CCIP Service Responsibility - Shared Accountability Model
The Chainlink Cross-Chain Interoperability Protocol (CCIP) is a secure, reliable, and easy-to-use interoperability protocol for building cross-chain applications and services. The use of CCIP involves application developers, blockchain development teams, token developers and Chainlink node operators, among others. These participants share responsibility for ensuring that operation and performance match expectations. Please note that CCIP support of a particular blockchain, application, or token does not constitute endorsement of such blockchain, application, or token. Please review the CCIP Service Limits which provides important additional information.
Application Developer Responsibilities
Application developers are responsible for the correctness, security, and reliability of their application. This includes:
- Code and application audits: Developers are responsible for auditing their code and applications before deploying to production. Developers must determine the quality of any audits and ensure that they meet the requirements for their application.
- CCIP upgrades and best practices: Developers are responsible for following CCIP documentation regarding implementing CCIP upgrades and best practices for integrating CCIP in their applications.
- Code dependencies and imports: Developers are responsible for ensuring the quality, reliability, and security of any dependencies or imported packages that they use with Chainlink CCIP, as well as reviewing and auditing these dependencies and packages.
- Code quality and testing: Developers are responsible for ensuring that their application code, onchain and offchain, meets the quality expectations and has undergone rigorous testing.
- Application monitoring and alerting: Developers must monitor their applications, inform their users of any abnormal activity, and take appropriate action to restore normal operations.
- Blockchain risk assessment: Developers are responsible for the risk assessment of any blockchain network where they choose to deploy their application on or decide to interoperate with, when using Chainlink CCIP. This includes reviewing the time-to-finality formally documented by a blockchain's development team, understanding how CCIP uses it to determine finality, the nuances in the different types of deterministic finality, and being aware of the risks when CCIP uses block depth to determine chain finality.
- Token risk assessment: Developers are responsible for the risk assessment of any tokens they choose to support or list in their application and expose to their users.
- Risk communication: Developers must clearly articulate and communicate identified risks to their users.
- Manual execution: Developers must monitor their CCIP transactions and take action when transactions require manual execution. For example, informing their users and directing them to the appropriate page on the CCIP Explorer.
- Risk Management Network coverage: Developers must check the deployment status of the Risk Management Network on the chains they build on, such as via the CCIP Directory. If the Risk Management Network is not yet active on a chain, developers must validate that its absence conforms to the requirements of their application's specific use case.
Blockchain Development Team Responsibilities
Blockchain development teams are responsible for the correctness, security, and reliability of their blockchain software. This includes:
- Block finality: Blockchain development teams must ensure that blocks with a commitment level of finalizedare actually final. The properties of the finality mechanism, including underlying assumptions and conditions under which finality violations could occur, must be clearly documented and communicated to application developers in the blockchain ecosystem. The documented time-to-finality informs how long CCIP waits for finality for outbound transactions from that chain; however, an additional buffer may be added.
- Governance model: Blockchain development teams are responsible for setting up a clear and effective governance model and communicating its participants and processes clearly to its stakeholders and application developers.
- Fixes and upgrades: Blockchain development teams must communicate availability of fixes immediately and announce planned upgrades as much in advance as possible so blockchain validators and application developers can prepare themselves accordingly.
- Incident management: Blockchain development teams are responsible for clearly articulating and communicating any security, reliability and availability incidents to their community. This includes root cause analysis, post-mortem details and a clear plan of action to recover and prevent from happening in the future.
- Blockchain liveness: Blockchain development teams must take appropriate action to ensure their blockchain maintains a high degree of liveness and aligns with set expectations towards their community members and applications developers.
- Data availability: The blockchain network must ensure that complete historical data remains consistently accessible through standard RPC interfaces. This includes block headers, transactions, and emitted logs. This includes ensuring that nodes can serve past blocks and logs even after temporary downtime or restarts. Failure to provide reliable access to historical logs can result in stuck or failed transactions.
Token Developers Responsibilities
Token Developers may enable token transfers on CCIP for the tokens that they administer. Enabling token transfers on CCIP allows users to transfer tokens between supported blockchains using either Burn and Mint, Lock and Mint, or Lock and Unlock processes. Token Developers who choose to enable token transfers on CCIP are responsible for the correctness, security, and reliability of their token pools, token configurations, and token contracts. This includes:
- 
Code and application audits: Token Developers are responsible for auditing their token contract code and token pool contract code. Developers must determine the quality of any audits and ensure that they meet the requirements for their use cases. 
- 
Configuration of CCIP contracts: Token Developers are responsible for maintaining the correct token pool and token administrator for their token in all applicable TokenAdminRegistry contracts. Users are responsible for maintaining control of the address which is set as the token administrator. This token administrator is the only role authorized to map a token to the corresponding token pool on the same network. 
- 
CCIP upgrades and best practices: Token Developers are responsible for following CCIP documentation regarding implementing CCIP upgrades and best practices for enabling token transfers on CCIP for their token. 
- 
Code dependencies and imports: Token Developers are responsible for ensuring the quality, reliability, and security of any dependencies or imported packages that they use with their token contracts, token pools, or configurations including the TokenAdminRegistry. Token Developers are responsible for reviewing and auditing these dependencies and packages. 
- 
Token Developers must retain access to the token administrator account after it has accepted this role in the TokenAdminRegistry. Neither Chainlink Labs nor the Chainlink Foundation is responsible for any loss of access to these token pools, loss of funds, or disruption to applications due to loss of access to these required functions. 
- 
Blockchain risk assessment: Token Developers are responsible for the risk assessment of any blockchain network where they choose to deploy their tokens, token pools, and tokens enabled for transfer using Chainlink CCIP. 
- 
Risk communication: Token Developers must clearly articulate and communicate identified risks to the users of those tokens including any risks specific to the configuration of tokens enabled for transfer using Chainlink CCIP. 
- 
Authorization: Token Developers must verify that they are authorized to create token pools for a given token. Although anyone may create a token pool, the token developer must properly register that token with Chainlink CCIP. Token Developers must also properly configure the TokenAdminRegistry. 
- 
Token pool configurations for Rebasable Tokens: Token Developers must properly write the logic in their token pool for burning and minting tokens based on the rebasing mechanism. 
- 
Token transfer rate limits: Token DeveloperToken Owners must select and configure appropriate token transfer rate limits for tokens on each lane where they choose to enable their token. 
- 
Token transfer types: Token Developers must select appropriate token transfer type for their tokens; either Burn and Mint, Lock and Mint, or Lock and Unlock. Token Developers are responsible for implementing the burn and mint functions, lock and mint functions or lock and unlock functions in their token contracts correctly on all applicable chains. 
- 
Migration between CCIP versions: Token Developers who wish to adopt future versions of CCIP are responsible for all migration tasks required to adopt new features and functionality. 
- 
Best Practices: Token Developers are responsible for following the appropriate best practices for creating, managing, and enabling transfers of their tokens on Chainlink CCIP. 
- 
Risk Management Network coverage: Token Developers must check the deployment status of the Risk Management Network on the chains they build on, which can be found on the CCIP Directory page. If the Risk Management Network is not yet active on a chain, Token Developers must validate that its absence conforms to their requirements. 
- 
Token Developer Attestation: Token Developers are responsible for ensuring the quality, reliability, and security of their associated attestation endpoint(s). Token Developers are responsible for adhering to Chainlink-defined specifications and maintaining an up-to-date implementation. Neither Chainlink Labs nor the Chainlink Foundation are responsible for the development, maintenance, or operation of Token Developer Attestation endpoints. - Following implementation specifications: Failure to adhere to design specifications for the Chainlink-defined Token Developer Attestation endpoint can result in stuck or failed transactions for users, incorrect accounting of token supply, and/or potential loss of tokens.
- Maintenance: Failure to maintain up-to-date compatibility with the Chainlink-defined design specifications may result in downtime or unreliable attestations.
- Reliability: Attestation endpoints must be built to handle user demand, both in terms of transactional capacity and uptime. Failure to respond to attestation requests may result in stuck or failed transactions for users and/or potential loss of tokens.
 
- 
Liquidity Management: Token Developers who choose the Lock and Mint or Lock and Unlock mechanism must ensure their token pools have sufficient liquidity when releasing tokens. Failure to maintain adequate liquidity can result in stalled or failed cross-chain transfers, causing a degraded user experience. Token Developers are responsible for: - Ensuring sufficient liquidity: Continuously monitor transaction volumes and add liquidity to the pool before it is depleted to avoid having user funds stuck in transit.
- Avoiding fragmented liquidity: Where possible, minimize the use of Lock and Unlock across multiple blockchains to reduce operational complexity and prevent liquidity from being split across multiple pools.
- Monitoring liquidity health and automating alerts: Implement monitoring and alerting systems that notify Token Developers when liquidity drops below certain thresholds, allowing for proactive liquidity management before user transfers fail.
- Proper use of provideLiquidity and withdrawLiquidity: Only authorized entities (such as a trusted liquidity manager) should manage liquidity. Ensure all access controls are in place to prevent unauthorized manipulation of the token pool.
 
Although Token Developers may request that their tokens be added to Transporter, tokens may be added to Transporter at any time even if it has not been explicitly requested.
Chainlink Node Operator Responsibilities
High-quality Chainlink node operators participate in the decentralized oracle networks (DONs) that power CCIP and the Risk Management Network using a configuration specified in the Chainlink software. As participants in these deployments, Node Operators are responsible for the following components of Chainlink CCIP and the Risk Management Network:
- Node operations: Chainlink node operators must ensure the proper configuration, maintenance, and monitoring of their nodes participating in the Chainlink CCIP and Risk Management Network DONs.
- Transaction execution: Chainlink node operators must ensure that transactions execute onchain in a timely manner and that they apply gas bumping when necessary.
- Blockchain client: Chainlink node operators are responsible for selecting and properly employing blockchain clients, including latest fixes and upgrades, to connect to supported blockchain networks.
- Consensus participation: Chainlink node operators must maintain continuous uptime and active participation in OCR consensus.
- Infrastructure security: Chainlink node operators must follow infrastructure security best practices. These include access control, configuration management, key management, software version & patch management, and (where applicable) physical security of the underlying hardware.
- Software version: Chainlink node operators are responsible for ensuring that Chainlink node deployments are running the latest software versions.
- Responsiveness: Chainlink node operators must respond to important communication from Chainlink Labs or from other node operators in a timely manner.