The Calimero blockchain bridge connects Near and Calimero. It can bridge two types of assets: FTs (Fungible Tokens) and NFTs (Non-Fungible Tokens). Additionally, it can perform Cross-Shard Contract Calls (XSC), where a smart contract on one chain can call smart contracts on the opposite chain and receive callbacks. These three ways of using the Calimero blockchain bridge share some smart contracts (most importantly, the permissions contract) and all off-chain Calimero bridge components. For more information, please refer to the official documentation.
The Calimero console deploys three components separately. After installing a specific blockchain bridge, setting the correct bridging permissions becomes crucial for its successful operation. By default, the installation of any (FT/NFT/XSC) bridge denies all bridging.
All three bridges (FT, NFT, and XSC) manage permissions based on the Account ID that initiates bridging on the source side, for example the Near side for Near-to-Calimero bridging. Additionally, the XSC connector manages permissions based on the Contract ID of the smart contract that the user is trying to call on the destination side.
The bridge permissions protect Calimero shard users and organizations from malicious actors. We will list the most important security risks that we mitigate by properly setting blockchain bridge permissions:
As described above, the installation of the FT or NFT bridge denies bridging for all accounts. Permissions for asset bridging are always managed on the permissions contract on the source side, for example on Near when bridging FTs from Near to Calimero. Connectors, which are the smart contracts responsible for bridging, check every bridging request against the permissions smart contract. This ensures that bridging adheres to the established permissions. Each connector (FT, NFT, and XSC) has its own set of permissions to manage.
By default, bridging is forbidden for all accounts. If the Calimero shard admin decides to grant bridging permissions to a particular account or a specific group of accounts, the admin can add a new allow regex rule (or rules) that matches the approved accounts for asset bridging.
Let us assume that the shard admin added an allow regex rule .*\.john\.testnet for the FT connector. Now let us look at a few examples of bridging attempts:
Note here that Account IDs that do not match at least one allow regex rule can't bridge any assets, while all Account IDs that match at least one allow regex rule can bridge any asset.
Cross-shard contract calls are trickier than FT and NFT bridging. If administrators don't set those permissions correctly, a malicious actor can initiate a cross-shard contract call from the public Near side and access sensitive information on the private Calimero shard.
Because of this, we decided to implement an extra layer of protection through permissions management. We manage permissions for the XSC bridge as follows:
Let us assume that the shard admin added an allow regex rule .*\.john\.testnet for the XSC connector. The admin also added a deny rule pair (.*, .*sensitive.*) in the format (Account ID, Contract ID). Now let us look at a few examples of bridging attempts:
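The following is an added example, not code from Calimero or from the original page: a small Python model of the rule evaluation described above, run against the allow rule and deny pair from this scenario. The class and function names, the account and contract IDs, full-string regex matching, and a deny pair overriding an allow rule are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ConnectorPermissions:
    """Hypothetical model of one connector's rules (FT, NFT or XSC).

    A freshly created instance has no rules, so it denies all bridging,
    matching the default described on this page.
    """
    allow: list[str] = field(default_factory=list)              # Account ID regexes
    deny: list[tuple[str, str]] = field(default_factory=list)   # (Account ID, Contract ID), XSC only

    def can_bridge(self, account_id: str) -> bool:
        # Assumption: a rule must match the whole Account ID. With substring
        # matching, "app.john.testnet.other.testnet" would also pass.
        return any(re.fullmatch(rule, account_id) for rule in self.allow)

    def can_call(self, account_id: str, contract_id: str) -> bool:
        # XSC: the caller needs an allow match first; then any deny pair that
        # matches both the Account ID and the Contract ID blocks the call.
        if not self.can_bridge(account_id):
            return False
        return not any(
            re.fullmatch(acc, account_id) and re.fullmatch(con, contract_id)
            for acc, con in self.deny
        )


def evaluate(perms: ConnectorPermissions, attempts):
    """Return (account, contract, allowed) for each constructed attempt."""
    return [(a, c, perms.can_call(a, c)) for a, c in attempts]


# Rules taken from the scenario above.
xsc = ConnectorPermissions(
    allow=[r".*\.john\.testnet"],
    deny=[(r".*", r".*sensitive.*")],
)

# Constructed sample attempts (illustrative IDs, not from the page).
ATTEMPTS = [
    ("app.john.testnet", "counter.shard.calimero.testnet"),
    ("app.john.testnet", "sensitive-vault.shard.calimero.testnet"),
    ("alice.testnet", "counter.shard.calimero.testnet"),
    ("app.john.testnet.other.testnet", "counter.shard.calimero.testnet"),
]

if __name__ == "__main__":
    for account, contract, allowed in evaluate(xsc, ATTEMPTS):
        print(f"{account} -> {contract}: {'ALLOW' if allowed else 'DENY'}")
```

Replaying a list of expected allow and deny cases like this against a proposed rule set before applying it helps catch an unescaped dot or an overly broad .* rule.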
For a more detailed overview of the Calimero blockchain bridge permissions please refer to the official documentation.