Why Hackers Are Always Hitting Blockchain Bridges
One of the biggest cryptocurrency robberies ever occurred in March 2022 when hackers used a malicious assault to steal almost $625 million worth of cryptocurrencies from the Ronin Bridge protocol. Harmony One’s Horizon Bridge suffered a $100 million loss due to an attack in June. As a result of an exploit of a flaw in the Nomad Bridge’s core technology, smart contracts, another $200 million was lost from it in August. According to Chainalysis, just in 2022, digital assets worth more than $2 billion were stolen from blockchain bridges. This statistic represents approximately 69% of the stolen cryptocurrency funds for the year.
Because of how frequently they occur, these bridge hacks are now both a cautionary indicator for users and a danger to the growth of blockchain technology confidence. The industry is under increasing pressure to remedy the loopholes that have allowed these exploits as bitcoin adoption increases.
In this post, we’ll examine the importance of blockchain bridges in the cryptocurrency ecosystem, the distinction between trust-based and trustless bridges, and potential flaws in each architecture that could allow for fund syphoning by hackers.
— MGB Systems (@mgb_systems) August 12, 2022
Blockchain bridges: what are they?
A tool created to address the interoperability between blockchains is a blockchain bridge, sometimes referred to as a network bridge or a cross-chain bridge. Bridges are now an essential part of the blockchain industry since, as things stand, blockchains cannot work in separate silos and communicate with one another.
In contrast to fiat currencies and credit cards, which various providers can use, this might be considered a significant drawback. Users cannot, for instance, utilize ether (ETH) on the Ethereum blockchain or bitcoin (BTC) on the Ethereum blockchain. Therefore, if a user (let’s call him Billy) wishes to pay another user (let’s call her Ethel) for something but Ethel only accepts ETH, Billy runs into a problem. Ethel cannot receive BTC from him directly. BTC cannot be transmitted straight to Ethel, but he can take further measures to purchase ETH or exchange some of his BTC for ETH.
Blockchain bridges are designed to solve this problem.
Even though each blockchain bridge is unique in its design, most of them let customers lock in a certain number of digital assets on a single blockchain. The protocol will then credit or mint the equal number of holdings on another blockchain, similar to the locked-in funds, as payment in return.
These new assets are referred to as “wrapped” token variations. A user who locks in their ether (ETH) on one blockchain, for instance, will get a “wrapped” ether (wETH) on another blockchain. As a result, Billy can send wrapped bitcoin (wBTC), which operates on the Ethereum blockchain, to Ethel more easily through a bridge.
Blockchain bridges with or without trust
Bridges can be divided into two categories from a security perspective: trustworthy (also known as custodial) and trustless (noncustodial). An asset is a single point of failure if it is entirely under the control of one business. Trusted platforms operate as custodians of the bridging assets while relying on third parties to validate transactions. For instance, BitGo is the custodian of all wrapped bitcoin. The crypto in custody is at risk if the company is dishonest, goes bankrupt, or has other fundamental issues.
For example, the Ronin Bridge protocol required nine validators, of which the Sky Mavis team possessed four. The bulk of these validator nodes (five or more nodes) is necessary for the Ronin Bridge to initiate any withdrawal or deposit to preserve its security. However, the attackers only required one more node to seize control because they could breach all four nodes that the Sky Mavis team had. By doing this, they could remove $625 million from the protocol under the guise of a “confirmed” withdrawal.
Binance Bridge, Polygon POS Bridge, Avalanche Bridge, Harmony Bridge, and Terra Shuttle Bridge are more instances of trust-based bridges. On the other hand, platforms that exclusively use algorithms and smart contracts to store custody assets are referred to as trustless bridges. The integrity of its underlying code is where its restrictions lie.
In February 2022, a flaw in the smart contract led to an exploit of the Wormhole blockchain bridge technology. Wormhole, for instance, is a platform that enables cross-bridge transactions between Ethereum and Solana. As a result, the attackers could evade its verification procedures, leading to a compromise valued at approximately $326 million. The Rainbow Bridge, Polkadot’s Snowbridge, and Cosmos IBC are other instances of trustless bridges.
How secure are blockchain bridges?
Approaches that are both trusted and trustless may be flawed on a fundamental or technical level. To be more exact, a trustless bridge is susceptible to vulnerabilities from the program and the underlying code, but the centralization feature of a trusted bridge exhibits a fundamental defect. If the smart contract has a fault, parties with ulterior motives will almost certainly try to exploit it. Unfortunately, the industry’s problem hasn’t yet found a perfect answer. Both trustworthy and trustless platforms have design faults that jeopardize the blockchain bridge’s security differently.
Additionally, hackers are becoming more skilled as the industry’s value and user base continue to rise. Traditional hacks like phishing and social engineering have been modified to target centralized and decentralized protocols in the Web3 narrative.
A comprehensive source code audit before the bridge is deployed on the blockchain can be an excellent first step in addressing the security vulnerabilities on blockchain bridges, even though it is not perfect. Since all it takes is one slip-up with a poor line of code for hackers to gain access, this must be a from-the-ground-up check to minimize any weaknesses.
Because of this, users must exercise caution before engaging with any bridge ecosystem, which includes examining the documentation, the code, and the system’s maturity. This is a way for them to keep their cryptocurrency safe while the creators figure out how to get beyond the constraints of the existing blockchain bridge protocols.