14-of-20 Multi-Sig Bridge v2
Enhanced cross-chain security with adaptive validator consensus. Second-generation EVM bridge architecture with optimistic verification, fraud proofs, and reduced gas costs for institutional-grade transfers between JIL L1 and 10 target chains.
When the bridge cannot reach quorum, it pauses. No funds are at risk.
Users' locked tokens remain safely in the bridge contracts on source chains. This is the correct behavior: it is always better to halt than to process an unauthorized withdrawal. The v2 architecture enhances the original 14-of-20 model with adaptive validator consensus, where the threshold adjusts dynamically based on the number of healthy validators while never dropping below 70% BFT.
The second-generation bridge deploys the same JILBridge.sol lock-and-mint contract to every EVM-compatible chain. Because these chains share identical smart contract standards (Solidity ABI), address formats (0x-prefixed, 20-byte), and JSON-RPC interfaces, only network-specific configuration changes (RPC endpoint, chain ID, finality depth) are required. Every bridge instance inherits the full 14-of-20 BFT security model - no delegation to third-party relayers, no optimistic verification windows, and no single-key authority. The bridge authority executor is consensus-gated and cannot mint or release assets without validator quorum approval. Asset wrapping is optional: users can hold tokens natively on their source chain and only bridge when cross-chain access is needed.
Multi-validator attestation is now required for both deposits (minting) and withdrawals (releasing). There is no single-key mint authority - the bridge authority executor is gated by validator consensus and cannot act unilaterally. Each deposit must be independently verified and attested by a 14-of-20 threshold of validators before wrapper tokens are minted. Proof-of-reserves checks enforce that total_minted ≤ total_deposited - total_withdrawn on both minting and withdrawal operations, ensuring the bridge can never become undercollateralized in either direction. Asset wrapping is optional - users can hold assets natively on source chains and only wrap when they need cross-chain liquidity. Circuit breakers include: per-asset daily outflow caps, automatic bridge pause on any reserves mismatch, and a global bridge pause mechanism triggered by any 3 validators. When a circuit breaker fires, all bridge operations halt until 14-of-20 consensus authorizes resumption.
Five attack vectors. Five defenses. Zero compromises.
Every known bridge attack vector has been analyzed and addressed at the architecture level. The 14-of-20 threshold creates a security barrier that scales with geographic and jurisdictional diversity.
Key Compromise Attack
Attack: Adversary compromises validator signing keys to forge withdrawal signatures.
- Must compromise 14 keys across 5+ jurisdictions
- All attestations logged on-chain - anomalous signing triggers alerts
- Governance can rotate keys via ceremony-gated process
- Emergency pause halts withdrawals within 1.5 seconds
Deposit Spoofing / Unauthorized Minting
Attack: Submit forged deposit proofs or compromise bridge authority key to mint unbacked tokens.
- Multi-validator attestation gate: minting requires 14-of-20 validator attestations - no single-key mint authority exists
- Bridge authority executor is gated by validator consensus and cannot mint unilaterally
- Each validator independently verifies deposit via source chain RPC before attesting
- Deterministic deposit hash signed by each validator (chain, tx, logIndex, amount, recipient)
- Proof-of-reserves enforced on both minting and withdrawals: auto-pauses bridge if total_minted exceeds total_deposited minus total_withdrawn
- Per-asset daily outflow caps provide additional circuit breaker protection against rapid drain attacks
Replay Attack
Attack: Replay a valid withdrawal signature to drain funds multiple times.
- Every bridge operation has a unique nonce
- Bridge contract tracks processed nonces and rejects duplicates
- Nonces are chain-specific - Ethereum withdrawal cannot replay on Avalanche
Validator Collusion
Attack: A cartel of validators conspires to approve fraudulent withdrawals.
- Requires 14 of 20 colluding - a supermajority of the entire set
- Must span 5+ legal jurisdictions
- 100% stake slashing plus permanent removal for detected collusion
- Protocol-level insurance fund covers users
Eclipse / Network Partition: Isolating validators from the real chain state requires partitioning nodes across multiple cloud providers, bare metal servers, and geographic locations simultaneously. Validators connect to multiple independent RPC endpoints per chain, and source chain data is cross-validated against block explorers and other validators' observations - making eclipse attacks impractical at scale.
Minimum necessary authority. No single entity can modify bridge parameters.
Bridge governance ensures no single entity - including JIL Sovereign Technologies, Inc. - can unilaterally modify bridge parameters.
| Action | Requirement | Timelock |
|---|---|---|
| Emergency pause | Any 3 validators | Immediate |
| Resume after pause | 14-of-20 consensus | 1 hour minimum |
| Add/remove validator | 14-of-20 consensus + Foundation approval | 7 days |
| Change threshold (t) | 14-of-20 consensus + Foundation approval | 14 days |
| Contract upgrade | 14-of-20 consensus + security audit | 30 days |
| Key rotation (single) | Validator self-service + ceremony | 24 hours |
| Full key rotation (all) | 14-of-20 consensus | 7 days |
No Proxy Patterns
Bridge contracts are not upgradeable via proxy. Contract upgrades deploy a new contract and migrate via governance vote with 30-day timelock.
Transparent Timelocks
All governance actions are visible on-chain during their timelock period. Anyone can verify pending changes before they take effect.
No Admin Keys
There is no "admin" or "owner" key that bypasses the multi-sig. The bridge authority executor is gated by 14-of-20 validator consensus and cannot act unilaterally. The Foundation participates in governance but cannot override validator consensus.
Seven EVM chains. One contract. Full BFT security on every deployment.
The same JILBridge.sol lock-and-mint contract deploys natively to every EVM-compatible chain with only network-specific configuration changes. Every bridge instance inherits the full 14-of-20 BFT security model.
| Chain | Chain ID | Deposit Finality | Contract | Status |
|---|---|---|---|---|
| Ethereum | 1 | ~12 min | JILBridge.sol | Live |
| Arbitrum One | 42161 | ~10-15 min | JILBridge.sol | Live |
| Base | 8453 | ~10 min | JILBridge.sol | Live |
| Avalanche | 43114 | ~2 sec | JILBridge.sol | Live |
| Polygon | 137 | ~2 sec | JILBridge.sol | Live |
| Hedera | 295 | ~3-5 sec | JILBridge.sol (HSCS) | Live |
| XDC Network | 50 | ~6 sec | JILBridge.sol | Live |
Ethereum Mainnet is the primary bridge corridor. Users lock JIL on L1 and receive wrapped JIL (wJIL) as an ERC-20 on Ethereum. Asset wrapping is optional - users can hold JIL natively on L1 and only bridge when cross-chain liquidity is needed. Deposits require 64-block finality confirmation (~12 minutes) plus 14-of-20 validator attestation before wrapper tokens are minted. Withdrawals also require 14-of-20 validator consensus with proof-of-reserves verification, typically completing under 30 seconds once consensus is reached. The bridge authority executor cannot approve any operation unilaterally - every mint and release is gated by validator quorum.
Arbitrum One and Base are Ethereum's leading L2 rollups. JIL bridge deposits route through their respective inboxes with 10-15 minute confirmation. Withdrawals bypass the standard 7-day challenge period entirely - JIL's 14-of-20 validator attestation provides instant finality independent of the rollup's dispute mechanism.
Avalanche C-Chain uses Snowman consensus for sub-second finality - deposits confirm in roughly 2 seconds, making it the fastest EVM bridge corridor. Primary use case: institutional DeFi access, as Avalanche hosts major RWA tokenization and institutional lending protocols.
Polygon PoS offers ~2 second block times with periodic checkpoints to Ethereum. Ideal for high-frequency, low-value settlements - micro-transactions, retail payments, and gaming asset bridges.
Hedera (via HSCS) provides full Solidity 0.8.x support on top of Hashgraph's asynchronous BFT consensus (3-5 second finality). Hedera's governing council includes Google, IBM, Boeing, and Deutsche Telekom, making it a natural bridge partner for enterprise and government settlement use cases.
XDC Network is built specifically for trade finance and enterprise settlement. Its XDPoS 2.0 consensus provides ~6 second finality. Key differentiator: native ISO 20022 financial messaging compatibility via the Impel protocol, enabling interoperability with SWIFT-connected banks.
Three non-EVM chains. Purpose-built native protocol adapters.
Non-EVM chains cannot run Solidity contracts, so each requires a purpose-built native protocol adapter. These adapters implement the same lock-verify-mint / burn-verify-release flow but speak the target chain's native transaction format. All adapters enforce the same security model: 14-of-20 validator consensus for every bridge operation, proof-of-reserves checks on both minting and withdrawals, per-asset daily outflow caps, and automatic pause on reserves mismatch. No adapter has a single-key authority that can bypass validator consensus.
| Chain | Language | Finality | Adapter Type | Status |
|---|---|---|---|---|
| XRPL | TypeScript | 3-5 sec | Gateway (Trust Lines) | Live |
| Stellar | TypeScript | ~5 sec | Custom Asset Issuer | Live |
| Cosmos (IBC) | Go | ~6 sec | ICS-20 Transfer Module | Live |
XRP Ledger (XRPL)
Ripple's payment-focused ledger achieves 3-5 second finality at approximately $0.0002 per transaction. The JIL bridge adapter uses the xrpl.js SDK with a 14-of-20 signer list. Use case: cross-border payments, remittance corridors, and CBDC settlement interoperability.
Stellar Network
Stellar's SCP provides 5-second finality at ~$0.00001 per transaction - the lowest-cost target in JIL's bridge network. The bridge's Stellar account is secured with a multi-sig configuration (14-of-20 Ed25519 signers). Use case: humanitarian remittances and micro-settlement.
Cosmos IBC
JIL operates a purpose-built adapter zone (Cosmos SDK module in Go) that speaks IBC natively using ICS-20 fungible token standard. Access to 60+ IBC-enabled chains including Osmosis, Cosmos Hub, Injective, Sei, Noble (USDC), and dYdX.
The broadest institutional bridge network with the strongest security guarantees.
JIL's 14-of-20 multisig bridge v2 connects 7 EVM chains and 3 non-EVM networks - all secured by the same Byzantine fault-tolerant validator consensus across 13 jurisdictions. No single-key authority, proof-of-reserves on every operation, and circuit breakers that halt the bridge before any funds are at risk.