|
| 1 | +# Cross-Chain Asset Consolidation via Delegated Automation |
| 2 | + |
| 3 | +## Non-Technical Overview |
| 4 | + |
| 5 | +## Problem Statement |
| 6 | + |
| 7 | +We need to automatically move assets (like USDC) from our multisig wallets on multiple blockchain networks back to Ethereum mainnet on a regular basis. Currently, this requires manual coordination of multiple signers for each transfer, which is inefficient and doesn't scale well. |
| 8 | + |
| 9 | +## Solution Overview |
| 10 | + |
| 11 | +We've designed a secure automated system that moves funds across chains without requiring multisig signers to approve each individual transfer. The key innovation is that we create a **one-time permission slip** (called a "delegation") that gives an automated service very limited powers—it can only do exactly what we want it to do, nothing more. |
| 12 | + |
| 13 | +Think of it like giving someone a key to your house, but the key only works on one specific door, only during certain hours, and can only be used to move items to one specific location. Even if someone steals that key, they can't do anything harmful. |
| 14 | + |
| 15 | +**Key Points**: |
| 16 | + |
| 17 | +- Automation service only TRIGGERS the transaction (redeems permission slip) |
| 18 | +- MULTISIG EXECUTES the action (calls bridge contract) |
| 19 | +- Tokens flow directly from Multisig → Bridge → Treasury |
| 20 | +- Automation service never holds or controls tokens |
| 21 | + |
| 22 | +## How It Works (Simple Explanation) |
| 23 | + |
| 24 | +### The Setup (One-Time Process) |
| 25 | + |
| 26 | +1. **Multisig wallets hold the funds**: Our company's multisig wallets (requiring multiple signatures to control) hold assets on various blockchain networks. |
| 27 | + |
| 28 | +2. **Create a permission slip**: The multisig signers come together **one time** to create a special permission slip. This permission slip says: "An automated service is allowed to move funds, BUT only if it follows these strict rules..." |
| 29 | + |
| 30 | +3. **The rules are enforced by the blockchain**: These rules are written into smart contracts on the blockchain itself. The blockchain checks every single transaction to make sure the rules are followed—no exceptions. These rules are permanent and enforced by the blockchain. Once setup is complete, multisig keys can be stored in cold storage and never needed again for routine operations. |
| 31 | + |
| 32 | +### The Rules (What the Automation Can and Cannot Do) |
| 33 | + |
| 34 | +The permission slip includes strict rules that are checked by the blockchain before any transfer happens: |
| 35 | + |
| 36 | +- ✅ **Can only call the bridge contract** (the approved service for moving funds between chains) |
| 37 | +- ✅ **Can only use approved bridge functions** (specific methods we've approved) |
| 38 | +- ✅ **Can only send to our mainnet treasury address** (funds always go to the correct destination) |
| 39 | +- ✅ **Has spending limits** (can only move a certain amount per transaction and per time period) |
| 40 | +- ✅ **Has time restrictions** (only valid during certain time windows) |
| 41 | + |
| 42 | +Even if someone steals the automation service's key, they **cannot**: |
| 43 | + |
| 44 | +- ❌ Send funds to any address other than our treasury |
| 45 | +- ❌ Call any contracts other than the approved bridge |
| 46 | +- ❌ Exceed the spending limits we've set |
| 47 | +- ❌ Access the multisig funds directly |
| 48 | +- ❌ Bypass any of these rules (they're enforced by the blockchain itself) |
| 49 | + |
| 50 | +### Daily Operations |
| 51 | + |
| 52 | +Once set up, an automated service monitors the multisig wallets. When it detects that funds should be moved (based on thresholds we configure), it uses the permission slip to execute the transfer. The blockchain automatically checks all the rules before allowing the transfer to proceed. |
| 53 | + |
| 54 | +**Important Security Point**: The automation service only triggers the transaction by redeeming the permission slip. Once the delegation is redeemed and validated by the blockchain, **the multisig wallet itself executes the action**—it calls the bridge contract directly. The tokens flow directly from the multisig wallet to the bridge contract, and then to the mainnet treasury. The automation service never holds or controls the tokens, and it doesn't execute the action—the multisig does. |
| 55 | + |
| 56 | +## Security Model (Why This Is Safe) |
| 57 | + |
| 58 | +### The Most Important Security Feature |
| 59 | + |
| 60 | +**Multisig keys are only needed once during setup.** After creating the permission slip, the multisig signers can store their keys in cold storage (offline, highly secure storage) and never touch them again for routine operations. |
| 61 | + |
| 62 | +### Two Types of Keys, Two Levels of Risk |
| 63 | + |
| 64 | +1. **Multisig Keys** (High Security Required) |
| 65 | + |
| 66 | + - Only used once to create the permission slip |
| 67 | + - Can be stored in cold storage after setup |
| 68 | + - These are the keys that actually control the funds |
| 69 | + |
| 70 | +2. **Automation Service Key** (Lower Security Risk) |
| 71 | + - Used continuously by the automated service |
| 72 | + - Even if this key is stolen, the worst an attacker can do is: |
| 73 | + - Trigger a transfer early (but funds still go to the correct destination) |
| 74 | + - Spend some gas tokens (which can be mitigated with additional protections) |
| 75 | + - **Cannot access multisig funds directly** |
| 76 | + - **Cannot send funds anywhere except our treasury** |
| 77 | + - **Cannot exceed spending limits** |
| 78 | + |
| 79 | +**Security Model Summary**: Multisig keys are used once during setup, then stored in cold storage. They create a permission slip (one-time delegation with strict rules) that grants limited access to the automation service key. The automation service key must use the permission slip, and the blockchain enforces the rules—these cannot be bypassed by anyone. |
| 80 | + |
| 81 | +### Why the Automation Key Is Safe Even If Compromised |
| 82 | + |
| 83 | +The blockchain itself enforces the rules. When the automation service tries to make a transfer, the blockchain checks: |
| 84 | + |
| 85 | +- Is it calling an approved contract? (No → transaction rejected) |
| 86 | +- Is it sending to the approved address? (No → transaction rejected) |
| 87 | +- Is it within spending limits? (No → transaction rejected) |
| 88 | +- Is it within the time window? (No → transaction rejected) |
| 89 | + |
| 90 | +These checks happen automatically on the blockchain—they cannot be bypassed, even if someone has the automation key. If ANY check fails, the transaction is rejected. All checks must pass for the transaction to be allowed, at which point the multisig executes the transfer and funds move to the treasury. |
| 91 | + |
| 92 | +### Emergency Controls |
| 93 | + |
| 94 | +If something goes wrong, we can immediately: |
| 95 | + |
| 96 | +- Stop the automated service |
| 97 | +- Disable the permission slip on the blockchain (instant, no multisig coordination needed) |
| 98 | +- All future attempts to use the permission slip will be rejected |
| 99 | + |
| 100 | +## Operational Flow |
| 101 | + |
| 102 | +1. Automated service checks how much money is in each multisig wallet |
| 103 | +2. Service evaluates if conditions are met (enough funds, within time windows, under spending limits) |
| 104 | +3. If conditions are met, automation service redeems the permission slip (triggers the transaction) |
| 105 | +4. Blockchain validates the permission slip and checks all rules |
| 106 | +5. If all checks pass, **the multisig wallet itself executes the bridge transfer** (multisig calls the bridge contract directly) |
| 107 | +6. Tokens flow directly from multisig wallet to bridge contract (never through automation service) |
| 108 | +7. Funds arrive at our mainnet treasury wallet |
| 109 | +8. Everything is recorded on the blockchain for audit purposes |
| 110 | + |
| 111 | +**Key Points**: |
| 112 | + |
| 113 | +- Automation service only TRIGGERS (redeems permission slip) |
| 114 | +- MULTISIG EXECUTES the action (calls bridge contract) |
| 115 | +- Tokens flow directly: Multisig → Bridge → Treasury |
| 116 | +- Automation service never holds or controls tokens |
| 117 | + |
| 118 | +## Key Security Benefits |
| 119 | + |
| 120 | +**Separation of Concerns**: The rules are enforced on the blockchain (can't be changed without multisig approval), while the decision-making logic runs off-chain (can be updated quickly if needed). |
| 121 | + |
| 122 | +**Minimal Attack Surface**: Even if the automation service is compromised, the attacker can only do what we've explicitly allowed—move funds to our treasury within our limits. |
| 123 | + |
| 124 | +**No Ongoing Multisig Coordination**: After initial setup, routine transfers happen automatically without requiring multiple signers to coordinate. |
| 125 | + |
| 126 | +**Complete Audit Trail**: Every transfer is recorded on the blockchain, providing full transparency. |
| 127 | + |
| 128 | +## Risks and How We Mitigate Them |
| 129 | + |
| 130 | +**Bridge Risk**: If the bridge service has problems or is compromised, funds could be affected while in transit. |
| 131 | + |
| 132 | +- _Mitigation_: We can immediately stop the automation and disable the permission slip. We can also configure different limits per chain to isolate risk. |
| 133 | + |
| 134 | +**Automation Key Compromise**: If someone steals the automation service's key, they could try to use it. |
| 135 | + |
| 136 | +- _Mitigation_: The blockchain rules prevent them from doing anything harmful. They can only trigger transfers that send funds to our treasury (the correct destination) within our spending limits. The worst case is they trigger transfers early or spend some gas tokens, which can be mitigated with additional protections. |
| 137 | + |
| 138 | +**Configuration Errors**: If we misconfigure the thresholds or limits, transfers might happen at wrong times or amounts. |
| 139 | + |
| 140 | +- _Mitigation_: We use code review processes, test changes in stages, and all configuration is visible on the blockchain for verification. |
| 141 | + |
| 142 | +**Multisig Signer Changes**: If we need to change who can sign for the multisig, the old permission slip becomes invalid. |
| 143 | + |
| 144 | +- _Mitigation_: This is expected behavior. We simply create a new permission slip as part of our standard process when signers change. |
| 145 | + |
| 146 | +## Summary |
| 147 | + |
| 148 | +This system allows us to automate cross-chain fund transfers securely by: |
| 149 | + |
| 150 | +1. Creating a one-time permission slip with strict rules |
| 151 | +2. Having the blockchain enforce those rules automatically |
| 152 | +3. Requiring multisig keys only once during setup |
| 153 | +4. Limiting what the automation can do, even if its key is compromised |
| 154 | +5. Providing emergency controls to stop operations instantly |
| 155 | + |
| 156 | +The security comes from the blockchain itself enforcing the rules—no one can bypass them, not even someone with the automation key. |
0 commit comments