# Cross-Chain Bridge Layer Logged. Reading USER.md to add the preference cleanly.Logged. Both formatting rules now in `_jarvis/USER.md` Working Style section -- the dash rule and the `sec` rule co-located. Drafting sec5 now. *** > The bridge layer is the part of hstXDC where the wrong architecture choice is the most common cause of catastrophic failure in cross-chain products. Most bridge exploits in the last five years did not lose user funds because of cryptography or smart-contract bugs; they lost user funds because the trust model collapsed to a small committee of signers who could be compromised, coerced, or arrested. This section walks why hstXDC's bridge layer avoids that failure mode by construction. ### The architecture choice Bridge layer trust models fall into a small number of canonical patterns. The choice between them is not a matter of taste -- each pattern has a specific failure mode, and the institutional reader has to know which failure mode they are signing up for. | Pattern | How trust collapses | Where it has lived in practice | | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Notarized witness multisig** | Honest-majority committee assumption. Failure when the committee is compromised, coerced, or jurisdictionally concentrated. | Ronin ($625M), Wormhole ($326M), Nomad ($190M), Multichain ($125M+), Harmony Horizon ($100M). **Where every major bridge exploit since 2021 has lived.** | | **Lock-and-mint vault** | Custody of the lock vault. Failure when the vault keys are compromised. | Many wrapped-asset designs. Same failure surface as multisig when the vault is held by a small set of keys. | | **Issuer-attested burn-and-mint** | The asset issuer is the trust root. Failure only on issuer credit risk or attestation infrastructure outage. **No bridge committee, no vault to drain.** | Circle CCTP V2 (USDC across 24+ chains, including XDC since September 2025). USDCx on Canton (Circle xReserve protocol, in production for institutional repo settlement). | | **Threshold-signature attestor network (FROST / TSS)** | Threshold cryptography over a distributed attestor set. Failure requires compromising the threshold simultaneously across geographically diversified operators. **No single key holder.** | cBTC on Canton (BitSafe, FROST over a distributed attestor network including Kiln and Figment, in production with BitGo qualified custody). | | **Light-client / zk** | The destination chain verifies the source chain's consensus directly. Failure only on cryptographic break or implementation bug in the verifier. | IBC across the Cosmos zone. Polymer / Succinct experimental EVM variants. Structurally hardest to apply to non-EVM destinations. | | **Subnet anchor (XDC-specific)** | Permissioned execution layer anchored to mainnet via header attestation. Failure on the subnet's permissioned validator set. | XDC Zero, in production for XDC Subnet ↔ XDC mainnet flows since September 2024. | The four patterns at the bottom -- issuer-attested, FROST attestor network, light-client, and subnet anchor -- are where institutional bridges should live. The two at the top are where retail bridges have repeatedly failed. **hstXDC's bridge layer uses a hybrid of the two best-fit patterns: issuer-attested for first-party-issued assets like USDC, and FROST attestor network for non-issuer assets like XDC.** Neither half of the hybrid is novel in isolation. Both halves are in production today on Canton, with regulated US qualified custody coverage. ### D3 -- Trust Topology Comparison (visual aid) **Purpose:** Show the institutional reader, in one image, why the architecture choice matters. Three panels side by side, one labeled as the failure-mode-by-construction pattern, two labeled as the patterns hstXDC uses. **Layout:** Three roughly equal-sized panels, left to right. Each panel is a small box-and-arrow diagram with a caption underneath. ``` ┌──────────────────────┐ ┌──────────────────────┐ ┌──────────────────────┐ │ ❌ AVOID │ │ ✅ USE FOR │ │ ✅ USE FOR │ │ Notarized witness │ │ ISSUER ASSETS │ │ NON-ISSUER ASSETS │ │ multisig │ │ (e.g. USDC) │ │ (e.g. XDC) │ │ │ │ │ │ │ │ Source chain │ │ Source chain │ │ Source chain │ │ ↓ │ │ ↓ burn │ │ ↓ │ │ ┌────────┐ │ │ ┌────────┐ │ │ ┌────────┐ │ │ │ 5-of-9 │ │ │ │ Issuer │ │ │ │ FROST │ │ │ │ multi- │ │ │ │ signs │ │ │ │ /TSS │ │ │ │ sig │ │ │ │ (Circle│ │ │ │ attest │ │ │ └────────┘ │ │ └────────┘ │ │ │ -or net│ │ │ ↓ │ │ ↓ attestation │ │ └────────┘ │ │ Destination chain │ │ Destination chain │ │ ↓ │ │ │ │ ↓ mint │ │ Destination chain │ └──────────────────────┘ └──────────────────────┘ └──────────────────────┘ Caption: Caption: Caption: "Where every major "No bridge vault. "Threshold crypto over bridge exploit lived: Trust collapses to a distributed Ronin $625M, the asset issuer. attestor set. cBTC Wormhole $326M, CCTP V2 pattern. on Canton uses this. Nomad $190M, In production on Production today." Multichain $125M+" XDC since Sept 2025" ``` **Visual punch:** ❌ multisig | ✅ issuer-attested | ✅ FROST attestor net. The right pattern depends on the asset class, and we use the right one for each. **Color suggestion:** keep the AVOID panel in a muted/grayed tone, the two USE panels in your normal palette. The visual contrast does half the work of the caption. ### Canton-side design constraint -- the authorized observer party Canton's privacy model adds a constraint that EVM↔EVM bridge designs do not have to think about. On Canton, a transaction can have multiple subtransactions, each visible only to authorized parties. A bridge contract that needs to *prove externally* that a state transition happened cannot rely on a global observer -- the relevant subtransaction may not be visible to anyone outside the parties to the burn. **The design rule that follows:** the bridge attestor network must be an explicitly authorized observer party on every contract whose state it needs to attest to. In practice this means: * The Canton-side `UserPosition` template (see sec4) lists the bridge attestor party as a stakeholder on every burn choice, ensuring the attestor network can observe the burn * The Canton-side `RedemptionRequest` template includes the attestor party in its signatory set, ensuring the redemption commitment is visible to the attestors who will eventually authorize the unstake on XDC * The attestor party's authority is constrained to *observation and attestation* -- it cannot move user assets, mint hstXDC outside the attested-deposit flow, or accelerate redemptions This is exactly the same architectural pattern that cBTC uses on Canton today. The cBTC contracts list the BitSafe attestor party as a stakeholder on the relevant Daml templates. The hstXDC vault contracts will follow the same pattern. ### XDC-side design constraint -- delegation lifecycle and unbonding The XDC side has a different constraint: the masternode delegation lifecycle is a property of the XDC consensus layer, not of the hstXDC contract. The bridge attestor network cannot accelerate XDC's standard unbonding window, and any architecture that pretends otherwise will be quickly adversarially probed. **The design rule that follows:** the bridge attestor network attests to *deposit events* and *unstake-completion events* on XDC, but does not attempt to attest to "redemption is ready before unbonding completes." The Canton-side `RedemptionRequest` contract carries the redemption commitment through the unbonding window; the attestor network confirms only when the XDC contract emits the actual `Unstaked` event. ### What's in design, what's resolved | Component | Status | | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Recommended architecture pattern | **RESOLVED** -- hybrid issuer-attested + FROST/TSS attestor network | | Issuer-attested side (USDC via CCTP V2) | **NO HELIX WORK NEEDED** -- already in production ecosystem-wide | | Authorized observer party model on Canton | **RESOLVED** -- mirrors cBTC's existing pattern, no novel design required | | FROST attestor set composition | **IN DESIGN** -- target is geographically and jurisdictionally distributed; named operators TBD | | FROST signing threshold | **IN DESIGN** -- target is `t-of-n` where `t ≥ floor(2n/3)+1`, exact `n` depends on attestor set composition | | Canton-side synchronizer choice | **IN DESIGN** -- options are (a) deploy on the Global Synchronizer Foundation production synchronizer, (b) deploy on a dedicated synchronizer operated by hstXDC's institutional partners | | XDC-side vault contract | **IN DESIGN** -- Solidity, immutable, on XDC mainnet (not in a Subnet for v1) | | Subnet deployment fallback | **OPTIONAL ALTERNATE** -- documented as a deployment variant for partners who prefer execution isolation; not the v1 default | | Bridge attestor software | **IN DESIGN** -- Rust implementation, FROST library selection TBD | ### What this section deliberately does not promise * **A novel bridge architecture.** Neither half of the hybrid is novel. Both halves have production deployments on Canton (cBTC for FROST, USDCx for issuer-attested) with BitGo qualified custody. The hstXDC contribution is the *combination* applied to a Canton↔EVM-L1 surface, not the invention of the underlying patterns. * **A specific attestor set or signing threshold.** Those are the parts of the architecture that depend on partner alignment and are deliberately under-specified in this document. They will be specified before mainnet, in a separate technical addendum, and presented to partners individually. * **A "first Canton↔external bridge" claim.** cBTC and USDCx are production Canton↔external bridges already. The hstXDC contribution sits in a more specific category: a Canton bridge to an EVM smart-contract platform with a KYC'd validator set. See the moat verdict in \[\[xdc-canton-bridge-prior-art]] for the honest framing. *** **sec5 ready for your read.** Three things worth flagging: 1. **D3 placement.** The visual aid is positioned right after the architecture-choice table, before the Canton-side / XDC-side constraint subsections. This puts the strongest visual punch early in the section, which is where it carries the most weight for a reader skimming. If you'd rather it land at the end of sec5 as a summary, say so and I'll move it. 2. **The "what this section deliberately does not promise" closing block.** This is a different shape from the "honest read" block I dropped from sec2 -- it's a scope-disclosure, not a self-DD checklist. Same kind-of-tone, though. If you want it dropped too for consistency, say so. My instinct is to keep it because it pre-empts the most common adversarial reader question ("you're claiming you invented something novel, right?") with a clean "no, we're not." 3. **No mention of attestor operator names.** I deliberately did not name candidate attestor operators (Kiln, Figment, IntellectEU, etc.) even as illustrative examples. The cBTC precedent names Kiln and Figment publicly, and you could lean on that as a "this kind of operator" reference -- but doing so on a public docs page risks looking like you're claiming a relationship that doesn't exist. Want to keep it neutral, or do you want a small "operators of this kind, e.g., institutional staking providers like the ones in the cBTC attestor set" gesture? sec6 (Cross-Chain Yield Composability with pCC) is next. That's the load-bearing institutional thesis section, where D2 lives, and where the SBI-shaped reader gets the institutional story without SBI being named. It's the most strategically important section in the entire gitbook XDC chapter -- worth slowing down on the framing pass when we get there.