Bolide Banner

Blockchains Bridges Are the New Favorite Target of Crypto Hackers.

By ssaurel | In Bitcoin We Trust | 18 Aug 2022


Inviolable, unfalsifiable, immutable … If Blockchain technology has many advantages over centralized servers, the Blockchain ecosystem is vulnerable to some hacking, and especially one in particular: the attack via bridges.

According to the specialized firm Chainalysis, 2 billion dollars have been stolen via these bridges since the beginning of 2022. A bridge is a computer protocol that allows two Blockchains to interact with each other.

The vast majority of Blockchains operate in silos in isolated environments: each has its own rules, mechanisms, and assets, often incompatible with other Blockchains. The multiplication of Blockchains (Bitcoin, Ethereum, Solana, Polygon…) and the lack of interoperability between them make the existence of these bridges necessary, which allows a dialogue between the different Blockchains.

In concrete terms, bridges establish bridges between networks and allow smart contracts, data, and tokens to be transferred from one chain to another.

For developers of decentralized applications (dApps), bridging also allows them to take advantage of the strengths of each blockchain. Cryptocurrency investors can also use bridges to try out different networks and choose the one that offers them the most benefits. Transaction fees can vary from one Blockchain to another. So can interest rates. So it’s tempting to move your assets to another Blockchain, without having to buy or sell another cryptocurrency.

More than $2B has been stolen via bridges in 2022

But these bridges are particularly vulnerable to computer attacks. Since the beginning of 2022, attacks have been on the rise. According to Chainalysis, 69% of crypto funds stolen in 2022 were stolen via various hacks that targeted bridges.

In January 2022, $326 million was siphoned off via the Wormhole bridge linking Solana to Ethereum. In March 2022, 600 million dollars were stolen via the Ronin protocol. In June, it was the Horizon protocol bridging the Harmony blockchain and Ethereum that was targeted by hackers, for an estimated loss of 100 million dollars.

On Monday, August 1, 2022, the hackers made a new victim. Nomad, the cross-chain bridge allowing the dialogue between Ethereum, Avalanche, and Moonbeam was stolen 190 million dollars of cryptos. The money was taken in several tranches through different accounts. The company said it has launched an investigation to “identify the accounts involved and trace the funds for recovery.

When a bridge transfers a cryptocurrency to a Blockchain that the crypto is not compatible with, it uses wrapping. This technique consists of tokenizing the cryptocurrency, i.e. transforming it into a new asset that will be compatible with the destination Blockchain.

The value of the wrapped crypto is usually backed by that of the original crypto, and the holder of the funds can exchange one for the other at any time.

For example, some investors use Wrapped Bitcoin (WBTC), a token that is compatible with the Ethereum blockchain, whose value is indexed to that of Bitcoin, which is not compatible with Ethereum. This allows them to benefit from the speed of the Ethereum Blockchain, as well as lower fees (sometimes).

When a bridge wraps a cryptocurrency, it collects a pool of cryptocurrencies from investors to which the wrapped cryptos are backed. The funds are held in escrow in a smart contract (digital contracts that are automatically executed when predetermined conditions are met) and act as the underlying assets. It is this pool that is targeted by hackers.

A bridge is a real honeypot. When everyone puts their money in the same address, it’s easier to attack. In the case of Nomad, a flaw in the smart contract allowed bridge users to withdraw escrow funds that did not belong to them. A code error allowed all transactions to be validated.

Ironically, the flaw had been reported during an audit but had not been corrected. Part of the funds ($32 million as of August 6, 2022) was recovered by “white hat” users who detected the flaw and decided to seize part of the funds before malicious “black hat” users siphoned off all the deposits stored in the bridge. On Friday, August 5, 2022, the platform promised that anyone who returned at least 90% of the stolen funds would be considered a “white hat” and could keep the remaining 10% as a reward.

Flaws everywhere, due to these Blockchains bridges

The complexity of the software used by bridges can lead to errors and that makes them vulnerable to attack,” Mudit Gupta, Polygon’s head of security, told Bloomberg. Bridges multiply attack surfaces and lower security. By creating bridges between all the blockchains, vulnerabilities have been created everywhere.

Some people try to reassure themselves by seeing these hacks as evil for a good: as time goes by, coders learn from their mistakes. A sort of Darwinian process that would allow improving security as we go along, but at what price …

The bridge technology is very recent, which explains the mistakes for the lovers of these bridges. For its part, Chainalysis recommends to the sector actors to make “extremely rigorous” audits of their lines of code. And above all, to apply the corrections recommended at the end of these audits. This would have avoided for example the Nomad hack …


Some reading

How do you rate this article?


58

1

ssaurel
ssaurel Verified Member

Entrepreneur / Developer / Blogger / Author.


In Bitcoin We Trust
In Bitcoin We Trust

In Bitcoin We Trust is a place where Bitcoin believers share their ideas about the upcoming revolution. Blockchain and cryptocurrencies are also covered in this publication.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.