Bifrost security model

Overview

Bifrost's security model is built on multiple complementary layers, protecting both staked assets and network integrity.

1. Polkadot Shared Security

Bifrost-Polkadot and Bifrost-Kusama are parachains. Their security and resistance to reorganization are guaranteed by the relay chain.

How it works:

• Polkadot randomly assigns validators to parachains and verifies their blocks

• Parachain blocks are included in relay chain blocks, providing data availability

• Parachains do not need their own validator sets — they inherit security from Polkadot

Bifrost-Polkadot currently has 8+ collator nodes, which is more than sufficient for network availability and censorship resistance.

2. Cross-Chain Communication: XCM

All cross-chain communication within Polkadot uses XCM — a native, trustless protocol.

How XCM works:

1. Cross-chain messages enter the Egress (exit queue) of the sending chain

2. Collators of the target chain collect messages from other chains' Egress and place them in their Ingress (entry queue)

3. Messages are included in relay chain blocks and finalized, then executed by the target chain

This provides fast, secure, ordered, and cost-effective cross-chain message delivery — without external bridges.

Note: Snowbridge is used for Ethereum and L2 connections where XCM is not available. Bifrost acknowledges this infrastructure is maturing and retains SLP modules on Ethereum and Kusama as a precaution.

3. Non-Custodial + Open Source

• All staking processes are executed through decentralized on-chain contracts and runtime — no human intervention required

• No third party, including the Bifrost team, can control user funds

• All on-chain code is open source and publicly auditable

• Code has been audited by: Beosin, SlowMist, TokenInsight, Common Prefix, BlockDeep

• Since inception in 2019, Bifrost has maintained a flawless security record

See Audit Reports for all reports.

4. Secure Validator Set + Slash Protection

Validator Selection: Bifrost evaluates validators on:

• Profitability

• Self-stake ratio (leverage ratio)

• Historical credibility and slash history

• Commission rate

• Nominator slot availability

Proactive Node Switching: In the event of a slash risk, Bifrost can immediately switch to a different validator — a capability individual stakers typically lack.

vToken Vault (Insurance Pool):

• 5% of protocol revenue is automatically allocated to the vToken Vault (slash insurance pool)

• If slashing occurs, this pool compensates vToken holders for losses

• If no slashing occurs, the pool accumulates over time, increasing coverage

What happens if a slash occurs?

1. The public insurance treasury (funded by 20% of all vToken commission fees) is used first

2. If insufficient, the protocol reserve (4,000,000 BNC) is tapped

3. If both are insufficient, the vToken exchange rate is adjusted downward, socializing the loss across all vToken holders

5. Governance Security

• No Sudo key — Bifrost removed the superadmin key from day one (unlike some parachains)

• All token-related functions require Root origin, which can only be called through:

  • Root Track: ~14-day voting period

  • Whitelisted Caller Track: requires positive approval from ≥2/3 of rank-3+ fellowship members

• Even if an attacker controlled all fellowship members' keys, BNC holders could still oppose a malicious referendum

• A Whitelisted Caller proposal requires 100–50% positive votes with 50–2% of total BNC participating

This makes governance attacks practically impossible.