Addition of checklist item for DeBridge - From samtdomi @fresco_io on X #15
Description
DeBridge Security Checklist & Vulnerability Report / Economic Design Vulnerability / Lack of On-Chain Checks Open Potential Issue
Vulnerability: Insufficient Slashing Incentives & Validator Collusion Risk
🔧 Category
Bridge Consensus / Economic Incentive Design
Description
DeBridge relies on a multisig validator set (currently 8/12) to sign cross-chain messages (VAAs). While it includes staking and slashing contracts (e.g., DelegatedStaking), validator staking is not enforced, and slashing mechanisms are inactive or discretionary. As of mid-2024, validators can operate with zero economic bond, reducing deterrence for collusion or malicious behavior.
Risk
Without enforced collateral or penalties:
- Validators can collude to approve fraudulent transfers.
- The system is vulnerable to censorship or DOS.
- Users and integrators have no assurance of economic alignment between validators and network safety.
Impact
- High severity: Potential unauthorized minting, loss of peg integrity.
- Systemic risk: Undermines user trust in cross-chain guarantees and weakens DeBridge’s security assumptions.
Evidence & References
- DeBridge Docs – Slashing & Delegated Staking
- Security Roadmap (Blog)
- Validator Set and Airdrop Info – Publish0x
- Historical Bridge Attacks – Cointelegraph
- Restaking Security Risks (arXiv)
Recommendations
| Recommendation | Description |
|---|---|
| Mandatory staking | Require all validators to bond a minimum amount before participating. |
| Auto-slashing enforcement | Enable slashing for inactivity, double-signing, or malicious behavior. |
| Transparency dashboard | Public view of validator stake, uptime, and slash status. |
| Dynamic quorum scaling | Use adaptive thresholds (e.g. 10/12 for high-value messages). |
| On-chain alert system | Flag validators acting without stake or signing suspicious messages. |
Summary
This bug class is rooted in economic misalignment. By not enforcing slashing or mandatory staking, DeBridge leaves the door open for coordinated validator abuse. Activating and auditing slashing mechanisms is essential to securing the protocol against a repeat of Wormhole-style exploits.
DeBridge Audit: Real-Time Asset Consistency Violation
Vulnerability: Inconsistent On-Chain Asset Accounting
Category
Asset Accounting / State Consistency
Description
DeBridge relies on off-chain validator consensus to ensure that the total tokens issued (deAsset supply) do not exceed actual collateral deposited on the source chain. While validators are instructed to reject cross-chain messages (VAAs) that could overdraft assets, this check occurs off-chain only and is not enforced by on-chain logic.
This opens the door to inconsistencies caused by high-velocity asset flows, such as liquidations, large redemptions, or sudden token movements between the off-chain check and on-chain VAA execution.
Exploit Scenario
- A validator observes that
withdrawalAmount + totalWithdrawn <= deAsset.totalSupply, and signs a VAA. - Between the signing and on-chain execution, another large withdrawal occurs or the protocol’s reserves are reduced.
- The VAA is then executed, but on-chain reserves are now insufficient to support the full withdrawal.
- The result is an overdraft of assets, leaving the bridge illiquid and users unable to redeem real value.
This check is not within the smart contracts and Is missing as an on-chain check, making DeBridge rely COMPLETELY on off-chain sources
require(
deAsset.totalSupply() <= IERC20(underlying).balanceOf(address(this)),
"Asset supply exceeds backing"
);
---
### References
- DeBridge Docs: Validator Requirements
https://debridge.finance/learn/blog/10-strategies-for-cross-chain-security/
- DeBridge Docs: Slashing, Staking & Monitoring
https://docs.debridge.finance/the-debridge-messaging-protocol/slashing-and-delegated-staking
- Wormhole: $320M exploit due to lack of state verification in VAA
https://cointelegraph.com/news/uniswap-dao-debate-shows-devs-still-struggle-to-secure-cross-chain-bridges
- Count of Monte Crypto (Stanford):
https://arxiv.org/abs/2106.09440
---
### Recommendations
| Action | Description |
|-----------------------------------|----------------|
| **Enforce supply invariants on-chain** | Add `require(deAsset.totalSupply() <= collateralBalance)` to withdrawal execution functions |
| **Embed asset state in VAAs** | Include `totalWithdrawn` and `totalDeposited` in VAA payload; verify on execution |
| **Pause bridge on mismatch** | If execution detects overdraft, trigger emergency pause or circuit breaker |
| **Cross-chain reconciliation** | Periodically sync asset state via reconciliation VAAs |
| **Off-chain monitoring/alerts** | Watchdogs should detect abnormal delta in asset supply or reserves between VAA signing and execution |