It uses a set of trusted validators to verify deposits for lock-mint bridging. Tokens sent to the bridge escrow can be further sent to yield generating contracts (e.g. AAVE, Spark) by permissioned actors to accrue interest.

Risk summary

Principle of operation

The Gnosis bridge is comprised of two standard multisig-validated token bridges (Omni and xDAI) with similar architecture and validators. While the xDAI bridge is only used for bridging DAI-related tokens (xDAI is Gnosis Chains gas token), the Omni bridge can be used to bridge many other ERC-20 tokens. Both bridges on ethereum are served by external validators that sign bridge messages via custom multisigs. Assets that are locked in one of the escrows on ethereum can be ‘invested’ by permissioned actors to generate yield. In the case of DAI / sDAI (Spark protocol), the yield is handed down to sDAI users on Gnosis Chain. The addition of Hashi (EVM Hash Oracle Aggregator) and light clients for message validation is being tested but remains optional for now.

Incoming transfers are externally verified

Incoming messages to Ethereum are validated by Multisigs with publicly known entities as their signers. The DAI bridge validators are validated by the 4/7 BridgeValidators_DAI Multisig and the Omni bridge by the 4/7 BridgeValidators_Omni Multisig. Only messages signed by at least the threshold amount of validators from the respective multisig are accepted for releasing funds from the escrow contract or for executing messages.

Users can be censored if validators decide to not pass selected messages between chains.
Funds can be stolen if validators sign a malicious message to mint or release tokens that they did not burn or lock on the other side.
Funds can be frozen if validators don't relay messages between chains.

Gnosis bridge documentation

Destination tokens

Users receive wrapped ERC677 tokens on Gnosis Chain. There’s a separate bridge for Dai.

Other considerations

Rehypothecation

User assets in the bridge escrow are not locked and can be moved by permissioned actors. This is usually done to generate yield, which can then be forwarded to the users.

Funds can be stolen if there's an exploit in external contracts that are used to invest user deposits.
Funds can be frozen if there are not enough tokens in the escrow to service withdrawals due to investing.

Permissions

A dashboard to explore contracts and permissions

Go to Disco

Explore in Disco

Ethereum

Roles:

Validator (2) BridgeValidators_DAI BridgeValidators_Omni

Permissioned to sign crosschain messages, attesting to their validity.

Actors:

Gnosis Bridge Multisig 0x42F3…A3F6

A Multisig with 8/16 threshold.
Can upgrade with no delay
- DaiForeignBridge
- ForeignAMB
- ForeignOmnibridge
- BridgeValidators_DAI
- BridgeValidators_Omni
Can interact with DaiForeignBridge
- change all critical configurations like fees, yield farming for escrowed funds, limits, validating contract references
Can interact with ForeignAMB
- change external validation logic refered to by this contract (e.g. Hashi)
Can interact with ForeignOmnibridge
- change all critical configurations like yield farming for escrowed funds and limits
Can interact with BridgeValidators_DAI
- change the threshold and manage signers
Can interact with BridgeValidators_Omni
- change the threshold and manage signers

Participants (16):

GnosisSafe 0xb817…a21e 0xDdf2…d992 0xf59E…24e5 0xA078…6481 0x329c…3eD4 0xcF9e…75cE 0x5b10…7893 0xc44c…d2C8 0x8393…0780 0xB646…7ae4 0x10DD…06bd 0x80BA…1d97 0xb2a3…c4e8 0x57B1…332B 0x544c…2eFA

BridgeValidators_DAI 0xe157…201E

A Multisig with 4/7 threshold.
Custom multisignature contract for Validator addresses.
A Validator - acting directly

Participants (7):

Gateway EOA 1 Karpatkey EOA Gnosis DAO EOA 1 CoW Protocol EOA 1 Safe EOA 1 Protofire EOA 1 Giveth EOA 1

BridgeValidators_Omni 0xed84…4064

A Multisig with 4/7 threshold.
Custom multisignature contract for Validator addresses.
A Validator - acting directly

Participants (7):

Gateway EOA 2 Karpatkey EOA Gnosis DAO EOA 2 CoW Protocol EOA 2 Safe EOA 2 Protofire EOA 2 Giveth EOA 2

Hashi Multisig 0x670a…0957

A Multisig with 2/4 threshold.
Can interact with HashiManager_Omni
- change critical configurations of the Hashi protocol like the validation contract addresses
Can interact with HashiManager_DAI
- change critical configurations of the Hashi protocol like the validation contract addresses

Participants (4):

0xeca6…51aC 0x0577…a9Af 0xB1dD…c49f 0x9bd9…2eF8

EOA 1 0x30Fb…0B2E

Can upgrade with no delay
- HashiManager_Omni
- HashiManager_DAI

Smart contracts

A dashboard to explore contracts and permissions

Go to Disco

Explore in Disco

Note: Contracts presented in this section had their implementations updated since the last time our team looked at this project. The information presented may be inaccurate.

A diagram of the smart contract architecture

Ethereum

DaiForeignBridge 0x4aa4…5016 Implementation (Upgradable)Admin

Token bridge implementation and escrow for DAI-related tokens. Escrowed Dai can be invested in the Spark protocol for sDai. This contract stores the following tokens: cDAI, DAI, sDAI.

Can be upgraded by:

Gnosis Bridge Multisig with no delay

ForeignAMB 0x4C36…E64e Implementation (Upgradable)Admin

Arbitrary Message Bridge validated by the BridgeValidators. Can be used for token bridges or any other cross-chain messaging.

Can be upgraded by:

Gnosis Bridge Multisig with no delay

ForeignOmnibridge 0x88ad…5671 Implementation (Upgradable)Admin

Token bridge implementation and escrow for ERC-20 tokens. This contract can store any token.

Can be upgraded by:

Gnosis Bridge Multisig with no delay

Yaru 0x30f6…25ba

Contract handling inbound messages for the Hashi protocol.