How to Lose $2 Billion: Crypto’s Bridge-Building Problem

Disclaimer: This article is for general information purposes only and isn’t intended to be financial product advice. You should always obtain your own independent advice before making any financial decisions. The Chainsaw and its contributors aren’t liable for any decisions based on this content.

Hacks have caused losses of nearly $3 billion this year, as developers and founders learn the hard way about vulnerabilities in their tech — with 13 separate cross-chain bridge hacks accounting for just over $2 billion of the total sum.

Most recently, on August 1, we witnessed the third-largest bridge hack of the year when the Nomad Bridge was exploited for just over $190 million. In what’s being called the first “decentralised robbery”, thousands of hackers took advantage of a loophole that allowed users to ‘fake’ transactions and withdraw funds that weren’t theirs.

Less than 24 hours after the hack made headlines, blockchain analytics firm Chainalysis published a new report sharing all the ugly bridge-related details from the year so far.

[Chart: Quarterly bridge hack theft value. Source: Chainalysis]

Earlier this year, the crypto industry was rocked by the largest bridge hack to date, when hackers exploited the Ronin Bridge, draining $650 million worth of ETH and USDC from the Axie Infinity ecosystem.

The second-largest bridge hack of the year occurred just two months prior, when the Wormhole Bridge was exploited and $320 million in wrapped ETH (wETH) was drained from the Solana network.

But why bridges?

If you’re still wondering, “How the fu*k are these bridges getting hacked all the time?” — worry no more.

Cross-chain bridges — the piece of virtual infrastructure designed to securely transfer cryptocurrencies from one blockchain network to another — are the vulnerability point.

According to the Chainalysis report, the reason that bridges are such a popular target with hackers is that they don’t actually transfer the asset itself. Instead, bridge protocols ‘lock up’ the digital assets in a secure location and then issue the equivalent tokens on the other blockchain. This means that there is often a single, centralised location where massive sums of cryptocurrency are stored.

“Regardless of how those funds are stored — locked up in a smart contract or with a centralised custodian — that storage point becomes a target,” the report stated.
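The lock-and-mint accounting described above can be modelled in a few lines. The following Python sketch is an added example, not code from the article, Chainalysis or any bridge project: it replays bridge events as a monitor and flags mints or releases that have no matching counterpart, as well as any point where the wrapped supply exceeds the locked collateral. The event fields, the message id scheme and the sample events are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    chain: str    # "source" holds the locked assets, "dest" holds the wrapped tokens
    kind: str     # source: lock / release; dest: mint / burn
    msg_id: str   # hypothetical bridge message id pairing lock->mint or burn->release
    amount: int

UNBACKED = "wrapped supply exceeds locked collateral"

def audit(events):
    """Replay bridge events in order and return (index, reason) findings."""
    locked = wrapped = 0
    awaiting_mint, awaiting_release = {}, {}
    findings = []
    for i, e in enumerate(events):
        step = (e.chain, e.kind)
        if step == ("source", "lock"):
            if e.msg_id in awaiting_mint:
                findings.append((i, "duplicate lock message id"))
            awaiting_mint[e.msg_id] = e.amount
            locked += e.amount
        elif step == ("dest", "mint"):
            # A mint is valid only once, and only for exactly the amount locked.
            if awaiting_mint.pop(e.msg_id, None) != e.amount:
                findings.append((i, "mint without matching lock"))
            wrapped += e.amount
        elif step == ("dest", "burn"):
            awaiting_release[e.msg_id] = e.amount
            wrapped -= e.amount
        elif step == ("source", "release"):
            if awaiting_release.pop(e.msg_id, None) != e.amount:
                findings.append((i, "release without matching burn"))
            locked -= e.amount
        else:
            findings.append((i, "unknown event"))
        if wrapped > locked:  # backing invariant for the pooled collateral
            findings.append((i, UNBACKED))
    return findings

# Constructed sample events, not real chain data.
SAMPLE = [
    Event("source", "lock", "m1", 100),
    Event("dest", "mint", "m1", 100),
    Event("dest", "burn", "m2", 40),
    Event("source", "release", "m2", 40),
    Event("dest", "mint", "m1", 100),      # same message presented twice
    Event("source", "release", "m3", 50),  # no burn ever happened
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE):
        print(idx, reason)
```

The first four events balance and produce no findings; the last two each break both the pairing rule and the backing invariant, which is the condition a monitor on the pooled storage point would alert on.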

Wen safe interoperability?

Despite the ugly numbers, the Chainalysis team stressed that these hacks can be avoided, provided that developers and founders invest heavily in proper security.

A few short years ago, major crypto exchanges were the most popular targets for hackers. Due to industry-wide security upgrades, however, exchange exploits are now extremely rare.

The best first step for increasing bridge security would be to enshrine extremely rigorous and regular code audits as industry standard practice, and to keep building on the security practices of the most successful protocols over time.

While these recent hacks have no doubt spurred developers into being more cautious with bridge security, Nomad founder James Prestwich thinks that airtight cross-chain bridge security might still be quite some time away.

In a video posted to Nomad’s Twitter a little more than a week before the hack occurred, Prestwich said that it may be “at least another year or two” until there’s enough expertise in chain security models to build an industry-standard security baseline against attacks, as “most developers” still don’t understand the full breadth of security protocols.

How can we make bridges more secure?

Speaking to The Chainsaw, Jay Freeman, head of technology at Orchid Protocol and the developer of iPhone jailbreak software Cydia, echoed Prestwich’s sentiment, saying that cross-chain bridges are vastly complex when it comes to security for a host of technical reasons.

“These [cross-chain bridging] services are extremely difficult to secure as the ecosystem is currently designed at a level of abstraction that doesn’t have any way to do rollbacks, so this is one of the most complicated security challenges in the industry,” he said.

While Freeman agrees with Chainalysis that code auditing is important, he believes it is necessary for the industry to go beyond such measures if it wants to achieve secure interoperability between blockchain networks.

“I’d agree that auditing is important, but I’d go much further — I think we need to see investment in formal models and proof assistants,” he said.

“I would claim that the biggest impediment to building secure solutions in this space is that we’ve standardised on programming languages that make it very difficult to develop ‘correct’ software, requiring almost unobtainable attention to detail to avoid making serious mistakes.”

Patience makes perfect

Ultimately, while Freeman believes the bridge security issue may gradually improve, he expressed concern at the lack of patience and the low priority given to security in bridging protocols.

“I do feel like they will get better over time… but it has been somewhat demoralising that the industry doesn’t really have the tool[s] to build secure software and has been charging ahead with building and deploying critical systems without the use of even basic things like proof assistants,” he said.

“I’ve even seen some of these companies have very little in the way of in-house security experts, which I would have expected to be table stakes.”

For context, proof assistants are software tools that help developers build and machine-check mathematical proofs that code behaves as specified.

As of August 24, white hat hackers — the good kind of hackers — have returned $9 million to the Nomad network, claiming they intentionally exploited the protocol to keep funds safe until security issues were resolved.