A few years ago, criminal hackers targeted cryptocurrency exchanges with abandon, extracting millions of dollars’ worth of digital currencies. Today, with exchanges doing a better job of fortifying their networks, thieves are going after cross-chain bridges—tools for swapping different cryptocurrencies across blockchains.
And unlike the previous spate of crypto assaults, many of these latest robberies are draining billions from accounts and are—perhaps unfairly—shaking trust in blockchain security itself.
Consider this: Chainalysis, a blockchain analysis firm, estimates an astounding “$2 billion in cryptocurrency has been stolen across 13 separate cross-chain bridge hacks,” with most of that taken this year. Attacks on bridges accounted for 69% of total funds stolen in 2022, the company said. Even more troubling, Chainalysis estimates that about $1 billion of these thefts have been from North Korean linked hackers.
Some of the more notorious cross-chain bridge cryptocurrency thefts of 2022 include: Poly Network, $611 million (mostly returned); Nomad, $200 million; Harmony, $100 million; Ronin Network/Axie Infinity, as much as $625 million; and Wormhole, $325 million (restored to user accounts).
Such staggering heists should have corporate security executives worried. A host of big-name companies across a wide range of industries have been launching blockchain initiatives to capitalize on the trend toward decentralized Web 3.0 services. Some companies, like banks, are using their own proprietary enterprise blockchains to facilitate payments, while gaming companies have used them to manage transactions within games. The security of the underlying bridges that connect all these platforms will prove increasingly vital long after the crypto-craze has fizzled.
How cross-chain bridges work
To understand why attacks on cross-chain bridges are increasing in severity and impact, it’s helpful to understand how they relate to blockchains, how they work, and how they interact with crypto exchanges.
For one thing, blockchains themselves are nothing more than irrefutable digital ledgers for recording the existence of digital things. They’re considered almost impenetrable and highly secure. Each cryptocurrency, whether it’s bitcoin, ether, or something else, has a distinct blockchain.
As soon as there’s a concentration of value, the attackers will move in. It’s a honeypot for them.
If you want to exchange a digital currency—say a bitcoin for ether, or even a dollar—then cross-chain bridges are used to translate between different blockchain languages.
That’s where things get riskier. Unlike the physical world, where you might step into a bank or up to the foreign exchange counter at an airport to swap hard currency, in the digital world you must go through a series of technical hoops to exchange cryptocurrency. The process starts with parking the funds you want to trade at the virtual entrance to a cross-chain bridge. Once there, the funds, often known as cryptocurrency tokens, are locked into a smart contract, which is a self-enforcing agreement embedded in computer code managed by a blockchain. (Smart contracts are also hackable.)
Tokens based on the “exchange rate” defined in the contract are then sent across the bridge and exchanged with tokens on the other blockchain. How that happens technically is a matter for a separate discussion—or a Ph.D. thesis.
Momentary centralization: a weak spot
Blockchain platforms are certainly not 100% secure, despite claims they are unhackable. Indeed, cybercriminals launched a series of so-called “51% attacks” in 2019, in which they gained control of more than half the computing power of a cryptocurrency blockchain—and then rewrote the blockchain’s allegedly immutable transaction history to steal cryptocurrency.
Blockchain platforms are certainly not 100% secure, despite claims they are unhackable.
But 51% attacks are unlikely to happen often because they are technically hard to pull off. It’s also expensive for one entity to control that much computing power, since the cost of such powerful hardware would run about $752,000 an hour. As such, cybercriminals concentrate on attacking soft-target technologies running adjacent to blockchains, including digital wallets used to store cryptocurrencies and, most recently, cross-chain bridges.
Cross-chain bridges are theoretically secure. But if hackers discover coding flaws in tools at either end of the transaction, they can do all sorts of sketchy things—like stealing tokens before or after they move through the bridge, minting currency before it’s been replicated, or seizing funds traveling across the bridge.
This systemic vulnerability has stoked some debate about the fundamental advisability of technologies that serve as a bridge between blockchains. If cryptocurrency is meant to be a decentralized finance (DeFi) system that counteracts the centralization of traditional finance (TradFi), parking crypto at either end of a bridge, in essence, reeks of centralization to crypto purists.
“As soon as there’s a concentration of value, the attackers will move in,” says Tara Annison, creator of the Game Against Cryptocurrency and co-author of the The Bitcoin ABC Book (which isn’t just for kids). “It’s a honeypot for them, and right now bridges are the flavor of the moment.”
Victor Young agrees. The founder and chief architect of Analog, a decentralized blockchain transaction platform, compares the system to having large sums of money in an armored truck that’s robbed while traveling between different banks. “All these bridges are extremely centralized by putting liquidity in one place,” he says. “That’s the problem you have when you have a centralized custodian for funds. It’s a single point of failure that must be solved.”
Moving too fast?
Neil Ford, director of growth for Big Dog Mining and marketing specialist at CoinGeek, an online publication following the blockchain industry, adds that he is “unsure why we need cross-chain tokens” at all. He worries that while the code running many cross-chain bridges is written about as robustly as it can be, some newer entrants to the space are more interested in prioritizing growth over security.
Everyone needs to slow down, recognize this is a marathon and not a race, and put a high priority on cybersecurity.
“You’re seeing these vulnerabilities and vectors where people are just throwing this code out there, and [it has] not been fully tested,” he says. “You really need to have that cross-chain bridge bulletproof if you’re going to move millions or billions of dollars in crypto across it.”
Stephen Tong, co-founder of Zellic, a blockchain security audit startup, says a large part of the problem involves cross-chain bridge companies that saw so much potential for huge profits during the recent mania for cryptocurrency that they moved too fast for their own good. “I do find that in this ecosystem, there is a ‘ship now and ask questions later’ culture, which is understandable given the extremely competitive market landscape,” Tong says.
Young argues that’s a recipe for trouble, though, because the faster cross-chain bridge companies roll out code, the more likely it is to be flawed. “The fact is, there are a lot of amateurs out there in this brave new Web 3.0 world,” he says. “[Cryptocurrency and cross-chain bridge] companies really have to go back to basics. Everyone needs to slow down, recognize this is a marathon and not a race, and put a high priority on cybersecurity.”
Making cross-chain bridges more secure won’t be easy, however. In fact, some industry insiders, such as Ethereum co-founder Vitalik Buterin, are skeptical it can be done. But experts nonetheless have advocated a few approaches to making the entire blockchain ecosystem more secure.
Some suggest moving away from exchanging cryptocurrency altogether. But that’s a little like telling someone they can avoid having their computer hacked by disconnecting it from the internet. It’s not likely to happen. Humans like to trade.
Barring that, Buterin and others have advocated moving toward multichain blockchain approaches, in which cryptocurrency projects are deployed across numerous chains instead of one or two.
“With centralization, there’s one point of attack, like when all your money is in one bank and someone just comes along and blows the safe,” explains Annison, the author, game maker, and global crypto-asset subject matter expert. “But if it’s held in multiple banks, that means there’s multiple banks someone has to try and hit, which makes it more complex for hackers.”
Others argue that one of the best options would be to go back to basics and emphasize better design and coding practices, conduct more audits, and hold engineers and developers accountable for avoidable mistakes.
With centralization, there’s one point of attack, like when all your money is in one bank and someone comes along and blows the safe.
Tong of Zellic, who makes his living conducting audits, cautions this would go only so far. He says many hacks occur after code is audited and later changed, introducing critical vulnerabilities that were not caught because there was no subsequent audit.
“I’ve seen a lot of bugs that follow-up audits would have caught—a lot of stupid bugs that should have never made it to production,” he says. “There’s a difference between getting hacked when you’ve done everything in your power to avoid it from happening and situations where you get hacked because you didn’t test to make sure your code was solid.”
Blockchains are not crashing
Annison says that even with all the recent hacks, it’s important to recognize that the sky is not falling. People need to take a breath and realize that emerging technologies suffer growing pains. Blockchains themselves remain widely useful and are largely secure foundations of digital commerce, she says.
“The blockchain will survive,” she says. “There will be some unhappy investors, but the blockchain isn’t going to collapse because the price of cryptocurrency suddenly went down or there was a hack involving a centralized or decentralized exchange.”