Callisto Network
WebsiteSecurity DepartmentTwitter
  • Whitepaper
    • 🇮🇹Whitepaper (ITA)
    • 🇮🇳Whitepaper (TELUGU)
    • 🇮🇳Whitepaper (HINDI)
    • 🇨🇳Whitepaper (CN Traditional)
    • 🇭🇰Whitepaper (CN Simplified)
    • 🇫🇷Whitepaper (FR)
    • 🇵🇭Whitepaper (PH)
  • 📌Strategic Plan
  • Callisto Network Vision
  • 🚀Callisto Network Progress Tracker
  • 🗓️Ecosystem Reports
    • Callisto Monthly - February 2023
    • Callisto Monthly - January 2023
      • 🇮🇹Callisto Monthly - January 2023 (ITA)
      • 🇫🇷Callisto Monthly - January 2023 (FR)
      • 🇮🇳Callisto Monthly - January 2023 (TELUGU)
    • Callisto Monthly - December 2022
      • 🇮🇹Callisto Monthly - December 2022 (ITA)
      • 🇫🇷Callisto Monthly - December 2022 (FR)
      • 🇵🇭Callisto Monthly - December 2022 (PHI)
    • Callisto Monthly - November 2022
      • 🇫🇷Callisto Monthly - November 2022 (FR)
      • 🇮🇹Callisto Monthly - November 2022 (ITA)
      • 🇮🇳Callisto Monthly - November 2022 (TELEGU)
    • Callisto Monthly - October 2022
      • 🇮🇹Callisto Monthly - October 2022 (ITA)
      • 🇫🇷Callisto Monthly - October 2022 (FR)
      • 🇵🇭Callisto Monthly - October 2022 (PHI)
      • 🇨🇳Callisto Monthly - October 2022 (CN Simplified)
      • 🇭🇰Callisto Monthly - October 2022 (CN Traditional)
      • 🇷🇺Monthly - October 2022 (RU)
    • Callisto Monthly - September 2022
      • 🇮🇹Callisto Monthly - September 2022 (ITA)
      • 🇫🇷Callisto Monthly - September 2022 (FR)
      • 🇵🇭Callisto Monthly - September 2022 (PHI)
      • 🇨🇳Callisto Monthly - September 2022 (CN Simplified)
      • 🇭🇰Callisto Monthly - September 2022 (CN Traditional)
    • Callisto Monthly - August 2022
      • 🇮🇹Callisto Monthly - August 2022 (ITA)
      • 🇫🇷Callisto Monthly - August 2022 (FR)
      • 🇵🇭Callisto Monthly - August 2022 (PH)
    • Callisto Monthly - July 2022
      • 🇮🇹Callisto Monthly - July 2022 (ITA)
    • Callisto Monthly - June 2022
    • Callisto Monthly - May 2022
    • Callisto Monthly - April 2022
    • Callisto Monthly - March 2022
  • Technologies
    • 📈Callisto Dynamic Monetary Policy
      • Crypto-models To Overcome Inflation and Callisto Network's Approach
      • Skuld Hard Fork - Update On Progress
    • 🧊Cold Staking
      • Cold Staking And PoS Staking Comparison
    • 🪙Wrapped Callisto (ccCLO)
    • ®️DexNS 2021
    • ⛏️Proof of Work
      • ZPoW #1 - Exploiting The Block Time & Block Size
      • Callisto Network Introduces the Dynamic Gas Price
    • Ⓜ️Callisto Network Masternodes
    • 🎓Tutorials
      • Setting Up Metamask For Callisto Network
        • Update the RPC URL in MetaMask
      • How to buy Callisto with Your Credit Card
      • How to Run a Callisto Network Node?
      • Callisto Network Masternodes Set-up
    • 🌐Callisto Hub
    • 🧩Web 3.0 Infrastructure
    • 🔍Chain Inspector
  • We Fund You!
    • 💲We Fund You!
      • We Fund You Award - 1st Edition
  • Security Department
    • 🔍Auditing Department
      • Auditing Department Amendment v5
    • 📖Documentation
      • 🛡️Security Department Best Practices
      • 🪙ERC 223 Token Standard
        • ERC20 Standard Main Issue
      • 🖼️CallistoNFT Standard
        • Roadmap
      • ✖️Cross-Chain Bridges Security Model
    • Products & Services
      • 🔍Security Audits For Smart Contracts
        • Mission: Securing The Smart Contracts Ecosystem
        • Trust and Smart Contracts: Code is the Limit
    • 🤝Various Contributions
      • Ethereum Classic
        • ECIP-1092 51attack solution: PirlGuard & Callisto proposal
      • Ethereum
        • Statement regarding Geth v1.10.8 split
      • EOS
        • Page 1Chintai (EOS resource exchange) low severity issue.
        • EOS congestion 9/13/2019 and EOSPlay hack
      • Ultimate solution to 51% attacks: amend the Nakamoto consensus
  • Hack Investigation Dept.
    • Hack Investigation Department
    • Helio Exploit
    • Binance Bridge Hack
    • TempleDAO's STAX Contract Hack Investigation
    • NFT Theft Analysis
    • AUDIUS Governance System Exploit Overview
    • LUNA ‘Hardfork’ Review
  • One Earth, One Heart
    • 🌎One Earth, One Heart
    • 💚Callisto Charity Efforts
  • Community
    • 📥Callisto Network Improvement Proposals
    • 💬Callisto AMAs
      • Callisto Team's Ask Me Anything on 04/05/2023
      • Callisto Team's Ask Me Anything on 03/03/2023
      • Callisto Team's Welcome AMA on 10/11/2022
      • Callisto Team's Ask Me Anything on 10/10/2022
      • Callisto Security Team's Ask Me Anything on 02/09/2022
      • Callisto Team's Ask Me Anything on 28/07/2022
      • Dexaran's Ask Me Anything on 11/04/2022
    • 📌Get Started
  • Callisto Enterprise
    • 🪙Callisto Enterprise Token
      • Vision and Tokenomics
    • 👥Team
      • Callisto Team Motivation System
  • In The Press
    • 🟢Callisto Network
      • Ethereum, Ethereum Classic, Callisto Network, A Common History
      • Callisto Network: Three Years After Mainnet Launch
      • Czech Ethereum Killer
    • 🖼️NFTs
      • Artist Creates And Then Destroys Art To Launch CallistoNFT
      • Security Network Develops New NFT Standard To Address ERC-721 Flaws
  • Miscellaneous
    • 🧩Media Kit
Powered by GitBook
On this page
  • Introduction to Cross-chain Bridges
  • Cross-chain Bridges in a Nutshell
  • Contract Modes
  • Authorities — Low Trust / Minimal Permissions
  • Freezers — Emergency Stop Permissions
  • Owner — Governance Permissions
  • Founders — The Least Exposed Keys
  1. Security Department
  2. Documentation

Cross-Chain Bridges Security Model

PreviousRoadmapNextProducts & Services

Last updated 2 years ago

Introduction to Cross-chain Bridges

Cross-chain bridges were recently implemented connecting the Callisto chain to the Binance smart-chain and Ethereum mainnet.

For this time, we followed a centralized approach where the Callisto team will hold a set of servers as “authorities” that sign cross-chain transactions (and forward data from one chain’s contract to another). In this system, security is critical because an attack vector would allow a hacker to print an unlimited quantity of funds on behalf of the contract.

Cross-chain Bridges in a Nutshell

A Cross-chain bridge allows users to swap assets from one chain to another. It’s a pair of two contracts at two different chains. One contract accepts a selected asset at the first chain and freezes it. At the same time, this contract emits a signal for the second contract to create the same quantity of “wrapped” tokens at the second chain.

The problem here is that contracts can not transfer data from one chain to another, and there must be a relay that will take the signal from one contract and deliver it to another, telling it that some action needs to be performed.

Contract Modes

The contract system may operate in different modes.

  • Frozen — the contract is not actively processing cross-chain swaps in this mode. Special accounts with “Freeze” permissions can freeze the contract immediately in case of anomaly detection. Returning the contract to the normal mode requires ‘Owner’ permission and “Setup Mode”.

Authorities — Low Trust / Minimal Permissions

Callisto Bridges rely on “Authorities” as relays. Every Authority is a special account (with its own private key) that is governed by a script at its dedicated server. Storing private keys on a server is not secure — that’s why Authorities are not trusted and only given a minimal set of privileges.

Every Authority is located at its own server.

Authority should only sign transfers. A minimum of 3 Authority signatures from different Authorities are required to consider that the transfer is valid. Every Authority has freeze permission to stop the contract if it observes the misbehavior of other authorities.

It is considered that an Authority can be malfunctioning or compromised during the workflow.

One “required” authority must sign every transfer — without this signature, the transfer can not be validated even if it has sufficient signatures from other authorities.

Freezers — Emergency Stop Permissions

There can be special accounts with “Freeze” permission that does not have permission to sign transfers. These accounts are only used to observe the authorities.

Owner — Governance Permissions

A special account is granted “Owner” permissions to debug the contract or punish malfunctioning authorities in the event of misbehavior.

Owner can remove authorities immediately.

Owner can enable “setup mode” to gain access to debugging functions of the contract, but the setup mode will be enabled after 24 hours since the function call.

In setup mode, the owner can:

“Owner” is a multisig account with its own internal logic under the hood. A consensus model of (50% + 1) is used, which means that 3 owners of 5 total engaged accounts must approve an action in order to execute it.

The “Owners multisig” will be used to set up the contract, which means that the owner keys are sometimes used to sign transactions and possibly exposed to some services. Owner keys are initially given to 5 different persons.

Founders — The Least Exposed Keys

This action can be effective immediately, which means that the “founders multisig” can replace Owners before it can enable the Setup mode.

Founders have no other permissions, and these keys will never be exposed during the normal contract workflow unlike Owners multisig.

Founders multisig consists of 5 accounts (different from those at Owners multisig), and a consensus model of (50%+1) is used.

A conception of was used when designing the system and access restrictions model.

Setup Mode — some “risky” functions are only available in setup mode. Only ‘Owner’ can enable the setup mode, but it will be enabled after from the moment of the function invocation.

Upgrading — it is possible to switch this contract to a newer version deployed at a new address. Upgrading requires ‘Owner’ permission and can be performed after the function invocation.

the contract

, which is required to validate a cross-chain transfer and mint new tokens

from cross-chain transfers (if fees are enabled)

immediately

There is an additional special account called “Founders multisig”. This account has no permissions but to with a new one in case Owners keys are compromised.

📖
✖️
layered security
24 hours
72 hours
unfreeze
add new authorities
set authorities threshold
set the address that receives fees
set the required authority
disable setup mode
replace an “Owners” multisig