LlamaRisk is in communication with BotanixLabs and would like to share our preliminary findings. Further updates (and a recommendation) will be posted as more information becomes available.
Summary
LlamaRisk supports the deployment of an Aave V3 instance on the future BotanixLabs Spiderchain. Although not live yet and with a plan to slowly decentralize over time, the Spiderchain’s technical architecture proposes innovative features like full-EVM compatibility, a decentralized bridging mechanism, and forward secrecy to limit attack vectors. The protocol has received support from several DeFi protocols like Chainlink with CCIP and AvalonLabs, as well as from Bitcoin whales. If successful, the Spiderchain could become the most decentralized and liquid source of BTC on the market.
That being said, we identified some risks in the technical design. The use of BTC as a gas and reward token for its Proof-of-Stake consensus, which implies a lack of base reward for stakers, raises the question of the sustainability of its economic security. Furthermore, until the amount of staked BTC on the Spiderchain reaches a high enough share of the BTC supply, a hostile whale could bridge and obtain most of the staking share on the Spiderchain and put the security of the Spiderchain at risk.
With the Federated EVM Sidechain yet to go live, we cannot perform any qualitative assessment for now. The Spiderchain client is open-source but has not yet been audited, and no bug bounty is available. Once live and stable, a second assessment will be needed to determine safe lending parameters.
Details
Introduction
The Botanix Spiderchain is a Bitcoin L2 scaling solution that provides an EVM environment for DeFi applications. By abstracting away the traditional UTXO accounting system of Bitcoin and providing an accounting system like Ethereum, it offers full EVM compatibility through the Spiderchain node client, a fork of the reth execution client initially developed by Paradigm. All decentralized applications currently deployed on Ethereum will be deployable on the Spiderchain.
Source: Spiderchain documentation, November 17th, 2024
Federated EVM Sidechain
According to the roadmap, the Spiderchain has completed a first testnet deployment (testnet v0) and is now on track for a second permissioned testnet (testnet v1) called the Federated EVM Sidechain. This new testnet allows users to bridge their BTC over to the Spiderchain and will support multiple dApps in which users can use and exchange their bridged BTC. However, this version will only support some of the features and decentralization qualities of the final technical design.
The Federated EVM Sidechain will propose blocks using a permissioned set of 15 orchestrators with a Round-Robin Proof-of-Authority consensus. They will also form an 11/15 bridge multisig for users to deposit and withdraw BTC from the Spiderchain L2. BotanixLabs and third-party partners will operate those orchestrators; operators will be selected based on their expected uptime, security practices, and geographic locations. Staking and slashing features will be added to the Federated EVM Sidechain later. Users can run a Spiderchain node using the modified reth client but won’t be able to participate as orchestrators.
It is important to note that the Federated EVM Sidechain will act as the foundation upon which the Spiderchain mainnet will be built. The Federated EVM Sidechain is a stepping stone, and the protocol will gradually decentralize over time.
Future Protocol Overview
In its final iteration, the Spiderchain will switch from Proof-of-Authority to Proof-of-Stake. Anyone can become an orchestrator by posting a bond in BTC. Correctly behaving orchestrators will be rewarded through yield on their locked BTC, while misbehaving orchestrators will be sanctioned by having part of their stake taken away. Orchestrators will have multiple responsibilities, including:
- Managing the different FROST multisigs
- Bridging BTC to the Spiderchain (Pegging-in)
- Bridging BTC out of the Spiderchain (Pegging-out)
- Proposing blocks
Economic Security
Because the Spiderchain uses native BTC as its native currency and gas token, no base reward will be offered, and the staking yield will be solely dependent on the transaction fees. This introduces a security risk for the Spiderchain and could result in a death spiral scenario: fewer transaction fees would make staking unprofitable, resulting in fewer validators and, therefore, less security for the chain. Less security and trust could lead to less usage and, hence, fewer transaction fees. This is why other Proof-of-Stake chains commonly have a staking base reward (which implies a potentially inflationary token) to maintain a minimum level of economic security.
Another way through which the economic security of the Spiderchain could be at risk is the potential for a bad actor to gain more than 1/3 of the Spiderchain staking share. Given the relatively low share of BTC that will be bridged over to the Spiderchain initially, and for the foreseeable future, a whale could easily bridge and stake more than 1/3 of the current staking share to corrupt the chain. Although this risk is mitigated by the forward secrecy guarantee of the multisig setups, the funds of the multisig corresponding to the block with a hostile majority could still be at risk.
Bridging through FROST multisigs
Bridging to the Spiderchain will be achieved through a set of multisigs whose signers will be a random subset of orchestrators. At each block, a subgroup of orchestrators will be randomly selected to secure a new multisig. This process is verifiably random, using the current Bitcoin block hash produced by the Proof-of-Work consensus as an entropy source. Those orchestrators use the FROST (Flexible Round-Optimized Schnorr Threshold Signatures) scheme to exchange signer keys securely. The created multisig will be used to receive BTC deposits to the Spiderchain for the next block duration. Subsequent blocks will have their own multisig and set of signer keys.
Source: Botanix documentation, November 18th, 2024
After 6 Bitcoin block confirmations, orchestrators will mint the deposited amount of BTC in the Spiderchain for users to use. Notably, deposits to a given multisig will be limited in duration to the block they correspond to. This characteristic is known in cryptography as forward secrecy and, together with LIFO (Last-In-First-Out) withdrawals, guarantees that deposits from previous blocks are safe even if a hostile actor gained a 1/3 majority in the current block. However, funds deposited to the multisig in the current block would still be at risk if a hostile majority were present.
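The per-block signer selection described above, and the residual risk to the current block's multisig noted under Economic Security, can be made concrete with the following added example, which is not Botanix code. It assumes equal-weight orchestrators, a hash-ranking selection rule, a hypothetical pool of 100 orchestrators, and borrows the 11-of-15 shape from the federated bridge purely as an illustrative threshold; the block hash is constructed.

```python
import hashlib
from math import comb

# Constructed sample inputs (assumptions, not values from the Botanix design).
CONSTRUCTED_BLOCK_HASH = "00000000000000000001" + "ab" * 22   # 64 hex chars
ORCHESTRATORS = [f"orch-{i}" for i in range(100)]             # hypothetical pool


def select_committee(block_hash_hex, orchestrators, size):
    """Pick `size` signers for one block's multisig, seeded by a block hash.

    Each orchestrator is ranked by SHA-256(block_hash || id) and the lowest
    digests win. The rule is deterministic, so any observer holding the same
    hash and orchestrator list can recompute and verify the subset.
    """
    seed = bytes.fromhex(block_hash_hex)
    ranked = sorted(
        orchestrators,
        key=lambda o: hashlib.sha256(seed + o.encode()).digest(),
    )
    return ranked[:size]


def p_hostile_committee(total, hostile, size, threshold):
    """Probability that a uniformly sampled committee of `size` contains at
    least `threshold` hostile signers (hypergeometric tail)."""
    top = min(size, hostile)
    favourable = sum(
        comb(hostile, k) * comb(total - hostile, size - k)
        for k in range(threshold, top + 1)
    )
    return favourable / comb(total, size)


def risk_table(total=100, size=15, threshold=11, shares=(0.10, 0.34, 0.50, 0.67)):
    """Per-block probability of a hostile signing quorum for several
    hostile shares of the orchestrator pool."""
    return {s: p_hostile_committee(total, round(total * s), size, threshold)
            for s in shares}


if __name__ == "__main__":
    print(select_committee(CONSTRUCTED_BLOCK_HASH, ORCHESTRATORS, 15))
    for share, p in risk_table().items():
        print(f"hostile share {share:.0%}: P(quorum captured in a block) = {p:.3e}")
```

Because a new multisig is drawn every block, the per-block probability bounds only the deposits made in that block, which is the forward-secrecy property the section describes.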
Disclaimer
This review was independently prepared by LlamaRisk, a community-led non-profit decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.
The information provided should not be construed as legal, financial, tax, or professional advice.