Cross-chain bridges make interoperability within the blockchain sphere possible. They enable protocols to communicate with one another, share data and build exciting new use cases that are helping propel Web3 into new frontiers. But as this month’s BNB Smart Chain exploit reminds us, they are vulnerable to attack.
If we are to harness the potential of what bridges offer, we need to learn how to protect them.
Bridges have rightly earned a reputation as Web3’s weak link after a string of exploits this year. Just as robbers prefer to target assets while they are transported in vans (as opposed to being locked in bank vaults with sophisticated security systems), hackers have realized tokens in transit are similarly vulnerable.
Coby Moran is the lead investigator at Merkle Science, a predictive Web3 risk and intelligence platform. He previously served as an analyst for the U.S. Federal Bureau of Investigation.
They also know substantial funds are crossing these intersections. With total assets estimated at more than $54 billion, decentralized finance (DeFi) presents an especially attractive target. Even before the BNB attack, crypto bridges featured in more than $1.6 billion of the $2 billion stolen from DeFi protocols in 2022. The magnitude and regularity of these exploits demonstrates why fallen bridges are gaining notoriety.
- February: Wormhole – $375 million
- March: Ronin Bridge – $624 million
- August: Nomad Bridge – $190 million
- September: Wintermute – $160 million
From my experience leading analysts on the trail of stolen funds (like in the recent Wintermute exploit), it’s clear that prevention and defense are where the blockchain community should be focusing its collective efforts.
See also: Calling a Hack an Exploit Minimizes Human Error | Opinion
The Federal Bureau of Investigation has warned investors that cybercriminals are taking advantage of “the complexity of cross-chain functionality.” This certainly aligns with current narratives that bridges are not just vulnerable, but vulnerabilities.
But there are ways we can prevent exploits. As a former FBI analyst with time on the cybercrime task force in Washington, D.C., I can say exploits are rarely fiendishly clever or sophisticated (the type you might see in a Hollywood movie). Rather, they're often predictable security breaches.
Sticking to the world of bridges, which are normally exploited following the introduction of code bugs or leaked cryptographic keys, are often reasonably sophisticated but foreseeable. Take exploits such as these:
- False deposits: Bridges monitor for deposit events on one blockchain to initiate a transfer to another. If a bad actor is able to generate a deposit event without making a real deposit, or makes a deposit with a valueless token, they can withdraw value from the bridge on the other side. The Qubit Finance raid in January is a good example, tricking the protocol into thinking attackers had deposited money when they had not.
- Validator flaws: Bridges also carry out deposit validation before permitting transfers. Hackers may try to create fake deposits capable of defeating this process. This happened in the Wormhole hack, where a flaw in the digital signature validation was exploited. Technically, this was an example of a familiar smart contract exploit. But, as we’re learning, if it happens on a bridge then the bridge gets blamed.
- Validator takeover: This scenario relies on taking over a certain number of validators originally set up to vote yes or no on a cryptocurrency transfer. By controlling a majority of the votes, the attacker can approve any transfers. In the Ronin Network hack, for example, five of the bridge’s nine validators had been compromised in this way.
As these examples suggest, focusing on the shortcomings of bridges while failing to address ground-level security measures is not the way forward. Bridges per se are not the problem; technology is, after all, agnostic. The most common factor across exploits is human error. Post-hack investigations and subsequent fixes often serve to highlight our age-old tendency to close the barn door only after a horse has bolted.
When conducting investigations we often talk things through with a project's team members – because, often, they're the target of exploits. Hackers rarely do anything totally new with every exploit, but instead rely on a series of age-old tricks.
Social engineering, or targeting people in order to gain access to privileged accounts, is a classic case in point. People can be befriended and let their guard down or badgered with enough questions that they reveal a secret.
Take the Ronin Bridge, an Ethereum sidechain built for Axie Infinity that enabled users to transfer assets to the Ethereum mainnet. Five of the bridge's nine validator nodes were compromised in a phishing attack. Afterwards, Ronin announced plans to boost this number, tweeting that “the root cause of our attack was the small validator set which made it easier to compromise the network.”
There go those barn doors, closing.
We also see human limitations impacting the ability to create code fit for purpose. An ongoing developer shortage means there are just not enough experts capable of building and analyzing bridges. Looking again at the Wormhole incident, we see it was abetted by a coding glitch that let hackers set up a fraudulent signature set authorizing transactions to mint ether (ETH).
Had that been discovered earlier, this avenue of attack could have been closed down. It goes without saying that Wormhole had lean contributor numbers. (For the inverse here, please note that Ethereum, with its numerous large teams of developers, has so far avoided a major hack.)
Bridges are soft targets – central points where large sums are stored without the robust protection – and will continue to be attacked. But we should bear in mind, it’s not just the bridges that are vulnerable; blockchains on both sides are put at risk by poorly guarded connections. It’s time to get educated and audited.
- Consider taking a certified class in blockchain security.
- Keep up to date with current affairs in the space.
- When an exploit hits the news, do your own research. What can you learn that might benefit your own project?
- Ensure new bridge code is audited before release and then tested afterwards.
- Increase validator numbers.
- Check regularly for false deposit events.
- Set up a staff task force to focus on security
- Consider using experts to undertake an audit. Ask if they use the latest cross-chain tracking tools.
- Offering bug bounties will help you cover more ground.
- Ensure smart contract addresses are continuously monitored.
The bottom line is that crypto as a whole takes a reputational and financial hit every time an exploit makes waves. The answer is to learn from the mistakes hackers teach us time and again, becoming more proactive in our efforts to prevent repeat performances.
Bridges are vital pieces of Web3 infrastructure we cannot currently do without. And we need to defend them more effectively.