Every privileged role on BridgeRouter and BridgeVault is held by a Safe multisig. Both contracts are non-upgradeable (no proxy), so the deployed bytecode cannot change. For the relayer path, we plan to migrate from a Safe multisig to MPC threshold signing later, where no single device ever holds a full private key.
Contract roles — BridgeVault
| Role | Holder | What it can do |
|---|---|---|
| DEFAULT_ADMIN_ROLE | Admin Safe multisig | setRouter: choose which router contract can call deposit and release |
| | | setDailyWithdrawLimit: configure or disable the per-day ETH release cap |
| | | sweep: rescue ETH or accidentally sent ERC-20 tokens |
| | | Grant and revoke all roles on the vault |
| Router (address check, not a role) | Router contract | deposit: accept ETH and generate a messageId |
| | | release: transfer ETH to a recipient (withdrawal finalization) |
The vault admin can swap the router via setRouter but cannot directly move bridged ETH. The only admin path to vault ETH is sweep, which is there for stuck funds, not normal operations. dailyWithdrawLimit caps how much ETH the router can release per UTC day.
Contract roles — BridgeRouter
| Role | Holder | What it can do |
|---|---|---|
| DEFAULT_ADMIN_ROLE | Admin Safe multisig | collectFee: withdraw accumulated protocol fees |
| | | sweepTokens: rescue stuck ETH or ERC-20 tokens from the router |
| | | Grant and revoke all roles on the router |
| MANAGER_ROLE | Manager Safe multisig | setFees: configure cryptoFee and protocolFeeBps |
| | | setMinAmount: set minimum deposit amount |
| | | setDestination: configure destination chain ID and Canton token identifier |
| | | addToWhitelist / removeFromWhitelist: manage depositor whitelist |
| | | pauseDeposits / unpauseDeposits: emergency pause for EVM → Canton |
| | | pauseWithdrawals / unpauseWithdrawals: emergency pause for Canton → EVM |
| RELAYER_ROLE | Relayer Safe multisig | finalizeWithdraw: submit Canton-to-EVM withdrawal releases |
DEFAULT_ADMIN_ROLE can also call everything MANAGER_ROLE can (the modifier checks both).
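The role matrix in the two tables, as an added Python model (not the project's contract code) that reproduces the "admin also passes the manager check" rule and audits which Safes can reach a fund-moving function. Function, role and Safe names are taken from the tables; grantRole/revokeRole are assumed to be the standard AccessControl entry points, and the dict layout and helper names are this example's own.

```python
# Added example, not the project's code: a model of the BridgeRouter role checks.
# Role and function names come from the page; the data layout is an assumption.

DEFAULT_ADMIN_ROLE = "DEFAULT_ADMIN_ROLE"
MANAGER_ROLE = "MANAGER_ROLE"
RELAYER_ROLE = "RELAYER_ROLE"

# Which Safe holds which role, as listed on the page.
ROLE_HOLDERS = {
    DEFAULT_ADMIN_ROLE: {"Admin Safe"},
    MANAGER_ROLE: {"Manager Safe"},
    RELAYER_ROLE: {"Relayer Safe"},
}

# BridgeRouter functions and the role their modifier checks.
# grantRole/revokeRole are assumed names for "grant and revoke all roles".
ROUTER_FUNCTIONS = {
    "collectFee": DEFAULT_ADMIN_ROLE,
    "sweepTokens": DEFAULT_ADMIN_ROLE,
    "grantRole": DEFAULT_ADMIN_ROLE,
    "revokeRole": DEFAULT_ADMIN_ROLE,
    "setFees": MANAGER_ROLE,
    "setMinAmount": MANAGER_ROLE,
    "setDestination": MANAGER_ROLE,
    "addToWhitelist": MANAGER_ROLE,
    "removeFromWhitelist": MANAGER_ROLE,
    "pauseDeposits": MANAGER_ROLE,
    "unpauseDeposits": MANAGER_ROLE,
    "pauseWithdrawals": MANAGER_ROLE,
    "unpauseWithdrawals": MANAGER_ROLE,
    "finalizeWithdraw": RELAYER_ROLE,
}

# Functions that move ETH or tokens out of the router or vault.
FUND_MOVING = {"collectFee", "sweepTokens", "finalizeWithdraw"}


def has_role(holders, caller, role):
    return caller in holders.get(role, set())


def is_authorized(holders, caller, fn):
    """The page's rule: a MANAGER_ROLE check also passes for DEFAULT_ADMIN_ROLE."""
    required = ROUTER_FUNCTIONS[fn]
    if has_role(holders, caller, required):
        return True
    return required == MANAGER_ROLE and has_role(holders, caller, DEFAULT_ADMIN_ROLE)


def callable_by(holders, caller):
    """Every router function a given Safe may call, sorted by name."""
    return sorted(fn for fn in ROUTER_FUNCTIONS if is_authorized(holders, caller, fn))


def grant_role(holders, role, account):
    """Return a copy of the holder map with `account` added to `role`."""
    updated = {r: set(h) for r, h in holders.items()}
    updated.setdefault(role, set()).add(account)
    return updated


def audit_separation(holders):
    """Return (holders that can move funds, holders that can BOTH move funds
    and change operational configuration). The second set is what a role
    grant that breaks the separation described on the page would add to."""
    config_fns = set(ROUTER_FUNCTIONS) - FUND_MOVING - {"grantRole", "revokeRole"}
    all_holders = set().union(*holders.values())
    movers = {h for h in all_holders
              if any(is_authorized(holders, h, f) for f in FUND_MOVING)}
    both = {h for h in movers
            if any(is_authorized(holders, h, f) for f in config_fns)}
    return movers, both


if __name__ == "__main__":
    for safe in ("Admin Safe", "Manager Safe", "Relayer Safe"):
        print(safe, "->", callable_by(ROLE_HOLDERS, safe))
    print("separation audit:", audit_separation(ROLE_HOLDERS))
```

With the page's holder map the audit reports that only the Admin Safe overlaps both sets, which is exactly the admin-passes-manager rule; re-running it after a hypothetical grantRole to the Relayer Safe shows how an unreviewed role grant would collapse the separation.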
Multisig configuration
Admin, manager, and relayer each use a separate Safe multisig. Each signer is a distinct EOA on independent infrastructure.
| Multisig | Purpose |
|---|---|
| Admin Safe | Vault admin + router admin. Controls setRouter, sweep, role grants. Most sensitive, used infrequently. |
| Manager Safe | Router operational config. Controls fees, pausing, whitelist, destination config. |
| Relayer Safe | Holds RELAYER_ROLE. Co-signs finalizeWithdraw transactions proposed by the relayer backend. |
Why three separate multisigs?
Compromising the Manager Safe cannot move funds — it can only change fees, pause the bridge, or edit the whitelist. The Relayer Safe, in turn, has no access to configuration at all. Each Safe has its own on-chain proposal and execution log.
Protections against key compromise
A single compromised signer cannot do anything on its own. Every fund-moving operation requires multisig approval.
The two paths to vault ETH — sweep and fake withdrawals via finalizeWithdraw — each need approval from a different multisig. sweep requires the Admin Safe; fake withdrawals require the Relayer Safe. Even with a fully compromised Relayer Safe, dailyWithdrawLimit caps how much can leave per day, and admin or manager can pause withdrawals. sweep is monitored and we plan to add a timelock.
Swapping the router to a malicious contract also requires the Admin Safe. The backend watches for RouterUpdated events, so a rogue swap would be flagged immediately.
The manager-only vectors (pausing the bridge, setting fees to 100%) cannot cause fund loss. Pausing is just downtime until another Safe unpauses. protocolFeeBps is capped at 10000 (100%), and every fee change emits a FeesUpdated event.
What limits the damage
The roles do not overlap: the relayer key cannot touch configuration, the manager key cannot move funds, and admin is only used for infrastructure changes.
dailyWithdrawLimit on the vault caps how much ETH the router can release per UTC day, so even a fully compromised Relayer Safe cannot drain the vault in one go. Manager or admin can pause withdrawals to stop it. Deposits (EVM → Canton) and withdrawals (Canton → EVM) can be paused independently — halting one direction does not block the other.
Both contracts are deployed without a proxy, so the bytecode cannot change. A compromised admin cannot alter contract logic. Replay protection (processedMessages) lives in the vault, not the router, so swapping the router via setRouter does not reset which messages have already been processed.
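The three damage limits described above (router-only release, the per-UTC-day cap, and replay protection that survives setRouter), as an added Python reference model. This is not the project's Solidity; method names mirror the page, while the class layout, the day bucketing by integer division of a unix timestamp, and the sample amounts and timestamps are this example's own assumptions.

```python
# Added example, not the project's code: a reference model of BridgeVault's
# release path. Function names follow the page; everything else is assumed.
from datetime import datetime, timezone


class VaultError(Exception):
    pass


class BridgeVaultModel:
    def __init__(self, admin, router, daily_limit_wei, balance_wei):
        self.admin = admin
        self.router = router
        self.daily_limit = daily_limit_wei   # 0 means the cap is disabled
        self.balance = balance_wei
        self.processed = set()               # processedMessages lives in the vault
        self.released_today = 0
        self.current_day = None

    @staticmethod
    def utc_day(ts):
        """Bucket a unix timestamp into a UTC calendar day (days since epoch)."""
        return ts // 86400

    def set_router(self, caller, new_router):
        if caller != self.admin:
            raise VaultError("setRouter: caller is not DEFAULT_ADMIN_ROLE")
        self.router = new_router             # processedMessages is deliberately untouched

    def set_daily_withdraw_limit(self, caller, limit_wei):
        if caller != self.admin:
            raise VaultError("setDailyWithdrawLimit: caller is not DEFAULT_ADMIN_ROLE")
        self.daily_limit = limit_wei

    def release(self, caller, message_id, recipient, amount_wei, ts):
        """Checks first, effects last: a rejected release leaves no state behind."""
        if caller != self.router:
            raise VaultError("release: caller is not the router")
        if message_id in self.processed:
            raise VaultError("release: message already processed")
        day = self.utc_day(ts)
        if day != self.current_day:          # counter rolls at 00:00 UTC
            self.current_day, self.released_today = day, 0
        if self.daily_limit and self.released_today + amount_wei > self.daily_limit:
            raise VaultError("release: daily withdraw limit exceeded")
        if amount_wei > self.balance:
            raise VaultError("release: insufficient vault balance")
        self.processed.add(message_id)
        self.released_today += amount_wei
        self.balance -= amount_wei
        return (recipient, amount_wei)


def rejects(action, *args):
    """True if the vault rejects the action with a VaultError."""
    try:
        action(*args)
    except VaultError:
        return True
    return False


if __name__ == "__main__":
    # Constructed walkthrough: 2024-01-01 23:50 UTC, limit 10, balance 100.
    t = int(datetime(2024, 1, 1, 23, 50, tzinfo=timezone.utc).timestamp())
    v = BridgeVaultModel("AdminSafe", "RouterV1", daily_limit_wei=10, balance_wei=100)
    v.release("RouterV1", "m1", "alice", 6, t)
    print("second 6 on same day rejected:", rejects(v.release, "RouterV1", "m2", "alice", 6, t))
    print("same amount 20 min later (new UTC day):", v.release("RouterV1", "m2", "alice", 6, t + 1200))
    v.set_router("AdminSafe", "RouterV2")
    print("replay of m1 via new router rejected:", rejects(v.release, "RouterV2", "m1", "bob", 1, t + 1200))
```

The walkthrough deliberately straddles midnight UTC so the cap reset is visible, and swaps the router afterwards to show that the new router still cannot replay a messageId the old one already finalized.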
The backend monitors all contract events: config changes (RouterUpdated, FeesUpdated, DailyWithdrawLimitUpdated, pause toggles) and fund movements (Deposit, Withdraw, Swept).
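The event monitoring described above, as an added Python example (not the project's backend) run over a constructed set of event records. Event names Deposit, Withdraw, Swept, RouterUpdated, FeesUpdated and DailyWithdrawLimitUpdated come from the page; the pause-toggle event names, the JSON-lines record shape, the field names, the amounts (in whole ETH for readability) and the 80% warning threshold are this example's own assumptions.

```python
# Added example, not the project's code: triage contract events into alerts.
# Event names from the page are used where given; record layout is assumed.
import json
from collections import defaultdict

# Configuration-change events. The pause/unpause event names are assumptions.
CONFIG_EVENTS = {
    "RouterUpdated", "FeesUpdated", "DailyWithdrawLimitUpdated",
    "DepositsPaused", "DepositsUnpaused", "WithdrawalsPaused", "WithdrawalsUnpaused",
}

# Constructed sample: one UTC day (2024-01-01 starts at 1704067200) and the next.
SAMPLE_EVENTS = """
{"ts": 1704067500, "name": "Deposit", "args": {"messageId": "0x01", "amount": 5}}
{"ts": 1704100000, "name": "Withdraw", "args": {"messageId": "0xa1", "amount": 7}}
{"ts": 1704120000, "name": "Withdraw", "args": {"messageId": "0xa2", "amount": 2}}
{"ts": 1704140000, "name": "RouterUpdated", "args": {"oldRouter": "0xRouterV1", "newRouter": "0xRouterV2"}}
{"ts": 1704150000, "name": "Swept", "args": {"token": "ETH", "amount": 3}}
{"ts": 1704160000, "name": "Withdraw", "args": {"messageId": "0xa3", "amount": 4}}
"""


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def monitor(text, daily_limit, warn_fraction=0.8):
    """Return (alerts, per-day withdraw totals).

    - config: any configuration change (should match a reviewed Safe proposal)
    - critical: Swept, the only admin path to vault ETH
    - warn: a UTC day's releases reached warn_fraction of dailyWithdrawLimit
    - invariant: something the contracts should make impossible was observed
      (a day over the cap, or a messageId finalized twice)
    """
    alerts = []
    per_day = defaultdict(int)
    seen_ids = set()
    for ev in parse_events(text):
        name, args, ts = ev["name"], ev["args"], ev["ts"]
        if name in CONFIG_EVENTS:
            alerts.append({"severity": "config", "ts": ts, "event": name, "detail": args})
        elif name == "Swept":
            alerts.append({"severity": "critical", "ts": ts, "event": name, "detail": args})
        elif name == "Withdraw":
            mid = args["messageId"]
            if mid in seen_ids:
                alerts.append({"severity": "invariant", "ts": ts, "event": name,
                               "detail": {"duplicate messageId": mid}})
            seen_ids.add(mid)
            day = ts // 86400
            per_day[day] += args["amount"]
            if daily_limit and per_day[day] > daily_limit:
                alerts.append({"severity": "invariant", "ts": ts, "event": name,
                               "detail": {"day": day, "released": per_day[day]}})
            elif daily_limit and per_day[day] >= warn_fraction * daily_limit:
                alerts.append({"severity": "warn", "ts": ts, "event": name,
                               "detail": {"day": day, "released": per_day[day]}})
    return alerts, dict(per_day)


if __name__ == "__main__":
    found, totals = monitor(SAMPLE_EVENTS, daily_limit=10)
    for a in found:
        print(a["severity"], a["ts"], a["event"], a["detail"])
    print("per-day totals:", totals)
```

Deposit events are parsed but produce no alert here; a production monitor would reconcile them against the Canton side, which is outside what this page describes.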
Relayer signing
The relayer proposes finalizeWithdraw transactions to the Relayer Safe multisig but cannot finalize on its own. Other signers co-sign via the Safe interface or API before the transaction goes on-chain. Key rotation happens through Safe signer management today; the planned MPC migration applies to this relayer signing path.
Future: MPC migration
We plan to replace the Relayer Safe multisig with MPC threshold signing. The admin and manager roles remain on Safe multisigs. No device would hold a complete private key for relayer signing — key-share holders cooperate in a distributed signing protocol instead. Key shares can be refreshed without changing the on-chain address, which also removes the gas overhead of multisig proposal and confirmation transactions.