# Fraxferry

## Summary

A 24-48hr token bridging solution designed and implemented by the Frax team.

<figure><img src="https://1160856619-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJQZW1mSg2O5N7HXHo0-1972196547%2Fuploads%2FQ6DWLt8e6nmw5PSh2eok%2Fimage.png?alt=media&#x26;token=627b274e-d073-45be-9529-31d6bf3dd55f" alt=""><figcaption></figcaption></figure>

## Motivation

* Too many bridge hacks from bugs, team rugs, anon devs, etc.
* Risks of infinite mints.
* Some chains have slow bridges, especially on return trip back to Ethereum (e.g. Arbitrum, Optimism, etc).

<figure><img src="https://1160856619-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJQZW1mSg2O5N7HXHo0-1972196547%2Fuploads%2FLax1A0Uq4Ptt28IG8IfK%2Ffraxship_SVG.svg?alt=media&#x26;token=b69d71f0-a261-4564-b059-355f233f08f9" alt=""><figcaption><p>Fraxferry</p></figcaption></figure>

## Benefits

* Risk is capped by token amounts in bridge contracts. No risk of infinite mints.
* Slower transactions give more time for bad batches to be caught and stopped, assuming they are not cancelled automatically by bots.
* Crewmembers can pause contracts so any issues can be investigated.

## Risks

* Captain is tricked into proposing a batch with a false hash AND all crewmember bots are offline/censured/compromised AND no one disputes the proposal.
* Reorgs on the source chain. Avoided, by only returning the transactions on the source chain that are at least one hour old.
* Rollbacks of optimistic rollups. Avoided by running a node.
* Operators do not have enough time to pause the chain after a fake proposal. Avoided by requiring a minimal amount of time between sending and executing the proposal.
* Centralization

## Process

1. User sends tokens to the contract. This transaction is stored in the contract. `embark()`, `embarkWithRecipient()`, or `embarkWithSignature()`.
2. Captain queries the source chain for transactions to ship.&#x20;
3. Captain sends batch (start, end, hash) to start the trip. `depart()`
4. Wait at least 24 hrs.
5. Crewmembers check the batch and can dispute it if it is invalid. `disputeBatch()` or `do nothing`.
6. Non disputed batches can be executed by the first officer by providing the transactions as calldata. User receives their tokens on the other chain. `disembark()`
7. Hash of the transactions must be equal to the hash in the batch.&#x20;
8. In case there was a fraudulent transaction (a hacker for example), the owner can cancel a single transaction, such that it will not be executed. `jettison()`, `jettisonGroup()`, `removeBatches()`.
9. The owner can manually manage the tokens in the contract and must make sure it has enough funds.