Risk Management Network

The Risk Management Network (RMN) is an independent network that continuously monitors and validates the behavior of CCIP, providing an additional layer of security by independently verifying cross-chain operations for anomalous activity. The RMN independently reconstructs the batches of cross-chain messages from source chains, then blesses valid messages and authorizes them for execution on destination chains. Its core job today is to bless committed cross-chain messages offchain, ensuring they match what was observed on the source blockchain.

The RMN utilizes a separate, minimal implementation of the Chainlink node software, creating a form of client diversity for increased robustness while also minimizing external dependencies to prevent supply chain attacks. Specifically, the RMN was written in a different programming language than the primary CCIP system, developed by a different internal team, and uses a distinct non-overlapping set of node operators compared to the CCIP DONs. The Risk Management Network is a wholly unique concept in cross-chain interoperability that builds upon established engineering principles (N-version programming).

Process

The verification process of the RMN can be detailed as follows:

  1. Observing Merkle Roots

    • When the Committing DON posts a merkle root of new cross-chain messages on the destination blockchain, each RMN node independently fetches the underlying messages from the source blockchain.
    • If the node's locally reconstructed merkle root matches the merkle root posted on the destination chain, it signs an RMN observation stating that the commit is valid.

  2. Assembling Offchain Reports

    • The Committing DON collects identical observations from a sufficient number of RMN nodes, and those nodes produce a final signed RMN report.
    • This report consists of cryptographic signatures proving that most RMN nodes have confirmed the commit's integrity.

  3. Verification in Final Onchain Commit

    • The Committing DON attaches these RMN signatures to its final onchain commit.
    • On EVM-based blockchains, the OffRamp contract checks the RMN signatures via the RMNRemote contract, ensuring the Executing DON can only finalize merkle roots with sufficient RMN blessings. A similar verification mechanism applies on non-EVM blockchains, tailored to their specific contract or program model.

RMN Configuration

Although the RMN primarily acts offchain, it does rely on certain onchain configurations:

  • RMNHome: Deployed on a home chain (e.g., Ethereum), this contract stores global RMN settings, such as node identities, chain selectors, and public keys.
  • RMNRemote: Deployed on each destination blockchain (including the home chain), this contract verifies RMN node signatures whenever the Committing DON submits its final commit. Only commits carrying valid RMN blessings proceed to complete execution.

Cursing

While the RMN focuses on blessings, there are ways to address anomalies:

  1. Monitoring and Alerting: Suspicious activity is monitored, such as replayed messages or potential double-executions.
  2. Propose a Pause: If needed, a "curse" transaction can be proposed to pause CCIP on a specific blockchain.
  3. Investigation and Resolution: Once the root cause is addressed, the pause can be lifted.

Get the latest Chainlink content straight to your inbox.