Over the past year $1.1 billion in cryptocurrencies has been looted by hackers, including the biggest heists in blockchain history by exploiting a major vulnerability in the blockchain and DeFi ecosystem — crypto bridges.
Blockchain bridges are connections that allow the transfer of tokens or coins from one blockchain to another, for interoperability between blockchains. So, bridges are vital for interactions between different blockchain networks and are the missing link for the future of web3 which is a multi-chain ecosystem.
The most recent bridge hack was a theft of $100 million on the Horizon bridge, which is owned and operated by Harmony, supposedly one of the fastest networks, with EPOS or effective proof of stake consensus mechanism. This isn’t the first-time hackers have exploited crypto bridges. Over the past year, multiple major bridge attacks have proved that bridges are the single largest potential point of failure in crypto right now. Hackers stole more than $300 million from the Wormhole bridge in February and about $620 million in March from the Ronin Bridge, which is linked to the play-to-earn video game Axie Infinity.
In addition to hacks, bridges have proven to be vulnerable to other unique problems. Last year, the Optics bridge on the Celo network ended up being inoperable after its bridge development team effectively lost control of the project. bridge technology is still in its infancy.
Centralised bridges, or on-chain? The most important factor that makes bridges vulnerable is that most of them aren’t on the blockchain network and are in fact centralised. This means that there is a person or an entity behind the bridge running it, unlike smart contracts which have a code as their backbone. “This is not really a blockchain. these are ‘web2’ servers.” , says Ronghui Gu, CertiK founder. CertiK is the leading security-focused ranking platform to analyse and monitor blockchain protocols and DeFi projects. Moreover, bridges handle several complex requests and hold a lot of currency at a point since they’re still quite slow.
Bridges are particularly tempting targets because of all the complex code, creating lots of opportunities for exploitable bugs. Ronghui Gu explains: “If you’re trying to create a bridge between N different cryptocurrencies, the complexity of that is N squared,” — which means N more chances for bugs to creep in. Ethereum co-founder Vitalik Buterin warned in January that bridges have “fundamental security limits.” Buterin advocates holding native assets on each blockchain they were designed for to keep them safe.
Despite all this, the need for bridges is evident for mass adoption of web3. The underlying security issues must be addressed urgently. Although it does look like a colossal train wreck, hope is not lost. Bridges are the most vulnerable point in blockchain technology right now
An alternative to the presently centralised bridge architecture are bridges that work on a smart contract, which is the “on-chain” alternative. It’s less likely for hackers to subvert the code on an on-chain network through social networking, making it less vulnerable. But this too comes at a cost, smart contracts are highly complex, and bugs can be hard to update before hackers get to it. Historically, Wormhole used an on-chain system, and the big theft occurred after hackers spotted security updates that were uploaded to GitHub but had not been deployed to the live smart contract.
Fixing things: Fixing these hacks might lie in both technology evolution, as well as more rigorous code auditing. Large projects such as Wormhole and Ronin have teams working across different programming languages and computing environments, making their work more prone to bugs which can be exploited. Continuous external audit of the code will help in bringing more robustness. Bug bounties are another way incentivizing programmers to cross check code and look for any bugs or glitches. This helps create synergy between the community and web3 platforms. White hackers play a vital role in identifying vulnerabilities before malicious attackers do. For instance, Sky Mavis (Owner of Axie Infinity) has recently launched a $1 million bug bounty program to strengthen its ecosystem.
Protocols working in the application layer of blockchains in the DeFi ecosystem need foolproof bridging solutions for a seamless multichain architecture & for composability.The current cooled down state of crypto markets conversely also provide a time to revisit primitives and get back to the drawing board to fix fundamental technology loopholes. Bridges deserve attention now. Developers, engineers, and the crypto community will take charge now in solving for a multi-chain ecosystem, and make bridge technology evolve and mature.
