Burn-and-Mint Bridges Explained

• Burn-and-mint bridges are cryptoeconomic protocols transferring assets across blockchains by burning tokens on the source chain and minting equivalents on the destination.
• ASAS-BridgeAMM couples a burn-and-mint bridge with an automated market maker using a trinary state machine to dynamically adjust risk parameters based on latency and market conditions.
• Empirical evaluations show that dynamic risk pricing reduces insolvency risk by 73% and maintains liquidity provider engagement even during volatile market events.

Burn-and-mint bridges are cryptoeconomic protocols enabling asset transfer between distinct blockchains by destroying (burning or locking) tokens on the source chain and minting synthetic equivalents on the destination. The systemic risk posed by such systems derives from their cross-chain consensus dependencies, operational latency, adversarial frontiers, and discrete failure modes. ASAS-BridgeAMM, as exemplified in "ASAS-BridgeAMM: Trust-Minimized Cross-Chain Bridge AMM with Failure Containment" (You et al., 18 Jan 2026), advances this lineage by coupling a burn-and-mint bridge to an automated market maker (AMM) with a formally specified mechanism for graceful degradation, quantifying bridge-induced risk and dynamically pricing it within the protocol.

1. Formal State Machine and Contained Degradation

ASAS-BridgeAMM models bridge operation as an atomic state machine $\mathcal{M} = (S, \Sigma, \delta, s_0)$ with three states:

• $S_N$: Normal
• $S_R$: Restricted (Contained Degradation)
• $S_H$: Halted

Transitions are determined by cross-chain latency $\tau$, health index $\mathcal{H}$, and oracle price deviation $\delta$. The start state $s_0$ is $S_N$, and the transition function $\delta: S \times \Sigma \to S$ enforces state change based on quantifiable risk parameters. Transition guards such as $\tau > T_{\mathrm{thresh}}$ or $\mathcal{H} < \mathcal{H}_{\mathrm{safe}}$ trigger $S_R$, while $\tau > T_{\mathrm{crit}}$, $\mathcal{H} < \mathcal{H}_{\mathrm{crit}}$, or excessive oracle deviation lead to $S_H$. Recovery to $S_N$ requires all risk metrics returning within thresholds. This trinary model contrasts with legacy bridge architectures that admit only "operational" vs. "compromised" states, introducing the possibility of limited, risk-priced outflows under stress rather than total halt or unbounded capital extraction (You et al., 18 Jan 2026).

2. Latency as Quantifiable Execution Risk

ASAS-BridgeAMM elevates observed cross-chain message latency, $\tau = t_{\mathrm{dest}} - t_{\mathrm{src}}$, as a first-class risk metric. Under non-adversarial conditions, $$\tau \sim \mathrm{LogNormal}(\mu=5.7, \sigma=2.0)\,\text{sec}$$ empirically. This latency directly informs protocol parameters:

• Dynamic Haircut $h(\tau)$: Funds transferred are subject to a haircut increasing with latency:

$$h(\tau) = \begin{cases} h_{\min} & \tau \le T_{\min}\ h_{\min} + \frac{\tau - T_{\min}}{T_{\max} - T_{\min}} (h_{\max} - h_{\min}) & T_{\min} < \tau < T_{\max}\ h_{\max} & \tau \ge T_{\max} \end{cases}$$

With $h_{\min}=0.3\%$, $h_{\max}=5\%$, $T_{\min}=15$ min, $T_{\max}=4$ h.

• Slippage Bound $s(\tau)$: Enforced per state—$s_0 \approx 1\%$ in $S_N$, doubled in $S_R$, infinite (all swaps revert) in $S_H$.
• Withdrawal Limit $w(\tau)$: Caps maximum withdrawal per epoch by state—up to $20\%$ of pool in $S_N$, $5\%$ in $S_R$, $0$ in $S_H$.

This explicit risk-pricing approach throttles user flows in proportion to growing uncertainty, mitigating contagion from bridge liveness/finality delays.

3. Automated Market Maker (AMM) Coupling and Price Invariant

The bridging process consists of users locking assets on the source chain via IngressVault.sol; cross-chain messages communicate lock events via a relayer/oracle "Hub", culminating in synthetic asset minting on the destination chain within BridgeAMM.sol. The on-chain AMM uses a risk-adjusted constant-product invariant:

$$k_{\mathrm{adj}} = x y (1 - h(\tau)) \qquad \Delta y = \frac{y\,\Delta x\,(1 - h(\tau))}{x + \Delta x (1 - h(\tau))}$$

where $(x, y)$ represent pool reserves. The dynamic haircut $h(\tau)$ reduces effective liquidity during latency-induced uncertainty, increasing slippage and price impact. During $S_N$ standard Uniswap-style execution applies; in $S_R$ haircuts and slippage caps adjust upward and withdrawal caps tighten; in $S_H$ swaps revert and withdrawals are locked via CircuitBreaker.sol.

4. Safety, Bounded Bad Debt, and Liveness

Safety is established in the presence of a Byzantine Relayer adversary (permitting delays, reordering, censorship, and front-running but not signature forgery):

• Theorem 1 (Bounded Bad Debt):

$B \leq h_{\max} C_{\text{total}}$

Proof sketch: each swap contracts the AMM invariant by at most $1-h_{\max}$, and with per-epoch withdrawal throttling, cumulative loss per epoch is capped. The circuit breaker precludes subsequent loss epochs.

• Liveness (Theorem 2): If $\tau < 2 T_{\max}$, oracle deviations $<\theta_{\mathrm{price}}$, and oracle integrity holds, then honest swaps eventually finalize since the protocol remains in $S_N$ or $S_R$, both of which allow settlement.

These properties are formally proven, ensuring bounded insolvency and settlement completion with high confidence, even under adversarial delay or natural market volatility.

5. Manipulation Resistance and Adversarial Robustness

Let $V$ be attack size, $\delta$ the oracle distortion, and $\tau$ the induced delay. Adversarial profit function:

$$\Pi(\delta, \tau, V) = \delta V - s(V) V - h(\tau) V$$

Whenever $\delta \geq \theta_{\mathrm{price}}$ or $\tau > T_{\mathrm{crit}}$, the circuit breaker nullifies profit $(\Pi=0)$ by halting swaps. Monte Carlo simulation (100,000 runs) demonstrates $\mathrm{p}_{99}$ per-epoch bad debt of 0.189% ($<0.2\%$), and solvency probability $>0.9999$ over stress regimes (0–50% price crash, up to 60 min latency, (You et al., 18 Jan 2026)).

6. Empirical Evaluation and Practical Results

Two primary evaluation tracks were used:

• Historical Replay (18 months, Ethereum + 2 auxiliary chains): 54,700 bridge swaps under observed network and price variability, including high-volatility events. Found worst-case bridge-induced insolvency reduced by 73% relative to baseline lock-and-mint models and transaction volume retention of 104.5% (liquidity providers remained during stress).
• Monte Carlo Stress Testing: System maintained $\mathrm{P}(\text{solvent}) = 1.0$ under diverse adversarial and market scenarios, including up to 50% asset price drawdown and 30 min cross-chain latency.

Metrics, replay methodology, and code-level instrumentation adhere precisely to the stated protocol and analysis criteria.

7. Core Contract Modules

Key modules are implemented in Solidity-style pseudocode:

• IngressVault.sol: Manages collateral lock on source chain.
• Hub.sol: Aggregates latency attestations and oracle pricing.
• BridgeAMM.sol: Implements AMM, state machine, and risk adaptation.
• CircuitBreaker.sol: Automates pausing and reinitialization during critical events.

A summary of implementation details is provided below:

Module	Role	Key Interface
IngressVault.sol	Source chain deposit and lock tracking	lock(address asset, uint256 amt)
Hub.sol	Cross-chain latency and price aggregation	attestLatency(uint256 t_src), aggregatePrice(...)
BridgeAMM.sol	Stateful AMM, enforces slippage, haircuts, limits	swap(uint256 dx), checkState(...)
CircuitBreaker.sol	Protocol halt and recovery	trigger(), reset()

Contained degradation is enforced at the contract layer via mode checks and dynamic parameterization, directly implementing the state machine and risk response logic in executable code.

---

ASAS-BridgeAMM transforms burn-and-mint bridges from brittle, binary-fail systems into "safe-to-fail" cryptonetworks by embedding dynamic risk-based controls at the protocol level. This architecture formally bounds bad debt, preserves user settlement under adverse conditions, and empirically demonstrates enhanced insolvency resistance and capital efficiency, as established through both simulation and historical chain replay (You et al., 18 Jan 2026).