Arkstream Capital: How to Fortify the Security Defense of Merlin Chain’s $3 Billion TVL

Merlin Chain, launched by the renowned BRC-420 Blue Box and Bitmap development team, supports a variety of native Bitcoin assets and is a ZK Rollup Bitcoin Layer 2 network compatible with the Ethereum Virtual Machine (EVM). From a market perspective, BRC-420 and Bitmap have shown excellent data performance in their early stages.

BRC-420 introduces a new protocol within the Bitcoin ecosystem, with Blue Box as its asset, targeting the BRC-20 protocol and ORDI inscriptions respectively. With a total of 10,000 Blue Boxes and a floor price of 0.6 BTC, its total trading volume is nearly 480 BTC, and the current market cap stands at 400M. Bitmap, an Ordinals protocol for the metaverse, is produced with each Bitcoin block, adding 144 new Bitmaps daily. It has a trading volume of around 600 BTC, equivalent to 40M, with a floor price of 0.0037558 BTC and a total supply of 833.2K, amounting to a market cap of about 200M.

The success of BRC-420, Blue Box, and Bitmap has already garnered significant community consensus for Merlin Chain. In early February of this year, Merlin’s Seal, emphasizing a Fair Launch and Community First approach, surpassed $3 billion in TVL in less than a month. Its collaborators include Cobo (a MPC wallet service), Meson and Stakestone (staking services), Layer2 ZKFair, the veteran Bitcoin data service platform GeniiData, the multi-chain DeFi data platform Defillama, and others. Within this $3 billion TVL, Bitcoin assets account for over 50%, with ETH and stablecoin assets each around $100 million, plus significant staking volumes in other quality Bitcoin ecosystem assets like BRC420, Bitmap, ORDI, and SATS.

While celebrating the achievements of Merlin’s Seal, it’s crucial to understand that Merlin’s Seal is not directly equivalent to Merlin Chain. For example, the assets contributing to the impressive TVL of Merlin’s Seal are not yet directly linked to Merlin Chain. Additionally, since L2Beat does not list Merlin Chain, a manual tally of Merlin Chain’s BTC assets yields a TVL of approximately 500+ BTC, or about 32.5M, according to L2Beat’s methodology.

The following sections delve into Merlin’s account structure, asset types, security solutions, and ecosystem development to explore the project’s prospects.

Chain-Agnostic Account Abstraction

Bitcoin’s mainstream wallet address formats include Legacy-P2PKH, Nested SegWit-P2SH-P2WPKH, Nested SegWit-P2WPKH, and Taproot-P2TR. These formats are derived from the same private key calculated through the Elliptic Curve Digital Signature Algorithm (ECDSA), then processed according to different coding rules. Bitcoin’s mnemonic phrases are a product of HD wallets (Hierarchical Deterministic Wallet), allowing a single mnemonic phrase to derive multiple private keys, controlling multiple public key addresses and corresponding formats. Ethereum’s wallet, public key, and private key systems are similar to Bitcoin’s, with the main difference being Ethereum’s choice of a different encoding hash function (Keccak-256). For EVM compatibility, adopting Ethereum’s existing public-private key address scheme in Merlin Chain is the simplest approach, making the entry barrier virtually non-existent for users familiar with the EVM ecosystem. The challenge is mapping Bitcoin’s public-private key addresses into this framework.

The solution can be found in the official documentation: Particle Network’s BTC Connect, where a Bitcoin public key can calculate an EVM’s EOA address, then use this EOA to control smart contract accounts for on-chain interactions (refer to BTC Connect’s architecture diagram for details). It’s bold and forward-thinking to not directly use Bitcoin public keys for EOA addresses but to later incorporate smart accounts implementing the ERC-4337 protocol. The advantage is the swift upgradeability and iteration of features like signature abstraction, Paymaster, Bundler, and future Social Login functions. The downside is the need to optimize and adapt foundational infrastructure (wallets and blockchain explorers) and for dApp developers in the ecosystem to undertake synchronous modifications. This represents a substantial learning curve for users, requiring adjustments to their usage habits.

Below are some notes from using the OKX Wallet (BTC):

1. The default is to use P2TR for calculating the EVM’s EOA address (account abstraction address), with the BTC wallet authorizing control over the abstract address during interactions.
2. When initiating transactions on MerlinSwap, it’s directly called with the OKX Wallet (BTC) signature. At this point, it’s not possible to view or edit Gas fees, and the content of the transaction cannot be confirmed immediately.
3. The block explorer shows that the Smart Account acts as the transaction initiator, not our EOA address. The function called is handleOps, with parameters encapsulating the real interaction’s functionalities.
4. Since OKX Wallet is a multi-chain supported wallet, even though we only use the BTC wallet, OKX Wallet also calculates the associated EVM addresses in the background. This could be different from the EOA address generated by Merlin Chain, making it easy to assume that the BTC bridged assets have not arrived (Merlin_BTC).

Bitcoin Native Asset Ingress and Egress

Whether it’s Layer2, homomorphic or heteromorphic blockchains, the core issue always revolves around security when dealing with native asset ingress and egress. Let’s explore some of the indelible memories within the circle.

• On August 10, 2021, the cross-chain protocol Poly Network was attacked, with over $600 million stolen. Fortunately, the hacker chose to return the funds for some reason.
• On February 2, 2022, the cross-chain protocol Wormhole was attacked, resulting in the loss of about 120,000 wETH. On February 25, 2023, Jump Crypto and MakerDAO’s Oasis collaborated in a counterattack to retrieve the stolen funds from the hacker’s Vault.
• On March 29, 2022, the game sidechain Ronin’s multi-signature validator system was breached, losing over $600 million.
• On June 24, 2022, the shard-focused public chain Harmony’s official bridge, Horizon, had its multi-signature system compromised, losing about $100 million.
• On August 2, 2022, the cross-chain bridge Nomad experienced a robbery attack, losing about $150 million.

The tumultuous year of 2022 saw not only the collapse of LUNA, the bankruptcy of 3AC, and the implosion of FTX but also numerous on-chain hacker attacks. It’s often said that when an ecosystem handles billions in funds, the vast wealth is accompanied by a thriving ecosystem but also the Damocles’ sword lurking in the dark forest.

Understanding the official bridge of Merlin Chain and how it handles native asset ingress and egress is crucial for further analyzing asset security. Currently, Merlin Chain supports only BTC assets, not emerging assets like BRC-20, EVM series tokens, or NFTs. Merlin Chain uses a unified Bitcoin network receiving address, bc1qgxdqf7837dxe8xkhvctgc499kwh5xw7ap3uwhs, for users bridging UTXOs, controlled by a single signature address without a direct multi-signature mechanism. The handling of Merlin’s Seal’s BTC assets is suspected to utilize Cobo’s MPC co-management solution.

The asset bridging module on Merlin Chain, responsible for minting and burning assets, is managed by the BTCLayer2Bridge contract. The minting logic function, unlockNativeToken, requires input of a double-spending-proof txHash, recipient address, and amount. After authentication and double-spending verification, bridging asset minting is achieved. The process for burning bridged assets is yet to be fully experienced. The BTCLayer2Bridge contract reveals the burning function, lockNativeToken, focuses on handling bridging fees, but the specific code for transferring bridged assets into a black hole is still undiscovered.

Furthermore, the BTCLayer2Bridge already includes ERC20 and ERC721 minting and burning code, indicating that Merlin Chain might soon support bridging for ETH and EVM series assets.

The data display on Merlin Chain’s official bridge transfer page is user-friendly, allowing users to easily find the required address and TxId. The associated blockchain explorer provides accurate information, although it may suffer from DDoS attacks, leading to indexing delays.​

After experiencing Merlin Chain’s official bridge, Meson’s Bridge was also tested. Transferring BTCB from BNB Chain to Merlin Chain via Meson was smooth, with significantly lower fees than the official bridge. Meson’s fee is 0.0009BTC (about 5–7U), while the official bridge charges a fixed 0.0003BTC plus dynamic fees, roughly over 20U. Notably, Meson’s bridged assets utilize its smart contract deployed on Merlin Chain, and assets are only visible on Meson’s official platform after initiating a directRelease transaction on-chain, requiring some time before confirmation on platforms like MerlinSwap.

Inheriting Bitcoin’s Security

Merlin Chain, developed by the Lumoz team using the Polygon CDK framework, is a zkEVM Layer2. The official website describes the sequencer as sending Layer 2 transaction data to the Bitcoin network via a decentralized oracle. This approach is explored through Polygon CDK and Lumoz’s documentation. In the Polygon CDK architecture, Rollup and Validium are two types of structures, with Merlin Chain adopting the CDK Validium model. CDK Validium is described by Polygon as a combination of Polygon zkEVM + DAC, employing a multi-signature form on the Ethereum chain for validity proofs.

This aligns with Bitcoin’s Taproot support for multi-signature forms, meaning Merlin Chain’s decentralized oracle acts as a DAC. The Merlin Chain sequencer collects and packages user transactions, verifying them before handing them over to the ZKP proof aggregator and Prover (handled by Lumoz’s ZK-POW function). The decentralized oracle sends the packaged Layer 2 transaction data, hash, and signature to the Bitcoin network.

This solution considers both the Bitcoin and Ethereum communities, maintaining EVM compatibility for rapid ecosystem development while quickly maximizing Bitcoin’s security inheritance. Technical details, such as adapting the EVM account model to the Bitcoin UTXO model and the sequencer’s decentralization path, are not extensively disclosed yet. Further information is anticipated from official documentation updates.

A Pristine Ecosystem

Perhaps due to the need for compatibility with Bitcoin and EVM’s abstract accounts, or because of Bitcoin’s native Gas feature, Merlin Chain’s ecosystem development faces more challenges and difficulties compared to pure EVM Layer2s.

As of now, Merlin Chain’s ecosystem overview on DefiLlama features only MerlinSwap as a mainstream dApp, contributing nearly all TVL at 14M. No lending, derivatives platforms, or NFT Marketplaces have been discovered yet. However, official social media and various AMAs reveal that the ecosystem’s collaborations extend beyond a single project, including wallets, infrastructure, and DeFi.

Focusing on projects with Bitcoin-specific innovative mechanisms and a native community atmosphere, such as bitSmiley, is preferred. Analyzing the protocol mechanism, bitSmiley can be understood as a combination of the stablecoin protocol MakerDAO and the lending protocol Compound. To accommodate the BRC-20 protocol and overcome Bitcoin block confirmation time limitations, bitSmiley proposed an extended version of bitRC-20 and a unique liquidation insurance mechanism (bitInsurance and CDP, see whitepaper and other materials). As a key ecosystem product for releasing Bitcoin liquidity, bitSmiley is promising. Previously, bitSmiley launched its OG Pass black card through whitelist and public Free Mint, granting cardholders priority access to bitSmiley products and protocols, plus future points bonus rights. Further shares on bitSmiley’s progress will be provided.

To avoid security risks, projects are usually checked for audits and endorsements by security companies or collaborations on Bug bounty platforms when experiencing public chains or Layer2 ecosystems. Though not catastrophic, such considerations are vital for ecosystem stability and user asset safety. Merlin Chain’s recent formation of the Merlin Security Council, in collaboration with renowned security companies (SlowMist, BlockSec, Salus, Secure3, ScaleBit), indicates thoughtful preparations for subsequent ecosystem development and construction.

Based on the above research, greater attention should be paid to Merlin Chain, especially considering Merlin’s Seal’s TVL alone demonstrates its potential, with its TVL expected to reach billions. After understanding Merlin Chain’s account system, asset bridging, and security, experiencing its ecosystem might be the best journey alongside its development.

References

Particle Network’s BTC Connect：https://developers.particle.network/reference/introduction-to-btc-connect

Polygon CDK：https://docs.polygon.technology/cdk/architecture/cdk-validium-option/

Lumoz：https://docs.lumoz.org/miners-pow/set-up-prover/polygon-zkevm

Merlin’s Seal’s TVL data and details：https://geniidata.com/ordinals/index/merlin

bitSmiley’s White Paper：https://github.com/bitSmiley-protocol/whitepaper/blob/main/BitSmiley_White_Paper.pdf

Founder Twitter: https://twitter.com/BitmapTech

Geek Web3：https://twitter.com/eternal1997L

@0xcryptowizard：https://twitter.com/0xcryptowizard

@lilyanna_btc：https://twitter.com/lilyanna_btc