Original source: Immutable X
Original compilation: Captain Hiro
Security is a fundamentally difficult and asymmetrical problem for any software company. And when it comes to security issues, there is no silver bullet — several technology companies have had notable breaches (e.g. Okta, HubSpot) in the last month alone. However, the self-custodial and irreversible nature of cryptocurrencies means that a security breach could result in billions of dollars in permanent losses. This constant risk is a huge challenge for NFT projects with long-term ambitions.
The loss of hundreds of millions of dollars in user funds has badly damaged the reputation of the NFT space and of the companies and projects involved. This risk is unacceptable for many businesses entering the space, especially those with existing customer bases, reputations and legal obligations. Security will therefore become an increasingly important criterion when NFT projects select a platform. Every platform has a strong incentive to position itself as sufficiently secure. But the truth is that every solution involves trade-offs, and it is important for projects to understand very clearly which specific trade-offs they and their platform are making.
I am Alex Connolly, CTO and Co-Founder of Immutable. We built one of the leading platforms for large-scale, high-quality NFT projects, especially games. I wanted to write this article to provide a detailed and largely unbiased assessment of the choices made by some of the most popular NFT platforms, including Ronin, Polygon, Immutable, Solana, and Optimism. I will focus specifically on two core elements of each platform's underlying security:
Consensus security: the difficulty of stealing assets by attacking the platform's nodes/validators (e.g. through a 51% attack).
Bridge security: the security of the mechanism for transferring assets from Ethereum. This is usually the bigger concern, as compromises often put user funds directly at risk.
This article is an in-depth discussion of the security of NFT platforms, intended to give project leaders the technical detail they need to make informed choices. If you only want the key points, take a look at the table below.
Next, let's dig into the security of each NFT platform in turn.
Ronin
Ronin is a blockchain created by Sky Mavis Labs that currently powers Axie Infinity and its ecosystem exclusively.
Consensus security
Ronin is a "sidechain": a blockchain with its own nodes and consensus mechanism that maintains an official "bridge" connection to Ethereum. Ronin is a Proof of Authority (PoA) blockchain with only 10 nodes, and these nodes stake their reputation on not abusing their power. This is the same model as Ethereum testnets such as Goerli (PoA with 20 nodes). If any 5 of these nodes (more than 50%) become malicious or are compromised, they can mount a 51% attack on the network and steal users' funds through double spending or other attacks. This is generally considered an extremely low node count (Bitcoin has 15,000 nodes, Ethereum close to 6,000) and results in a more centralized network in exchange for faster and cheaper transactions. In addition, users cannot run their own nodes, and the source code of the Ronin node is not public, so Ronin users cannot audit it.
Bridge security
Ronin's official Ethereum bridge is controlled by a 5-of-9 "multisig". A multisig requires m signers out of a total of n keyholders to approve each transaction; on Ronin, every bridge action needs the approval of this multisig. However, there is no mechanism to check that a deposit or withdrawal actually corresponds to real funds: anyone holding 5 of the 9 private keys can withdraw any amount of any token held by the Ronin bridge to any Ethereum address. Every user of the bridge therefore trusts this multisig directly with all of their funds.
That trust was broken in March 2022, when an attacker obtained 4 private keys held by the Axie team plus 1 key that an Axie DAO validator (node) had lent to the Axie team (giving them 5 of 9) and stole $625 million. What we know so far suggests a classic network security breach whose consequences were severe because of the centralization of these validator private keys. Sky Mavis has committed to repaying the lost funds and to reaching 21 independent validators within the next three months so that Ronin is more resilient to future attacks, although stronger consensus and bridge mechanisms may come with trade-offs in network reliability and scalability.
Polygon
Polygon currently offers a proof-of-stake Ethereum sidechain (Polygon PoS), as well as a dedicated NFT services business, Polygon Studios, which supports major projects such as Skyweaver and ZED RUN. Polygon is moving towards offering a range of different scaling solutions, most of them based on zk-rollup technology (discussed later), but currently only Polygon PoS is live as an NFT platform.
Polygon PoS is a sidechain whose basic model is similar to Ronin's, except that Polygon is a "commit chain" that periodically submits checkpoints of its state to Ethereum. Polygon PoS consensus has two main components. The first is the Bor chain, where Polygon transactions actually happen: a rotating subset of block producers, chosen from a larger pool of validators, runs a modified proof-of-authority network that determines the inclusion and ordering of transactions. Within this subset, a single block producer (see the block validators on PolygonScan) is selected to propose 64 consecutive blocks.
The second is the Heimdall checkpoint system, in which a larger set of validators (currently capped at 100) reach a two-thirds proof-of-stake consensus on a summary snapshot of roughly the last 30 minutes of Bor blocks, and publish that snapshot as a checkpoint on Ethereum. However, although there are 100 validators, 4 validators control 53% of the stake and 7 validators control 67% (see here, click "Show All" and sort by stake), and the required two-thirds majority is measured in stake, not in number of validators. This means that with only 7 private keys compromised, all funds on the chain, not just funds in the bridge, could be stolen through a malicious checkpoint; and stakers must keep their private keys hot at all times to sign checkpoints. Furthermore, since a quorum requires two-thirds of the stake and 3 validators control 43% of it, only 3 hot wallets need to be compromised to completely freeze withdrawals and checkpoints.
[Figure: Of the $2,307,879,127 staked, the top 7 validators staked $1,540,761,159 (~67%)]
Contract upgrades can be used to defend against malicious checkpoints (assuming it is detected quickly enough), but this has its own security risks, which we discuss next.
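The stake-concentration argument above (and the Solana "superminority" figure later in the article) reduces to a short calculation: sort validators by stake and count how many are needed to reach two-thirds of the total (enough to sign a checkpoint) or to exceed one-third (enough to block any checkpoint). The Python below is an added example, not code from the article, from Polygon or from Solana; the stake figures in it are constructed for illustration, not live data, and the function names are my own.

```python
"""Stake-concentration check for a stake-weighted validator set (added example)."""
from typing import List, Tuple

# Constructed sample stakes in arbitrary units (NOT live Polygon or Solana data);
# the total is 2000 so shares are easy to read off.
SAMPLE_STAKES = [400, 330, 280, 200, 150, 120, 110, 90, 80, 70, 60, 50, 40, 20]


def validators_to_reach(stakes: List[int], numerator: int, denominator: int,
                        strict: bool) -> Tuple[int, float]:
    """Smallest number of validators, taking the largest stakes first, whose combined
    stake reaches numerator/denominator of the total stake.

    strict=False: combined stake >= threshold (e.g. >= 2/3 forms a checkpoint quorum).
    strict=True:  combined stake >  threshold (e.g. > 1/3 denies any 2/3 quorum).
    Integer cross-multiplication avoids floating-point rounding at the boundary.
    Returns (validator_count, share_of_total_stake)."""
    total = sum(stakes)
    cumulative = 0
    for count, stake in enumerate(sorted(stakes, reverse=True), start=1):
        cumulative += stake
        lhs, rhs = cumulative * denominator, numerator * total
        if (lhs > rhs) if strict else (lhs >= rhs):
            return count, cumulative / total
    return len(stakes), 1.0


def takeover_threshold(stakes: List[int]) -> Tuple[int, float]:
    """Keys needed to sign a malicious checkpoint: a two-thirds stake quorum."""
    return validators_to_reach(stakes, 2, 3, strict=False)


def halt_threshold(stakes: List[int]) -> Tuple[int, float]:
    """Keys needed to freeze checkpoints/withdrawals: strictly more than one third
    of stake, which is also the "superminority" figure used for Solana."""
    return validators_to_reach(stakes, 1, 3, strict=True)


def report(stakes: List[int]) -> str:
    take_n, take_share = takeover_threshold(stakes)
    halt_n, halt_share = halt_threshold(stakes)
    return (f"{len(stakes)} validators: top {take_n} hold {take_share:.1%} "
            f"(can sign a 2/3 quorum); top {halt_n} hold {halt_share:.1%} "
            f"(can block any 2/3 quorum)")


if __name__ == "__main__":
    print(report(SAMPLE_STAKES))
    print(report([100] * 100))   # evenly distributed stake, for comparison
```

With the constructed distribution, 5 keys suffice for a quorum and 2 suffice to halt; with 100 equal stakes the same thresholds need 67 and 34 keys. The validator count alone says nothing about either number, which is the point the paragraph above makes.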
Bridge security
Polygon's bridge differs from Ronin's in that the checkpoint system removes the need for a group of independent validators to sign every deposit and withdrawal. However, this means that the security of the bridge depends entirely on the Heimdall and Bor consensus, which is exposed to the attacks described above.
Additionally, Polygon uses a 5-of-8 multisig to manage its bridge smart contracts, and contract upgrades take effect instantly with no time lock. This is intended as protection against smart contract bugs or a compromise of the stake-weighted validators discussed above. Four of the private keys are held by Polygon's founders. This structure has been strongly criticized by security researchers in the community, because compromising just one more private key would make it possible to drain all of the funds in the Polygon contract (5 billion USD). However, since Polygon's signers do not sign every deposit and withdrawal transaction, these administrative keys can be kept offline, making them less likely to be compromised.
Immutable
Immutable is a platform for building high-quality, high-scale NFT projects, such as games. Notable projects built on Immutable include Illuvium, Gods Unchained, Ember Sword, and Guild of Guardians.
Consensus security
Immutable is a zk-rollup built on StarkWare's StarkEx prover/verifier system. Immutable records a batch of Layer 2 (L2) transactions, generates a STARK proof that those transactions are valid, and submits this proof to a mainnet (L1) smart contract "verifier", which then updates some mainnet state (in our case, the root of a Merkle tree containing the balances of millions of users' NFTs). Importantly, this is much better than naively batching transactions, since the cost of verifying a STARK proof scales sublinearly with the number of transactions.
Since every state transition must be verified by the mainnet smart contract, even if Immutable's systems were completely compromised, Immutable could not embed invalid transactions in the rollup or steal assets. This is a very strong security property, and part of the reason Vitalik describes rollups as "Ethereum's key scalability solution for the foreseeable future."
However, Immutable operates as a "single operator" rollup (only Immutable can order or prove transactions). This means that Immutable could extract miner-extractable value (MEV) by front-running or reordering transactions. Currently almost all rollups are "single operator", although most plan to decentralize over time.
Bridge security
Rollups use a fundamentally different bridge structure from sidechains, because they maintain a verified "state" on mainnet that can only be updated with valid proofs. Bridging funds requires that this verified state already includes your deposit or withdrawal: there is no multisig to attack (as with Ronin) and no way to push a "fake" state transition by compromising validators (as with Polygon), because every transaction is verified just as it would be on mainnet. This trustless bridge is why rollups are called "layer two networks": their security rests directly on Ethereum's consensus, rather than on a separate consensus mechanism with a trusted bridge.
At any time, a user can submit a "withdraw" transaction to bridge their funds from L2 to mainnet. If Immutable includes this transaction in a proven set of state changes, the user can withdraw their funds directly to Ethereum in a trustless manner. If Immutable does not process this withdrawal (because it is unavailable or deliberately censoring), the user can always use the "full withdrawal" flow by interacting directly with the mainnet bridge contract.
If this "full withdrawal" request is not serviced either, the exchange state is frozen and every user can withdraw by providing the path to their asset in the state Merkle tree. Ensuring that users can access this data even if Immutable is malicious or offline is the rollup "data availability problem". In the standard zk-rollup structure this has a simple solution: require the necessary data to be published to the Ethereum mainnet before a state update is allowed. However, this introduces a small linear gas cost that many applications are unwilling to pay. This cost will not change after the Merge, but will be substantially reduced by proposals such as EIP-4488, the original database, and (eventually) sharding, as Ethereum accepts its role as the underlying validation and data availability layer for rollups.
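To make the contrast between the Ronin-style multisig bridge described earlier and the rollup "full withdrawal" flow above concrete, here is an added Python model; it is not code from the article, from Immutable or from StarkEx. It builds a Merkle tree over a handful of constructed L2 vaults, lets a user produce the "asset path" for their vault, and places a bridge that releases funds only against a proof checked against the verified root beside a bridge that releases anything once 5 of 9 approvals are present. The vault contents, signer names, hash layout and class names are all assumptions made for this example, and the multisig side models approvals as a set of signer identifiers rather than real signatures.

```python
"""Rollup escape hatch vs multisig bridge (added example, simplified model)."""
import hashlib
from typing import List, Set, Tuple

Proof = List[Tuple[bytes, bool]]   # (sibling hash, sibling is on the right?)


def leaf_hash(owner: str, token: str, amount: int) -> bytes:
    # 0x00 prefix domain-separates leaves from inner nodes (second-preimage hardening)
    return hashlib.sha256(b"\x00" + f"{owner}|{token}|{amount}".encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels: levels[0] are the leaves, levels[-1] is [root].
    A level with an odd node count duplicates its last node before pairing."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level.append(level[-1])      # stored in place, so proofs see the padding
        levels.append([node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def merkle_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling path from a leaf to the root: the 'asset path' a user supplies."""
    proof: Proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_proof(root: bytes, leaf: bytes, proof: Proof) -> bool:
    node = leaf
    for sibling, sibling_is_right in proof:
        node = node_hash(node, sibling) if sibling_is_right else node_hash(sibling, node)
    return node == root


class MultisigBridge:
    """Ronin-style bridge: m-of-n approvals release funds; nothing ties the payout to a deposit."""
    def __init__(self, signers: Set[str], threshold: int):
        self.signers, self.threshold = signers, threshold

    def withdraw(self, to: str, token: str, amount: int, approvals: Set[str]) -> bool:
        return len(approvals & self.signers) >= self.threshold


class RollupBridge:
    """Rollup-style full withdrawal: funds leave only if the vault is provably in the verified root."""
    def __init__(self, state_root: bytes):
        self.state_root = state_root
        self.spent: Set[bytes] = set()

    def full_withdrawal(self, owner: str, token: str, amount: int, proof: Proof) -> bool:
        leaf = leaf_hash(owner, token, amount)
        if leaf in self.spent or not verify_proof(self.state_root, leaf, proof):
            return False
        self.spent.add(leaf)             # each vault can be exited exactly once
        return True


# Constructed sample L2 state (owner, token, amount); five leaves so one level is odd.
VAULTS = [("alice", "GODS", 500), ("bob", "GODS", 120), ("carol", "ETH", 3),
          ("dave", "NFT#77", 1), ("erin", "ETH", 10)]
LEVELS = build_tree([leaf_hash(*v) for v in VAULTS])
STATE_ROOT = LEVELS[-1][0]              # what the L1 verifier contract would hold


def demo() -> dict:
    multisig = MultisigBridge({f"key{i}" for i in range(9)}, threshold=5)
    rollup = RollupBridge(STATE_ROOT)
    proof_erin = merkle_proof(LEVELS, 4)
    return {
        # 5 compromised keys move an arbitrary amount to an arbitrary address
        "multisig_arbitrary_payout": multisig.withdraw(
            "0xattacker", "AXS", 10**9, {f"key{i}" for i in range(5)}),
        "rollup_valid_exit": rollup.full_withdrawal("erin", "ETH", 10, proof_erin),
        "rollup_replay": rollup.full_withdrawal("erin", "ETH", 10, proof_erin),
        "rollup_inflated": rollup.full_withdrawal("dave", "NFT#77", 2, merkle_proof(LEVELS, 3)),
        "rollup_wrong_owner": rollup.full_withdrawal("mallory", "GODS", 500, merkle_proof(LEVELS, 0)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The rollup side has no signer at all to compromise: the only inputs the contract trusts are the root it verified earlier and the path the user supplies, so a changed amount, a different owner or a replayed exit all fail. What the user does need is the sibling hashes, which is exactly the data-availability requirement the paragraph above describes.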
However, with none of these solutions live and the cost of publishing calldata on-chain still prohibitive for use cases like large-scale NFT minting, Immutable currently operates as a Validium rollup. Validium rollups are zk-rollups that do not publish all of the data needed to rebuild the state, in exchange for cheaper transactions. To ensure that this data remains available even if Immutable goes offline or becomes malicious, Immutable relies on a "Data Availability Committee" (DAC). A majority of this committee (made up of prominent ecosystem companies) plus a few "mandatory" members must sign each batch to certify that they hold the necessary data. This is different from a validator multisig: as long as any one DAC member is honest, users can still exit successfully. Even in a data-withholding attack where the entire DAC and the sequencer are compromised, Immutable can still use contract upgrades to prevent a ransom attack.
Immutable's rollup verifier contracts can be upgraded, but only behind a 14-day time lock, which gives users a chance to exit the system if they are unhappy with the new contract (even if Immutable maliciously censors transactions).
Immutable is moving to a Volition model, in which individual "vaults" (a user/token/quantity primitive) can be flagged as requiring on-chain data. Since most of the value stored in a rollup resides in large token/ETH balances or high-value NFTs, that value can be held in relatively few on-chain vaults. This structure should allow most of the value in the rollup to be backed by on-chain data, reducing data availability risk while retaining the ability to do cheap, large-scale NFT minting, which is critical for projects such as games.
Solana
Solana operates as a completely independent mainnet blockchain, with a particular focus on enabling low-cost, high-scale transactions through a custom consensus mechanism.
Consensus security
Solana currently has over 1,500 active nodes, although it places significant hardware requirements on those nodes in order to achieve its high TPS (reducing the ability of individuals to verify transactions, which is an important principle of blockchain decentralization). Importantly, a "superminority" of 20 nodes currently controls over 33% of staked SOL. If these nodes collude or are compromised, they can halt the network or censor transactions at will.
Bridge security
As a completely independent mainnet, Solana has no official bridge to Ethereum. However, the most popular (and semi-official) bridge for Solana users is Wormhole, which allows assets to move across several chains. Wormhole relies on a group of validators called guardians, who reach a two-thirds-plus-one proof-of-authority consensus on all bridge actions; there are currently 19 active guardians. Since Solana and Ethereum cannot verify each other's transactions, the bridge contract relies entirely on the guardians' consensus when assets cross the bridge. This means that if two-thirds of the guardians are compromised, all user funds within Wormhole could be stolen. The mechanism is in fact very similar to the one used by Ronin, and unfortunately the guardians' private keys must also be kept hot to sign new transactions.
In early 2022, a bug in the Wormhole bridge allowed $325 million in user funds to be stolen. This was not a compromise of the validator system; rather, an attacker found a smart contract bug that tricked the bridge into issuing ETH on Solana that had never been deposited on Ethereum. Jump Crypto stepping in to compensate users is a striking indication of the power of capital in cryptocurrency, but a completely unsustainable model as the space grows. This is not an indictment of Solana or Wormhole, as all on-chain systems are vulnerable to smart contract vulnerabilities. While no guarantee is absolute, it is better to use audited and formally verified contracts that have stood the test of time and public scrutiny; Wormhole, for example, was heavily scrutinized after the bug and no further bugs were found.
Optimism
Optimism is an Ethereum optimistic rollup developed by Optimism PBC. It launched on mainnet in August 2021 for whitelisted projects, and so far has seen limited adoption by NFT projects, despite an early community on marketplaces such as Quixotic.
Consensus security
Optimistic rollups work similarly to zk-rollups: they collect transactions and upload a compressed version of the final state after all of those state transitions. However, where zk-rollups provide a "validity proof" for each state transition, an optimistic rollup's transitions are assumed valid unless someone can produce a "fault proof" showing that an invalid transaction occurred. Whoever produces such a proof is rewarded, and the publisher of the invalid state transition is penalized. To allow this challenge to happen, optimistic rollups require a one-week dispute delay before a transaction is fully final. This asynchrony introduces an interesting class of potential economic attacks, and mitigating them is an active research topic.
However, fault proofs on Optimism are currently disabled, meaning that Optimism (or anyone who compromises the Optimism multisig) could steal all user funds by submitting invalid state transitions. This is a temporary state that will be upgraded once the new fault-proof system is ready, but as things stand it poses a serious danger to user funds. Since Optimism is a single-sequencer rollup, it is also open to potential MEV extraction.
Bridge security
Optimistic rollups also provide a trustless bridge to Ethereum. However, since any user can challenge the validity of a batch at any time during the 1-week dispute period, assets withdrawn to mainnet are locked for at least that long. For fungible assets this lock-up can be circumvented with "fast withdrawals" (effectively a loan to the user, on the assumption that the state transition does not involve a fraudulent transaction). Since NFTs are unique and cannot be substituted, however, users must wait out the entire dispute period (up to a week) before their assets arrive on Ethereum mainnet.
Optimism (like all optimistic rollups) requires intermediate transaction data to be published on-chain so that challenges can actually be made; this incurs higher fees, but avoids any complex data availability structure of the kind discussed in the analysis of Immutable.
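As an added illustration of the fault-proof mechanism and dispute window described in this section (not code from the article or from Optimism), the following Python models an L1 rollup contract that stores claimed state roots, re-executes a disputed batch when a challenger supplies the committed pre-state, and refuses to finalize withdrawals until an unchallenged week has passed. A toggle shows what changes when fault proofs are disabled. The state representation, the single-shot challenge (real systems bisect the dispute down to one step first), the class and function names and the sample balances are all simplifications assumed for this example.

```python
"""Optimistic rollup dispute model: fault proofs and the one-week delay (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

Balances = Dict[str, int]
Tx = Tuple[str, str, int]            # (sender, recipient, amount)
DISPUTE_WINDOW = 7 * 24 * 3600       # one week, in seconds


def state_root(balances: Balances) -> str:
    """Commitment to the whole state (a real rollup would use a Merkle root)."""
    return hashlib.sha256(json.dumps(balances, sort_keys=True).encode()).hexdigest()


def execute(balances: Balances, txs: List[Tx]) -> Balances:
    """Deterministic state transition; a transfer that overdraws simply reverts."""
    state = dict(balances)
    for sender, recipient, amount in txs:
        if amount > 0 and state.get(sender, 0) >= amount:
            state[sender] -= amount
            state[recipient] = state.get(recipient, 0) + amount
    return state


@dataclass
class Batch:
    pre_root: str
    txs: List[Tx]            # published on L1 as calldata, so anyone can re-execute
    claimed_post_root: str   # what the sequencer asserts the result is
    posted_at: int
    invalidated: bool = False


class RollupContract:
    """Minimal L1 contract: stores roots and batches and never executes transactions
    itself unless a fault proof is submitted."""
    def __init__(self, genesis_root: str, fault_proofs_enabled: bool = True):
        self.head_root = genesis_root
        self.batches: List[Batch] = []
        self.fault_proofs_enabled = fault_proofs_enabled

    def post_batch(self, txs: List[Tx], claimed_post_root: str, now: int) -> int:
        self.batches.append(Batch(self.head_root, list(txs), claimed_post_root, now))
        self.head_root = claimed_post_root
        return len(self.batches) - 1

    def submit_fault_proof(self, index: int, pre_state: Balances, now: int) -> bool:
        """One-shot fault proof: the challenger supplies the pre-state, the contract
        checks that it hashes to the committed pre_root, re-executes the batch and
        compares. Returns True if the batch (and everything built on it) is thrown out."""
        batch = self.batches[index]
        if (not self.fault_proofs_enabled or batch.invalidated
                or now >= batch.posted_at + DISPUTE_WINDOW
                or state_root(pre_state) != batch.pre_root):
            return False
        if state_root(execute(pre_state, batch.txs)) == batch.claimed_post_root:
            return False                      # batch was honest; challenge fails
        for later in self.batches[index:]:    # this batch and everything built on it
            later.invalidated = True
        self.head_root = batch.pre_root
        return True

    def withdrawal_finalizable(self, index: int, now: int) -> bool:
        """Funds referenced by a batch leave L1 only after an unchallenged week."""
        batch = self.batches[index]
        return not batch.invalidated and now >= batch.posted_at + DISPUTE_WINDOW


GENESIS: Balances = {"alice": 100, "bob": 50, "sequencer": 0}   # constructed sample


def scenario(fault_proofs_enabled: bool) -> Dict[str, bool]:
    """A malicious sequencer posts a batch whose claimed root credits itself with
    everyone's balance; an honest watcher re-executes and challenges it."""
    contract = RollupContract(state_root(GENESIS), fault_proofs_enabled)
    honest_txs = [("alice", "bob", 30)]
    honest_state = execute(GENESIS, honest_txs)
    honest = contract.post_batch(honest_txs, state_root(honest_state), now=0)
    stolen_state = {"alice": 0, "bob": 0, "sequencer": 150}
    bad = contract.post_batch([], state_root(stolen_state), now=100)
    return {
        "honest_batch_challenge_rejected": not contract.submit_fault_proof(honest, GENESIS, now=200),
        "bad_batch_invalidated": contract.submit_fault_proof(bad, honest_state, now=300),
        "theft_finalizable_after_a_week": contract.withdrawal_finalizable(bad, now=100 + DISPUTE_WINDOW),
        "honest_withdrawal_locked_early": not contract.withdrawal_finalizable(honest, now=DISPUTE_WINDOW - 1),
        "head_root_restored": contract.head_root == state_root(honest_state),
    }


if __name__ == "__main__":
    print("fault proofs on: ", scenario(True))
    print("fault proofs off:", scenario(False))
```

Run with fault proofs enabled, the fabricated batch is rejected and the head root falls back to the last valid one; run with them disabled, as on Optimism at the time of writing, the same batch finalizes after a week and the withdrawal it backs goes through. The honest withdrawal is locked until the window closes in both cases, which is the delay NFT transfers cannot avoid.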
Security Beyond the Core Platform
It does not matter if you have the best core platform security in the world if your project is compromised through some other mechanism. To make a truly informed decision, NFT projects need to consider a range of factors beyond consensus and bridge security, including:
Wallet security: How are user keys stored? What are the implications if this storage system is compromised (e.g. a hosted wallet provider, a malicious version of a native wallet application, a bad dependency in a browser extension)?
Metadata Security: How is asset metadata (including images) stored? What would be the market impact if these metadata were changed or replaced due to compromise?
Project Security: Projects on any platform usually keep some administrative private keys for their projects. What happens if these private keys are compromised? Does your project have the function of actively monitoring vulnerabilities? Does your platform support best practices for key management?
Security of Funds: Most platforms will have a large reserve of tokens (e.g. for rewards or grants). How are these funds held? How to authorize and execute the transfer from the vault? What is the impact of a compromise?
Flaws at any one of these layers can expose users of even the most secure underlying platform to harm—anyone describing a system as impenetrable is clearly wrong. Unfortunately, with a new asset class, especially one growing this rapidly, there is a constant search for new vulnerabilities and exploits. In such an environment, a solid understanding of these trade-offs is critical to choosing the right platform for your project.
At Immutable, we are addressing the core challenges faced by those wanting to build high-quality, high-scale, long-term NFT projects such as games, including the security challenges described above. If you're a builder, we'd love to start with you
I would also like to thank those who provided feedback on different parts of this post. Kelvin Fichter (Optimism), Avihu Levy (StarkWare), Bartek Kiepuszewski (MakerDAO, L2 Beat), Philippe Castonguay (Horizon/Skyweaver) and the Wormhole team - any remaining errors in this article are my fault.
