SIP-351: Implement Cross-Chain SNX Token Transfers on Base via Chainlink CCIP

Author
Roger Brogan
StatusRejected
TypeGovernance
NetworkEthereum & Base
ImplementorTBD
ReleaseTBD
Created2023-12-01

Simple Summary

Expand Synthetix’s existing usage of Chainlink’s Cross-Chain Interoperability Protocol (CCIP) to enable secure cross-chain SNX token transfers between Ethereum and Base.

Abstract

This proposal enables the cross-chain transfer of SNX tokens between Ethereum and Base via Chainlink CCIP, and as a result, users would no longer have to wait the seven-day challenge period for withdrawals from the L2 Base network to Ethereum mainnet.

No modification is required for the existing SNX token contract on Ethereum and no changes are needed for existing V2X contracts. If implemented, SNX token pool contracts will be deployed on Ethereum and Base to facilitate token transfers between networks.

By laying this initial groundwork, the Synthetix community has the optionality to expand support for cross-chain SNX to additional chain environments in the future, which will help prevent fragmentation and maintain fungibility for SNX as it moves cross-chain.

Motivation

It’s long been a priority for the Synthetix community to launch on Base, but there are limitations to the Base bridging solution proposed in SIP-338. Namely, the seven-day challenge period for withdrawing from optimistic rollups, such as Base, as well as creating fragmented SNX token liquidity from different variations of SNX-bridged tokens across networks. Furthermore, given the historical value exploited by unsecure cross-chain protocols ($2.75B+), Synthetix requires the most secure cross-chain interoperability protocol.

Specification

Overview

This SIP proposes using Chainlink CCIP to securely transfer SNX between Ethereum and Base. Additionally, this SIP provides the foundation for expansion to additional chains in the future with a cross-chain fungible version of SNX.

  • Between Ethereum and non-native chains: Use CCIP lock-and-mint to transfer canonical versions of SNX.
  • Between non-native chains: Use CCIP burn-and-mint to transfer canonical versions of SNX.

Rationale

Chainlink CCIP is the optimal solution to continue supporting Synthetix’s cross-chain expansion. CCIP leverages multiple Decentralized Oracle Networks (DONs) per chain-lane, an independent Risk Management Network that continuously monitors and validates the behavior of the primary CCIP network, high-quality node operators, and additional security features such as token rate limiting (expanded upon below).

Chainlink and Synthetix have had a long-standing relationship of innovating DeFi together, as Synthetix was the first user of Chainlink Price Feeds back in 2019 and has since used numerous crypto, equity, forex, and commodity Price Feeds across both Ethereum and Optimism. Synthetix also uses Chainlink Automation and then became the first user of CCIP for cross-chain transfers via the Synthetix Teleporter (burn-and-mint for sUSD). This proposal continues our tradition of joint leadership by enabling SNX token transfer through CCIP to connect Synthetix tokens to the broader blockchain landscape, with this proposal focused on Base as a starting point.

Furthermore, given Synthetix’s extensive usage of various Chainlink services for multiple protocol functions, we believe this proposal would add little-to-no additional trust assumptions to the Synthetix protocol.

There are many key benefits of CCIP over native bridges:

  1. Immediate L2 -> L1 transfers: No need to wait for the seven-day challenge period of optimistic rollups (e.g., Base) to withdraw back to mainnet.
  2. Faster time to market: A single interface and implementation, no matter which chain the community wants to expand to in the future.
  3. L2 <-> L2 interoperability: With CCIP, users can burn-and-mint between any two supported non-Ethereum mainnet blockchains, such as L2s, without needing to touch the locked tokens on Ethereum mainnet. In contrast, using the native bridges of each chain creates liquidity fragmentation, as each wrapped version is not directly fungible or interoperable.
  4. Ownership: Protocols have flexibility and complete ownership over the token contract on the destination chain instead of the bridge.
  5. Configurable rate limiting: Protocols can define an upper bound on the number of tokens that can flow across CCIP over a period of time, both per-token and per-lane, reducing risk-exposure during worst-case scenarios.

Security

Developed with security and reliability as the primary focus by some of the industry’s leading academic researchers, CCIP operates at the highest level of cross-chain security. CCIP’s defense-in-depth security and suitability for the Synthetix ecosystem can be broken down across multiple categories:

Multiple Layers of Decentralization

CCIP is powered by the same proven decentralized oracle infrastructure model that underpins all Chainlink services. Rather than operating as a single monolithic network, CCIP operates via multiple decentralized oracle networks (DONs) per chain lane, with each lane consisting of a unique source chain and destination chain. This approach allows CCIP to be horizontally scalable, as additional DONs are added to CCIP for each additional blockchain network supported, versus funneling all cross-chain traffic through a single network:

  • The committing DON is a decentralized network of oracle nodes that monitor events on a given source chain, wait for source chain finality, bundle transactions to create a Merkle root, come to consensus on that Merkle root, and finally commit that Merkle root to the destination chain.
  • The executing DON is a decentralized network of oracle nodes that submit Merkle proofs on a destination chain, which is then verified onchain by ensuring the transactions were included in a previously committed Merkle root validated by the Risk Management Network.

Risk Management Network

The Risk Management Network is a separate, independent network that continuously monitors and validates the behavior of CCIP, providing an additional layer of security by independently verifying cross-chain operations for abnormal activity. The Risk Management Network utilizes a separate, minimal implementation of the Chainlink node software, creating a form of client diversity for increased robustness while minimizing external dependencies to prevent supply chain attacks.

More specifically, the Risk Management Network was written in a different programming language (Rust) than the primary CCIP system (Golang), developed by a separate internal team, and uses a distinct non-overlapping set of node operators compared to the CCIP DONs. The Risk Management Network is a wholly unique concept in cross-chain interoperability that builds upon established engineering principles (N-version programming) seen in mission-critical systems in industries such as aviation, nuclear, and machine automation.

To increase the security and robustness of CCIP, the Risk Management Network engages in two types of activities:

  • Secondary Approval: The Risk Management Network independently recreates Merkle roots based on transactions from the source chain, which are then published on the destination chain and compared against the Merkle roots posted by the Committing DON. Cross-chain transactions can only be executed if the Merkle roots from the two networks match.
  • Anomaly Detection: The Risk Management Network monitors for abnormal behavior from the CCIP network (e.g., committed transactions with no source chain equivalent) and the behavior of chains (e.g., deep block reorgs). If suspicious activity is detected, the Risk Management Network can trigger an emergency halt to pause all CCIP lanes and limit any losses.

CCIP-Diagram-04_v04.gif

Configurable Rate Limits

As an additional layer of security for cross-chain token transfers, CCIP implements configurable rate limits, established on a per-token and per-lane basis, which are set up in alignment with token contract owners like Synthetix. Furthermore, CCIP token transfers also benefit from the increased security provided by an aggregate rate limit (across token pools) on each lane, so even in a worst-case scenario, the system is designed to prevent every token’s limit to be maxed out before the aggregate rate limit on a lane is hit.

Audits and Source Code

Security is the number one priority for the Chainlink ecosystem, a value we do not and will not compromise upon. Chainlink Labs has put an immense amount of resources into developing the security model of CCIP, and as such, it is the most audited Chainlink solution to date.

Both the on-chain and off-chain code for CCIP and the Risk Management Network were subjected to 14 independent audits by five leading security firms (Cure53, Dedaub, NCC Cryptography Services, Sigma Prime, and Trail of Bits) in preparation for the initial mainnet launch.

Additionally, two crowdsourced audits of CCIP and the Risk Management Network were conducted on the Code4rena (C4) platform:

All valid findings were remediated, and fixes were confirmed with the respective auditors. In some cases, findings represented expected behaviors and were reviewed with auditors upon receipt of audit reports.

The source code for CCIP is publicly viewable on GitHub:

Technical Specification

  • No modification is required for the existing SNX token contract on Ethereum and no changes are needed for existing V2X contracts.
  • Token pool contracts are deployed on each chain corresponding to the SNX contracts.
  • For the native chain (Ethereum), the CCIP token pool contract implements a Lock/Release mechanism.
  • For Base, and in the future other non-Ethereum mainnet chains,
    • The token pool contract implements a burn-and-mint mechanism.
    • SNX Token contracts: Synthetix deploys the SNX token contract and provides burn() and mint() authorization to the CCIP token pool contract.
  • Appropriate rate limits are set for SNX token transfers per lane based on requirements from Synthetix.
  • A CCIP sender contract is implemented on each chain. This CCIP Sender contract initiates the ccipSend() request that calls the CCIP Router contract on the source chain. This CCIP sender contract is integrated with the Synthetix dApp for SNX transfers, using a similar UI integration approach that was used for sUSD Teleporters that utilize CCIP.

Test Cases

N/A

Configurable Values (Via SCCP)

N/a

Disclaimer

Chainlink Labs’ work is offered “as is” without representations, guarantees, or warranties of any kind, on a commercially feasible basis and subject to Synthetix DAO’s acceptance of the Chainlink Labs terms of service (available at Terms of Service – Chainlink Labs). The benefits are solely being made available to the Synthetix platform and not to any other party, including Synthetix DAO.

Copyright and related rights waived via CC0.