Top 3 Multi-Chain Security Issues

[Did you know - This article got featured in one of the most reputable security blogs, Blockchain Threat Intelligence, in the security research category]

Blockchains for the long term depended on singularly isolated ledgers that in many cases, weren’t interoperable with each other. This has led to the fragmentation of these different chains without the ability to cross-communicate. Leaving both users, dApps, and liquidity living in silos. However, this has begun to change with the rise of what we call omni-chain protocols.

These protocols act as “Layer 0” protocols transmitting messages from one blockchain to the other and allowing us to move away from fragmented chains and into the multi-chain future that allows for interconnectedness and easier access for users. Of course, no innovation in Web3 comes without its fair share of security concerns. In this article, we’ll be discussing some of the most common issues found with multi-chain protocols and how you as a developer can avoid these.

Understanding Cross-Chain Auditing

Cross-chain protocols are fundamental in creating a more interconnected and functional blockchain ecosystem, enabling greater flexibility and utility for decentralised applications and digital assets. However some of the pitfalls of this are that different chains can have different gas costs, may support different opcodes, and some even have different block times or block numbers. All of this can affect how your smart contract is developed so you should take caution when working with cross-chain protocols.

Key Components of Cross-Chain Protocols

There are some key components to ensure that cross-chain protocols interact easily with multiple chains. Here’s a brief overview:

1. Relays or Bridges: These act as intermediaries, relaying information between blockchains. They can be centralised or decentralised. In many cases, these Relayers are listening for events that are being emitted on one chain and use those events to send a message to another chain.

2. Smart Contracts: Many multi-chain protocols work by deploying smart contracts on multiple chains. These contracts act as entry points for dApps to interact with. They receive messages from dApps to be sent cross-chain.

3. Consensus Mechanisms: Ensuring that all participating blockchains agree on the validity of the cross-chain transactions.

Top 3 Most Common Security Issues

1. Inadequate Validation in Smart Contracts

Smart contracts may lack proper validation mechanisms for verifying the authenticity and integrity of the data received from another chain.

Vulnerable example:

// Hypothetical smart contract snippet lacking adequate validation
function updateDataFromOtherChain(address fromChain, bytes32 data) public {
    // Potential issue: No validation of the data or its source
    externalData[fromChain] = data;
}

Improved version:

function updateDataFromOtherChain(address fromChain, bytes32 data) public {
        // Validation is implemented
    require(isValidChain(fromChain), "Invalid source chain");
    require(verifyData(data), "Data validation failed");
    externalData[fromChain] = data;
}

2. Modified Opcodes in Different Chains

Different blockchain networks might change or not support certain opcodes that you would typically find in Ethereum.

For example, Optimism uses its own versions of opcodes like block.coinbase, block.difficulty, and block.basefee. The behavior of tx.origin can also be different, especially in transactions from Layer 1 to Layer 2. Additionally, Optimism introduces new opcodes that other chains don’t have.

Many L2s are notorious for not having the PUSH0 opcode which forces developers to lock their Solidity versions to 0.8.19

3. Blocked LayerZero Channel

The LayerZero documentation explains the standard security procedure for a cross-chain message and what occurs if a cross-chain message fails. A failed transaction on the destination application blocks the channel between the source and destination application. The failed transaction must then be successfully retried before any new transactions can proceed.

This can lead to issues for users. If a developer does not wrap the cross-chain message in a try/catch and the transaction fails, this channel is now blocked and the same transaction must be retried to unblock it. Another issue that arises with blocked channels is if developers do not implement the forceResume function as per the LayerZero documentation. This function allows you to force a stuck transaction through the channel effectively unblocking the channel for other transactions to pass through. To mitigate against these attacks it is recommended to use ILayerZeroApplicationConfig instead of writing your implementation as it protects devs against all of these attacks.

Read more about this type of issue here or check out the LayerZero documentation here.

Conclusion

This article presents various examples that arise with Multi-Chain implementation. Developers should take some of these into consideration when integrating multi-chain protocols and cross-chain messaging services like LayerZero. Fragmentation of blockchains may be an idea of the past leading us to more user onboarding, greater liquidity, and more decentralisation as we won’t need to rely on centralised parties like Binance and Coinbase to send transactions cross-chain. Though, this is an exciting future, we as developers have to be careful to not introduce more risk to our users when building these types of applications. Being thorough when building a cross-chain protocol is the first step to building secure multi-chain dApps.

---

Rivanorth is a boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit https://rivanorth.com/ to find out more.

You build the future. We help you secure it.