Bridge and cross-chain security
Understand where DALP controls end in bridge, wrapper, redemption, and XvP designs, and which external-route evidence an operator must own before production.
DALP owns the local asset workflow on configured EVM networks. A bridge, wrapper, exchange route, redemption path, or external-chain leg is a separate route with its own risk owner, evidence pack, and incident process.
Use this page to decide whether a design is single-chain DALP issuance, XvP coordination, or an external bridge/wrapper pattern. DALP can enforce local token permissions, compliance, signing, settlement, indexing, and transaction records. It does not provide a proprietary bridge, validator set, message relay, liquidity network, or proof that an external representation is fully backed.
The practical review question is simple: which system controls the value movement? If DALP controls the local EVM asset, use DALP's local controls and event records as evidence. If another route moves or represents value outside DALP, the route owner must supply the bridge, wrapper, reserve, redemption, liquidity, finality, and incident-response evidence.
System context
Position
| Area | DALP position |
|---|---|
| Bridge operation | DALP does not provide a proprietary bridge protocol, bridge validator set, or lock-and-mint network. |
| Network support | DALP works with EVM-compatible networks configured for the deployment. Each network has its own chain ID, RPC configuration, contract addresses, and indexing state. |
| Cross-chain settlement | DALP can coordinate XvP settlement workflows that use hashlock coordination. Local legs execute on the current chain; external legs are coordinated, not bridged. |
| Route selection | The issuer, operator, or integrating party chooses the bridge, native network path, exchange route, or redemption path under its risk policy. |
| External-chain risk | DALP can make the split explicit and enforce local asset controls. It cannot make an external bridge, relay, exchange, or chain safe. |
What DALP provides
DALP provides the asset lifecycle, compliance, custody-routing, transaction execution, and indexing layers for configured EVM networks.
For cross-chain scenarios, DALP provides the parts it can verify and execute on the configured EVM network:
- Network configuration for each enabled EVM chain: chain ID, RPC endpoints, contract addresses, finality settings, and monitoring context.
- Per-chain asset controls through SMART Protocol contracts, identity-based compliance, role-based administration, and custody-provider signing policy.
- XvP settlement coordination for workflows that need local atomic execution and optional hashlock coordination with external-chain legs.
- Operational visibility into DALP-managed transactions, chain indexing, transaction status, and configured network health.
- API and event surfaces that external systems can use for reconciliation, redemption, distribution, and operator review.
What DALP does not provide
DALP does not provide:
- A proprietary bridge protocol.
- A bridge validator, sequencer, oracle, or message-relay network.
- A lock-and-mint contract set that mints wrapped assets on another chain.
- A liquidity network, market maker, exchange, or routing service.
- A guarantee that an external chain, bridge, exchange, custodian, or liquidity venue will execute correctly.
- Legal, insolvency, reserve, or redemption guarantees for assets moved or represented outside the DALP-controlled contracts.
These exclusions are intentional. Bridge security depends on the selected network, bridge design, validator set, message verification model, admin controls, liquidity venue, and operating process. Those decisions belong in the deployment's risk assessment.
Direct answers for bridge architecture reviews
DALP does not use a proprietary burn-and-mint or lock-and-mint bridge model. DALP issues and operates assets on configured EVM networks. If a deployment uses a burn-and-mint route, a lock-and-mint wrapper, an exchange route, or a redemption process, that route is selected and controlled outside the DALP local asset contract.
DALP's cross-chain mechanism is XvP coordination, not bridge execution. A settlement can contain a local DALP leg and an external leg. The local leg uses DALP contracts, local approvals, escrowed ERC-20 transfers, and an optional hashlock gate. The external leg records the external chain and asset data needed for review, but DALP does not mint wrapped supply, release bridged reserves, or operate the external chain transaction.
The deployment boundary is the control point. DALP can show the configured EVM network, local token contracts, local transaction state, local finality policy, and XvP settlement state. DALP cannot prove the security of an external bridge validator set, wrapper admin key, reserve account, liquidity venue, or destination-chain compliance model. If the operating model requires supply parity across chains, reconcile DALP local token supply against the external wrapper, reserve, burn, redemption, and custody records owned by that route.
For the supported network boundary, start with Supported networks. For conditional settlement, use the XvP settlement flow.
Pattern selection
Choose the pattern from the control you need, not from the number of chains in the diagram. A bridge moves or represents value across domains. XvP coordinates settlement conditions. An external-token record lets DALP observe or reconcile a token that DALP does not control.
| Pattern | When it fits | What DALP covers | What stays outside DALP |
|---|---|---|---|
| Single-chain issuance and transfer | Asset issuance, servicing, and holder transfers stay on one configured EVM network. | Token lifecycle, compliance checks, custody-routed signing, indexing, and transaction status. | Chain consensus, RPC provider behaviour, and custody-provider control-plane decisions. |
| Native network bridge | The selected L1 or L2 provides an official deposit, withdrawal, or canonical bridge path. | The DALP-side token, compliance, and transaction workflow on the configured network. | Native bridge contracts, proof system, challenge period, sequencer behaviour, and withdrawal finality. |
| Third-party bridge | An external bridge or liquidity network moves value or messages between chains. | DALP integration points, local asset controls, and reconciliation data for the DALP-managed network. | Bridge validator set, relayers, message verification, liquidity depth, routing, fees, and incident response. |
| Wrapped asset model | A representation of an asset exists on another chain through lock-and-mint or custodial issuance. | The original DALP-managed asset lifecycle when the source asset is inside DALP. | Wrapper contract security, mint/burn authority, reserves, redemption process, and destination-chain controls. |
| Exchange or distribution route | An exchange, broker, custodian, or treasury process distributes exposure outside the DALP workflow. | Asset records, holder events, transaction records, and API data needed for reconciliation. | Exchange custody, off-chain matching, settlement timing, fees, liquidity, sanctions screening, and disputes. |
| XvP hashlock coordination | Two or more parties need coordinated exchange across local and external-chain legs. | Local settlement contract, local approvals, local atomic execution, hashlock reveal gate. | Matching external HTLC or settlement workflow, external token movement, timelock design, and chain finality. |
| Redemption path | A holder exits on one chain and receives value through off-chain payment, reserve release, or reissue. | DALP-side burn, transfer, role, compliance, and event records when configured in the asset workflow. | Payment rail, reserve account, off-chain ledger, external issuance, operational approvals, and legal process. |
Bridge, XvP, or external token
This decision belongs before solution design because each option places compliance and operational risk in a different system.
Start from Supported networks for the EVM operating boundary. Use the XvP settlement flow when the requirement is conditional settlement instead of token movement through a bridge.
| Design choice | Use it when | Compliance implication | Verification before production |
|---|---|---|---|
| Keep the asset on one chain | The regulated asset, holders, and settlement process can stay on one configured EVM network. | DALP-managed token contracts can enforce the configured identity, role, transfer, and compliance rules on that network. | Confirm the network, custody policy, finality settings, issuer roles, and holder verification rules in the supported-network setup. |
| Use XvP coordination | A DALP-side token leg must settle conditionally against another leg. | DALP enforces only the local leg. External-flow fields record the external chain, asset, amount, and decimals for review. | Confirm at least one local flow, the secret or 32-byte hashlock for external flows, timelock ordering, and each leg's finality rule. |
| Use an external bridge | Value or messages must move through a bridge, liquidity network, canonical withdrawal path, or wrapper. | The bridged or wrapped asset may no longer carry DALP's local compliance rules unless the destination asset has its own controls. | Review bridge contracts, validator or relay security, admin keys, liquidity, withdrawal timing, replay controls, and incident response. |
| Track an external token | An institution needs visibility or reconciliation for a token that exists outside DALP-managed contracts. | DALP can use records and integration data for review, but DALP does not impose compliance rules on that external token contract. | Confirm who owns the external token contract, which system is authoritative, and how DALP events reconcile to external records. |
The conservative default for regulated assets is single-chain DALP issuance unless the business process needs a separate external leg. Use XvP when the problem is conditional settlement. Use a bridge only when the business accepts the bridge or wrapper risk outside DALP's control scope.
Where the token and compliance controls live
A cross-chain design must name the chain where the regulated token contract lives. DALP applies identity, role, transfer, signing, and compliance controls to DALP-managed contracts on the configured EVM network. If a token is represented on another chain through a bridge, wrapper, exchange route, or custodial process, that external representation needs its own issuer authority, holder controls, reserve accounting, and incident process.
| Question | DALP answer |
|---|---|
| Where do you issue the regulated token? | Issue the token on the configured EVM network where DALP deploys and operates the asset contracts. |
| Where do DALP compliance rules execute? | DALP compliance rules execute on the DALP-managed token contract for that network. External-chain representations do not inherit those rules. |
| Can the same DALP token move natively? | No. DALP does not make one token contract native to multiple chains. Each configured EVM network has its own chain ID, contracts, and index state. |
| Can DALP coordinate an external leg? | Yes, when the workflow uses XvP settlement with at least one local flow and an external flow recorded for reconciliation. |
| Who validates the external bridge or wrap? | The issuer, operator, bridge provider, custodian, or integrating system that owns that external route. |
For stablecoin-style assets, use this page to separate the DALP-managed source asset from any external representation. DALP can help enforce local mint, burn, transfer, compliance, signing, transaction, and event records. DALP does not prove that a wrapped or bridged representation is fully backed. The selected bridge or redemption design must prove burn-before-mint behavior, reserve coverage, supply reconciliation, and incident handling.
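The supply reconciliation described above can be run as a per-message check. The following is an added example, not DALP code or the code of any bridge: the `Record` fields, message identifiers, and sample values are constructed, and it assumes each external mint carries the identifier of the source-side burn or lock it claims to represent.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:                 # hypothetical record shape for both sides
    message_id: str           # identifier linking a source debit to an external mint
    amount: int               # base units on the record's own chain
    decimals: int             # asset decimals on that chain
    finalized_at: int         # unix time the record met that leg's finality rule


def reconcile(source_debits: List[Record], external_mints: List[Record]) -> Dict[str, List[str]]:
    """Compare source-side burn/lock records with external mint records."""
    findings: Dict[str, List[str]] = {
        "unbacked_mint": [], "replayed_message": [], "amount_mismatch": [],
        "mint_before_debit": [], "unminted_debit": [],
    }
    debits = {r.message_id: r for r in source_debits}
    seen = Counter(m.message_id for m in external_mints)
    # The same message minted more than once is a replay on the external route.
    findings["replayed_message"] = sorted(mid for mid, n in seen.items() if n > 1)
    for m in external_mints:
        d = debits.get(m.message_id)
        if d is None:
            findings["unbacked_mint"].append(m.message_id)
            continue
        # Cross-multiply so chains with different decimals compare exactly.
        if d.amount * 10 ** m.decimals != m.amount * 10 ** d.decimals:
            findings["amount_mismatch"].append(m.message_id)
        # Burn-before-mint: the mint must not finalize before its debit.
        if m.finalized_at < d.finalized_at:
            findings["mint_before_debit"].append(m.message_id)
    # Debits with no mint are value in flight or a stuck message.
    findings["unminted_debit"] = sorted(set(debits) - set(seen))
    return findings


def external_supply_excess(source_debits: List[Record], external_mints: List[Record]) -> int:
    """Minted minus debited, in the finest unit present; above zero means excess supply."""
    common = max((r.decimals for r in source_debits + external_mints), default=0)
    total = lambda rs: sum(r.amount * 10 ** (common - r.decimals) for r in rs)
    return total(external_mints) - total(source_debits)


# Constructed sample data: source asset with 6 decimals, external wrapper with 18.
U6, U18 = 10 ** 6, 10 ** 18
SOURCE_DEBITS = [
    Record("m1", 100 * U6, 6, 1000), Record("m2", 50 * U6, 6, 1100),
    Record("m3", 25 * U6, 6, 1200), Record("m4", 10 * U6, 6, 1300),
    Record("m5", 5 * U6, 6, 1400),
]
EXTERNAL_MINTS = [
    Record("m1", 100 * U18, 18, 1050),
    Record("m2", 50 * U18, 18, 1150), Record("m2", 50 * U18, 18, 1160),
    Record("m3", 26 * U18, 18, 1250),
    Record("m9", 5 * U18, 18, 1260),
    Record("m4", 10 * U18, 18, 1290),
]

if __name__ == "__main__":
    for kind, ids in reconcile(SOURCE_DEBITS, EXTERNAL_MINTS).items():
        print(f"{kind}: {ids}")
    print("excess:", external_supply_excess(SOURCE_DEBITS, EXTERNAL_MINTS))
```

The source-side list would come from DALP's local burn, transfer, or settlement events; the mint list has to come from the external route owner's records.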
Cross-chain settlement split
XvP settlement can coordinate cross-chain workflows without turning separate chains into one transaction. Every XvP settlement still needs at least one local DALP flow. External flows add coordination data for another chain; they do not let DALP execute that external leg.
The practical control answer is simple: DALP does not hide bridge exposure behind a generic "cross-chain" label. A settlement leg is either local to the configured DALP network or recorded as external. Local legs use DALP contracts, local approvals, escrowed ERC-20 transfers, and the configured network's finality policy. External legs carry the external chain and asset information needed for review, but the bridge, HTLC, exchange, or redemption process remains an integration and operating-risk decision outside the local DALP contract.
The local DALP settlement can require approvals, enforce local token transfers atomically, and wait for the correct hashlock secret. It does not execute the external leg. The party operating the external leg must lock, release, bridge, redeem, or distribute value through the selected external process.
Settlement creation checks
When an operator or API client creates an XvP settlement, DALP validates the local/external split before queueing the transaction:
- At least one flow must be local to the configured DALP network.
- Local-only settlements can be created without a hashlock.
- Any settlement with an external flow must include either the raw secret or a 32-byte hashlock.
- External flows record the external chain ID and asset decimals so the operator can reconcile the other leg with the chosen bridge, HTLC, exchange, or redemption route.
- Settlement factories with identity registration also require the settlement country code.
The settlement contract then enforces the on-chain execution rules: an external flow cannot target the same chain ID as the local execution chain, and local execution only proceeds after required local approvals are in place. For external-flow settlements, the correct hashlock secret must also be revealed.
These checks make the DALP side explicit. They do not validate the external-chain contract, bridge route, reserve account, or liquidity venue.
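A client can apply the same local/external split checks before it submits a request. This is an added example, not DALP's own validation code or API schema: the `Flow` and `SettlementRequest` fields, chain IDs, and asset names are hypothetical, and it also accepts a hex-encoded hashlock because a 64-character hex string is a common way to mis-size a 32-byte value.

```python
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class Flow:                                   # hypothetical request shape
    asset: str
    amount: int
    external: bool = False
    external_chain_id: Optional[int] = None   # recorded for external flows
    asset_decimals: Optional[int] = None      # recorded for external flows


@dataclass(frozen=True)
class SettlementRequest:                      # hypothetical request shape
    local_chain_id: int
    flows: List[Flow]
    secret: Optional[bytes] = None
    hashlock: Union[bytes, str, None] = None
    identity_registration: bool = False
    country_code: Optional[str] = None


def hashlock_problem(value) -> Optional[str]:
    """Return None when value is exactly 32 bytes (raw or hex), else the reason."""
    if isinstance(value, str):
        text = value[2:] if value.lower().startswith("0x") else value
        try:
            value = bytes.fromhex(text)
        except ValueError:
            return "hashlock is not valid hex"
    if not isinstance(value, (bytes, bytearray)):
        return "hashlock must be bytes or a hex string"
    if len(value) != 32:
        return f"hashlock is {len(value)} bytes, expected 32"
    return None


def validate(req: SettlementRequest) -> List[str]:
    """Collect every violation of the creation checks listed above."""
    errors: List[str] = []
    has_external = any(f.external for f in req.flows)
    if not any(not f.external for f in req.flows):
        errors.append("no local flow: at least one flow must be local")
    if has_external:
        if req.hashlock is not None:
            problem = hashlock_problem(req.hashlock)
            if problem:
                errors.append(problem)
        elif not req.secret:
            errors.append("external flow needs a secret or a 32-byte hashlock")
    for i, f in enumerate(req.flows):
        if not f.external:
            continue
        if f.external_chain_id is None:
            errors.append(f"flow {i}: external chain ID missing")
        elif f.external_chain_id == req.local_chain_id:
            errors.append(f"flow {i}: external chain ID equals local chain ID")
        if f.asset_decimals is None:
            errors.append(f"flow {i}: external asset decimals missing")
    if req.identity_registration and not req.country_code:
        errors.append("identity registration requires a settlement country code")
    return errors


# Constructed sample requests.
LOCAL_ONLY = SettlementRequest(1, [Flow("BOND", 10), Flow("CASH", 1000)])
CROSS_OK = SettlementRequest(
    1, [Flow("BOND", 10), Flow("EXT-CASH", 1000, True, 137, 6)],
    hashlock="0x" + "ab" * 32)
SHORT_LOCK = SettlementRequest(
    1, [Flow("BOND", 10), Flow("EXT-CASH", 1000, True, 137, 6)],
    hashlock=bytes(31))
ALL_EXTERNAL = SettlementRequest(1, [Flow("EXT-CASH", 1000, True, 1, None)])

if __name__ == "__main__":
    for name in ("LOCAL_ONLY", "CROSS_OK", "SHORT_LOCK", "ALL_EXTERNAL"):
        print(name, validate(globals()[name]))
```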
Who owns what
| Control or decision | DALP platform | Issuer or operator | Bridge or external network | Custody provider | Notes |
|---|---|---|---|---|---|
| EVM network enablement | Accountable | Consulted | Responsible for chain | Consulted | DALP needs chain ID, RPC, contracts, and finality configuration for each enabled network. |
| Asset compliance configuration | Accountable | Accountable | Not involved | Consulted | Compliance rules apply to DALP-managed token contracts on the configured network. |
| Bridge or liquidity provider selection | Not provided | Accountable | Accountable | Consulted | Selection must be governed by the deployment's risk policy and approval process. |
| Bridge validator or relay security | Not owned | Accountable | Accountable | Not involved | DALP cannot attest to a third-party validator set, multisig, oracle, or relay network. |
| Wrapped asset mint, burn, and reserve model | Not owned | Accountable | Accountable | Consulted | Wrapper authority and reserve controls must be reviewed outside the DALP token contract. |
| Local XvP settlement execution | Accountable | Accountable | Not involved | Responsible | DALP executes local flows atomically after local approvals and hashlock conditions are met. |
| External-chain HTLC or settlement execution | Not owned | Accountable | Accountable | Consulted | External contracts, timelocks, and finality rules are selected and operated outside DALP. |
| Redemption and off-chain payment | Integration | Accountable | Optional | Optional | DALP can expose records and workflow actions; the payment or reserve process is external. |
| Incident response for bridge failure | Supports data | Accountable | Accountable | Consulted | DALP can help isolate DALP-side activity, but bridge remediation belongs to the bridge path. |
Risk register
| Risk | Why it matters | What DALP covers | Required operating control |
|---|---|---|---|
| Validator or bridge quorum compromise | A compromised bridge signer or validator set can release assets or messages incorrectly. | DALP does not run the bridge quorum. Local DALP contracts still enforce their own roles and rules. | Review validator model, quorum design, upgrade authority, insurance position, and emergency controls. |
| Trusted-root or admin compromise | A bridge admin, proxy owner, or trusted root can change verification logic or recovery authority. | DALP owns DALP contract roles; external admin keys stay outside DALP. | Require admin-key inventory, multisig or custody policy, change control, and recovery procedure. |
| Oracle or message-relay failure | Cross-chain messages can be delayed, censored, replayed, or falsely accepted by an external protocol. | DALP does not verify external bridge messages unless a selected integration is built for that path. | Define message finality, replay protection, failure handling, and manual halt criteria. |
| Liquidity shortfall or routing failure | Liquidity networks and exchanges can fail to fill, delay settlement, or route through unexpected paths. | DALP records DALP-side asset events; external liquidity execution is outside the platform. | Approve liquidity venues, limits, slippage policy, reconciliation cadence, and exception handling. |
| Wrapped asset reserve mismatch | A wrapped token can diverge from backing reserves or redemption capacity. | DALP does not guarantee the backing of third-party wrapped assets. | Reconcile mint, burn, reserve, and redemption records; assign reserve attestation ownership. |
| Replay or reorg risk | Chains differ in finality and can reorganize blocks or replay transactions across domains. | DALP uses configured finality and transaction tracking for each EVM network it operates. | Set confirmation depth, finality tags, chain-specific replay controls, and operational wait periods. |
| Timelock mismatch in HTLC workflows | Incorrect expiry ordering can let one side claim while the other side times out. | DALP enforces the local settlement expiration; external timelocks are outside the local contract. | Design staggered timelocks, pre-approve cutoffs, and rehearse expiry handling before production settlement. |
| Operational monitoring gap | Operators can miss bridge pauses, chain stalls, stuck withdrawals, or delayed external finality. | DALP monitors configured network and DALP transaction state, not every external bridge condition. | Monitor bridge status, chain health, liquidity venue status, custody approvals, and reconciliation breaks. |
Security assessment requirement
For bank security reviews, the direct answer is that DALP does not certify, audit, or operate a bridge protocol. Any selected bridge, relay, wrapper, exchange route, or cross-chain messaging protocol needs its own security assessment before production.
DALP's mechanism is local enforcement. DALP enforces EVM-network asset controls, custody routing, role checks, transaction approval, XvP state, configured-network finality data, and DALP-side event records for the DALP deployment. These controls still apply to the DALP-managed token contract when a business process also uses an external bridge. They do not secure the bridge validator set, bridge message-verification contract, wrapped-token contract, destination-chain compliance model, reserve account, liquidity venue, or off-chain redemption process.
The deployment evidence sits with the route owner. The route owner must hold the bridge audit pack, route approval, change notification, and incident-response evidence. Independent bridge-contract audit evidence is mandatory before production, before a new bridge route or material contract version is used, and after security-relevant upgrades. After go-live, the recurring audit cadence follows the bank's vendor-risk, technology-risk, or third-party-risk policy. If that policy requires annual review, the bridge route must be reviewed annually; if it requires event-driven reassessment after upgrades or incidents, those reassessments are also required before continued use.
Before a new bridge route, wrapper contract, relay, or material contract version is integrated, the route owner must notify the bank through the agreed change-control process. The notification should identify the route, bridge or wrapper contracts, affected networks, audit status, upgrade authority, finality assumptions, incident-response owner, and planned activation date.
Package the DALP route decision with the selected route's audit reports, approval record, and change notification evidence. The DALP side of the pack should point reviewers to this bridge and cross-chain position, the selected network configuration, and local asset controls. If the design uses an XvP leg, include the DALP settlement evidence for that local leg. The external route owner supplies the bridge, wrapper, relay, reserve, redemption, or liquidity evidence that DALP does not operate.
The external route assessment should cover:
- Independent smart contract audit reports for the bridge, wrapper, relay, and upgrade contracts that the deployment depends on.
- Validator, relayer, oracle, signer, and administrator key models, including quorum rules and emergency authority.
- Signature verification, message-domain separation, replay protection, nonce handling, trusted-root updates, and chain-finality assumptions.
- Upgrade controls, timelocks, pause controls, incident-response procedures, and bank notification paths before a new route or contract version is used.
- Compliance ownership on the destination route: whether the destination representation has its own identity, transfer, sanctions, holder-eligibility, and freeze controls, or whether those controls remain only on the DALP-managed source asset.
- Reserve, mint, burn, wrapper, redemption, and reconciliation evidence when the external route represents value on another chain.
DALP can provide local asset events, local transaction status, configured-network finality data, and XvP state for reconciliation. The external route owner must provide the external control evidence.
Exploit scenarios and DALP controls
Bridge exploit reviews should separate local DALP controls from external bridge controls. DALP can prevent unauthorized local asset actions inside the configured EVM deployment. It cannot prevent a third-party bridge, wrapped asset contract, relay network, or external chain from accepting an invalid message or releasing external value incorrectly.
| Exploit pattern | Where the failure sits | DALP-side answer | Required external control |
|---|---|---|---|
| Validator key compromise, as seen in the Ronin bridge exploit | Bridge signer or validator quorum | DALP custody routing, wallet verification, role checks, and transaction approval protect DALP-managed local transactions. They do not control an external bridge validator set. | Independent review of the bridge quorum, key custody, signer policy, emergency pause, and incident response path. |
| Signature verification bypass, as seen in the Wormhole bridge exploit | Bridge message verification contract | DALP local contracts still enforce local roles and compliance rules before DALP-managed mint, burn, transfer, or settlement actions. DALP does not validate external bridge proofs unless a selected integration explicitly implements that verification. | Bridge contract audit, proof-verification testing, upgrade control, replay tests, and monitoring for invalid messages. |
| Trusted-root or admin reset, as seen in the Nomad bridge exploit | Bridge upgrade, trusted root, or admin control | DALP can keep the DALP-managed asset contract separate from the bridge wrapper and expose local transaction records for reconciliation. It does not make an external trusted root safe. | Change control for bridge admin keys, time-delayed upgrades, independent audit before upgrades, and a halt procedure before new bridge routes go live. |
For regulated stablecoin or reserve-backed designs, keep the reserve and supply invariant outside bridge assumptions. If value must exist on more than one chain, the institution needs a written model for whether each representation is native issuance, burn-and-mint, lock-and-mint, wrapped exposure, exchange inventory, or redemption and reissue. DALP does not supply a native bridge model or reserve-attestation system for those external representations.
During an active bridge incident
An exploit-class review should start by classifying which system accepted the bad state. DALP can help isolate DALP-managed token activity and settlement records on the configured EVM network. The external route owner must prove what happened in the bridge, wrapper, relay, destination chain, reserve account, exchange, or redemption process.
| Incident question | DALP-side evidence | Evidence the external route owner must provide |
|---|---|---|
| Did unauthorized DALP-side mint, burn, transfer, or settlement execution occur? | DALP token events, role-gated action records, transaction status, local settlement state, and configured-network finality data. | Not applicable unless the external route also triggered a DALP-side action. |
| Did an external bridge accept an invalid message, replay, proof, or signer approval? | DALP can show whether any corresponding local transaction was requested, approved, executed, cancelled, or expired. | Bridge contract events, message identifiers, nonce or domain-separation evidence, signer approvals, proof-verification logs, and pause or halt actions. |
| Did a wrapped representation exceed backing or redemption capacity? | DALP local supply, burn, transfer, and holder event records for DALP-managed contracts. | Wrapper mint and burn records, locked reserve balances, redemption queue, custody approvals, reserve attestations, and reconciliation exceptions. |
| Did an XvP or HTLC flow leave one side exposed? | Local approval state, local expiry, secret reveal state, cancellation state, and withdraw-after-expiry records for the DALP settlement. | External HTLC state, external timelocks, external finality, bridge or payment confirmation, and the operator action log for the other leg. |
Do not treat a clean DALP local ledger as proof that the external route is safe. It proves only the DALP-managed side of the workflow. The production evidence pack needs both sides before the route returns to service.
Review checklist
Before a deployment depends on a bridge, external liquidity network, wrapped asset, or redemption path, confirm:
- The deployment remains on a DALP-supported EVM network.
- The selected external route has an accountable owner, risk approval, independent audit evidence, a recurring audit cadence, and an incident-response path.
- DALP-managed token contracts and external representations have separate role, upgrade, and reserve reviews.
- The bridge assessment covers validator keys, message verification, admin or trusted-root changes, upgrade authority, route-change notification to the bank, and independent audit evidence.
- Finality, confirmation depth, withdrawal timing, domain separation, nonce handling, and replay protection are documented for every chain involved.
- XvP or HTLC workflows have staggered timelocks and tested secret-reveal procedures.
- Reconciliation can connect DALP events, bridge events, custody approvals, and off-chain payment or reserve records.
- The operating model states which party can pause, unwind, redeem, notify stakeholders, or escalate when the external path fails.
Where to go next
- Supported networks for EVM network configuration and finality settings
- XvP settlement for local settlement contracts, hashlocks, roles, and failure modes
- XvP settlement flow for the step-by-step local and external-leg coordination flow
- Custody providers for signing controls and custody-provider policy ownership
- Operational integration patterns for reconciliation, event, ledger, and self-hosted operations