ASAS-BridgeAMM: Trust-Minimized Cross-Chain Bridge AMM with Failure Containment
Shengwei You, Aditya Joshi, Andrey Kuehlkamp, Jarek Nabrzyski
TL;DR
ASAS-BridgeAMM introduces Contained Degradation, a risk-aware bridge mechanism that treats cross-chain message latency as an operational signal. By coupling a Latency-aware AMM with a three-state governance model (Normal, Restricted, Halted), it bounds potential losses, preserves liquidity, and delivers strong liveness guarantees even under Byzantine relayer conditions. The approach is formally specified, with proofs of Safety (bounded debt), Liveness (settlement completion), and Manipulation Resistance, and is validated through 18 months of historical replay and 100,000 Monte Carlo simulations, achieving a solvency probability above $0.9999$ and a per-epoch bad debt cap below $0.2\%$. Empirically, ASAS reduces worst-case insolvency by $73\%$ while attaining $104.5\%$ of baseline volume during stress, underscoring that graduated, risk-aware security can be both safer and economically viable for cross-chain liquidity.
Abstract
Cross-chain bridges constitute the single largest vector of systemic risk in Decentralized Finance (DeFi), accounting for over \$2.8 billion in losses since 2021. The fundamental vulnerability lies in the binary nature of existing bridge security models: a bridge is either fully operational or catastrophically compromised, with no intermediate state to contain partial failures. We present ASAS-BridgeAMM, a bridge-coupled automated market maker that introduces Contained Degradation: a formally specified operational state where the system gracefully degrades functionality in response to adversarial signals. By treating cross-chain message latency as a quantifiable execution risk, the protocol dynamically adjusts collateral haircuts, slippage bounds, and withdrawal limits. Across 18 months of historical replay on Ethereum and two auxiliary chains, ASAS-BridgeAMM reduces worst-case bridge-induced insolvency by 73% relative to baseline mint-and-burn architectures, while preserving 104.5% of transaction volume during stress periods. In rigorous adversarial simulations involving delayed finality, oracle manipulation, and liquidity griefing, the protocol maintains solvency with probability $>0.9999$ and bounds per-epoch bad debt to $<0.2%$ of total collateral. We provide a reference implementation in Solidity and formally prove safety (bounded debt), liveness (settlement completion), and manipulation resistance under a Byzantine relayer model.
