Flow provides the Cross-VM Bridge which enables the movement of
fungible and non-fungible tokens between Cadence & EVM. The Cross-VM Bridge is a contract-based protocol enabling the
automated and atomic bridging of tokens from Cadence into EVM with their corresponding ERC-20 and ERC-721 token types.
In the opposite direction, it supports bridging of arbitrary ERC-20 and ERC-721 tokens from EVM to Cadence as their
corresponding FT or NFT token types.
The Cross-VM Bridge internalizes the capabilities to deploy new token contracts in either VM state as needed, resolving
access to, and maintaining links between associated contracts. It additionally automates account and contract calls to
enforce source VM asset burn or lock, and target VM token mint or unlock.
Developers wishing to use the Cross-VM Bridge will be required to use a Cadence transaction. Cross-VM bridging
functionality is not currently available natively in EVM on Flow. By extension, this means that the EVM account bridging
from EVM to Cadence must be a CadenceOwnedAccount (COA) as this is the only EVM account
type that can be controlled from the Cadence runtime.
This FLIP outlines the architecture and implementation of the VM bridge.
This document will focus on how to use the Cross-VM Bridge and considerations for fungible and non-fungible token
projects deploying to either Cadence or EVM.
And below are the bridge escrow's EVM addresses. These addresses are COAs and are stored stored in the same Flow account
as you'll find the Cadence contracts (see above).
All bridging activity in either direction is orchestrated via Cadence on COA EVM accounts. This means that all bridging
activity must be initiated via a Cadence transaction, not an EVM transaction regardless of the directionality of the
bridge request. For more information on the interplay between Cadence and EVM, see How EVM on Flow
Works.
The Flow EVM bridge allows both fungible and non-fungible tokens to move atomically between Cadence and EVM. In the
context of EVM, fungible tokens are defined as ERC20 tokens, and non-fungible tokens as ERC721 tokens. In Cadence,
fungible tokens are defined by contracts implementing
the FungibleToken interface
and non-fungible tokens implement
the NonFungibleToken interface.
Like all operations on Flow, there are native fees associated with both computation and storage. To prevent spam and
sustain the bridge account's storage consumption, fees are charged for both onboarding assets and bridging assets. In
the case where storage consumption is expected, fees are charged based on the storage consumed at the current network
storage rate.
Since a contract must define the asset in the target VM, an asset must be "onboarded" to the bridge before requests can
be fulfilled.
Moving from Cadence to EVM, onboarding can occur on the fly, deploying a template contract in the same transaction as
the asset is bridged to EVM if the transaction so specifies.
Moving from EVM to Cadence, however, requires that onboarding occur in a separate transaction due to the fact that a
Cadence contract is initialized at the end of a transaction and isn't available in the runtime until after the
transaction has executed.
Below are transactions relevant to onboarding assets:
onboard_by_type.cdc
onboard_by_type.cdc
_56
import "FungibleToken"
_56
import "FlowToken"
_56
_56
import "ScopedFTProviders"
_56
_56
import "EVM"
_56
_56
import "FlowEVMBridge"
_56
import "FlowEVMBridgeConfig"
_56
_56
/// This transaction onboards the asset type to the bridge, configuring the bridge to move assets between environments
_56
/// NOTE: This must be done before bridging a Cadence-native asset to EVM
_56
///
_56
/// @param type: The Cadence type of the bridgeable asset to onboard to the bridge
_56
///
_56
transaction(type: Type) {
_56
_56
let scopedProvider: @ScopedFTProviders.ScopedFTProvider
Once an asset has been onboarded, either by its Cadence type or EVM contract address, it can be bridged in either
direction, referred to by its Cadence type. For Cadence-native assets, this is simply its native type. For EVM-native
assets, this is in most cases a templated Cadence contract deployed to the bridge account, the name of which is derived
from the EVM contract address. For instance, an ERC721 contract at address 0x1234 would be onboarded to the bridge as
EVMVMBridgedNFT_0x1234, making its type identifier A.<BRIDGE_ADDRESS>.EVMVMBridgedNFT_0x1234.NFT.
To get the type identifier for a given NFT, you can use the following code:
_10
// Where `nft` is either a @{NonFungibleToken.NFT} or &{NonFungibleToken.NFT}
_10
nft.getType().identifier
You may also retrieve the type associated with a given EVM contract address using the following script:
get_associated_type.cdc
get_associated_type.cdc
_16
import "EVM"
_16
_16
import "FlowEVMBridgeConfig"
_16
_16
/// Returns the Cadence Type associated with the given EVM address (as its hex String)
_16
///
_16
/// @param evmAddressHex: The hex-encoded address of the EVM contract as a String
_16
///
_16
/// @return The Cadence Type associated with the EVM address or nil if the address is not onboarded. `nil` may also be
_16
/// returned if the address is not a valid EVM address.
Any Cadence NFTs bridging to EVM are escrowed in the bridge account and either minted in a bridge-deployed ERC721
contract or transferred from escrow to the calling COA in EVM. On the return trip, NFTs are escrowed in EVM - owned by
the bridge's COA - and either unlocked from escrow if locked or minted from a bridge-owned NFT contract.
Below are transactions relevant to bridging NFTs:
bridge_nft_to_evm.cdc
bridge_nft_to_evm.cdc
_118
import "FungibleToken"
_118
import "NonFungibleToken"
_118
import "ViewResolver"
_118
import "MetadataViews"
_118
import "FlowToken"
_118
_118
import "ScopedFTProviders"
_118
_118
import "EVM"
_118
_118
import "FlowEVMBridge"
_118
import "FlowEVMBridgeConfig"
_118
import "FlowEVMBridgeUtils"
_118
_118
/// Bridges an NFT from the signer's collection in Cadence to the signer's COA in FlowEVM
_118
///
_118
/// NOTE: This transaction also onboards the NFT to the bridge if necessary which may incur additional fees
_118
/// than bridging an asset that has already been onboarded.
_118
///
_118
/// @param nftIdentifier: The Cadence type identifier of the NFT to bridge - e.g. nft.getType().identifier
_118
/// @param id: The Cadence NFT.id of the NFT to bridge to EVM
_118
///
_118
transaction(nftIdentifier: String, id: UInt64) {
_118
_118
let nft: @{NonFungibleToken.NFT}
_118
let coa: auth(EVM.Bridge) &EVM.CadenceOwnedAccount
_118
let requiresOnboarding: Bool
_118
let scopedProvider: @ScopedFTProviders.ScopedFTProvider
Any Cadence fungible tokens bridging to EVM are escrowed in the bridge account only if they are Cadence-native. If the
bridge defines the tokens, they are burned. On the return trip the pattern is similar, with the bridge burning
bridge-defined tokens or escrowing them if they are EVM-native. In all cases, if the bridge has authority to mint on one
side, it must escrow on the other as the native VM contract is owned by an external party.
With fungible tokens in particular, there may be some cases where the Cadence contract is not deployed to the bridge
account, but the bridge still follows a mint/burn pattern in Cadence. These cases are handled via
TokenHandler
implementations. Also know that moving $FLOW to EVM is built into the EVMAddress object so any requests bridging $FLOW
to EVM will simply leverage this interface; however, moving $FLOW from EVM to Cadence must be done through the COA
resource.
Below are transactions relevant to bridging fungible tokens:
bridge_tokens_to_evm.cdc
bridge_tokens_to_evm.cdc
_119
import "FungibleToken"
_119
import "ViewResolver"
_119
import "FungibleTokenMetadataViews"
_119
import "FlowToken"
_119
_119
import "ScopedFTProviders"
_119
_119
import "EVM"
_119
_119
import "FlowEVMBridge"
_119
import "FlowEVMBridgeConfig"
_119
import "FlowEVMBridgeUtils"
_119
_119
/// Bridges a Vault from the signer's storage to the signer's COA in EVM.Account.
_119
///
_119
/// NOTE: This transaction also onboards the Vault to the bridge if necessary which may incur additional fees
_119
/// than bridging an asset that has already been onboarded.
_119
///
_119
/// @param vaultIdentifier: The Cadence type identifier of the FungibleToken Vault to bridge
_119
/// - e.g. vault.getType().identifier
_119
/// @param amount: The amount of tokens to bridge from EVM
To maximize utility to the ecosystem, this bridge is permissionless and open to any fungible or non-fungible token as
defined by the respective Cadence standards and limited to ERC20 and ERC721 Solidity standards. Ultimately, a project
does not have to do anything for users to be able to bridge their assets between VMs. However, there are some
considerations developers may take to enhance the representation of their assets in non-native VMs. These largely relate
to asset metadata and ensuring that bridging does not compromise critical user assumptions about asset ownership.
Proposed in @onflow/flow-nft/pull/203, the EVMBridgedMetadata view
presents a mechanism to both represent metadata from bridged EVM assets as well as enable Cadence-native projects to
specify the representation of their assets in EVM. Implementing this view is not required for assets to be bridged, but
the bridge does default to it when available as a way to provide projects greater control over their EVM asset
definitions within the scope of ERC20 and ERC721 standards.
The interface for this view is as follows:
_20
access(all) struct URI: MetadataViews.File {
_20
/// The base URI prefix, if any. Not needed for all URIs, but helpful
_20
/// for some use cases For example, updating a whole NFT collection's
_20
/// image host easily
_20
access(all) let baseURI: String?
_20
/// The URI string value
_20
/// NOTE: this is set on init as a concatenation of the baseURI and the
_20
/// value if baseURI != nil
_20
access(self) let value: String
_20
_20
access(all) view fun uri(): String
_20
_20
}
_20
_20
access(all) struct EVMBridgedMetadata {
_20
access(all) let name: String
_20
access(all) let symbol: String
_20
_20
access(all) let uri: {MetadataViews.File}
_20
}
This uri value could be a pointer to some offchain metadata if you expect your metadata to be static. Or you could
couple the uri() method with the utility contract below to serialize the onchain metadata on the fly. Alternatively,
you may choose to host a metadata proxy which serves the requested token URI content.
The key consideration with respect to metadata is the distinct metadata storage patterns between ecosystem. It's
critical for NFT utility that the metadata be bridged in addition to the representation of the NFTs ownership. However,
it's commonplace for Cadence NFTs to store metadata onchain while EVM NFTs often store an onchain pointer to metadata
stored offchain. In order for Cadence NFTs to be properly represented in EVM platforms, the metadata must be bridged in
a format expected by those platforms and be done in a manner that also preserves the atomicity of bridge requests. The
path forward on this was decided to be a commitment of serialized Cadence NFT metadata into formats popular in the EVM
ecosystem.
For assets that do not implement EVMBridgedMetadata, the bridge will attempt to serialize the metadata of the asset as
a JSON data URL string. This is done via the SerializeMetadata
contract which
serializes metadata values into a JSON blob compatible with the OpenSea metadata standard. The serialized metadata is
then committed as the ERC721 tokenURI upon bridging Cadence-native NFTs to EVM. Since Cadence NFTs can easily update
onchain metadata either by field or by the ownership of sub-NFTs, this serialization pattern enables token URI updates
on subsequent bridge requests.
It's also recognized that the logic of some use cases may actually be compromised by the act of bridging, particularly
in such a unique partitioned runtime environment. Such cases might include those that do not maintain ownership
assumptions implicit to ecosystem standards.
For instance, an ERC721 implementation may reclaim a user's assets after a month of inactivity. In such a case, bridging
that ERC721 to Cadence would decouple the representation of ownership of the bridged NFT from the actual ownership in
the defining ERC721 contract after the token had been reclaimed - there would be no NFT in escrow for the bridge to
transfer on fulfillment of the NFT back to EVM. In such cases, projects may choose to opt-out of bridging, but
importantly must do so before the asset has been onboarded to the bridge.
For Solidity contracts, opting out is as simple as extending the BridgePermissions.sol abstract
contract which
defaults allowsBridging() to false. The bridge explicitly checks for the implementation of IBridgePermissions and
the value of allowsBridging() to validate that the contract has not opted out of bridging.
Similarly, Cadence contracts can implement the IBridgePermissions.cdc contract
interface.
This contract has a single method allowsBridging() with a default implementation returning false. Again, the bridge
explicitly checks for the implementation of IBridgePermissions and the value of allowsBridging() to validate that
the contract has not opted out of bridging. Should you later choose to enable bridging, you can simply override the
default implementation and return true.
In both cases, allowsBridging() gates onboarding to the bridge. Once onboarded - a permissionless operation anyone
can execute - the value of allowsBridging() is irrelevant and assets can move between VMs permissionlessly.