FABRKNT
GitHub
Cross-Chain Bridges — From CCIP to Light Clients
Reading Real Bridges
Lesson 5 of 7·CONTENT14 min40 XP

Treat this page as a workbench, not a blog post. The goal is to extract a reusable mental model from the source and carry it into the rest of the Fabrknt stack.

Course
Cross-Chain Bridges — From CCIP to Light Clients
Lesson role
CONTENT
Sequence
5 / 7

Lesson 5 — Wormhole and IBC — multi-chain message protocols

Question

Wormhole connects Solana, Aptos, Sui, Ethereum, and 20+ other chains. IBC connects every Cosmos chain (~100 chains). They solve the same problem with different trust models — Wormhole = 19-validator guardian set, IBC = on-chain light clients. Read both, see the design space.

Principle (minimum model)

  • Wormhole architecture. 19 Guardians (professional validators — Jump Crypto, Certus, Figment, etc.) observe messages on the source chain, sign attestations (VAAs — Verified Action Approvals), the destination chain verifies 13-of-19 signatures.
  • The 2022 Wormhole hack ($325 M). A signature-verification bug allowed the attacker to forge a guardian quorum and mint wrapped ETH on Solana for free. Jump Crypto refunded users. Patched, but the architecture-level trust assumption (guardians honest) didn't change.
  • IBC (Inter-Blockchain Communication) architecture. Each Cosmos chain runs on-chain light clients of every chain it communicates with. Trust-minimised — cryptographic only.
  • IBC flow. Source chain → Tendermint header → IBC light client on destination → Merkle proof verification → message accepted. Native to Tendermint chains because Tendermint has instant finality.
  • Why IBC works only on Cosmos. Tendermint finality is single-slot → light client updates are cheap. Ethereum sync committee updates every 27 h → expensive on-chain. EVM-to-Cosmos IBC bridges (e.g. Polymer) are emerging but require optimistic rollup-style mechanisms.
  • Polymer / Composable IBC. Adapt IBC to EVM by running IBC clients as on-chain contracts plus optimistic challenge windows. Gold-standard cryptographic message-passing, retrofitted to chains that don't have native instant finality.
  • Design-space summary. Wormhole = federated trust (15 of 19) + fast + chain-agnostic. IBC = trust-minimised + fast (within Cosmos) + native-only. Both legitimate; pick by your trust tolerance.

Worked example + steps

Wormhole and IBC — multi-chain message protocols

If CCIP is the bridge a regulated Tempo merchant uses, Wormhole is what every Solana DeFi protocol used in 2022 to reach Ethereum — fast, cheap, and held together with a 19-key multisig that's been hacked once. IBC is what every Cosmos chain has used since 2019 — slower, more secure, and structurally unable to leave the Cosmos ecosystem. Two production protocols, very different audiences, both important to understand because they bracket the trust spectrum CCIP sits in the middle of.

1. Wormhole — the multisig that scales

wormhole-foundation/wormhole is a guardian-based bridge. Architecture:

  • 19 Guardian nodes, each running validators
  • Guardians observe source-chain events
  • Each guardian signs an attestation: "I saw event X on chain Y"
  • 13-of-19 guardian signatures → message is valid
  • Destination chain verifies the signature aggregate

Wormhole supports 30+ chains including Solana, Ethereum, Sui, Aptos, Bitcoin (via wrapping). The 13-of-19 multisig is the single trust assumption.

1.1 Wormhole's attack history

February 2022: an attacker walked away with $325M of Wormhole-bridged ETH. The bug was not a stolen key — it was a missing check in the Solana program that verifies guardian signatures. The attacker forged a valid-looking signature against a contract that didn't actually verify the signer.

Takeaway: multisig bridges fail at the verification logic as often as at the keys. 19 guardians don't help if the contract checking them has a bug.

f = ⌊(19-1)/3⌋ = 6 Byzantine tolerance. But the real failure mode isn't Byzantine collusion — it's operational compromise (keys stolen) or verification bugs (Wormhole 2022). Adding more guardians doesn't help if your contract has a bug.

1.2 Wormhole for Tempo

Could Tempo use Wormhole? Yes, technically. But:

  • Wormhole's risk profile (multisig + history) is less acceptable for regulated payments
  • CCIP has better Solana support
  • Wormhole's developer focus has been on Solana-Ethereum, less on emerging L1s

For Tempo merchant settlement: CCIP is preferred. Wormhole could be a fallback if CCIP becomes unavailable, but not the primary.

2. IBC — the gold standard for Cosmos

cosmos/ibc-go is the Inter-Blockchain Communication protocol. It powers all bridges between Cosmos chains (Osmosis, Juno, etc.).

2.1 How IBC works

flowchart LR
    A["Cosmos Hub<br/>(source)"] -->|1. Send packet| AClient["IBC client<br/>on source"]
    AClient -->|2. Commit + sign| Relayer["IBC Relayer<br/>(off-chain)"]
    Relayer -->|3. Relay headers + proofs| BClient["IBC client<br/>on destination"]
    BClient -->|4. Verify against header| B["Osmosis<br/>(destination)"]

Each chain runs a light client of the other chain. The relayer (anyone — permissionless) submits:

  • Source chain headers (verified against destination's light client)
  • Proofs of source-chain state changes (verified against the verified headers)

If the proof is valid, the destination chain executes the cross-chain action. Pure cryptography, no multisig.

2.2 Why IBC is restricted to Cosmos

To run an IBC light client of chain X on chain Y, chain Y needs to verify chain X's consensus rules. For Cosmos chains, all use Tendermint, so the same light client code works.

For Ethereum, you'd need a Solidity contract implementing Tendermint verification — expensive and complex. For Solana, you'd need an Anchor program for the same. Cross-ecosystem IBC is theoretically possible but practically rare because of the implementation cost.

There's progress: Polymer is building an IBC hub that connects Cosmos to Ethereum via a rollup. For Tempo (a Reth-based EVM chain), IBC is not a natural choice — it would require building a Tempo light client in CosmWasm + a Tendermint light client on Tempo (Solidity). Possible, but at high cost for limited benefit.

3. Wormhole + IBC + CCIP: when each wins

Use caseBest choiceWhy
Solana ↔ EthereumCCIP or WormholeBoth have mature Solana support
Cosmos chains (e.g., Osmosis ↔ Juno)IBCTrustless, no other choice
EVM L1 ↔ EVM L1 (e.g., Tempo ↔ Polygon)CCIP, LayerZeroBoth general EVM-EVM
L2 ↔ L1 (within OP Stack)OP Standard BridgeTrustless
Bitcoin ↔ EVMWormhole (via wrapping)Few alternatives
Permissionless arbitrary chainsWormholeMost ecosystem reach

For Tempo's needs (merchant settlement): CCIP is the answer. For ecosystem expansion (e.g., connecting to Cosmos chains in future), Polymer or similar adapters could bridge Tempo↔IBC.

4. The trust spectrum revisited

From Lesson 1, the trust spectrum:

[Multisig] → [Optimistic] → [PoS bridge] → [Light client] → [ZK light client]

Where each protocol sits:

ProtocolPosition
WormholeMultisig (13-of-19)
CCIPPoS bridge (DON + RMN)
OP StandardOptimistic + rollup consensus
IBCLight client (Tendermint)
Future ZK light clientsZK light client

As trust models improve, complexity and cost increase. IBC requires running a full light client of the source chain on the destination. ZK light clients require proving consensus inside zkVMs.

5. For your projects

mppsol (Reth/REVM ↔ Solana)

  • Today: CCIP primary, Wormhole as alternate
  • Future: ZK light client when EVM↔non-EVM zk infrastructure matures

soltempo (merchant settlement via Tempo→Solana)

  • Today: CCIP exclusively
  • Reason: CCIP has on-chain risk management (RMN can pause), regulatory comfort

Telos (Tempo↔HL intent matching)

  • Tempo↔HL bridge doesn't exist publicly yet
  • Likely either: HyperLiquid bridge (custom multisig) or future shared sequencer / ZK proof
  • This is the bridge gap — neither Wormhole, CCIP, nor IBC currently spans Tempo↔HL with full feature set

6. Reading list

7. Practice

  1. Browse Wormhole's Solana program — find the signature aggregation logic
  2. Browse ibc-go — find the light client interface
  3. Compare: how many lines of code is "verify a cross-chain message" in each system?

Final check: in one sentence, why are Wormhole and IBC complementary rather than competing? If your answer doesn't reference "different ecosystems with different trust appetites," re-read §3.

Summary (3 lines)

  • Wormhole = 19-Guardian federated signing (13-of-19 quorum) connecting 20+ chains. The 2022 hack ($325 M) was a signature-verification bug, not an architecture failure — but the federated trust assumption remains.
  • IBC = on-chain light clients between every Cosmos chain. Trust-minimised; works because Tendermint has single-slot finality. Polymer / Composable extend it to EVM via optimistic rollup-style adaptations.
  • Design space: federated trust (Wormhole) vs cryptographic (IBC). Both have legitimate use cases; the trust tolerance picks the design. Next lesson builds a minimal bridge with light-client-verified messaging.
← Previous
Lesson 4 — Chainlink CCIP — the cross-chain rail Tempo uses
Next →
Lesson 6 — Building a minimal bridge on Reth — light-client-verified messaging