Why are hackers taking advantage of the Blockchain Bridges Problem?
The robbery, one of the biggest in bitcoin history, targeted a service called the Ronin Bridge and drained funds from it. According to the company, attackers stole $540 million worth of Ethereum and USDC stablecoin from Ronin’s cryptocurrency network. Successful attacks against “blockchain bridges” have become more frequent in recent years, and the Ronin incident serves as a reminder of the problem.
Blockchain bridges allow users to transfer digital assets from one blockchain to another. Because cryptocurrencies are often kept separate and unable to communicate with one another (for example, you can’t do a transaction on the Bitcoin blockchain using Dogecoins), bridges have emerged as a critical mechanism, almost a missing link, in the cryptocurrency economy.
To convert one sort of cryptocurrency into another, bridge services “wrap” it. A wrapped coin is similar to a gift card or a cheque in that it represents the stored value in a different format. So, if you go to a bridge to use another currency, such as Bitcoin (BTC), the bridge will spit out wrapped bitcoins (WBTC). To back all those wrapped currencies, bridges need a reserve of bitcoin coins, and that stockpile is a prime target for hackers.
“Any capital on-chain is vulnerable to assault 24 hours a day, seven days a week. Therefore blockchain bridges will always be a popular target,” says James Prestwich, a researcher and developer of cross-chain communication protocols. “People will always want the ability to join new ecosystems. Thus bridges will continue to grow. Over time, we’ll become more professional, develop best practices, and more individuals will be able to build and analyze bridge code. Because bridges are so new, there aren’t many experts.”
Aside from the Ronin theft, attackers took $80 million in bitcoin from Qubit Bridge at the end of January, $320 million from Wormhole Bridge in February, and $4.2 million from Meter.io Bridge a few days after that. Last August, nearly $611 million in cryptocurrency was stolen from the Poly Network bridge, but the attacker later returned the assets. Hackers used software weaknesses to siphon funds in these attacks, but the Ronin Bridge attack featured a unique flaw.
This Ronin bridge hack is wild! Over $600m in #crypto drained 🤯
As we saw with the Wormhole exploit a few weeks ago, bridges are easy targets…
— Coin Bureau (guy.eth) (@coinbureau) March 29, 2022
Sky Mavis, the Vietnamese company behind the successful NFT-based video game Axie Infinity, created Ronin. In the case of this bridge hack, it appears that attackers employed social engineering to gain access to the secret encryption keys required to verify network transactions. Furthermore, the way these keys were used to validate transactions was not as rigorous as it should have been, allowing attackers to authorize their fraudulent withdrawals.
“As we’ve seen, Ronin is not immune to exploitation. This attack has highlighted the necessity of prioritizing security, being attentive, and mitigating all dangers,” the business said.
Ronin discovered the intrusion the next day, although the platform’s “validator nodes” had been hacked on March 23. The thieves made off with 173,600 Ethereum and 25.5 million USDC. Since then, Ronin Bridge has been down, and users have been unable to do transactions on the site.
The Ronin bridge has been exploited for 173,600 Ethereum and 25.5M USDC.
The Ronin bridge and Katana Dex have been halted.
— Ronin (@Ronin_Network) March 29, 2022
Prestwich says, “This attack is so disturbing since it appears that the team failed to follow well-known basic security measures.” “The attack went unreported for several days, implying that the team did not have basic system monitoring—standard security measures would include automatic email and SMS notifications for unusual occurrences or substantial fund movements.”
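The kind of fund-movement monitoring Prestwich describes can be sketched as follows. This is an added example, not code from Ronin or from the article: it flags both a single oversized withdrawal and a run of smaller ones that add up within an hour. The limits, event format, timestamps and transaction ids are assumptions; only the last two amounts come from the article.

```python
from collections import deque, namedtuple

Withdrawal = namedtuple("Withdrawal", "ts asset amount tx")  # ts in unix seconds

# Assumed limits per asset: (largest normal single withdrawal, largest normal hourly total).
LIMITS = {"ETH": (5_000, 10_000), "USDC": (2_000_000, 10_000_000)}
WINDOW = 3600  # seconds


class OutflowMonitor:
    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits, self.window = limits, window
        self.recent = {}  # asset -> deque of (ts, amount) still inside the window

    def observe(self, w):
        """Return the (rule, asset, tx) alerts raised by one withdrawal."""
        if w.asset not in self.limits:
            return [("UNKNOWN_ASSET", w.asset, w.tx)]
        single_max, window_max = self.limits[w.asset]
        q = self.recent.setdefault(w.asset, deque())
        q.append((w.ts, w.amount))
        while q[0][0] <= w.ts - self.window:  # drop events older than the window
            q.popleft()
        alerts = []
        if w.amount > single_max:
            alerts.append(("LARGE_WITHDRAWAL", w.asset, w.tx))
        if sum(amount for _, amount in q) > window_max:
            alerts.append(("WINDOW_OUTFLOW", w.asset, w.tx))
        return alerts


def scan(events):
    """Replay events in time order; a deployment would send email/SMS per alert."""
    monitor = OutflowMonitor()
    return [a for e in sorted(events) for a in monitor.observe(e)]


# Constructed sample feed. The last two amounts are the Ronin figures quoted in
# the article; timestamps and transaction ids are made up.
SAMPLE = [
    Withdrawal(0, "ETH", 12, "tx-1"),
    Withdrawal(600, "ETH", 4_000, "tx-2"),
    Withdrawal(1_200, "ETH", 4_000, "tx-3"),
    Withdrawal(1_800, "ETH", 4_000, "tx-4"),  # each is small, the hour's total is not
    Withdrawal(90_000, "ETH", 173_600, "tx-5"),
    Withdrawal(90_060, "USDC", 25_500_000, "tx-6"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The rolling total catches withdrawals that are split to stay under the per-transaction limit, which a single-amount threshold alone would miss.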
Given that the Ronin breach relied on a classic social engineering assault and targeted security design concerns rather than a specific software vulnerability, as most other bridge hacks do, it may constitute an evolution of bridge hacks. Other assaults have focused on flaws in how bridges implement “smart contracts,” which are small blockchain programs designed to run at precise times and under specific conditions—basically, a contract that executes itself. However, using social engineering to access privileged target accounts is a common attacker approach, even in decentralized banking.
“Social engineering and associated private key compromises have always been a vector of attack for DeFi platforms, not just bridges,” says Arda Akartuna of blockchain analytics and compliance startup Elliptic. “However, they have been observed far less frequently than coding attacks. There’s no evidence that social engineering-based vulnerabilities are becoming more widespread, while the Ronin incident’s success may serve as an inspiration to future hackers.”
As the Bitcoin gold rush plays out, the services converging to form the backbone of this new financial ecosystem are being tested. As the underlying technologies expand and mature, security vulnerabilities have plagued cryptocurrency platforms and the decentralized finance movement. Blockchain bridge attacks may be the new cryptocurrency exchange hacks, but they exploit the same problem: high-stakes platforms that hold enormous sums of value and were built hastily to satisfy new demands.
Services that connect previously obscure platforms can’t be slapped together without thorough and ongoing testing. According to Akartuna, better securing bridges will require more control and auditing of the platforms’ sophisticated code. However, he notes that some bridge security concerns have an external cause.
“Blockchain Bridges deal with lesser-known or obscure blockchains where security auditing is not yet widely available,” Akartuna says. “In comparison to DeFi platforms that operate only on more well-known blockchains, the likelihood of unpatched security vulnerabilities in their protocols is higher.”