{"id":497,"date":"2023-04-05T10:42:00","date_gmt":"2023-04-05T08:42:00","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=497"},"modified":"2025-02-17T18:00:49","modified_gmt":"2025-02-17T16:00:49","slug":"how-to-develop-secure-cross-chain-apps-on-axelar","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/how-to-develop-secure-cross-chain-apps-on-axelar\/","title":{"rendered":"How to develop secure cross-chain apps on Axelar"},"content":{"rendered":"

Communication between multiple chains has become more and more important. Although the major security responsibility and trust are on the selected bridge protocol, bad cross-chain app implementation on top of these bridges can lead to catastrophic consequences. This guide covers the main threats, mistakes, and best practices for developing secure cross-chain apps on the Axelar protocol.<\/a><\/p>\n

Axelar Architecture<\/h2>\n

We will focus mainly on the application layer and gateway, but it is good to have basic knowledge of the whole architecture.<\/p>\n

Axelar has deployed\u00a0AxelarGateway<\/code>\u00a0contracts on every chain, which acts as a middle layer between applications and Axelar network and provides communication between these layers. On the source chain, the gateway sends messages (as events) to validators and eventually burns\/locks tokens. On the destination chain, the gateway is responsible for received message validations and eventually minting\/unlocking tokens. Axelar network consensus is achieved by a set of\u00a0validators<\/a>\u00a0using delegated proof-of-stake.<\/p>\n

\n
\n
\"\"<\/picture><\/div>\n<\/div>\n<\/figure>\n

Axelar General Message Passing protocol<\/h2>\n

Axelar GMP is the fundamental feature of Axelar network, which provides developers an easy way to send tokens and call functions across supported chains. What does the message flow look like?<\/p>\n

    \n
  1. Application on the source chain calls one of these gateway functions:
    \n–\u00a0sendToken<\/code> to send only tokens,
    \n–\u00a0callContract<\/code> to execute a payload<\/code>\u00a0on the destination chain,
    \n–\u00a0callContractWithToken<\/code>\u00a0to send tokens and execute a call.<\/li>\n
  2. Gateway emits an event with all parameters.<\/li>\n
  3. Validators validate the message and notify the destination gateway.<\/li>\n
  4. The execute function is called in the app on the destination chain.<\/li>\n<\/ol>\n
    \n
    \n
    \"\"<\/picture><\/div>\n<\/div>\n<\/figure>\n

    GMP Express<\/h2>\n

    Privileged clients (protocols) can be allowed by Axelar to use the Express version of the messaging protocol. A standard message can take several minutes for the Axelar network to fully approve the message and pass it to the final destination. The express message will still go through the Axelar network, but GMP Express Service will lend any sent tokens to the destination address while approval is happening. Once the complete approval is done, tokens are paid back to the GMP Express service. This process can speed up the cross-chain transfer more than ten times. The crucial part of GMP Express is complete trust between the privileged protocol and Axelar. The privileged protocol MUST implement the logic for token returns when a standard message is received. Otherwise, the privileged protocol will receive 2x more tokens.<\/p>\n

    How to start<\/h2>\n

    Developing apps on Axelar is simple and straightforward, using Axelar GMP SDK. Just add\u00a0@axelar-network\/axelar-gmp-sdk-solidity<\/a>\u00a0dependency to your Solidity project, and you are good to go.<\/p>\n

    Application is AxelarExecutable<\/h2>\n
    @axelar-network\/axelar-gmp-sdk-solidity\/contracts\/executables\/AxelarExecutable<\/span>.sol<\/span><\/span><\/pre>\n
    Every application built on Axelar Network has to inherit from\u00a0AxelarExecutable<\/code><\/a> contract, which implements IAxelarExecutable<\/code><\/a> interface and handles received messages.<\/p>\n
    contract YourApp is AxelarExecutable {\n\n\nIAxelarGasService public immutable gasService;\n\n\nconstructor(\naddress gatewayAddress_,\naddress gasServiceAddress_,\n) AxelarExecutable(gatewayAddress_) {\nif (gatewayAddress_ == address(0)\n|| gasServiceAddress_ == address(0)\n) revert ZeroAddress();\ngasService = IAxelarGasService(gasServiceAddress_);\n}\n}<\/code><\/pre>\n
    <\/span>Receiving messages<\/h3>\n
    The following internal functions are intended to be overridden in the application to handle received messages or\/and tokens. This is also a critical part of application security. Pay maximum attention to avoid any reentrancies, logic bugs, or miscalculations.<\/p>\n
    function _execute(\n       string calldata sourceChain,\n       string calldata sourceAddress,\n       bytes calldata payload\n   ) internal virtual<\/code><\/pre>\n
    If the source chain calls\u00a0sendToken<\/code> or callContractWithToken<\/code> function on the gateway, then in the app on the destination chain\u00a0_executeWithToken<\/code> function gets called. Minting\/unlocking tokens is handled automatically by\u00a0gateway.validateContractCallAndMint<\/code>\u00a0function.<\/p>\n
    function _executeWithToken(\n       string calldata sourceChain,\n       string calldata sourceAddress,\n       bytes calldata payload,\n       string calldata tokenSymbol,\n       uint256 amount\n   ) internal virtual<\/code><\/pre>\n
    Sending messages<\/h3>\n
    For sending messages, there is\u00a0IAxelarGateway<\/code><\/a> the interface of Axelar gateway, which is used to send tokens and messages.<\/p>\n
    @axelar-network\/axelar-gmp-sdk-solidity\/contracts\/interfaces\/IAxelarGateway<\/span>.sol<\/span><\/span><\/pre>\n
    Function\u00a0sendToken<\/code> provides multichain token transfer. The destination chain is identified by string id, the destination address is also a string. Depending on the type of token (internal\/external), it gets burned\/locked on the source chain and minted\/unlocked on the destination chain.<\/p>\n
    function sendToken(\n       string calldata destinationChain,\n       string calldata destinationAddress,\n       string calldata symbol,\n       uint256 amount\n   )<\/code><\/pre>\n
    <\/span>For sending the cross-chain message (payload), use callContract<\/code> function.<\/p>\n
    function callContract(\n       string calldata destinationChain,\n       string calldata destinationContractAddress,\n       bytes calldata payload\n   )<\/code><\/pre>\n
    <\/span>And if you need to send both (message and tokens), there is a callContract<code class="er lu lv lw lx b">WithToken<\/code><\/code> function.<\/p>\n
    function callContractWithToken(\n       string calldata destinationChain,\n       string calldata destinationContractAddress,\n       bytes calldata payload,\n       string calldata symbol,\n       uint256 amount\n   )<\/code><\/pre>\n
    <\/span>How to pay gas on Axelar?<\/h3>\n
    There are two ways to pay gas for cross-chain calls. The preferred one is AxelarGasService<\/code><\/a>\u00a0 contract, which works as a prepay on the source chain for transactions on the destination chain.<\/p>\n
      \n
    1. Using\u00a0AxelarJS SDK<\/a> call estimateGasFee<\/code><\/a> function on the destination chain to calculate the gas fee.<\/li>\n
    2. Pass the calculated gas fee as\u00a0msg.value<\/code> from the smart contract to AxelarGasService<\/code><\/a> contract on the source chain using one of these functions:
      \n– payGasForContractCall<\/code>
      \n– payGasForContractCallWithToke<\/code>
      \n– payNativeGasForContractCall<\/code>
      \n– payNativeGasForContractCallWithToken<\/code>The user\/app on the destination chain can also pay gas fees manually. For detailed information about paying gas fees, see this article in Axelar       documentation<\/a>.<\/li>\n<\/ol>\n
      Example of an Axelar cross-chain app<\/h2>\n
      We\u2019ve prepared a sample cross-chain app for sending messages and tokens through the Axelar network\u00a0here on GitHub<\/a>. The project also includes\u00a0Wake<\/a>\u00a0tests.<\/p>\n
      Upgradability<\/h3>\n
      For upgradable contracts, it\u2019s recommended to inherit from Axelar\u2019s Upgradable<\/code> contract, which implements IUpgradable<\/code> interface.<\/p>\n
      @axelar-network\/axelar-gmp-sdk-solidity\/contracts\/upgradables\/Upgradable<\/span>.sol<\/span><\/span><\/pre>\n
      Then define a unique contractId<\/code>\u00a0constant, which needs to stay the same across the contract versions. ThecontractId<\/code>\u00a0is a hash of app\/component name e.g. keccak256("your-app")<\/code>. During every upgrade, theUpgradable<\/code> implementation logic checks if the contractId<\/code> of the new implementation matches thcontractId<\/code> of the Proxy. If not, the upgrade fails.<\/p>\n
      We implemented a\u00a0detector<\/a>\u00a0for\u00a0Wake static analyzer<\/a>, which checkscontractId<\/code>\u00a0constant. It warns if a proxy for implementation is missing or if more than one proxy contract with the samecontractId<\/code>\u00a0exists.<\/p>\n
      Things to be aware of<\/h3>\n
      Besides the awareness of common vulnerabilities of Solidity\/EVM, cross-chain app development brings more topics to be cautious about. Let\u2019s dive deeper into the six most important ones.<\/p>\n
      Inherit from AxelarExecutable<\/h3>\n
      AxelarExecutable<\/code> contract contains important checks against the Axelar Gateway to validate contract calls. Bypassing these checks (e.g. implementing IAxelarExecutable<\/code> interface directly) could lead to critical vulnerabilities. Since the execute function is not protected by any modifier, everyone would be able to call it with any payload and execute any function on the destination chain.<\/p>\n
      So, ensure that your execute function validates the calls using this gateway function <code class="er lu lv lw lx b">validateContractCall<\/code><\/code>\u00a0, which checks that Axelar validators confirmed the message\u2019s source and payload are valid.<\/p>\n
      if (!gateway.validateContractCall(commandId, sourceChain, sourceAddress, payloadHash))\n            revert NotApprovedByGateway();<\/code><\/pre>\n
      <\/span>A similar approach applies to executeWithToken<\/code> function, but using validateContractCallAndMint<\/code>.<\/p>\n
       if (!gateway.validateContractCallAndMint(\n                commandId,\n                sourceChain,\n                sourceAddress,\n                payloadHash,\n                tokenSymbol,\n                amount\n            )\n        ) revert NotApprovedByGateway();<\/code><\/pre>\n
      Axelar components\u2019 addresses<\/h3>\n
      Axelar gateway is a fundamental part of the protocol security, so it\u2019s very important to double-check the gateway address passed to the app during the deployment. A malicious gateway would be able to manipulate message checks. This is also important from the user\u2019s perspective. Always check that the application uses the\u00a0official Axelar gateway and Gas Service addresses<\/a>.<\/p>\n
      Also, the application should not contain a gateway address setter. This would decrease the trust in the application. If the owner can control the gateway address, he also would be able to manipulate cross-chain messages in many ways.<\/p>\n
      Destination chain and address validations<\/h3>\n
      Before sending the message to another chain, do data validations of\u00a0destinationChain<\/code>\u00a0and destinationAddress<\/code>. Sending tokens to a non-existent chain or address means a loss of funds.<\/p>\n
      Validate the source address on the destination chain<\/h3>\n
      It is important to avoid receiving messages from any source address. For this purpose, deploying the app to the same address on multiple chains is a good practice. Axelar provides for this purpose utils\u00a0ConstAddressDeployer<\/code><\/a> and Create3Deployer<\/code>. Then, you can simply validate the source address in your _execute<\/code> and _executeWithToken<\/code> functions using this condition.<\/p>\n
      if (sourceAddress.toAddress() != address(this)) revert InvalidSourceAddress()\n<\/code><\/pre>\n
      Express GMP data validations<\/h3>\n
      If you decide to use ExpressExecutable<\/code><\/a> contract, be extra careful of the receiving messages data validations. Functions execute<\/code> and executeWithToken<\/code> are external and aren\u2019t protected by any modifier, so anyone can call them and potentially exploit the contract in many ways using malicious payload. Message validations using the Axelar gateway are also missing in the ExpressExecutable<\/code><\/a>. Keep this in mind and implement robust data validations here.<\/p>\n
      NFT doubling<\/h3>\n
      When implementing NFT cross-chain transfers, ensure the user\u2019s NFT is properly locked in the contract and the user cannot own it on both chains simultaneously.<\/p>\n
      Static analysis, unit testing, and fuzzing<\/h3>\n
      Contract development doesn\u2019t end with programming itself. Quality assurance has to be your top priority when protocols operate with users\u2019 funds or other valuables. There steps that development teams can and should perform internally before assigning a\u00a0security audit<\/a>.<\/p>\n
      Static analysis<\/h3>\n
      Detecting possible vulnerabilities during the development using classic static analysis tools like Slither, MythX, Mythrill\u2026 can be helpful and also painful because of many false positive findings. Our\u00a0Wake static analyzer<\/a>\u00a0goes deeper into this rabbit hole. Our target is to minimize false positive detections and achieve high precision while we accept a lower recall. Check out\u00a0Tools For Solidity<\/a>\u00a0extension that shows the static analysis results directly in VSCode.<\/p>\n
      Unit testing Axelar<\/h2>\n
      It is very important to test the application properly. Unit tests are useful for testing all use cases, and high test coverage is essential for basic security.<\/p>\n
      Since apps on Axelar operate on multiple chains, it brings additional complexity to the system, and cross-chain testing definitely should be part of a development pipeline. We recommend our easy-to-use testing framework Woke, for this purpose. It provides a complete set of tools for\u00a0cross-chain testing<\/a>\u00a0and even\u00a0fuzzing<\/a>. See the\u00a0documentation<\/a>\u00a0for more information. Also, don\u2019t miss the article\u00a0Testing Axelar contracts using open-source tools<\/a>.<\/p>\n
      Unit and fuzz\u00a0test coverage<\/a>\u00a0is also calculated by\u00a0Wake<\/a>\u00a0and is displayed in the\u00a0Tools For Solidity<\/a>\u00a0extension as well. In the case of fuzzing, the coverage is calculated realtime.<\/p>\n
      \n
      \n
      \"\"<\/picture><\/div>\n<\/div>\n<\/figure>\n
      Fuzzing Axelar<\/h2>\n
      Fuzzing is a technique for testing software that involves providing invalid, unexpected, or random data as inputs to a computer program. Learn more about Ackee Blockchain<\/a>‘s fuzzing tools and methods here<\/a>.<\/p>\n
      Unit tests mostly cover the system\u2019s intended behavior and strictly defined use cases. On the other hand, fuzz tests can test a wide range of unpredictable, random scenarios and discover even hidden vulnerabilities like inconsistent calculations.<\/p>\n
      Summary<\/h2>\n
      Axelar provides developers with a powerful platform and tools to develop cross-chain applications. Axelar cross-chain applications inherit the bridge\u2019s security, but it doesn\u2019t mean the applications are safe. There are still potential pitfalls during the implementation of the app logic.<\/p>\n
      Even if the bridge is bulletproof, it doesn\u2019t mean that the application is too, and that the user funds are safe. Always do intense internal testing and independent external security audits<\/a>\u00a0to achieve high-security standards and one of the most important things in Web3 \u2014 community trust.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Communication between multiple chains has become more and more important. Although the major security responsibility and trust are on the selected bridge protocol, bad cross-chain app implementation on top of these bridges can lead to catastrophic consequences. This guide covers the main threats, mistakes, and best practices for developing secure cross-chain apps on the Axelar protocol. Axelar Architecture We will focus mainly…<\/p>\n","protected":false},"author":17,"featured_media":499,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61,10,80,63,103],"tags":[72,90,71,24,88,68,102,104],"class_list":["post-497","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education","category-ethereum","category-solidity","category-tutorial","category-wake","tag-axelar","tag-cross-chain","tag-dapps","tag-ethereum","tag-how-to","tag-solidity","tag-tutorial","tag-wake"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/04\/1_-9a6-SAyaWE_sVaSx1LJng-600x400.webp","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/04\/1_-9a6-SAyaWE_sVaSx1LJng-600x600.webp","author_info":{"display_name":"Stepan Sonsky","author_link":"https:\/\/ackee.xyz\/blog\/author\/stepan\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=497"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/497\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/499"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}