# Cross-Chain Bridges Security Model

![](/files/XWq133ocTIJKs7SFHSpV)

## Introduction to Cross-chain Bridges

Cross-chain bridges were recently implemented connecting the Callisto chain to the Binance smart-chain and Ethereum mainnet.

For this time, we followed a centralized approach where the Callisto team will hold a set of servers as “authorities” that sign cross-chain transactions (and forward data from one chain’s contract to another). **In this system, security is critical because an attack vector would allow a hacker to print an unlimited quantity of funds on behalf of the contract.**

A conception of [layered security](https://en.wikipedia.org/wiki/Defense_in_depth_\(computing\)) was used when designing the system and access restrictions model.

&#x20;

## Cross-chain Bridges in a Nutshell

A Cross-chain bridge allows users to swap assets from one chain to another. It’s a pair of two contracts at two different chains. One contract accepts a selected asset at the first chain and freezes it. At the same time, this contract emits a signal for the second contract to create the same quantity of “wrapped” tokens at the second chain.

The problem here is that contracts can not transfer data from one chain to another, and there must be a relay that will take the signal from one contract and deliver it to another, telling it that some action needs to be performed.

&#x20;

### Contract Modes <a href="#d817" id="d817"></a>

The contract system may operate in different modes.

* **Setup Mode** — some “risky” functions are only available in setup mode. Only ‘*Owner*’ can enable the setup mode, but it will be enabled after [24 hours](https://github.com/EthereumCommonwealth/CallistoBridge/blob/9a54ae9af083771ae35074d6ff10708b7a91650b/contracts/Bridge.sol#L460) from the moment of the function invocation.
* **Frozen** — the contract is not actively processing cross-chain swaps in this mode. Special accounts with “Freeze” permissions can freeze the contract immediately in case of anomaly detection. Returning the contract to the normal mode requires ‘*Owner*’ permission and “Setup Mode”.
* **Upgrading** — it is possible to switch this contract to a newer version deployed at a new address. Upgrading requires ‘*Owner*’ permission and can be performed [72 hours](https://github.com/EthereumCommonwealth/CallistoBridge/blob/9a54ae9af083771ae35074d6ff10708b7a91650b/contracts/Bridge.sol#L366) after the function invocation.

&#x20;

### Authorities — Low Trust / Minimal Permissions

Callisto Bridges rely on “*Authorities*” as relays. Every *Authority* is a special account (with its own private key) that is governed by a script at its dedicated server. Storing private keys on a server is not secure — that’s why *Authorities* are not trusted and only given a minimal set of privileges.

Every *Authority* is located at its own server.

*Authority* should only sign transfers. A minimum of 3 *Authority* signatures from different *Authorities* are required to consider that the transfer is valid. Every *Authority* has freeze permission to stop the contract if it observes the misbehavior of other *authorities*.

It is considered that an *Authority* can be malfunctioning or compromised during the workflow.

One “required” authority must sign every transfer — without this signature, the transfer can not be validated even if it has sufficient signatures from other authorities.

&#x20;

### Freezers — Emergency Stop Permissions

There can be special accounts with “Freeze” permission that does not have permission to sign transfers. These accounts are only used to observe the *authorities*.

### Owner — Governance Permissions

A special account is granted “*Owner*” permissions to debug the contract or punish malfunctioning authorities in the event of misbehavior.

*Owner* can remove *authorities* immediately.

*Owner* can enable “setup mode” to gain access to debugging functions of the contract, but the setup mode will be enabled after 24 hours since the function call.

In *setup mode*, the *owner* can:

* [*unfreeze* ](https://github.com/EthereumCommonwealth/CallistoBridge/blob/main/contracts/Bridge.sol#L408)the contract
* [add new *authorities*](https://github.com/EthereumCommonwealth/CallistoBridge/blob/main/contracts/Bridge.sol#L421)
* [set *authorities threshold*](https://github.com/EthereumCommonwealth/CallistoBridge/blob/main/contracts/Bridge.sol#L448), which is required to validate a cross-chain transfer and mint new tokens
* [set the address that receives fees](https://github.com/EthereumCommonwealth/CallistoBridge/blob/main/contracts/Bridge.sol#L440) from cross-chain transfers (if fees are enabled)
* [set the required authority](https://github.com/EthereumCommonwealth/CallistoBridge/blob/main/contracts/Bridge.sol#L435)
* [disable setup mode](https://github.com/EthereumCommonwealth/CallistoBridge/blob/9a54ae9af083771ae35074d6ff10708b7a91650b/contracts/Bridge.sol#L454) immediately

&#x20;

“Owner” is a multisig account with its own internal logic under the hood. A consensus model of *(50% + 1)* is used, which means that 3 owners of 5 total engaged accounts must approve an action in order to execute it.

The “Owners multisig” will be used to set up the contract, which means that the owner keys are sometimes used to sign transactions and possibly exposed to some services. Owner keys are initially given to 5 different persons.

### Founders — The Least Exposed Keys

There is an additional special account called “Founders multisig”. This account has no permissions but to [replace an “Owners” multisig](https://github.com/EthereumCommonwealth/CallistoBridge/blob/9a54ae9af083771ae35074d6ff10708b7a91650b/contracts/Bridge.sol#L377) with a new one in case Owners keys are compromised.

This action can be effective immediately, which means that the “founders multisig” can replace Owners before it can enable the Setup mode.

Founders have no other permissions, and these keys will never be exposed during the normal contract workflow unlike Owners multisig.

Founders multisig consists of 5 accounts (different from those at Owners multisig), and a consensus model of *(50%+1)* is used.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://callisto-network.gitbook.io/callisto-network/security-department/documentation/cross-chain-bridges-security-model.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.