer Uniswap to layer their signers on top of Wormhole i.e. extend the already robust Guardian set with their additional validators. This option surpasses the level of flexibility and security of LayerZero’s oracle (in this case Wormhole) and Relayer (chosen by Uniswap) mode in which Uniswap benefits from Wormhole’s significantly more robust signer set but is safe as long as the signer set does not collude with the Uniswap chosen signers. We start from the far stronger base of 19 signers and can arbitrarily increase security beyond that with additional Uniswap-affiliated validators. The easiest way to produce these additional signatures is for the Uniswap DAO signers to download and run the existing, open-source, and in-production Wormhole oracle software. After verifying the Wormhole signatures, the Uniswap governance contract can verify these additional signatures from the selected Uniswap DAO signers. Additionally, relayers can very quickly be permissioned, allowing Uniswap to run a permissioned relayer like the one discussed in the LayerZero model.

While the proxy contract can point to different implementations, the Wormhole implementation contract is immutable. Thus it is trivial to verify governance messages against a specified implementation. While there are multiple ways to accomplish this, the most straightforward is just including the pinned implementation as an external library in your deployment.

This deployment can be done in a fully permissionless manner without having to trust (or ever interact) with the 19 Guardians that operate the default Wormhole deployment.

Uniswap doesn’t run infrastructure

LayerZero

The security assumption of LayerZero’s default configuration is that the default Oracle and Relayer are independent. Uniswap would have to trust a 2/2 multisig of these two components. The relayer is unverified, but LayerZero claims that this is not an issue:

“It is common practice to not open source or verify Oracle and Relayer smart contracts. *These smart contracts are only responsible for on-chain quoting in gas. All validation logic resides immutably in the messaging library.
[…]
*****These smart contracts can only quote pricing and do not affect security in any way, therefore being verified is irrelevant to its purpose.”

This statement contradicts with the LayerZero whitepaper, which claims the following:

“Given two entities that do not collude, if (1) one entity can produce a block header for the block containing tA on chain A, (2) the other entity can independently produce the proof for tA on that block (transaction proof), and (3) the header and transaction proof in fact agree, then the communication protocol can deliver m to the client on chain B with the guarantee that tA is stably committed on chain A.”

The Oracle is responsible for producing the block headers, and the Relayer is responsible for the inclusion proofs — these responsibilities are far beyond on-chain gas quoting.

“LayerZero leverages direct MPT validation construction of the source transaction and verifies the merkle inclusion proof directly on the destination chain via the protocol’s novel Ultra Light Node (ULN).”

At this point, it’s unclear if there are other Oracle/Relayer options available to choose from outside of the default. In any case, if the Oracle and Relayer collude, they can forge messages.

Contract upgradeability is a critical discussion point. It’s true that bugs can be introduced in upgrades, but upgrades can (and do) fix existing bugs. Presenting only one side of this coin is misleading at best.
If any bugs are discovered in LayerZero’s contracts, patching them would be a significant task. Such a scenario would involve the proof validation code being implemented with a patch, and then all affected user applications would have to change their configurations to the patched implementation.

Wormhole

The 19 Guardians that operate Wormhole’s default deployment are the largest PoS validator companies. The safety assumption is that of an honest superminority (at least 7 of them are honest) or, conversely, that there are no 13 colluding entities. The equivalent assumption under LayerZero’s setup is that the 2 entities do not collude. The contracts are upgradeable via a governance mechanism that requires the approval of 2/3+ of the Guardians. Importantly, the Wormhole cross-chain governance solution has already been tested (see above) and implemented on testnet and is ready for production.

Happy to answer any additional questions.

Hey all, cross-posting a few thoughts from Twitter.

1/ great to see the snapshot driving attention/clarity on bridging’s role in cross-chain protocol deployments

2/ I’m abstaining from the vote as I don’t think the list of options on offer is comprehensive or deeply researched

3/ zooming out, my view is that its suboptimal for communities to be voting on singular bridge choices, effectively king-making solutions.

protocol design needs to adapt for a multi-chain world, to reap the benefits of competition through standardization, not voting.

4/ closing thought: glad the convo is moving forward , and hope this proposal will kick off more efforts to dig deeper into bridge research and protocol design to enable multiple choices.