L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our Discord to suggest improvements!

SummaryValue LockedDetailed descriptionRisk summaryTechnologyPermissionsSmart contracts

Transporter logoTransporter

About

Transporter is a Token Bridge based on Chainlink’s Cross-Chain Interoperability Protocol (CCIP) network.

  • Total value locked
  • Destination
    Various
  • Validated by
    Third Party
  • Type
    Token Bridge

    • About

    Transporter is a Token Bridge based on Chainlink’s Cross-Chain Interoperability Protocol (CCIP) network.

    Value Locked
    Detailed description

    Transporter is a Token Bridge based on Chainlink’s Cross-Chain Interoperability Protocol (CCIP) network.

    Transporter is a hybrid bridge that can work either as a Token Bridge or Liquidity Network depending on the requirements of tokens. It is using Chainlink CCIP standard for cross-chain communication, and it makes use of a secondary network of nodes, called Risk Management Network, responsible for validating the messages or halt the bridge.

    Risk summary

    Funds can be stolen if

    1. oracle network is compromised and Risk Management Network fails to halt ("curse") the bridge. Both networks would need to be separately compromised,
    2. a contract receives a malicious code upgrade. There is a 3h delay on code upgrades, during which designated Cancellers can veto the upgrade.

    Users can be censored if

    1. oracle network fails to facilitate the transfer (CRITICAL).
    Technology

    Principle of operation

    Transporter is a Token Bridge based on the CCIP network. The CCIP network is an AMB (Arbitrary Message Bridge) that enables the cross-chain transfer of arbitrary messages that are attested by ChainLink Oracles as well as a separate Risk Management Network. On each chain it has a singleton Router contract. For each route (”lane”) there is a triplet of OnRamp, OffRamp and CommitStore contracts defined. OnRamp is used to send messages to a destination chain, while OffRamp and CommitStore are used to receive messages. The CommitStore is used to store Merkle roots of CCIP messages sent from the Source chain, while OffRamp is used to verify and execute incoming messages. Both OnRamps and OffRamps use TokenPools to escrow tokens, one TokenPool per token. TokenPools - depending on token - may Lock/Release or Mint/Burn tokens. They may also use some custom setup, like e.g. for USDC where TokenPool is a wrapper for Circle’s CCTP bridge.

    Oracle Network

    Chainlink Oracle network is responsibile for validating cross-chain messages. For additional security, CCIP uses an off-chain secondary validation network called Risk Management Network. Each pathway between a source and a destination blockchain contains two Oracle committees. One committee interacts with the CommitStore contract on the destination chain to store the Merkle root of the finalized messages on the source blockchain. After the Risk Management Network verifies the merkle root and submits a voteToBless() transaction, the second oracle committee can execute the message on the destination chain.

    • Users can be censored if oracle network fails to facilitate the transfer (CRITICAL).

    • Funds can be stolen if oracle network is compromised and Risk Management Network fails to halt ("curse") the bridge. Both networks would need to be separately compromised.

    1. Risk Management Network
    Permissions

    The system uses the following set of permissioned addresses:

    RBACTimelock 0x4483…9449

    Role-based Access Control Timelock (RBACTimelock) smart contract. Onchain security-critical configuration changes and upgrades to the CCIP must pass through this contract. CCIP contract upgrades have to go through a 3h timelock.

    Timelock Admins 0x4483…9449

    Admins of the RBACTimelock contract. Can modify all other roles.

    Timelock Proposers (2) 0xE532…012F0xD659…05bf

    Proposers of the RBACTimelock contract. Can propose upgrades.

    Timelock Cancellers (5) 0xE532…012F0xAD97…F87B0xD659…05bf0xa8D5…69FF0x117e…aADc

    Cancellers of the RBACTimelock contract. Can cancel pending upgrades.

    Timelock Executors 0x82b8…5A2e

    Contract through which RBACTimelock proposals are executed. Proposals execution can be initiated by anyone.

    Smart contracts
    A diagram of the smart contract architecture
    A diagram of the smart contract architecture

    The system consists of the following smart contracts on the host chain (Ethereum):

    Router 0x8022…6f7D

    Central contract in CCIP responsible for the configuration of OnRamp, OffRamp and Commit Stores for different chains. This is an example Router contract for one of the lanes. There are many more lanes in the system, please check the specific smart contract for the lane you are interested in.

    OnRamp1 0x86B4…49d1

    OnRamp for outgoing messages to Arbitrum. This is an example OnRamp contract for one of the lanes. There are many more lanes in the system, please check the specific smart contract for the lane you are interested in.

    OffRamp1 0x3a12…c6c5

    OffRamp for incoming messages from Arbitrum. This is an example OffRamp contract for one of the lanes. There are many more lanes in the system, please check the specific smart contract for the lane you are interested in.

    CommitStore1 0x31f6…89AB

    CommitStore for storing incoming message roots from Arbitrum. This is an example CommitStore contract for one of the lanes. There are many more lanes in the system, please check the specific smart contract for the lane you are interested in.

    ARMProxy 0x411d…5e81

    The contract that manages the Risk Management Network, allowing blessing (validation) of messages and cursing (halting) the chain.

    RBACTimelock 0x4483…9449

    CCIP contract upgrades have to go through a 3h timelock.

    Value Locked is calculated based on these smart contracts and tokens:

    Generic escrow 0x0571…E1b4
    Generic escrow 0xA81f…eFda
    Generic escrow 0x8291…3B06
    Generic escrow 0x69c2…f93A
    Generic escrow 0x619E…924E
    Generic escrow 0x0C29…f4aA
    Generic escrow 0x6452…37a6
    Generic escrow 0xF84B…fA72
    Generic escrow 0xa967…349b
    Generic escrow 0xf522…dE99
    Generic escrow 0xd72F…c66c
    Generic escrow 0x0Bc4…75B4
    Generic escrow 0x66D4…dCEc
    Generic escrow 0x50f6…82ac
    Generic escrow 0xc62c…aD3e
    Generic escrow 0x8BcD…9062
    Generic escrow 0xd1b3…49DE
    Generic escrow 0x6dDF…4DB2
    Generic escrow 0x1580…2CFA
    Generic escrow 0xa176…01E7
    Generic escrow 0x7559…28CA
    Generic escrow 0x80e2…cFb8
    Generic escrow 0x8c60…2e56
    Generic escrow 0x57D3…475F
    Generic escrow 0xcd19…3526
    Generic escrow 0x2dd3…7470
    Generic escrow 0x123e…e5cA
    Generic escrow 0x73aE…90c1
    Generic escrow 0x2137…f45E
    Generic escrow 0xeaE8…9B73
    Generic escrow 0xc43c…8dF2
    Generic escrow 0xdCa0…D6d0
    Generic escrow 0x0472…0786
    Generic escrow 0xE2F0…e366
    Generic escrow 0xa370…74DA
    Generic escrow 0x8272…413a
    Generic escrow 0xb854…D7BA
    Generic escrow 0x6ce8…28F4
    Generic escrow 0x9797…28E6
    Generic escrow 0x4462…FF14
    Generic escrow 0x06f9…a9B8
    Generic escrow 0xBF7c…0982
    Generic escrow 0x8300…B12D
    Generic escrow 0x0DAF…2602
    Generic escrow 0x0238…E2E4
    Generic escrow 0xcd69…2733
    Generic escrow 0x4Ce6…675c
    Generic escrow 0xd8f7…c351
    Generic escrow 0x80Cc…E2d4
    Generic escrow 0xBA0E…24C3
    Generic escrow 0x6Ff6…cD7e
    Generic escrow 0x4C3a…7709
    Generic escrow 0xC229…0DF4
    Generic escrow 0xA82A…f858
    Generic escrow 0x2764…E73B
    Generic escrow 0xC456…CD29
    Generic escrow 0x82Df…012B
    Generic escrow 0x1175…A62e
    Generic escrow 0x7819…d288
    Generic escrow 0xa904…d000

    The current deployment carries some associated risks:

    • Funds can be stolen if a contract receives a malicious code upgrade. There is a 3h delay on code upgrades, during which designated Cancellers can veto the upgrade.