Update on Snowbridge

Howdy everyone, just an update on our progress:

  1. A while back, we completed the re-architecture of our bridge to support BridgeHub, AssetHub, and XCMv3. Please read the following for more details: https://docs.snowbridge.network/architecture/

  2. The Ethereum side of our bridge (also known as the Gateway), is now completely governed by Polkadot OpenGov on the Polkadot side of the bridge. This means there are no governance fallbacks or escape hatches on the Ethereum side. We found a way to make it work.

  3. The main audit of our code has been completed, and after a QA process, we can expect the final report to be published some time next month. We’re working on several issues discovered in the audit. However these are largely straightforward fixes and don’t impact our timelines substantially. Some of the more important audit issues include:

    • On BridgeHub, a permissionless API (create_agent) could be used as DOS vector. The solution involves requiring a deposit for the use of this API.
    • On BridgeHub, Administrative commands to the Ethereum side of the bridge could be throttled and delayed. The solution involves giving these admin commands priority in the outbound queue to Ethereum.
    • On BridgeHub, Incoming messages from Ethereum could be silently discarded if there was HRMP congestion between BridgeHub and the final destination parachain. The solution involves failing the entire substrate transaction, so that message relayers back-off until congestion resolves.
  4. With help from W3F and CommonPrefix, we’ve designed improvements that increase the security of our BEEFY light client running on Ethereum. The light client uses RANDAO on Ethereum PoS as a source of randomness for selecting a subset of BEEFY validators which relayers must provide signatures for. The solution forces relayers to provide increasingly larger number of signatures if they attempt to game the system in a way that biases the selected RANDAO seed in their favour.

  5. We’ve successfully tested bidirectional ERC20 token transfers between Rococo and Goerli (An ethereum PoS testnet). We’ll want to start testing with other Rococo parachains soon.

  6. As an estimation, we’re looking at another month of development before starting the process of deploying on Kusama. Since our bridge lives on a system parachain (BridgeHub), we need to align with Parity’s release process for system parachains.

    • Fixing remaining audit issues (should not take longer than 2-3 weeks)
    • Updating to latest Polkadot-SDK dependencies which includes new BridgeHub & AssetHub APIs we have to consume.
    • Merging portions of our codebase into the bridges subproject of the Polkadot-SDK monorepo
    • Some outstanding issues relating to collecting XCM delivery fees on BridgeHub
    • We also require that BEEFY is deployed and activated on Kusama first.
  7. To be clear, while the core of our bridge is designed to be general-purpose, we are launching features in an iterative manner. Our initial launch will include ERC20 token transfers. A subsequent upgrade post-launch will enable XCM::Transact. Followed by support for transferring Polkadot-native tokens to Ethereum. We believe this iterative process increases the security of the bridge by allowing our team and our auditors to focus on one feature at a time. Nevertheless, we’ve made sure our core architecture and APIs are flexible enough to support this iterative model. For example, on Ethereum, our Gateway.sendToken API will be used to send both Ethereum-native and Polkadot-native tokens to Polkadot

  8. I’ll be presenting at Sub0 next week. We’ll also have a demo booth where people can try out our Rococo bridge.


Hearty congratulations! Its a very long road, I hope you guys enjoy the sweat and tears of the journey =)

Can you write up how this works here (and update snowbridge governance), specifically sharing the timing of regular vs emergency actions that you anticipate could be needed?

Some easy basic FAQ stuff:

  • Does registerToken (of ERC20 vs Assethub tokens) require an explicit OpenGov action?
  • What does a parachain need to do to get their AssetHub / Polkadot native asset as an ERC20?
  • How can the bridge/gateway be paused/resumed?

Congratulations! For Rococo Assethub => Goerli Testnet, can you share the following:

  1. working registerToken AssetHub on Rococo extrinsicID
  2. working sendToken extrinsicID and the evidence of success (tx logs/events) on Goerli Testnet

For Goerli Testnet => Rococo Assethub, can you share the following:

  1. working registerToken(address) transaction hashes
  2. working sendToken(address, ParaID, bytes32, uint128) transaction hashes and the evidence of success (extrinsic events) on Rococo Assethub

Please highlight the outbound/inbound messages and post your Goerli contract addresses / Bridgehub / Assethub runtime versions so people can do a deep-dive, thank you!

Kindly share the url where we can try it?

How is the ethereum side being trusted? Did you go the ETH Light Client rotue?

Sure, yeah we do need to flesh out documentation site. Though let me try and answer some of your questions quickly:

Regarding governance, on BridgeHub there are several privileged governance APIs that only Polkadot OpenGov can invoke. For example:

  • Upgrading the Gateway contract on Ethereum
  • Selectively pausing/resuming the Gateway on Ethereum, for example to disable outbound messages to Polkadot
  • Pausing/resuming specific bridging pallets on BridgeHub. For the sake of uniformity These APIs are actually shared with Polkadot-Kusama bridge, and so we can expect to have similar governance playbooks.

Regular governance actions will include upgrading the Gateway contract (and any of its dependencies, such as our Beefy light client). The upgrades should be audited before being proposed to OpenGov.

Emergency actions would be a halting/resuming parts of the bridge, as per the APIs described above.

  • Does registerToken (of ERC20 vs Assethub tokens) require an explicit OpenGov action?

Nope. Token registration is permissionless. However it will require a hefty deposit to discourage spamming. Even so, malicious parties on Ethereum can pay that deposit and register fake ERC20 tokens. It’s up to indexers, users, and other parachains to exercise good judgement when deciding whether to trust a specific bridged token on AssetHub.

  • What does a parachain need to do to get their AssetHub / Polkadot native asset as an ERC20?

As I described in my original post, the bridge does not currently support bridging Polkadot-native tokens to Ethereum. This will be one of the priorities after our initial launch.

We do have a design mapped out, and it will be a 2-step process:

  1. Parachain governance calls a register_token(location, metadata) extrinsic on BridgeHub using Xcm::Transact. This will send a command over to Ethereum, resulting in a new ERC20 contract being instantiated with the provided metadata (name, symbols, decimals).

  2. The parachain can then send regular XCM asset instructions to BridgeHub, resulting in new tokens being minted in the ERC20 contract from (1).

To send Polkadot-native tokens back to Polkadot, users can use the existing Gateway.sendToken API.

We’re not quite ready to support the public in using our Rococo testnet, but in the meantime, here are some of those transactions you’ve requested :slight_smile:.

Note that we are running our own instances of BridgeHub and Asset on Rococo until our auditing process is completed.

Register Token

  1. Register token initiated from Goerli for the Native Goerli ETH (GETH) token.

  2. Snowbridge BridgeHub fork (Parachain 3016) inbound message received.

  3. Snowbridge AssetHub fork (Parachain 3416) Create asset processed.

Send Token

  1. Send token initiated from Goerli for the Wrapped Ether (WETH) token.

  2. Snowbridge BridgeHub fork (Parachain 3016) inbound message submitted.

  3. Snowbridge AssetHub fork (Parachain 3416) Issue asset processed.

Send tokens back to Goerli

  1. Bridge transfer initiated on Snowbridge AssetHub fork (Parachain 3416) to send WETH back to Goerli. (Note this extrinsic is being depreciated in favor of pallet-xcm in future versions)

  2. Snowbridge BridgeHub fork (Parachian 3016) outbound message submitted.

  3. Inbound message received and processed on Goerli.