Frax Ferry: An Innovative Bridge Solution for Safer Cross-Chain Transactions
The year is 2022, and the Frax team finds themselves in the aftermath of the Harmony hack, grappling with significant losses in FRAX and damage to their reputation.
How did this happen?
On June 24th, 2022, the Harmony “Horizon Bridge” suffered a severe breach, resulting in the theft of various crypto assets with a combined value of $99.6 million. The perpetrators behind this hack exchanged the stolen crypto-assets for Ether and skillfully concealed their illicit gains using the now-sanctioned Tornado Cash.
In the aftermath of the incident, Elliptic’s investigative team diligently followed the trail of the pilfered funds as they passed through the mixer. Through their meticulous efforts, they conducted a comprehensive analysis of the exploit’s distinctive characteristics and the subsequent methods employed to launder the funds. Within a few days of the hack, Elliptic became the first to attribute the cyber attack to APT38, also known as The Lazarus Group. This attribution was later corroborated by the Federal Bureau of Investigation (FBI) in January 2023.
The hack on the Harmony Horizon Bridge was executed through a particular vulnerability in the validation procedure for approving transactions transferred over the bridge, which is a common feature in many cross-chain bridges. In this case, the bridge relied on a multi-signature system with five validators for the approval process.
However, a critical oversight emerged as the bridge implemented a 2 out of 5 validation scheme. This meant that the hacker only needed to gain access to two blockchain accounts to execute any malicious transaction of their choosing. Regrettably, the attacker managed to acquire two private keys and used them to gain entry into the Harmony Horizon bridge.
The system had individual private keys encrypted with a passphrase and managed through a key management service. Despite these security measures, the attacker successfully accessed and decrypted several keys, enabling them to create a transaction to withdraw a staggering $100 million from the bridge. With two of the bridge’s private keys under their control, they could confirm the transaction themselves.
To cover their tracks, the attacker later utilized Tornado Cash to launder many of the stolen tokens. In response to this breach, the multi-signature scheme has been updated to require consent from 4 out of the 5 validators, bolstering the bridge’s security measures and reducing the risk of future attacks.
Determined to prevent such incidents in the future, the Frax Finance team brainstormed and introduced a groundbreaking concept: Frax Ferry.
What is Frax Ferry?
Frax Ferry is an innovative bridge solution that addresses the need for the secure and seamless transfer of unlimited Frax-issued assets while safeguarding the Ethereum-based protocol from potential exploits.
Frax Ferry breaks down the transfer of FRAX into smaller batches. Each batch is then sent through a series of checkpoints, where it is verified and approved. This process takes some time, but it makes it much more difficult for attackers to exploit the bridge.
What sets Frax Ferry apart from other bridge solutions is its distinct approach to asset transfers. Rather than transferring assets instantly, Frax Ferry employs a timelock mechanism, allowing enough time to detect and halt any fraudulent transactions.
However, not everyone is happy about Frax Ferry. Some people in the DeFi community believe that it is too slow and cumbersome. They argue that Frax Ferry will make it difficult for people to use Frax tokens on other chains.
The Frax team is aware of these concerns, but they believe that the security of Frax Ferry is more important than speed. In their view, Frax Ferry is the best way to protect the Frax protocol from hackers and fraudsters and to ensure its long-term security.
The Frax Ferry architecture
Initially, Frax relied on third-party bridges like Wormhole and Multichain to facilitate swift transfers by minting wrapped versions of stablecoins (anyFRAX, wormFRAX) on the destination chain. However, this approach came with inherent challenges and vulnerabilities, including the risks of hacks, bugs, infinite mints, and slow transactions on certain chains.
To address these issues and bolster the stability and uninterrupted functioning of the Frax Protocol, the team introduced a new and more secure bridging mechanism called Frax Ferry.
Now, unlike other stablecoin bridges mentioned earlier, Frax Ferry operates as a front-end hosted on the Frax application, enabling end-users to interact directly with the bridging system. Before delving into the transaction lifecycle, it’s essential to understand some key roles and terms within the bridge’s architecture:
Terms:
1. Shipping process: The process of transferring funds from the source chain to the destination chain.
2. Batch: All user transactions are stored in a smart contract on the source chain in a ‘Batch,’ which is then shipped to the destination chain once every 24 hours.
Roles:
1. Captain: The Captain initiates the shipping process by querying the source chain for transactions to be shipped and has the authority to start the trip.
2. Crewmembers: These are bots run by whitelisted entities and play a crucial role in validating the batch sent by the Captain. They are responsible for checking the batch’s validity and can dispute it if they find any discrepancies or issues.
3. First Officer: The First Officer is responsible for executing non-disputed batches. They transfer the tokens from the contract to the intended recipients on the other chain.
4. Owner: The Owner is another whitelisted core developer who can manually manage tokens in the smart contract on the destination chain (by pausing, unpausing, and/or removing batches) and must ensure sufficient funds.
The general transaction process through Frax Ferry unfolds as follows:
1. User initiates the transaction on the Ferry frontend, and tokens are sent to Ferry’s contract on the source chain. This transaction is part of a batch containing other user transactions.
2. The Captain queries the transactions on the source chain and initiates the shipping process by sending a batch that includes the trip’s start and end details, along with a hash value, using the “depart()” function.
3. The user funds are transferred from the source chain to the destination chain once every 24 hours via ‘ferries.’ Therefore, users must wait for this period to elapse.
During this waiting time, Crewmember bots diligently validate the batch sent by the Captain and dispute it if they detect any discrepancies. They can raise a dispute using the “disputeBatch()” function.
If no issues are found, the Crewmembers proceed to the next step without raising disputes.
4. The funds arrive on the destination chain and are stored in Ferry’s smart contract. At this point, the Owner, a whitelisted core developer, manually manages the tokens in the smart contract. Their responsibility is to ensure that the contract holds the correct user funds sent from the source chain. If any mismatches occur, the Owner can pause the batch to prevent fraud.
5. Once the Crewmembers and the Owner have reviewed the batch and not raised any disputes, the First Officer can execute the batch by providing the transactions as calldata. This process is carried out using the “disembark()” function. The First Officer ensures that the hash of the transactions matches the hash value provided in the batch.
6. Users receive their tokens on the destination chain, successfully completing the bridging process.
To maintain the system’s integrity, there are several trust assumptions:
1. Captain will propose accurate batches: Users must trust that the Captain will not propose fraudulent batches with false transaction hashes. In case of undetected fraudulent transactions, they could be executed on the destination chain.
2. Crewmember bots will detect fraudulent transactions and maintain uptime: Users must rely on the diligence and uptime of the Crewmember bots, run by whitelisted core developers of Frax, to detect and dispute invalid batches within the 24-hour waiting period.
3. Key roles (Captain, Crewmembers, Owner, First Officer) are whitelisted by the team: Users need to trust that the core developers whitelisted for these roles will act honestly and in the best interest of the users and the protocol, ensuring the system’s liveness.
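The batch lifecycle and trust assumptions above, as an added Python sketch that is not Frax's contract code: a simplified model of depart(), disputeBatch() and disembark() with the 24-hour timelock. The SHA-256 chained hash, the class and helper names, and the sample deposits are assumptions made for illustration.

```python
import hashlib
from types import SimpleNamespace

WAIT = 24 * 3600  # dispute window: the 24-hour wait described in the article
# Constructed source-chain deposits (user, amount); not real addresses.
SOURCE_TXS = [("alice", 100), ("bob", 250), ("carol", 75)]

def batch_hash(start, txs):
    # Chained hash over the batch. SHA-256 is a stand-in (assumption), not the contract's hash.
    h = hashlib.sha256(start.to_bytes(32, "big")).digest()
    for user, amount in txs:
        h = hashlib.sha256(h + user.encode() + amount.to_bytes(32, "big")).digest()
    return h

class Destination:
    """Simplified model of the destination-side contract (hypothetical)."""
    def __init__(self):
        self.batches, self.paid = [], {}

    def depart(self, start, end, h, now):            # Captain proposes a batch
        self.batches.append(SimpleNamespace(start=start, end=end, hash=h,
                                            departed=now, disputed=False, executed=False))
        return len(self.batches) - 1

    def dispute_batch(self, n):                      # Crewmember blocks a batch
        self.batches[n].disputed = True

    def disembark(self, n, txs, now):                # First Officer executes
        b = self.batches[n]
        if b.disputed or b.executed:
            raise RuntimeError("batch disputed or already executed")
        if now < b.departed + WAIT:
            raise RuntimeError("timelock not elapsed")
        if len(txs) != b.end - b.start + 1 or batch_hash(b.start, txs) != b.hash:
            raise RuntimeError("calldata does not match batch hash")
        b.executed = True
        for user, amount in txs:
            self.paid[user] = self.paid.get(user, 0) + amount

def crew_check(dest, n, source_txs=SOURCE_TXS):
    """Crewmember bot: rebuild the hash from source-chain data; dispute on mismatch."""
    b = dest.batches[n]
    ok = batch_hash(b.start, source_txs[b.start:b.end + 1]) == b.hash
    if not ok:
        dest.dispute_batch(n)
    return ok
```

The hash check in disembark only binds the calldata to what the Captain proposed, so in this model a batch that no Crewmember compares against the source chain executes once the timelock expires, which is why the second trust assumption matters.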
Frax Ferry currently supports 14 EVM chains, including Ethereum, Arbitrum, Optimism, Polygon, and several others, facilitating seamless cross-chain transactions for the Frax ecosystem users. This new version offers several benefits, such as capping risks through fixed token amounts in bridge contracts, eliminating the risk of infinite minting, and enabling better scrutiny of asset movements to detect and prevent potential issues.
To ensure its security, Frax Ferry underwent an audit conducted by Trail of Bits in 2022.
Conclusion:
The launch of Frax Ferry was a significant milestone, empowering users to access native FRAX and other stablecoins in the Frax ecosystem across any chain without relying on third-party bridges. Looking ahead, Frax has ambitious plans to launch Fraxchain, a consolidation of infra products like Ferry and stablecoins onto its own Layer 2, creating a more user-friendly and interconnected ecosystem.