DeFi is unbearable: cross-chain bridges have become “cash machines for hackers”

While gaming DApps like Axie Infinity and DeFi Kingdoms maintain entire ecosystems like Ronin and Harmony, network protocols like Fantom or Avalance are already making a fortune in the DeFi wave. These blockchains have become a great alternative to Ethereum gas fees and relatively slow transaction times. It is more urgent than ever to want an easy way to move assets between protocols on different blockchains.

This is where the blockchain cross-chain bridge was born.

Due to the application of multi-chain scenarios, the total locked value of all DeFi DApps has soared. The industry’s TVL is estimated at $111.28 billion as of May 2022. The sheer amount of assets locked and bridged in these DeFi DApps has attracted the attention of malicious hackers, and the latest trends suggest that attackers may have found weak links in blockchain bridges.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

According to the Rekt database, $1.2 billion in crypto assets was stolen in the first quarter of 2022, accounting for 35.8% of historically stolen funds, according to the same source. Interestingly, at least 80% of lost assets in 2022 are stolen from Chain Bridge.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

One of the worst attacks occurred in March, when the Ronin bridge was hacked, costing $540 million. Before that, Solana Wormhole and BNB Chain’s Qubit Finance bridge had more than $400 million stolen in 2022. The largest hack in crypto history occurred in August 2021, when $610 million was stolen from the PolyNetwork bridge, but the stolen funds were recovered.

Chain bridges are one of the most valuable tools in the blockchain industry, but their interoperability presents significant challenges for the projects that build them.

Understanding Blockchain Bridges

Similar to the Manhattan Bridge , a blockchain bridge is a platform that connects two different network protocol networks, enabling cross-chain transfer of assets and information from one blockchain to another. In this way, cryptocurrencies and NFTs are not isolated in their own chains, but can be “bridged” across different blockchains, thereby increasing the avenues for utilization of these assets.

Thanks to the existence of Chain Bridge, Bitcoin can be used in smart contract based networks for DeFi purposes or for NFL, NFTs to bridge from Flow to Ethereum for subdivision or as collateral.

Of course, there are a few other different ways to transfer assets. For example , Lock-and-Mint, as the name implies, the bridge works by locking the original asset in the sender’s smart contract, while the receiving network mints a copy of the original token on the other side. If ether is bridged from Ethereum to Solana, the ether in Solana is just a copy, not in the token itself.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

Locking and Minting Mechanism | Source: MakerDAO

While the Lock-and-Mint method is currently the most popular bridging method, there are other ways to accomplish asset transfers, such as “burn-and-mint” or atomic swaps that are executed by smart contracts themselves to exchange assets between the two networks . Connext (formerly xPollinate) and cBridge are chain bridges that rely on atomic swaps.

From a security perspective, chain bridges can be divided into two broad categories: trusted and trustless. A trusted bridge is a platform that relies on a third party to verify transactions, but more importantly, it can act as a custodian of bridged assets. Examples of trusted bridges can be found in almost all blockchain-specific bridges, such as Binance Bridge, Polygon POS Bridge, WBTC Bridge, Avalanche Bridge, Harmony Bridge, Terra Shuttle Bridge, and Multichain (formerly Anyswap) or Tron’s DApps such as Just Cryptos.

Instead, platforms that rely purely on smart contracts and algorithms to host assets are trustless bridges . The security factor of a trustless chain bridge is related to the underlying network where the asset is bridged, i.e. where the asset is locked. Trustless bridges can be found in platforms like NEAR’s Rainbow Bridge, Solana’s Wormhole, Polkadot’s Snow Bridge, Cosmos IBC, and platforms like Hop, Connext, and Celer.

At first glance, trustless bridges appear to offer a safer option for transferring assets between blockchains. However, both trusted and trustless bridges face different challenges.

Limitations of Trusted and Trustless Chain Bridges

The Ronin Chain Bridge operates as a centralized trusted platform that uses a multi-signature wallet to host bridge assets. Simply put, a multi-signature wallet is an address that requires two or more cryptographic signatures to approve transactions. In Ronin’s case, the sidechain has nine validators and requires five different signatures to approve deposits and withdrawals.

Other platforms use the same approach, but with a little better spread of risk. For example, Polygon relies on 8 validators and requires 5 signatures. These five signatures are controlled by different parties. In the case of Ronin, the Sky Mavis team alone holds four signatures, creating a single point of failure. After the hackers took control of four Sky Mavis signatures at once, only one signature was needed to approve the withdrawal of assets.

On March 23, the attackers took control of the Axie DAO’s signature, the last piece needed to complete the attack. In the second largest crypto attack ever, 173,600 ETH and 25.5 million USDC were lost from Ronin’s escrow contract in two separate transactions. It’s also worth noting that the Sky Mavis team only discovered the hack nearly a week later, suggesting at least some imperfection in Ronin’s monitoring mechanisms, and revealing a flaw in the trusted platform.

While there is a fundamental flaw in centralization, trustless bridges are also vulnerable due to bugs and vulnerabilities in software and coding.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

Solana Wormhole, a platform that enables cross-bridge transactions between Solana and Ethereum , was attacked in February 2022, with $325 million stolen due to a bug in Solana’s escrow contract. A vulnerability in the wormhole contract allowed hackers to design cross-chain validators. The attacker sent 0.1 ETH from Ethereum to Solana to trigger a set of “transfer messages” that tricked the program into approving the transfer of a putative 120,000 ETH deposit.

The Wormhole hack follows the theft of $610 million from the Poly Network in August 2021 due to flaws in contract classification and structure. Cross-chain transactions in this DApp are approved by a centralized group of nodes called “Guardians” and verified on the receiving network through a gateway contract. In this attack, the hacker was able to gain privileges as an administrator to trick the gateway by setting its own parameters. Attackers repeat the process in Ethereum, BinancDe, Neo, and other blockchains to extract more assets.

All bridges lead to Ethereum

Ethereum remains the dominant DeFi ecosystem in the industry, accounting for nearly 60% of industry TVL. At the same time, the rise of these different network protocols as Ethereum DeFi DApp alternatives has also sparked cross-chain activity in blockchain bridges.

The largest bridge in the industry is the WBTC Bridge, hosted by BitGo, Kyber, and Republic Protocol, the teams behind RenVM. Since Bitcoin tokens are technically incompatible with smart contract-based blockchains, the WBTC bridge “wraps” native Bitcoin, locks it in a bridge escrow contract, and mints its ERC-20 version on Ethereum. The bridge was hugely popular during DeFi Summer (the DeFi market has experienced phenomenal growth since the summer of 2020, hence the name “DeFi summer”) and now holds about $12.5 billion worth of Bitcoin. WBTC allows BTC to be used as collateral for Dapps such as Aave, Compound, and Maker, or to generate revenue or earn interest in various DeFi protocols.

Multichain, formerly Anyswap, is a DApp that provides cross-chain transactions to more than 40 blockchains via a built-in chain bridge. Multichain holds $6.5 billion on a network based on all connections. However, Ethereum’s Fantom bridge is by far the largest pool with $3.5 billion locked. In the second half of 2021, the Proof-of-Stake network has become a popular DeFi space with attractive yield farms including FTM, various stablecoins or wETH like found on SpookySwap.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

Unlike Fantom, most L1 blockchains use separate direct bridges to connect the network. The Avalanche bridge is primarily hosted by the Avalanche Foundation and is the largest L1<>L1 bridge. Avalanche is one of the strongest DeFi sectors as it has Dapps including Trader Joe, Aave, Curve, and Platypus Finance.

Binance Bridge also stood out with $4.5 billion in locked assets, followed by Solana Wormhole with a TVL of $3.8 billion.

Likewise, scaling solutions like Polygon, Arbitrum and Optimism are one of the most important bridges in terms of TVL. The Polygon POS bridge, the main entry point between Ethereum and its sidechains, is the third bridge, hosting nearly $6 billion. At the same time, the liquidity of the chain bridges of popular L2 platforms such as Arbitrum and Optimism is also on the rise.

Another bridge worth mentioning is the Near Rainbow bridge, which aims to solve the famous interoperability trilemma (decentralization, scaling, security). This platform that connects Near and Aurora with Ethereum could provide a valuable opportunity to implement the security of a trustless chain bridge.

How to improve cross-chain security

As two methods of hosting bridging assets, trusted bridging and trustless bridging are prone to fundamental and technical flaws. Still, there are ways to prevent and reduce the impact of malicious breaches of blockchain by hackers.

In the case of a trusted chain bridge, there is a clear need to increase the proportion of required signers, while also having multi-signatures distributed across different wallets. While trustless chain bridges remove the risks associated with centralization, there are still risky scenarios of vulnerabilities and other technical limitations, as shown in the Solana Wormhole or Qubit Finance exploit cases. Therefore, it is necessary to implement off-chain actions to protect the cross-chain platform as much as possible.

Cooperation between agreements is necessary. The Web3 space is characterized by its community federation, so getting the brightest minds in the industry to work together to make the space a safer place is beyond the reach . Animoca Brands, Binance and other Web3 brands have raised $150 million to help Sky Mavis reduce the financial crisis of the Ronin bridge due to hacking. Collaboration by working together can take interoperability to a new level for a multi-chain future.

Likewise, coordination with the chain analytics platform and CEX helps track and mark stolen tokens. This situation may disincentivize criminals in the medium term, as gateways to cash cryptocurrencies into fiat should be controlled by KYC procedures in established CEXs. Last month, two 20-year-olds were hit with the law after committing scams in the NFT space. It is only fair that the same punishment should be demanded of an identified hacker.

Audits and bug bounties are also another way to improve the security posture of any Web3 platform, including chain bridges. Certification organizations like Certik, Chainsafe, Blocksec, etc. help make Web3 interactions more secure. All chain bridge activities should be audited by at least one certification organization.

At the same time, the bug bounty program creates synergies between the project and its community. White hackers play a vital role in identifying vulnerabilities before other hackers conduct malicious attacks. For example, Sky Mavis recently launched a $1 million bug bounty program to strengthen the security of its ecosystem.

in conclusion

The proliferation of L1 and L2 solutions as a whole blockchain system challenges the ecosystem of Ethereum DApps, and their proliferation has created the need to move assets between networks via cross-chains. This is the essence of interoperability and one of the pillars of Web3.

Nonetheless, the current interoperability scenario relies on cross-chain protocols, rather than a multi-chain approach, Vitalik addressed the situation earlier this year. While the need for interoperability in space is clear, stronger security measures are required in such platforms.

DeFi is unbearable: cross-chain bridges have become "cash machines for hackers"

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-05-21 10:09
Next 2022-05-21 23:21

Related articles