Executive Summary

This comprehensive threat analysis report provides an in-depth review of potential security vulnerabilities within the LightLink Token Transfer Bridge Architecture. Through rigorous application of both the STRIDE and ABC threat modeling frameworks, the report identifies key system weaknesses and offers strategic mitigation recommendations.

Process

We have performed the threat analysis on the architecture of LightLink bridge and built a model according to the aspects that are weak in architecture and should be changed. We did the analysis according to the STRIDE Model, ABC Threat Modeling and came to the conclusion that the protocol has too few improvements which are described below.

System Architecture

The LightLink Bridge system architecture is based on a Proof-of-Authority mechanism with an external validator set that stakes its individual reputation in order to earn incentives for the trades on the LightLink bridge. This ensures a robust and interconnected framework enabling seamless asset transfers between Ethereum's Layer 1 and Layer 2. The bridge architecture consists of several key components, each playing a crucial role in the overall operation of the bridge. The bridge architecture consists of three main components, the front-end dApp, validator nodes and a single keeper node.

Note: While the provided documentation for the LightLink architecture is commendable and provides an essential overview, it could benefit from further detailed elaboration. A comprehensive breakdown of each component's functionality, interactions, and the specific roles they play in the broader architecture could enhance the depth and clarity of the document. Additionally, providing more detailed technical insights, workflows, and possible edge cases could facilitate a more robust understanding of the system. This will not only aid in improved transparency but also contribute to more effective and inclusive future audits, threat modeling, and security assessments.

LightLink Bridge: Cross-Chain Transfer Life Cycle

1. Transaction Initiation from chain1 to chain2

A user interacts with the front-end dApp to initiate a cross-chain transfer. The user connects their wallet, selects Ethereum and Lightlink as the source and destination chains respectively, enters the amount they want to transfer, and initiates the transfer. Internally, the dApp uses the ethers.js library to interact with the BridgeRegistry.sol smart contract on Ethereum to deposit the specified amount.

2. Transaction Inclusion In block (Ethereum Node)

When the user initiates a deposit, the Ethereum node stores an event labeled "Deposited". This event signifies that a user has deposited tokens into the smart contract and they're ready to be bridged.

3. Transaction Validation

Validators constantly monitor Ethereum nodes for the "Deposited" event. When the event is detected, the validators confirm the finality of the transaction. They check that the event data is finalized and not likely to be reverted due to chain reorganization. After approximately 12 blocks (~6 minutes), the validators consider the transaction to be final. The validators then send a proof, including their signature, to the Keeper node.

4. Keeper Node Confirmation

The Keeper node receives proofs from various validators and checks for consensus (currently set at 70% agreement). Once consensus is reached, the Keeper node initiates a transaction on the Lightlink network to mint tokens equivalent to the deposited amount.

5. Lightlink Node Processing

The Lightlink node, upon receiving the transaction from the Keeper node, mints an equal amount of tokens and credits them to the user's account on the Lightlink network.

6. Transaction Completion

The user's tokens are now available in their Lightlink account, indicating the successful completion of the cross-chain transfer from Ethereum to Lightlink.

Withdrawal Process

The withdrawal process begins when a user initiates a withdrawal request to retrieve any type of token on the Lightlink network. The Lightlink node then registers a "Withdrawn" event.

Following this, the validator nodes start scanning the event data from their assigned full nodes, which may vary for each validator. It's noteworthy that this data validation process occurs in real-time, as the Lightlink network doesn't have chain-reorganization issues.

Once the event data is finalized, the validators send a proof that includes their signature to the Keeper server. The users receive this proof and its signature and then send a transaction to the Ethereum node to claim their assets. Please note that a transaction fee (in terms of gas) applies during this process.

Assets

While Modeling the threats analysis on the architecture of LightLink bridge, the following classes of business and data assets were identified. Furthermore, the stakeholders were also identified as threat actors or victims of threats.

1. Business Assets

• Users: The stakeholders who use the system to conduct their asset transfers.
• LightLink Bridge dApp Front End: The primary interface for users to manage their assets and execute transactions.
• Ethereum Node and LightLink Node: Vital components in the system that handle the transactions and facilitate interaction with respective smart contracts.
• L1 and L2 Smart Contracts: Crucial elements that handle the logic of cross-chain transactions, asset locking, and minting.
• Keeper Node: A unique component that checks the consensus of proofs and initiates the minting of tokens on the LightLink chain.
• Validator Nodes: These nodes validate transactions and ensure their integrity and accuracy. They also communicate with the Keeper Node to maintain the system's security and accuracy.

2. Data Assets

• User Data: This includes data such as wallet addresses and asset balances.
• Transaction Data: All data related to the cross-chain transactions. This data is generated and used in various components of the system.
• Event Data: This data is stored during deposit or withdrawal actions performed by users.
• Consensus Data: This includes the proof data generated by the Keeper Node for verifying the consensus.
• Validation Data: Data generated by validator nodes, including proof of validation and event data from full nodes.
• Smart Contract Data: This includes the rules, functions, and transaction details stored in L1 and L2 Smart Contracts.

3. Stakeholders/Potential Threat Actors

• Users: Users are the end individuals who interact with the dApp for transferring assets between Ethereum and LightLink blockchains. They connect their wallets, select networks, and initiate transactions. While they are primary stakeholders, they could also pose threats if they attempt to exploit system vulnerabilities or engage in fraudulent transactions for personal gain.

• Software Ecosystem Contributors: This category includes everyone contributing to the design, development, and maintenance of the bridge's components like the front-end dApp, smart contracts, nodes, and other software elements. It's not just limited to in-house developers but extends to third-party developers, open-source contributors, DevOps professionals, and even tooling services used in the development process. These individuals or entities have profound system understanding and control. The security risk lies in the possibility of any contributor turning malicious or if their access credentials are compromised. This could result in the introduction of malicious code or the exploitation of system vulnerabilities.

• Validator Node Operators: These operators run the validator nodes that are 

• responsible for scanning and validating transaction events. They play a critical role in maintaining the integrity and reliability of the system. However, if their systems, or third-party services such as Infura used for validation, are compromised, they could validate false or fraudulent transactions, potentially leading to a significant breach.

• Keeper Node Operator: The Keeper Node Operator runs the Keeper Node, a unique component that checks consensus and initiates the minting of tokens on the LightLink blockchain. The operator has substantial control over the system, and a compromise could result in a serious security breach, such as fraudulent minting.

• Ethereum and LightLink Network Operators: These are the entities responsible for the operation and maintenance of the Ethereum and LightLink networks, on which the bridge is based. Any misconfigurations or security issues at this foundational level could have cascading effects on the security of the bridge.

• Infrastructure Providers: If the system relies on third-party infrastructure like cloud servers, these providers could pose threats. With significant system access, they could be a weak point in the security architecture, especially if their services are compromised.

• Community: The community serves as a significant stakeholder that greatly influences the success of any product, particularly within the realm of decentralized protocols. However, the community also represents a potential risk factor. For instance, social channels like Discord and Twitter, often used for communication and updates, can be exploited or compromised, leading to the spread of misinformation, FUD (Fear, Uncertainty, Doubt), or even fraudulent instructions. Furthermore, unofficial side channels may emerge, providing a breeding ground for scams or misleading information. Such scenarios could potentially cause confusion or misconfigurations within the protocol, thereby compromising its integrity and security.

Potential Threat Vectors In The LightLink Architecture

Threat 1: Centralization of Validator Power

Threat Description:

The LightLink bridge employs two validator nodes with disproportionate powers of 50 and 20 respectively. This implies that one validator node has significantly more influence over the consensus mechanism than the other.

The threat here is of a potential collusion between the two validators, or the validator with higher power getting compromised. Given their disproportionate power, the validators could manipulate the consensus mechanism or block transfers maliciously. It could lead to potential security breaches, manipulation of asset transfers, or even rendering the entire bridge useless.

Attack Scenario: 

An attacker who gains control over the validator with power 50 could potentially manipulate the proof of deposits and withdrawals, effectively gaining control over the cross-chain transfer of assets. This could result in false transactions being validated or valid transactions being blocked.

The attack could be even more potent if both validators collude or are compromised. In such a case, they can bypass the 70% consensus threshold mechanism, leading to a complete breach of the bridge's security and functionality.

Mitigation:

• Decentralize Validator Power: The first step to mitigate this threat is to decentralize the power among validators. This could be achieved by including more validators in the system and distributing the power more evenly. This would reduce the possibility of any single validator node, or even a small group of them, being able to manipulate the system.
• Periodic Rotation of Validators: Implement a mechanism to periodically rotate validators. This reduces the risk of a long-term attack as the control over validation would change hands regularly.
• Strong Authentication and Access Control Mechanisms: Implement strong authentication and access control mechanisms for validator nodes. Regularly audit the access control mechanisms to ensure they are functioning as intended.
• Disaster Recovery Plan: Implement a robust disaster recovery plan that includes a mechanism to quickly pause all operations, backup and restore critical data, and switch to backup systems if necessary. This plan should be regularly tested to ensure its effectiveness during an actual disaster.

Threat 2: Centralization Risk in Multisig Implementation

Threat Description:

The implementation of multisig contracts in LightLink bridge currently involves only one member, creating a centralization risk. In the context of the Ronin bridge attack, this centralized multisig scheme can become a single point of failure and pose serious security threats.

In the blockchain context, multisignature (multisig) refers to requiring more than one key to authorize a transaction. It is a technique that adds an additional layer of security for blockchain transactions. The multisig members in the LightLink bridge can be either validators or separate entities depending upon the architecture design. They play a vital role in authorizing critical operations on the bridge such as asset transfers, thus, it's crucial to ensure their decentralization to avoid any single point of failure.

In the Ronin case, they claimed to have nine validators, but in reality, a single entity controlled five, effectively having control over more than 50% of the decision-making power. This issue underscores the importance of decentralization in multisig implementation, as the centralization of power can lead to catastrophic consequences if that entity is compromised.

Attack Scenario:

In the current architecture of the LightLink bridge, a malicious actor gaining control over the single member in the multisig setup could potentially manipulate asset transfers across the bridge. They could approve false transactions, block legitimate ones, or even freeze the contract entirely. This scenario mirrors the Ronin bridge attack, where a single entity's control over the majority of validators led to a massive security breach.

Mitigation:

• Decentralize Multisig Control: To mitigate this, decentralization of control in multisig implementation is crucial. Introducing more members into the multisig setup would distribute the decision-making power and reduce the risk of a single point of failure.
• Multisig Governance: Implement a governance mechanism for the multisig setup. This mechanism should include rules on how new members are added or removed, how power is distributed, and how decisions are made.
• Strong Authentication and Access Control: Implement strong authentication measures for all members of the multisig setup. Regular audits of these mechanisms are also vital to ensure they are effective.
• Transparency: Ensure transparency in the operation of the multisig setup. All decisions should be publicly logged and easily verifiable. This can help identify any potential misuse of power.

Threat 3: Unauthorized Minting and Exploitation of Wrapped Stablecoins

Threat Description:

Bridges such as the LightLink bridge are fundamental to cross-chain asset transfer, enabling transfer of a myriad of tokens including stablecoins and their wrapped counterparts. While this functionality enhances interoperability, it also introduces unique security risks. One notable threat lies in the potential unauthorized minting of wrapped stablecoins like Wrapped USDT (wUSDT), if the bridge or its components become compromised.

It's important to understand that while stablecoins like USDT are issued by a centralized entity (e.g., Tether Limited) and can be frozen or blacklisted by the issuer to halt illicit transactions, this protection doesn't inherently apply to wrapped versions of these stablecoins. The overall security of a wrapped stablecoin depends heavily on the trustworthiness and security measures of its issuer, as well as the security of the bridge.

Attack Scenario:

In a potential attack, an adversary who gains control over the LightLink bridge or its validators could create fraudulent proofs of locked USDT tokens on the Ethereum network. Leveraging this, they could then illicitly mint an equivalent amount of wUSDT on the LightLink network. If the wrapped token's issuer is less secure or slower to respond than the original issuer, the attacker could then exchange these illegitimately minted wUSDT for other assets before the fraudulent activity is detected and halted.
Mitigation:

• Use Reputable Wrapped Tokens: Restrict the types of wrapped tokens the bridge handles to those issued by reputable entities with effective security controls.
• Transaction Monitoring: Implement automated systems to monitor transactions for any suspicious activity. If a sudden surge in the minting of wrapped tokens is detected, this could indicate a security breach, prompting quick response measures.
• Distributed Trust: Establish a mechanism where multiple validators must approve a token minting event. This would make it harder for a single compromised party to fraudulently mint wrapped tokens.
• Disaster Recovery Plan: Implement a robust disaster recovery plan that includes a mechanism to quickly pause all operations, backup and restore critical data, and switch to backup systems if necessary. This plan should be regularly tested to ensure its effectiveness during an actual disaster.

Threat 4 : Exploitation of Elastic Supply Tokens

Threat Description:

Tokens with elastic supply, like Ampleforth (AMPL), operate on a unique model where the token's supply automatically adjusts or "rebases" to market conditions. This means the quantity of these tokens held by an address can fluctuate daily, without any transactions occurring.

In the context of the LightLink bridge, this could create potential security challenges. Since the quantity of tokens isn't fixed, an attacker could potentially exploit these fluctuations to manipulate transactions across the bridge.

Attack Scenario:

Let's consider an attacker who holds an elastic supply token on the Ethereum side of the bridge. They initiate a transfer to LightLink during a positive rebase period when their token quantity is increasing. The bridge smart contract locks the initial amount of tokens, but in the subsequent rebase, the attacker's token quantity increases.

Since the bridge's smart contract may not be designed to handle such fluctuations, the attacker might be able to claim more tokens than were originally locked, leading to an imbalance in the bridged tokens.

Mitigation:

• Token Whitelisting/Blacklisting: Implementing a whitelisting or blacklisting system can control which tokens can be transferred over the bridge. This could involve blacklisting tokens with elastic supply, reducing the complexity and potential attack vectors.
• Custom Logic for Elastic Supply Tokens: If allowing elastic supply tokens is a requirement, the smart contracts could be designed with additional logic to handle these tokens. This would involve checking for rebases and adjusting the locked tokens accordingly.
• Transparency: Maintain transparency in operations to foster trust within the user community. All decisions about which tokens are allowed or disallowed should be communicated openly, along with the reasons for those decisions.

Threat 5: Compromise of Centralized Interfaces

Threat Description:

Like BadgerDAO, LightLink bridge could be vulnerable to threats associated with the compromise of centralized interfaces used in its tech stack. The exploitation of Cloudflare, a web infrastructure platform, in the BadgerDAO incident highlights the potential risks that centralized services pose to blockchain applications. Attackers manipulated the vulnerability in Cloudflare to alter JavaScript files on the website, redirecting transactions to their own accounts.

Attack Scenario: 

An attacker could exploit a vulnerability in the centralized services used by the LightLink bridge, such as  Cloudflare (if used). With this foothold, they could alter the code on the website to manipulate transaction data. This could result in unauthorized asset transfers across the bridge, potentially leading to massive financial losses akin to the $120 million stolen in the BadgerDAO hack.

Mitigation:

• Decentralization: Adopting a fully decentralized architecture is a critical step towards preventing the compromise of centralized services. This includes transitioning from a Web 2.0 infrastructure to a fully-fledged Web 3.0 framework, incorporating decentralized domains, storage, and identities.
• Multi-signature Transactions: Implementing multi-signature transactions can also significantly enhance security. With this, multiple approvals are required before a transaction can be executed, providing an additional layer of security to prevent unauthorized transactions.
• Decentralized Storage: Switching to decentralized storage options, such as IPFS or Arweave, can further secure data storage and protect against the compromise of centralized storage platforms.
  Strengthening Access Control and Authentication: Robust access control and authentication mechanisms can limit unauthorized access to the bridge's systems and data, further mitigating the risk of attacks.
  Disaster Recovery Plan: A well-developed disaster recovery plan can ensure that in the event of a compromise, operations can quickly pause, critical data is backed up and restored, and operations can switch to backup systems.

Comprehensive Threat Analysis for Blockchain Bridges Considering Specific Threats

The following is a detailed analysis of threats and vulnerabilities that Blockchain Bridges, including Lightlink, may face, primarily based on the comprehensive Defi Threat Modeling repository created by a security researcher from BlockApex. This repository dissects the functional aspects of various web3 components and reveals potential security vulnerabilities and threats related to these functionalities.

• Insufficient Gas: Blockchain transactions require a certain amount of gas to be processed. If the gas provided is insufficient, transactions can fail. This threat intensifies during periods of network congestion or sudden gas price fluctuations. Mitigation of this risk involves setting up robust mechanisms to estimate gas requirements accurately and provision sufficient gas for all transactions.

• Chain Rollbacks: Blockchain reorganizations or "chain rollbacks" can potentially result in the loss of funds or double-spending situations. To mitigate this threat, it is crucial to implement measures that guarantee transaction finality even in the event of a chain reorganization.

• Unauthorized Unlocking: If the keys to a bridge contract are compromised, unauthorized entities may invoke the unlock function and transfer funds. An example of this type of attack is the Ronin Bridge Hack. The countermeasure to this threat involves implementing stringent access control measures and secure key management practices.

• Access Control Issues: Flaws in access rights management can potentially allow attackers to mint more tokens than intended, leading to an imbalance in the token supply. To counter this, it is crucial to have secure and efficient access control mechanisms in place.

• Replay Attacks:  Replay attacks occur when adversaries resubmit a transaction, misleading the system about the transaction origin. These attacks can compromise the integrity and functionality of the system. Proper management of transaction identifiers and the use of nonces are critical to ensure the uniqueness of each transaction, acting as an effective countermeasure against replay attacks.

In the specific context of LightLink architecture, replay attacks could pose a more insidious threat. In a scenario where the database storing transaction proofs is not adequately protected or rate-limited, there is a potential risk of Denial of Service (DoS) attacks or even a system crash. This situation could arise if repeated replay attacks lead to an overflow of the database disk due to the storage of excessive, potentially redundant proofs. The user experience could be severely hampered, ranging from slowed operations to complete denial of service. To mitigate this threat, it is recommended to implement rate-limiting measures, perform regular maintenance and monitoring of the database, and ensure efficient handling of transaction proofs. This way, the database can cope with the transaction load without compromising operational efficiency or system security.

• Signature Replay Attacks: These are instances where attackers manipulate transactions by replaying or forging signatures, thereby misleading the system about the transaction's origin. To prevent such attacks, proper management of signatures is required, including the use of nonces to ensure each transaction and its signature are unique. Further, employing robust cryptographic algorithms for signature generation can enhance the system's resistance against such attacks..

• Unrestricted Deposit Emitting: If tokens are not securely locked before a deposit event is triggered, attackers might bypass the lock procedure and trigger a valid deposit event, leading to unauthorized token unlocking. The mitigation strategy involves enforcing proper locking procedures before triggering a deposit event..

• Cross-Chain Messaging Failure: If events emitted on one chain aren't correctly relayed to the other, it could lead to the failure of the intended operation. To prevent this, robust mechanisms for message passing across chains should be implemented.

• Imbalancement of Source Chain Funds: Imbalances in the source chain funds could potentially be leveraged to attack the blockchain bridge. A relevant example of this was discussed in Threat 4 of the BlockApex Defi Threat Modeling document, which highlighted the risks associated with elastic supply tokens.

• 51% Attack: In a network with a small number of validators, an attacker could potentially gain majority control of the network and manipulate it. Mitigation strategies include implementing robust consensus mechanisms and increasing the number of validators. A relevant example of this was discussed in Threat 1 and Threat 2

• Fee Evasion: In the context of blockchain transactions, logical bugs in the system could allow users to evade applicable transaction fees, leading to potential financial losses for bridge operators. For example, if there's an error in the fee calculation or collection function within the bridge's smart contract, a user might be able to bypass the fee payment while still successfully executing a transaction.

• Chain ID Checks and Chain ID DOS: This threat involves scenarios where the destination chain's ID isn't adequately verified, potentially leading to loss of funds or enabling a Denial of Service (DoS) attack. For instance, if a blockchain forks, but the Chain ID isn't updated or checked dynamically, it could create an opportunity for replay attacks.

In another scenario known as "source chain poisoning", a fake blockchain could be created by an attacker that mirrors a legitimate Chain ID. If the system isn't verifying the authenticity of the chains, it could mistakenly interact with this fake chain, leading to token loss or invalid states.

Mitigation includes implementing dynamic Chain ID checks that confirm the validity of each transaction and maintaining a whitelist of allowed Chain IDs to prevent interaction with unauthorized or fake chains.

• Collision Attacks: Attackers can create collisions of identifiers such as transaction IDs, user addresses , contract addresses, signatures etc can cause system confusion. To mitigate this, unique identifiers for transactions should be used, and collision detection mechanisms should be implemented.

• Address(0) Check: Without proper checks, funds might be accidentally sent to address 0 and be permanently lost.

STRIDE: Threat Modeling

STRIDE Modelling for LightLink Assets

STRIDE was first devised by Microsoft to test traditional software applications but it is also used for blockchain protocol to identify potential major issues in the protocol. The classification below shows the threat models that were identified on the stakeholders according to STRIDE.

Mitigation Matrix

The following matrix defines the mitigations for threats identified through the STRIDE classification, assigning each threat an impact and likelihood, and providing suggestions to counter these threats. Countermeasures should be implemented against each threat to ensure the protocol is free from security loopholes.

1. Users 

2. Software Ecosystem Contributors

3. Validator Node Operators

4. Keeper Node Operator

5. Ethereum and LightLink Network Operators

6. Infrastructure Providers

7. Community

ABC: A Cryptocurrency-Focused Threat Modeling Framework

ABC is a systematic threat modeling framework that's primarily geared towards cryptocurrency-based systems. However, its tools and methodologies are also useful for any distributed system. ABC assists designers in focusing on the following key areas:

• Financial Motivation of Attackers: Understand the potential financial gains that could motivate attackers to target the system.
• New Asset Types in Cryptocurrencies: Recognize and analyze the unique assets in cryptocurrencies, including the system's own tokens, user balances, and smart contracts.
• Deriving System-Specific Threat Categories: Determine the specific categories of threats that are most relevant to the system based on its design, architecture, and functionality.
• Spotting Collusion and Managing the Complexity of the Threat Space: Identify possible areas where collusion between different entities could lead to vulnerabilities. Manage the complexity of the overall threat space using ABC's unique tool, the collusion matrix.

The ABC framework also integrates seamlessly with other crucial steps of system design such as risk management and threat mitigation, providing a comprehensive and robust approach to ensuring system security.

ABC Steps:

ABC Steps:

Step 1: System Model Characterization

From the provided details, the system model characterization for LightLink Bridge architecture might look as follows:

Activities in the system:

• User interacts with the dApp interface.
• The dApp interacts with either the Ethereum or LightLink node.
• The nodes communicate with L1 or L2 smart contracts.
• L1 and L2 smart contracts communicate with Keeper nodes.
• The Keeper node communicates with the Validator node.

Participant roles:

• Users: Users use the bridge for transferring assets.
• Ethereum and LightLink nodes: These nodes process transactions coming from the dApp.
• L1 and L2 smart contracts: These contracts execute specific functions based on the transaction details received from the Ethereum or LightLink nodes.
• Keeper nodes: These nodes ensure the integrity and security of the network by interacting with smart contracts.
• Validator nodes: These nodes validate the transactions coming from Keeper nodes.

Assets:

• DApp Server: The DApp Server is an integral part of the Lightlink Bridge architecture. It hosts the decentralized application (DApp) and acts as an intermediary, processing user requests and facilitating transactions between the Ethereum and Lightlink networks. It communicates with smart contracts and keeper and validator nodes, playing a critical role in the system's operation and security.
• User assets: This could be the Ethereum-based or LightLink-based assets that the users are trying to transfer.
• Nodes: These are the Ethereum, LightLink, Keeper and Validator nodes that process and validate transactions.
• L1 and L2 smart contracts: These contracts contain the logic and rules for processing transactions.
• Network: This includes the network infrastructure connecting the different components of the system.

External dependencies on other services:

• Ethereum Network: The dApp relies on the Ethereum network for processing transactions.
• LightLink Network: The dApp also relies on the LightLink network for processing transactions.

System assumptions:

• The Ethereum and LightLink networks are secure and reliable.
• The nodes and smart contracts are correctly implemented and free of vulnerabilities.
• Users are interacting with the dApp in good faith.

Architecture Diagram:

Step 2: Threat Category Identification

Given the nature of the system and the assets identified, here are potential threat categories:

Step 3: Threat Scenario Enumeration and Reduction

Threat 1: DApp Server

• Unauthorized Access: 

Attack Scenario:If an unauthorized entity gains access to the DApp server, it could potentially manipulate user data, change application logic, or alter server settings. Such intrusion could compromise the entire system, disrupting user transactions and potentially stealing sensitive data. This could result in severe reputation damage and financial losses.

• Denial of Service (DoS):

Attack Scenario: A DoS attack is a scenario where an attacker attempts to make the DApp server unavailable by overwhelming it with a flood of internet traffic. The attacker could potentially send an exceedingly high number of requests, exhausting server resources, and making the DApp server unresponsive to legitimate user requests. This could cause inconvenience and frustration to users and potentially make them lose trust in the system.

• Data Tampering:

Attack Scenario: If the DApp server is compromised, an attacker could potentially alter or tamper with the data stored or transferred by the server. This can affect the integrity of the system, leading to incorrect or misleading data being shown to users. It could also lead to improper transaction execution, affecting the accuracy of asset transfers or causing unexpected loss of funds.

• Information Disclosure:

Attack Scenario: In a situation where the DApp server's defenses are breached, confidential or sensitive information, including user details, private keys, or transaction details, could be leaked. This unauthorized disclosure could lead to loss of privacy, identity theft, or misappropriation of funds.

• Elevation of Privileges:

Attack Scenario: This is a scenario where an attacker manages to exploit vulnerabilities in the DApp server to gain higher-level privileges. This could allow them more control over the server and its functionalities, enabling them to manipulate data, alter application logic, or even disrupt the operation of the server.

• Using Components with known vulnerabilities

Attack Scenario: Servers are made up of different components and packages. The components can be vulnerable, given a dependent library fails due to a new bug. So If the server’s code containing a vulnerable version of the library doesn't update on time or is

patched, the result is a weakness for the protocol. Attackers can view the versions of the dependencies containing the vulnerable code and confirm the exploit as easily as by checking it on websites such as exploit-db.

Due to the large complexity of modern applications, it is easy to lose sight of all the dependencies and software being used, commonly termed as a SBoM. It is important to know that automated scanners or manual testing might reveal outdated software with issues. Exploiting known issues can have disastrous impacts, they are often the first thing the attackers look at and abuse to gain a foothold, elevate their privileges, impersonate other users and whatnot. If the attacker gets hold of the server all the users can lose their funds and NFTs.

• Social Engineering Attack

Attack Scenario: Nowadays it’s common to host the server on cloud infrastructure such as AWS so in that case if the attacker gets the admin console credentials of the server through social engineering then it can have full control over the server and can execute malicious activity which will create a financial loss for the users of ember protocol.

Threat 2: User Assets

• Unauthorized access to assets

Attack Scenario: An attacker may use phishing techniques to trick users into revealing their private keys. Once the attacker has access to a user's private keys, they can access the user's assets and transfer them to an address under their control.

• Asset loss during transfer

Attack Scenario: During the asset transfer process, a number of issues could lead to asset loss. If there's a bug or vulnerability within the L1 or L2 smart contracts, an attacker could exploit it to redirect asset transfers to their own address. Additionally, if the user interacts with a malicious dApp, it could initiate unauthorized transfers. A network disruption (due to DDoS or other reasons) during a transfer could also potentially lead to asset loss. Furthermore, if a transaction is not properly validated or if a malicious validator node is involved, assets could be incorrectly sent or not sent at all.

Threat 3: Nodes

• Node impersonation

Attack Scenario: A malicious actor could try to impersonate a legitimate node (like an ETH node, LightLink node, Keeper, or Validator) within the system. If successful, this would give the attacker the ability to manipulate the data that the node is supposed to handle, possibly leading to incorrect validation of transactions or even unauthorized transactions. For instance, if an attacker impersonates a Keeper node, they could provide false confirmations for transactions, leading to assets being sent to wrong addresses or the approval of illegitimate transactions.

• Node compromise

Attack Scenario: An attacker may exploit a vulnerability in a node's software or hardware to gain control over it. With control over a node, the attacker can manipulate transaction data, insert false transactions, or prevent certain transactions from being processed.

Threat 4: L1 and L2 smart contracts

• Contract exploitation

Attack Scenario: A malicious actor discovers a bug or vulnerability in the L1 or L2 smart contracts. This bug could be exploited to perform unauthorized actions. For instance, an attacker could manipulate the contract to redirect asset transfers to their own address, effectively stealing user assets during the transfer process.

Threat 5: Network

• Network attacks (DoS/DDoS)

Attack Scenario: Attackers could flood the network with illegitimate requests, effectively slowing down or even halting the network's ability to process legitimate requests. This could result in users being unable to transfer their assets. Alternatively, a DoS/DDoS attack could target a specific node (like a Keeper or Validator node), which could disrupt the functioning of the whole system.

• Man-in-the-middle attack

Attack Scenario: In a Man-in-the-Middle (MitM) attack, a malicious actor could position themselves between two communicating parties (e.g., between the dApp and a node or between two nodes). By doing so, they could intercept and potentially alter the data being exchanged. In the context of the LightLink Bridge architecture, this could enable an attacker to alter transaction details, redirect asset transfers, or gather sensitive information.

Collusion Matrix

Service Theft Threat Collusion Matrix

In the LightLink bridge architecture, the following are the primary stakeholders:

• Users (U)
• Developers (D)
• Validator Node Operators (V)
• Keeper Node Operator (K)
• Ethereum and LightLink Network Operators (E)
• Infrastructure Providers (I)

A Collusion Matrix could be structured as follows, considering the "Service Theft" threat:

Here, 'Y' indicates the potential for collusion between the stakeholders to perform a "Service Theft" attack. Let's further describe the possible collusion scenarios:

• Users and Developers (U-D): A malicious user could bribe a developer to alter the bridge system, granting the user unauthorized privileges or access to assets.

• Users and Validator Node Operators (U-V): A user could collude with a validator to validate fraudulent transactions, enabling the theft of assets.

• Users and Keeper Node Operator (U-K): A user could potentially collude with the keeper node operator to validate and process fraudulent transactions.

• Developers and Validator Node Operators (D-V): A rogue developer could work with a validator node operator to alter transaction validation processes and steal assets.

• Developers and Keeper Node Operator (D-K): A rogue developer and the keeper node operator could collude to alter the system's consensus rules and validate fraudulent transactions.

• Validator Node Operators and Keeper Node Operators (V-K): Both these operators could collude to validate and process fraudulent transactions.

• Ethereum and LightLink Network Operators and Other Roles (E-X): Given their foundational role in the network, these operators could potentially collude with any other stakeholder role to disrupt service integrity.

• Infrastructure Providers and Other Roles (I-X): Since they provide the underlying hardware and network resources, these providers could collude with any other stakeholder role to disrupt the bridge system's functionality.

Step 4: Risk Management and Threat Mitigation

• Unauthorized Access: This threat can be mitigated by implementing strong access control mechanisms, use of multi-factor authentication (MFA), maintaining principle of least privilege (POLP), and regularly auditing system access logs. Regularly updating and patching the system to fix vulnerabilities can also reduce the risk of unauthorized access.

• Denial of Service (DoS): This threat can be mitigated by using rate-limiting techniques to limit the number of requests a single user/IP can make in a given period. Additionally, you can use load balancing to distribute network traffic evenly across multiple servers, and ensure a robust infrastructure that can handle increased traffic or load.

• Data Tampering: To mitigate this threat, implement strong data validation and sanitization techniques. Use cryptographic techniques to secure data during transit and at rest. Implementing a robust backup and recovery plan can also help to recover tampered data.

• Information Disclosure: This threat can be mitigated by encrypting sensitive data both in transit and at rest, using secure protocols for data transmission (like HTTPS), and using secure methods for data storage. Access to sensitive information should be strictly controlled and logged.

• Elevation of Privileges: Implement the principle of least privilege (POLP), where a user is given the minimum levels of access necessary to complete their job functions. Regularly audit system and application logs to identify and investigate suspicious activities.

• Using Component with Known Vulnerabilities: Regular patching and updating of system components are critical to prevent exploitation of known vulnerabilities. Furthermore, the use of software composition analysis tools can help in identifying components with known vulnerabilities.

• Social Engineering: Employee education and awareness training about the risks and signs of social engineering can significantly reduce the threat. Regularly updating and enforcing security policies, along with implementing technical controls to detect and prevent phishing attacks and other social engineering tactics can also be helpful.

• Unauthorized Access to User Assets: This threat can be mitigated by using secure storage methods for private keys, such as hardware wallets. Furthermore, education about the risks of phishing attacks and the importance of verifying the authenticity of communication can reduce the risk of users revealing their private keys.
• Asset Loss during Transfer: To mitigate this threat, it's important to thoroughly test smart contracts to ensure that they function as expected under various conditions. Also, reliable validation and verification mechanisms should be in place to prevent unauthorized or incorrect transfers. Network security measures, such as DDoS protection, can help prevent network disruptions that could interfere with asset transfers.

• Node Impersonation: Strong authentication mechanisms can help prevent node impersonation. Each node's identity should be validated before it is allowed to participate in the network. Also, regular auditing of network activity can help detect anomalous behavior that might indicate impersonation.

• Node Compromise: Keeping the node software and hardware up to date can reduce the risk of node compromise. Regular security assessments and intrusion detection systems can help identify vulnerabilities and detect compromises early.

• Contract Exploitation: Regular auditing of smart contracts by security experts can help find and fix vulnerabilities that could be exploited. Implementing mechanisms to pause or upgrade contracts can help manage potential exploits when they are discovered.

• Network Attacks (DoS/DDoS): DDoS protection services can help mitigate these attacks. Load balancing and traffic throttling can also be used to prevent an overload of requests from impacting service availability.

• Man-in-the-Middle Attack: Secure communication protocols such as Transport Layer Security (TLS) can help prevent Man-in-the-Middle attacks. Regularly reviewing and updating security configurations can also reduce the risk of such attacks.

Disclaimer

This Threat Modeling Report is prepared by BlockApex for the express purpose of informing and advising the development team of LightLink Bridge on potential threats, vulnerabilities, and security measures relevant to their blockchain application.

While every effort has been made to ensure the accuracy and completeness of the information contained in The Report, it is provided on an "as is" basis. The information included in The Report is based on the best available information as of the date of its publication. Future changes in technology, legal and regulatory frameworks, or the security landscape may necessitate updates to The Report.

The proposed threat scenarios and mitigation strategies in The Report do not constitute an exhaustive list of all possible risks or solutions. The inclusion or omission of any particular threat or solution should not be taken as an endorsement or dismissal. Other unanticipated or unidentified threats may exist.

The mitigation strategies outlined in The Report do not guarantee complete security or immunity from breaches, hacks, or other security events. The effectiveness of these strategies is contingent upon their correct and consistent implementation and may vary depending on individual circumstances.

Neither BlockApex nor any of its officers, employees, agents, or contractors will be held liable for any losses, damages, costs, or expenses, whether direct or indirect, including consequential loss or damage, arising from or in connection with any use or reliance on the information contained in The Report.