The largest thefts of cryptocurrencies have recently occurred as a result of attacks on bridges connecting various blockchains. According to experts, they have yet to mature.
Attackers stole about $320 million worth of cryptocurrency from Wormhole in March, $650 million from Ronin in May and $200 million from Nomad in August. The targets were not the banks of a Hollywood gangster film but bridges between different blockchains, for example between Ethereum and Bitcoin.
“These are revolutionary technologies that connect the seemingly unconnected, but that’s where their complexity lies – they are young, still developing and therefore subject to security issues,” said David Stensel, technical director of the crypto investment company Fumbi.
According to data from Coinmarketrate.com, cryptocurrency bridges can be centralized or decentralized. Each type has its own potential risks, and it is impossible to say which is better. In either case, it comes down to trust.
According to David Stensel of Fumbi, this applies to bridges, as well as the entire ecosystem of decentralized finance, of which they are a part. This is a very young area, fraught with pitfalls and risks, but they will gradually disappear and pass.
The evolution of blockchain technologies
Blockchain applications and services, like other technology industries, go through various stages of evolution. However, each new innovation is also accompanied by new specific risks that are not always easy to detect.
Currently, there are several large blockchain networks on the cryptocurrency scene, which host hundreds of decentralized applications. The potential of these applications, as well as the networks themselves, is very limited if they cannot interact with each other. Therefore, the efforts of many development teams are focused on ensuring easy interaction between blockchains, the so-called interoperability.
Although today different blockchains can communicate with each other, in the past this was not quite the case. Networks such as Bitcoin or Ethereum worked as independent blockchains that could not communicate with each other, which meant it was impossible to spend Bitcoin on the Ethereum blockchain and vice versa.
For example, if someone owns Bitcoin, they cannot become part of a decentralized financial system known as DeFi and participate in its activities and projects, because the Bitcoin protocol does not directly support such interaction.
However, the so-called inter-chain bridges (or cross-chain) solved this problem. These are protocols that allow independent blockchains to communicate with each other and give users the ability to transfer assets and information between different platforms without going beyond the original blockchain.
The whole mechanism works according to the lock-mint-burn system. If, for example, a Bitcoin owner wants to interact with DeFi, they first send Bitcoin to a specified address on the Bitcoin blockchain. Information about the receipt of the payment is transmitted to the bridge, which locks the BTC and issues so-called wBTC (wrapped bitcoin) tokens on the Ethereum blockchain, with which the user can move freely in the Ethereum ecosystem.
To withdraw the bitcoins, the user sends the wBTC to be burned, in exchange for which the locked bitcoins are released.
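The lock-mint-burn flow described above can be sketched as a small ledger model. This is an added illustration, not code from any bridge mentioned in the article; the class, method names and transaction IDs are hypothetical, and a real bridge would verify deposits against the source chain rather than trust a caller-supplied ID.

```python
from dataclasses import dataclass, field

class BridgeError(Exception):
    pass

@dataclass
class Bridge:
    """Toy lock-mint-burn ledger (illustrative model, not a real bridge)."""
    locked_btc: int = 0                          # satoshis locked on the source chain
    wbtc: dict = field(default_factory=dict)     # wrapped balances on the destination chain
    seen_deposits: set = field(default_factory=set)

    def wbtc_supply(self) -> int:
        return sum(self.wbtc.values())

    def check_invariant(self) -> None:
        # Every wrapped token must be backed by exactly one locked unit.
        if self.wbtc_supply() != self.locked_btc:
            raise BridgeError("wrapped supply does not match locked collateral")

    def lock_and_mint(self, deposit_txid: str, user: str, amount: int) -> None:
        if amount <= 0:
            raise BridgeError("amount must be positive")
        # A deposit may back a mint only once; a replay would mint unbacked wBTC.
        if deposit_txid in self.seen_deposits:
            raise BridgeError("deposit already processed")
        self.seen_deposits.add(deposit_txid)
        self.locked_btc += amount
        self.wbtc[user] = self.wbtc.get(user, 0) + amount
        self.check_invariant()

    def burn_and_unlock(self, user: str, amount: int) -> int:
        if amount <= 0 or self.wbtc.get(user, 0) < amount:
            raise BridgeError("insufficient wBTC to burn")
        self.wbtc[user] -= amount        # burn on the destination chain
        self.locked_btc -= amount        # release on the source chain
        self.check_invariant()
        return amount

def demo():
    bridge = Bridge()
    bridge.lock_and_mint("tx-constructed-01", "alice", 150_000)  # constructed sample deposit
    try:
        bridge.lock_and_mint("tx-constructed-01", "alice", 150_000)
        replay_rejected = False
    except BridgeError:
        replay_rejected = True
    released = bridge.burn_and_unlock("alice", 50_000)
    return replay_rejected, released, bridge.locked_btc, bridge.wbtc_supply()

if __name__ == "__main__":
    print(demo())
```

The two checks worth noting are the one-time use of each deposit and the invariant that the wrapped supply always equals the locked collateral.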
There is no denying that inter-chain bridges are revolutionary. However, their design is often vulnerable, and, especially recently, more and more attackers are exploiting these flaws.
You’ve probably noticed recent hacks related to Ronin Bridge, Wormhole or Nomad Bridge, from which hundreds of millions of dollars were stolen. What are the main risks associated with the use of bridges?
The main risks of cross-chain
The first, and probably the most significant, is custody risk. From this point of view, bridges can be divided into two main categories – centralized and decentralized.
Centralized bridges require a centralized organization or a group of intermediaries to manage and process all transactions related to the deposit, issuance and burning of tokens. A centralized structure usually deals only with the smooth processing of transactions and does not cover activities related to the identification of potentially fraudulent transactions and actions.
Centralization, in particular, is a frequent target of attackers seeking to find a point of failure or gain access to a central asset repository to control the resources of a given bridge.
In addition, centralized bridges are based on trust. When interacting with such a bridge, you must trust the central structure to store your coins securely and to give you tokens on another blockchain, and vice versa. It is this centralization and trust in other organizations that is a common point of failure.
The second category is decentralized bridges. The functioning of these bridges depends on smart contracts that perform all actions related to depositing, issuing and burning tokens.
However, smart contracts are inanimate entities and are only as good as their developer is. Every flaw and error in the source code of a smart contract can be a godsend for hackers, and deprive bridge users of all their funds.
Another significant risk is DeFi protocol risk. DeFi platforms automate various financial services using smart contracts. The logic of these protocols is very important, and any error in their code, even a tiny one, can turn into a disaster. For example, a flaw in the Alchemix lending protocol allowed borrowers to take back their collateral on loans worth more than six million dollars without paying them off.
However, a successful transfer of assets across the bridge is not a guarantee that your funds are 100 percent safe. Hacking another platform may cause you to be unable to burn and unlock your collateral.
In practice, there are also risks associated with the use of browser-based crypto wallets, mobile devices or software. Each user connects to the crypto bridge most often through a web wallet, which itself is subject to a number of risks.
One of the latest wallet hacks is the Slope Wallet attack, during which attackers managed to gain access to users’ private keys. The attackers were able to sign transactions and steal more than eight million dollars from eight thousand wallets.
Although there are still assumptions about what the real reason for the hack was, one of the versions is that Slope Wallet stored the so-called “seeds” of users on centralized servers that were hacked.
However, some of the risks are not directly related to the use of bridges. One significant risk is protocol risk. This risk is associated with the failure of the blockchain itself, since most DeFi applications have a certain level of infrastructure dependence on the underlying blockchain. Risks such as attacks on the consensus mechanisms of specific blockchains can turn into vulnerabilities of the DeFi protocols running on that platform.
Decentralized finance on blockchain is a promising area that rebuilds the work of the financial system as we know it today. However, despite its promising potential, it is still a very young area, fraught with pitfalls and risks. As you have already understood, a lot depends on the developer. There are cross-chain projects whose security experts I have no doubts about. A striking example of this is the Decimal Chain blockchain project, with its native DEL token. In addition to the fact that it functions flawlessly as a cryptocurrency bridge, it copes perfectly with the task of being a constructor platform for creating any coins, including NFTs and stablecoins.
So, as you can see for yourself, problems arise where developers do not take an impeccable approach to security and risk. Over time, these problems will gradually decrease as the maturity of the entire ecosystem increases.
In any case, we have something to wait for.