Skip to main content

How mass exit works

Mass exit serves as a critical emergency mechanism in the Chromia token bridge, safeguarding user funds when a crisis threatens the network's integrity.

Under normal conditions, Chromia validators on the Chromia side sign blocks, and once a commitment is submitted, a 72‑hour challenge window gives the bridge operator time to detect any fraudulent behavior and block unauthorized withdrawals.

However, if a supermajority of validators were ever to become compromised and begin signing invalid blocks, the bridge operator can trigger mass exit mode. In that mode, pre‑taken snapshots of account states are used to facilitate a secure exit for all users.

When to use mass exit

Use mass exit only as a last-resort mechanism in extreme situations, such as:

  • Discovering collusion or compromise among validators
  • Observing suspicious behaviors from validators that jeopardize bridge funds
  • Experiencing an irrecoverable security incident that affects consensus integrity
note

In these scenarios, the bridge owner or a designated multisig or governance-controlled administrator initiates a mass exit by referencing a previously signed block known to be valid.

What happens in mass exit mode

Once you trigger mass exit:

  • Deposits are blocked
  • Standard withdrawals are blocked
  • Users must withdraw funds using snapshot proofs derived from the last known valid block

This approach ensures that the system does not accept any transactions after a compromise. Users can then recover their recorded balances at a secure checkpoint.

Security assumptions

Mass exit relies on these trust and architectural principles:

  • Validators are recognized, staked participants with strong economic incentives to behave honestly.
  • The bridge owner operates as a separate entity, ideally in the form of a multisig or DAO contract.
  • It is highly unlikely that both the bridge owner and a supermajority of validators will be compromised simultaneously.

Relationship to other bridge operations

You do not need to implement mass exit in regular bridging scenarios.

You must explicitly enable and configure it using contracts that support snapshots and the appropriate chain setup. If you do not plan to utilize this feature, you can safely omit it.