Chainlink has set itself apart as one of the most used Oracles in the Web3 industry. The Chainlink Cross-Chain Interoperability Protocol (CCIP) is one of its foundational tools that has given the firm a huge success after its official launch on July 17, 2023, and mainnet early access stage three days later.
Speaking at the SmartCon2023, Lorenz Breidenbach, Head of R&D at Chainlink Labs, provided a deep dive into the security model of CCIP.
The CCIP is a cross-chain solution that enables the transfer of data and value between public or private blockchain environments directly from their backend systems.
The multi-chain protocol which has been integrated with Ethereum, Avalanche, Polygon, and Optimism, is designed to establish a universal connection between hundreds of blockchain networks, both private and public.
The effect is that it will unlock isolated tokens and provide smart contract developers with a generalized, more robust computer infrastructure for transferring data and smart contract commands across blockchain networks.
The growing Web3 ecosystem needs an efficient security system
During Lorenz’s presentation, he highlighted the dynamic and ever-changing nature of the multi-chain ecosystem within the Web3 industry.
Chainlink has successfully integrated with a wide range of 17 diverse chains, each boasting its own unique attributes such as varying consensus algorithms, layer types, and much more.
He added that the growing interest in layer 2 solutions and emerging layer 3 chains further emphasizes the need for cross-chain interoperability. To unlock the full potential of these chains, seamless connectivity is paramount.
However, Lorenz said that there is a pressing concern: security breaches in cross-chain protocols. To date, over $2.6 billion has been hacked from such protocols, a stark reminder of the complexity and challenges inherent in this space.
To solve this problem, he said, cross-chain protocols must navigate distributed systems, cryptography, smart contract engineering, and deal with sophisticated adversaries, including state-level actors.
CCIP security built on three key principles
In describing a formidable solution for the security gap for cross-chain services, the Chainlink’s head of R&D told the audience that CCIP uses three basic security principles to address the challenge.
The first is “Rate Limiting”. CCIP’s design allows for the rate-limiting of token flows. Lorenz said that limiting the value per unit of time minimizes the potential damage caused by attackers.
“We can cap the value that flows in and out of CCIP to provide defense and depth,” he noted. And “this is possible because CCIP is designed from the ground up to be value aware.”
As a result, the CCIP system can track the quantity of tokens that a smart contract is accessing and transferring over time.
The second principle is the Risk Management Network.
“The risk management network is a completely independent system built in a different programming language than the CCIP primary system,” he said.
This idea is inspired by the concept of n-version programming.
N-version programming (NVP) is a software engineering technique that involves developing multiple functionally equivalent versions of a software system independently from the same initial specification.
The goal of NVP is to improve the reliability and fault tolerance of software systems by reducing the likelihood of a single point of failure.
The third is the Secondary Approval. Messages within CCIP must receive explicit approval from the Risk Management Network before they can be executed.
This secondary approval adds a layer of security, ensuring that even if issues arise in the primary system, they are unlikely to affect the Risk Management Network’s independent processes.
He noted that with this, the Chainlink network continuously monitors all blockchain participants in CCIP and can detect anomalies.
In the event of a detected anomaly, the system can be immediately paused, providing time for investigation and mitigation.
Lorenz said that CCIP prioritizes safety over liveness, meaning that the system may halt to protect assets rather than compromise security. This approach mitigates a broad spectrum of risks and vulnerabilities.
