Skip to main content

Architecture and Security Overview

This page presents an overview of the architecture and security measures implemented in the Massa bridge. The bridge is designed to facilitate the secure transfer of assets between EVM networks and Massa, ensuring the integrity and reliability of cross-chain transactions. As of today, the Massa bridge supports two EVM networks; Ethereum and Binance Smart Chain (BSC). Our system is designed to ensure the secure, efficient, and transparent bridging of assets, leveraging a lock-mint and burn-redeem scheme underpinned by state-of-the-art security practices.

System Architecture

Component Overview

The bridge system comprises several key components:

  • Massa Bridge UI: Serves as the user interface for initiating bridge transactions. It supports wallet connections and transaction initiations for both EVM and Massa blockchains.
  • BridgeVault Contract (Ethereum): Acts as the custodian of assets on the EVM side. It is responsible for locking assets during the bridge process and executing redeem transactions based on verified requests.
  • Bridge Contract (Massa): Handles the minting of tokens on the Massa blockchain in response to locked assets on the EVM chain and manages the burning of tokens for redemption back to the EVM chain.
  • Relayer Network: A set of independent nodes responsible for monitoring bridge transactions, verifying events, and facilitating the cross-chain communication necessary for asset transfers.

User flow

To initiate bridging from an EVM chain to Massa, a lock transaction is sent to the BridgeVault contract on the EVM chain. This lock transaction will transfer the assets from the user's wallet to the BridgeVault contract, locking them in the process. In order to ensure that the bridge operation meet all the requirements, users should always use the Massa bridge UI. Once the lock transaction has received enough confirmations, it will be handled by the relayer network; On detecting a lock event, each individual relayer will produce a signature corresponding to this particular bridge operation. Once at least 3 out of 4 relayers have signed the lock transaction, the relayer network will forward this bridge operation to the Bridge contract on Massa. The Massa Bridge contract will then verify the signatures, and mint the corresponding amount of tokens to the user's wallet on Massa. The user will then receive a notification that the mint operation has been completed.

To initiate bridging from Massa to an EVM chain, a burn transaction is sent to the Bridge contract on Massa. This burn transaction will transfer the assets from the user's wallet to the Bridge contract, burning them in the process. Once the burn transaction has received enough confirmations, it will be handled by the relayer network; On detecting a burn event, each individual relayer will produce a signature corresponding to this particular bridge operation. During the process, the Massa Bridge UI will query the relayer network for the signatures. Once at least 3 of the 4 relayers have produced their signatures, the Massa bridge UI will prepare the redeem transaction. The user will then sign and send the redeem transaction to the EVM blockchain, triggering the release of the tokens.

Bridge flow

Security Measures

The BridgeVault contracts on the EVM chains hold the assets locked during the bridging process. The only way assets can be redeemed is by sending a message signed by the 3 out of 4 nodes of the relayer network. This ensures that the assets are only released when the relayer network has verified the corresponding burn transaction on Massa, while maintaining availability in case a single relayer crashes. The public keys of the relayers are stored in the Bridge contract on Massa, and can only be updated by a gnosis safe multisig wallet controlled by the bridge operators. Moreover, a 48h timeLock from Openzeppelin is implemented in the Bridge contract on Massa, which requires a 48h delay before the relayer network can update the public keys. This ensures that the bridge operators have enough time to intervene in case of a malicious update of the public keys.

Gnosis safe Safe proxy address: 0xDB1a35B0C8Bb727A8ce5314B4fCCa874614138BB

Signer NameAddressStatus
Signer 10x675Ebdc155e89c31229b0C7aF38D8D355E61F50Active
Signer 20xB744a01980b2f1ee61ED742df42B21b3AAfE1A31Active
Signer 30xcF6fB27ddC0A0270A36F7E7E5270CB179D2bfD32Active

The Bridge contract on Massa is responsible for minting the tokens in response to the locked assets on Ethereum. The Bridge contract can only mint tokens when it receives a message signed by 3 out of 3 nodes of the relayer network. The synthetic token contracts ownership, has yet to be transferred to a multisig wallet after deployment. The public keys of the relayer nodes are hardcoded in the contract and cannot be updated. This contract as well can be paused for maintenance or security. The Bridge contract can charge fees but have been set to 0.

On chain architecture

The relayer network is a set of independent nodes responsible for monitoring bridge transactions, verifying events, and facilitating the cross-chain communication necessary for asset transfers. The three nodes are hosted on different cloud providers to avoid common points of failure. For redundancy, each node has a fallback mechanism and redundant RPC connections.

The Massa Bridge smart contracts have undergone security audits conducted by Certik, the report is publicly available here.