Skip to content
Switchboard
· Switchboard Team comparisonwormholesecurity

Wormhole guardians vs the single-clock model

Wormhole's 19-guardian quorum and Switchboard's single Solana coordinator are two answers to the same question. Here is why we picked the second one — and where the first one is still the right call.

Cross-chain messaging has two open architectures that have been load-bearing for years: a quorum of named attestors (Wormhole, Axelar, most of the LayerZero DVN configurations) and a single-coordinator chain (Switchboard, and historically things like the IBC relayers that lean on Tendermint finality).

Both work. Both have been hit by bad days. The trick is understanding the failure modes you are signing up for.

The Wormhole approach in one paragraph

Wormhole runs 19 guardian nodes operated by 19 distinct organizations. When a message is emitted on a source chain, each guardian observes the event and signs a VAA — a Verifiable Action Approval. Once 13 of 19 signatures are collected, the VAA is considered valid and can be submitted to the destination chain, where the on-chain contract verifies the threshold signature.

The guarantees:

  • Liveness under any 6-of-19 failure. As long as 13 guardians are honest and online, the system makes progress.
  • Safety under any 6-of-19 collusion. As long as 7+ guardians are honest, no forged message can be accepted.
  • Per-chain verification that does not depend on any other chain’s finality.

The cost:

  • 19 sets of ops. 19 phone trees. 19 audits. 19 sets of incentive math.
  • Latency proportional to the slowest of (13 picked out of 19) guardians.
  • A governance surface (who is in the set, who replaces a node, what software they run) that has to be actively managed.

The Switchboard approach in one paragraph

Switchboard has a single coordinator program running on Solana. When a message is emitted on a source chain, the Switchboard Core Engine commits a record to the coordinator program in the next Solana slot. Destination chains verify by reading the Solana state — via a light-client proof where they can, or via a BLS threshold signature from the Switchboard relayer pool where they cannot.

The guarantees:

  • One finality clock. Every chain that watches the coordinator agrees on the order and timing of events.
  • Sub-400ms end-to-end because the Solana slot is the limiting factor, not a multi-org signing process.
  • A simpler trust model to audit: one Anchor program, one source repo, one set of upgrade keys.

The cost:

  • A Solana liveness dependency. If Solana halts, the coordinator halts, and routes fail according to the per-route policy.
  • A single program with a multisig upgrade authority — which is a smaller blast radius than a 19-org guardian set but a more concentrated one.
  • Reliance on per-chain light clients (or, on chains without them, on our relayer BLS quorum, which puts us partway back toward the Wormhole model).

The two failure modes side by side

It helps to write down what can actually break in each model.

Wormhole catastrophic failures:

  1. 7+ guardians collude. (Mitigated by organizational diversity.)
  2. A bug in the guardian software lets a forged VAA through 13 honest guardians. (Happened once, the famous February 2022 incident, $325M.)
  3. A bug in a per-chain on-chain contract verifying VAAs. (Same incident, technically.)

Switchboard catastrophic failures:

  1. The coordinator program is exploited. (Mitigated by audits + a small attack surface — the program is ~1,500 lines of Rust.)
  2. The Switchboard upgrade authority is compromised. (Mitigated by a 4-of-7 multisig held by separate operators.)
  3. Solana experiences a long-running consensus failure that breaks the finality clock. (Mitigated by per-route fail-closed/fallback policy.)

The interesting comparison is not “which has fewer failure modes” — they have roughly the same number — but “which failure modes are easier to detect and respond to.” A guardian set compromise can be silent for hours. A Solana halt is immediately visible. A bug in our Rust coordinator is in a much smaller codebase than the union of 19 guardian implementations.

We picked the side of detectability.

Where Wormhole still wins

Three places, and they are real:

Battle-tested ops. Wormhole has been running production traffic since 2021. It has been attacked, has had incidents, and has come out the other side with hardened ops. We have one year of mainnet on the current architecture. Time is the one variable we cannot fake.

Diverse organizational signers. If your threat model includes “an organization could be compelled to sign,” 19 organizations are harder to compel than one. We do not pretend otherwise.

Ecosystem footprint. Wormhole has wrapped tokens, NTT, and a deep set of partners. If your project is downstream of one of those, Wormhole already speaks your language.

Where Switchboard wins

Latency. Median 250ms vs Wormhole’s 30s–60s VAA window. This is not a small delta.

Operational simplicity. Two services and a Solana program vs a guardian network with software diversity and an attestation gossip layer.

Per-route policy. Each Switchboard route declares its own finality, retry, and fallback behavior. The Wormhole equivalent is “what the VAA contract on each chain implements,” which is the same policy for everyone.

A worked example: a perp DEX

Imagine a perp DEX that wants to settle a position liquidation across three chains: the orderbook lives on Arbitrum, the collateral lives on Ethereum, and the user’s wallet is on Base.

On Wormhole, the liquidation flow looks like: liquidator triggers on Arbitrum → emit VAA → wait for 13 guardian signatures (~30s) → submit on Ethereum to seize collateral → emit second VAA → wait again → submit on Base to credit the wallet. End-to-end: roughly 60–90 seconds. In a fast market, the price has moved, and the liquidator is now underwater.

On Switchboard, the same flow: liquidator triggers on Arbitrum → Switchboard commits the multi-chain transaction to the Solana coordinator → destination submissions race in parallel → all three chains see consistent state within ~400ms. End-to-end: under one second. The liquidator gets paid, the protocol stays solvent, the user gets a clean execution.

That is not “faster is better in the abstract.” That is “the product works at one latency budget and does not work at the other.”

The bottom line

Wormhole and Switchboard answered the same architectural question with different bets. Wormhole bet on a diverse, decentralized attestor set. Switchboard bet on a single high-speed coordinator and a small, auditable program.

If your application is patient — wrapped-token bridges, governance messages, treasury moves — Wormhole is mature and proven and you should consider it seriously. If your application is impatient — orderbooks, liquidations, real-time game state, multi-chain auctions — the latency math leaves no real choice.

Either way, do not take our word for it. Wire both up. Measure your real workload. The numbers will tell you which is the right pick.

← Back to blog