🔐 Security Model (FROST & Invariants)
Cryptographic Foundations
FROST Threshold Signatures
KAT Bridge secures assets with FROST (Flexible Round-Optimized Schnorr Threshold) signatures.
Threshold: Only a quorum of relayers (M-of-N) can authorize a bridge action.
No Master Key: The full private key never exists. Each relayer holds a key share derived via distributed key generation (DKG).
Efficiency: Two-round signing protocol, optimized for asynchronous networks.
Rogue-Key Resistance: Binding factors ensure malicious relayers cannot bias signatures.
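To make the four properties above concrete, the following is an added illustration written for this page (not KAT Bridge's code and not a drop-in FROST implementation). It assumes a constructed Schnorr group over the integers (a safe prime p = 2q + 1, found at import time) in place of Kaspa's secp256k1 curve, a trusted dealer in place of DKG (so, unlike the real protocol, the dealer briefly holds f(0) before discarding it), and constructed hash tags ("KAT-binding", "KAT-challenge"). The two-round structure, the binding factor that stops a participant from biasing the group nonce, the coordinator's audit of every partial signature against a public verification share, and the final aggregation follow FROST's shape, so the demo also shows why a coordinator without a share cannot sign and why a sub-quorum set cannot assemble a valid signature.

```python
"""FROST-style M-of-N threshold Schnorr signing in plain Python. Added illustration, not KAT Bridge
code: a constructed integer Schnorr group stands in for secp256k1, a trusted dealer for DKG."""
import hashlib
import math
import secrets

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Deterministically find a safe prime p = 2q + 1; 4 = 2^2 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = make_group()  # toy parameters for illustration only

def H(tag, *parts):
    """Hash to a scalar in Z_q under a domain tag (tag strings are constructed for this demo)."""
    h = hashlib.sha256(tag.encode())
    for x in parts:
        h.update(repr(x).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q

def deal_shares(n, m):
    """Shamir shares s_i = f(i) of a random degree-(m-1) polynomial f.
    Dealer stand-in for DKG: f(0) exists only inside this function and is then discarded."""
    f = [secrets.randbelow(Q) for _ in range(m)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(f)) % Q for i in range(1, n + 1)}
    verif = {i: pow(G, s, P) for i, s in shares.items()}  # public verification shares g^s_i
    return shares, verif, pow(G, f[0], P)  # group public key Y = g^f(0), the one key seen on-chain

def lagrange(i, signers):
    """Coefficient with which the signer set interpolates f(0) without revealing any share."""
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def threshold_sign(msg, signers, shares, verif, group_pk):
    """Two-round FROST-style signing; returns (R, z) or raises on a bad partial signature."""
    # Round 1: every signer commits to a hiding nonce d_i and a binding nonce e_i.
    nonces = {i: (secrets.randbelow(Q), secrets.randbelow(Q)) for i in signers}
    commits = {i: (pow(G, d, P), pow(G, e, P)) for i, (d, e) in nonces.items()}
    # Round 2: the binding factor ties each nonce to the signer set and message, so no
    # participant can pick its nonce after seeing the others' and bias the group nonce R.
    rho = {i: H("KAT-binding", i, msg, sorted(commits.items())) for i in signers}
    R_i = {i: commits[i][0] * pow(commits[i][1], rho[i], P) % P for i in signers}
    R = math.prod(R_i.values()) % P
    c = H("KAT-challenge", R, group_pk, msg)
    z = 0
    for i in signers:
        lam = lagrange(i, signers)
        d, e = nonces[i]
        z_i = (d + e * rho[i] + lam * shares[i] * c) % Q
        # Coordinator step: audit the partial against that signer's public share. The
        # coordinator holds no key share, so it can only aggregate, never sign.
        if pow(G, z_i, P) != R_i[i] * pow(verif[i], lam * c % Q, P) % P:
            raise ValueError(f"invalid partial signature from relayer {i}")
        z = (z + z_i) % Q
    return R, z

def verify(msg, sig, group_pk):
    """Ordinary Schnorr verification against the single group public key."""
    R, z = sig
    c = H("KAT-challenge", R, group_pk, msg)
    return pow(G, z, P) == R * pow(group_pk, c, P) % P

def demo(n=5, m=3):
    """3-of-5 quorum signs; 2 signers cannot; the signature is bound to its message."""
    shares, verif, pk = deal_shares(n, m)
    msg = b"withdraw|chainId=1|amount=1000|nonce=7"  # constructed message
    quorum_ok = verify(msg, threshold_sign(msg, [1, 3, 5], shares, verif, pk), pk)
    minority_ok = verify(msg, threshold_sign(msg, [2, 4], shares, verif, pk), pk)
    other_msg_ok = verify(b"other message", threshold_sign(msg, [1, 2, 3], shares, verif, pk), pk)
    return quorum_ok, minority_ok, other_msg_ok
```

`demo()` returns `(True, False, False)`: the 3-of-5 set produces a signature that verifies under the single group key, the 2-signer set produces a well-formed but invalid one because its Lagrange interpolation does not land on f(0), and a valid signature does not verify for any other message. Tampering with one share makes `threshold_sign` raise at the coordinator's audit step, which is the accountability property. Requires Python 3.8+ for `pow(x, -1, q)` and `math.prod`.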
Why Not Traditional Multi-Sig?
Kaspa’s scripting model is not natively compatible with Kasplex’s KRC-20 transfer mechanism.
The Kasplex KRC-20 Data Insertion Mechanism requires a single public key at the top of the stack.
A “true” multi-signature wallet (with multiple public keys in the script) is therefore invalid for KRC-20 transfers.
To maintain decentralization while meeting this requirement, KAT Bridge implements FROST threshold signatures:
On-chain, there is still only one public key.
Off-chain, that key corresponds to M-of-N distributed signers.
This preserves compatibility with KRC-20 while ensuring robust threshold security.
Signing Domains
Each signature is domain-separated to prevent replay or cross-protocol misuse.
Kaspa L1 → L2 deposits: Hash includes Kaspa TXID, output index, KRC-20 ticker, amount, nonce, and expiry.
L2 → L1 withdrawals: Hash includes ERC-20 contract, chainId, burn amount, recipient, nonce, and expiry.
Coordinator Tagging: Each message includes a unique session ID to bind partial signatures.
Trust & Threat Boundaries
What a Single Relayer Can Do
✅ Observe deposits/withdrawals.
✅ Produce partial signatures for valid requests.
❌ Cannot move funds without threshold quorum.
❌ Cannot alter message content (domain-separated hashes enforced).
What a Colluding Minority Can Do
❌ Cannot forge withdrawals or mint tokens.
❌ Cannot override quorum logic.
✅ Could delay processing by refusing to sign.
What a Quorum Can Do
✅ Approve valid deposits and withdrawals.
✅ Halt bridge flow if quorum refuses to participate.
❌ Cannot steal funds outside valid protocol flow (since contracts validate signatures against public key).
Security Invariants
These must hold at all times; violation indicates a systemic failure.
Invariant 1: Threshold Required. No action is possible without M-of-N FROST signatures.
Invariant 2: Domain Separation. Each signed message is unique to the bridge context; replay outside its scope is impossible.
Invariant 3: Coordinator is Non-Authoritative. The coordinator cannot generate signatures; it only aggregates valid shares.
Invariant 4: No Shared Secrets. No relayer knows another’s key share, nor can shares be combined without the protocol.
Invariant 5: Replay & Idempotency Protection. Nonces + expiries ensure duplicate or stale requests are rejected.
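The following added example (written for this page, not KAT Bridge's code) shows how the Signing Domains section and Invariants 2 and 5 fit together in practice: one tagged digest per signing domain over exactly the fields listed above, a session id that binds a signing round to one digest and one signer set, and a relayer-side admission check that rejects reused nonces and stale expiries. The domain tag strings, the length-prefixed field encoding, the session-id derivation, and the choice to scope nonces per domain are all assumptions made for the illustration.

```python
"""Domain-separated bridge digests plus nonce/expiry admission checks. Added illustration,
not KAT Bridge code: domain tags, field encoding and session-id derivation are assumptions."""
import hashlib
import struct

DEPOSIT_TAG = b"KAT/deposit/v1"    # constructed domain tags, one per signing domain
WITHDRAW_TAG = b"KAT/withdraw/v1"
SESSION_TAG = b"KAT/session/v1"

def _encode(*fields):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") cannot produce the same bytes."""
    out = b""
    for f in fields:
        if isinstance(f, int):
            f = f.to_bytes(32, "big")       # fixed width; negative values raise OverflowError
        elif isinstance(f, str):
            f = f.encode()
        out += struct.pack(">I", len(f)) + f
    return out

def tagged_hash(tag, *fields):
    """SHA-256 over the tag and the encoded fields; different tags give unrelated digests."""
    return hashlib.sha256(_encode(tag, *fields)).digest()

def deposit_digest(kaspa_txid, output_index, ticker, amount, nonce, expiry):
    """Kaspa L1 -> L2 deposit: the fields listed on the page, under the deposit tag."""
    return tagged_hash(DEPOSIT_TAG, kaspa_txid, output_index, ticker, amount, nonce, expiry)

def withdraw_digest(erc20, chain_id, burn_amount, recipient, nonce, expiry):
    """L2 -> L1 withdrawal: the fields listed on the page, under the withdrawal tag."""
    return tagged_hash(WITHDRAW_TAG, erc20, chain_id, burn_amount, recipient, nonce, expiry)

def session_id(digest, signer_ids):
    """Coordinator tagging: binds a signing session to one digest and one signer set."""
    return tagged_hash(SESSION_TAG, digest, *sorted(signer_ids))

class RequestLedger:
    """Invariant 5 as a relayer-side check: reject expired requests and reused nonces."""
    def __init__(self):
        self._seen = set()

    def admit(self, tag, nonce, expiry, now):
        if expiry <= now:
            return "rejected: expired"
        key = (tag, nonce)                 # assumption: nonces are scoped to their signing domain
        if key in self._seen:
            return "rejected: replay"
        self._seen.add(key)
        return "accepted"

def demo():
    txid = bytes.fromhex("ab" * 32)        # constructed placeholder, not a real Kaspa TXID
    erc20 = "0x" + "11" * 20               # constructed placeholder contract address
    dep = deposit_digest(txid, 0, "KAT", 1000, 1, 2000)
    wdr = withdraw_digest(erc20, 1, 1000, "kaspa:placeholder-recipient", 1, 2000)
    dep_other_nonce = deposit_digest(txid, 0, "KAT", 1000, 2, 2000)
    ledger = RequestLedger()
    outcomes = [ledger.admit(DEPOSIT_TAG, 1, 2000, now=1500),
                ledger.admit(DEPOSIT_TAG, 1, 2000, now=1500),   # same nonce again
                ledger.admit(WITHDRAW_TAG, 1, 2000, now=1500),  # same nonce, other domain
                ledger.admit(DEPOSIT_TAG, 3, 2000, now=2500)]   # stale request
    return dep != wdr, dep != dep_other_nonce, outcomes
```

In `demo()` the deposit and withdrawal digests differ even though amount, nonce and expiry coincide, because the tag is hashed with the fields; changing only the nonce also changes the digest, so a signature over one request never verifies for another. The ledger accepts the first use of a nonce, rejects its second use in the same domain, and rejects any request whose expiry has passed.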
Mitigations Against Threats
Threat                        Scope              Mitigation
Single relayer compromise     1 relayer          Harmless (needs quorum to act).
Minority collusion (t < M)    < quorum           Harmless (cannot assemble final sig).
Rogue-key attack              Malicious share    Prevented by DKG + binding factors.
Coordinator compromise        Full coordinator   Harmless (no shares, cannot sign).
Replay attack                 Reuse old msg      Nonces + domain separation.
Chain reorg                   Finality risk      Relayers wait for N/M confirmations.
Denial-of-service             Relayers offline   Liveness reduced, but funds safe.
Operational Safeguards
Rate Limits & Caps: Each bridge event is subject to a maximum transfer limit per token.
Timelocks: Optional withdrawal windows allow users to contest anomalies.
Rotation & Refresh: DKG is re-run when signers are replaced or compromised.
Monitoring: Health, latency, and participation of relayers are published in dashboards.
Formal Guarantees
Unforgeability: No adversary below threshold can produce a valid signature.
Transparency: Public verification key is hard-coded in contracts; any observer can validate signatures.
Accountability: Each relayer’s partial signature can be audited for correctness.