On February 3rd, just as we were celebrating the New Year, the Crypto industry suffered another sky-high hacking incident. The cross-chain protocol Wormhole was hacked and the loss was as high as 120,000 wETH (about 320 million US dollars). After the largest theft in DeFi history, it is the second largest incident of theft.
Coincidentally, the largest and second largest theft cases in the history of DeFi happened on cross-chain projects, which made everyone worry about whether cross-chain is necessary, or, for security, there should be no Cross-chain. Such worries can easily remind everyone of Buterin’s view that caused a lot of discussion some time ago: “The future will be multi-chain, and we are pessimistic about cross-chain applications.”
What is going on in this theft incident, will the cross-chain really be like V God? How the practitioners of Polkadot ecology will view this theft incident, let us come together one by one.
Theft is not a cross-chain crime, and the cross-chain market still has prospects
So what happened to the Wormhole theft? Does the Wormhole theft mean the end of the “cross-chain” market? Before explaining these two questions, let’s review what exactly is Wormhole?
Wormhole is Solana, Ethereum’s first two-way cross-chain bridge. Wormhole allows users to lock ERC20 tokens in Ethereum smart contracts and mint corresponding SPL tokens on Solana. As the largest cross-chain bridge on Solana, Wormhole also has NFT certification tools, which can send Ethereum and Solana’s NFTs across the chain, including CryptoPunks, one of the hottest NFTs.
The current locked value of Wormhole exceeds $1 billion and supports six major public chains including Terra, Solana, Ethereum, Binance Smart Chain, Avalanche and Polygon. As a high-profile star project, Wormhole’s future seemed bright until this theft.
Overnight, 120,000 wETH was stolen, worth about $300 million, making it the second-largest hack in DeFi history.
The Wormhole incident and the PolyNetwork incident both happened on the cross-chain protocol. Does it mean that the cross-chain protocol is the original sin? Let’s do a simple restore of events.
At first, the attacker minted 0.1 Wormhole ETH on Solana, obtained the “post_vaa” function in the “transfer message” contract, and then bypassed the signature check contract by loading an external contract, generating the required Wormhole function “complete_wrapped” parameters, and then infinite minting was carried out. And the root cause of all this is that Wormhole uses outdated system contracts without the latest upgrades to the contracts required by the parameters.
In a word, the hacker obtained a function through a small amount of attempts, and bypassed Wormhole’s protocol verification through an external contract to defraud 120,000 ETH (wETH), and successfully transferred 93,750 ETH and the remaining wETH. Was urgently locked in Solana. And this not only brings losses to Wormhole, but may even lead to the devaluation of wETH, and eventually lead to the insolvency of some projects based on this.
The Wormhole incident once again raised the alarm for us, and pushed the security issue of cross-chain protocols to the stage of history. This sparked a heated discussion in the community. At the beginning of the year, V God’s judgment on “cross-chain” was once again turned over from the old papers, which seemed to be a divine prophecy.
Buterin stated in his Reddit post, “Imagine what would happen if you moved 100ETH to a bridge on Solana to get 100Solana-WETH, and then Ethereum was 51% attacked
? Deposit your own ETH into Solana-WETH, then resume that transaction on the Ethereum side as soon as the Solana side confirms. The Solana-WETH contract is no longer fully supported now, maybe your 100Solana-WETH is only worth 60ETH now. Even with a perfect Based on ZK-SNARK bridges to fully validate consensus, it remains vulnerable to theft from such 51% attacks.”
But is it really so? But in fact the question raised by Buterin has nothing to do with the Wormhole incident.
Buterin pointed out that due to the generation of many interdependent DApps across chains, when any chain is attacked by 51%, it may lead to systemic infection, which in turn threatens the economy of the entire economic system. He believes that applications on Ethereum should be closely connected to each other, and applications on Avax should be closely connected to each other, not cross-chain. Cross-chain makes the entire blockchain system less resistant to 51% attacks.
There is no 51% attack in the Wormhole incident, nor is it stolen due to systemic infection, but only a contract loophole. Theft is not a cross-chain crime.
While we have to admit, “It’s always better to hold Ethereum-native assets on Ethereum or Solana-native assets on Solana than to hold Ethereum-native assets on Solana or Solana-native assets on Ethereum. Safety.”
After all, there is no perfect code in this world, and cross-chain protocols need to be continuously upgraded and extended. However, the existence of cross-chain markets is still very important. With the rapid development of the DeFi track, we need cross-chain protocols to meet the rapidly expanding capital volume.
Behind the incident of the theft of cross-chain assets is not the crime of cross-chain, but its rapidly developing lock-up volume and complex process. The huge amount of funds and the challenging cracking process attract the attention of hackers like a huge cake.
The Wormhole event and the PolyNetwork event are caused by loopholes in the contract, which further makes the project party think about the need to be more careful in the verification of cross-chain transaction events and the design of contract authority management.
How does the ecology view this cross-chain theft?
Then Polkadot, as one of the most well-known cross-chain projects, must be very concerned about the situation of Polkadot. We kindly invited Chen Xiliang, co-founder of Acala, Yuki of Moonbeam Chinese community, and Song Mingshi, head of Astar Chinese area, to see See how they view this cross-chain theft. Note: The following are just personal opinions.
Chen Xiliang, co-founder of Acala:
At present, it is generally believed that the future blockchain ecosystem will be a multi-chain ecosystem. Because different blockchains can be optimized differently for their respective application scenarios, it should be technically impossible for a single chain to outperform all other chains from an all-round perspective.
Each chain is like a server, although it can run a variety of applications, but we can have today’s Internet, literally, because each server is directly interconnected.
A cross-chain bridge is one of the technologies that enables the interconnection of different blockchains. Including Wormhole, mainstream bridges are semi-centralized technology based on threshold signatures. If the signers cooperate maliciously, or the private key is leaked, or the signature verification scheme has loopholes (this Wormhole loophole), the attacker can almost Unlimited additional cross-chain assets, resulting in serious losses.
So what does this mean? Is it not the Wormhole team’s technology? Why do almost all mainstream cross-chain bridges still use this technology, knowing that this semi-centralized cross-chain technology has such a big security risk?
The main reason is that, including Bitcoin and Ethereum, many L1s themselves are not designed with cross-chain compatibility in mind, making it very difficult to implement a more secure cross-chain technology.
Mainstream L1 is an EVM environment, and the encryption algorithms supported by EVM are very limited, and directly using EVM to implement encryption algorithms that require a lot of computation will result in very high gas, even exceeding the maximum gas supported by a block. This makes the simple and easy-to-implement multi-signature bridge the most cost-effective option.
A multi-signature bridge like Wormhole may be the optimal solution at present, but it does not mean that this will be the most suitable long-term solution.
Polkadot’s shared security design solves one of the most difficult problems in handling cross-chain messages from the consensus level: rollback attacks. If you want to roll back a parachain, you must roll back the Polkadot main chain, and then all other parachains will be rolled back at the same time. If everyone rolls back together, there will be no data inconsistency.
W3F also designed and implemented the general format of XCM cross-chain messages for Polkadot, laying the foundation for more complex cross-chain interactions, including cross-chain contract calls, cross-chain messages of more than two chains, etc., providing cross-chain technology. A solid foundation.
The Acala team was the first to participate in the design and testing of the XCM version, and was the first to implement cross-chain transfers in the test. Karura was also the first network to implement cross-chain functions in Kusama.
At present, Karura has launched a secure cross-chain transfer through XCM and Kusama, Statemine, Bifrost and other chains, and has also realized a fully decentralized cross-chain pledge derivative product LKSM through XCM, allowing users to enjoy Kusama pledge While earning, you can participate in various DeFi protocols on Karura through LKSM.
With the maturity and improvement of cross-chain technology, we will see more different types of cross-chain applications in the Polkadot ecosystem, truly realizing the vision of the blockchain Internet in Web3.
Yuki, Moonbeam Chinese Community Manager:
The information silos between blockchains are gradually weakening, and developers are quickly realizing the opportunities of cross-chain bridges in a multi-chain world. Users have an increasing demand for using assets across blockchains. As a “diplomat” that crosses different ecosystems and carries asset flows, cross-chain bridges ensure that users can obtain and use cross-chains under the premise of safety and low cost. key elements of assets.
In the Moonbeam ecosystem, we are very happy to see many cross-chain bridge developers working on security and interoperability, such as Nomad, Axelar, Cbridge, Multi-chain, Connext and other teams. We look forward to more solutions to users’ practical needs in the future The cross-chain bridge project required to improve the interoperability and security performance between different chains.
Song Mingshi, head of Astar China:
The Wormhole cross-chain theft incident was caused by hackers minting wETH on Solana by deceiving the guardian’s signature and unlocking and stealing ETH assets on Ethereum, which once again sounded the alarm on cross-chain security.
At present, the most common cross-chain solution is still a heterogeneous cross-chain bridge realized by a notary mechanism. It is realized by locking assets on chain A and issuing new assets by 1:1 mapping on chain B. The mainstream cross-chain bridges include Multichain, cBridge, etc. all use notary schemes.
However, there are many high-risk steps in the project implementation of the notary scheme, including the vulnerability of the deposit contract permission, the multi-signature verification vulnerability, the notary trust issue, and so on. From the theft of Wormhole, what we see is not “cross-chain is a pseudo-demand”, but the contradiction between the growing cross-chain demand and the security risk of heterogeneous cross-chain bridges.
The security risk of heterogeneous cross-chain bridges is essentially due to the inconsistency of different security states of chain A and chain B. In contrast, Polkadot’s XCMP cross-chain mechanism completely eliminates such problems.
The security between Polkadot parachains is shared. Messages and asset transfer information between parachains will be packaged into input and output queues by parachain collectors, and then verified by relay chain validators. The whole process is guaranteed by the same group of validators at the same time. The correctness of cross-chain messages and the security of the chain do not require trust in third-party validators and do not involve security differences. From this perspective, Polkadot’s cross-chain mechanism can well solve the dilemma of interoperability and cross-chain security in the context of multiple chains.
Frustration cannot stop the wheel of history
Although there have been many incidents of theft of cross-chain projects, and the amount is huge, and because it involves multiple chains and applications, the impact is very wide, but from the perspective of technological progress and business development, there has never been a hacking problem in history. and hinder the progress of development.
Hacking incidents are due to loopholes in the design mechanism or code level, which are exploited by hackers and cause property damage. It is a man-made accident, not because of a dilemma that cannot be broken through technical bottlenecks, so there are many ways to digest and deal with such problems. Mainly pre-prevention, post-event remediation and new solutions.
Code auditing is already a step that the current project party must go through before officially launching the project. It can find and solve most of the low-level errors and avoid loopholes that have appeared before, so as to greatly improve the security of the project.
However, code auditing is mainly based on defense and experience. In the face of some emerging technical solutions, hackers who are often on the offensive side can find some new loopholes in the code that has been audited, but the maturity of technology often Through continuous polishing and iteration, when more and more vulnerabilities are discovered and solved, and a technology is mature enough, the probability of hacking incidents will be much reduced.
Of course, one of the most important prerequisites is that this market is real and effective, and will not be destroyed by hacking incidents. As long as the demand is still there, there will still be applications developing in this direction. On the basis of predecessors, it is better and safer. Only in this way can the technology become more mature.
Remedy after the fact
- Direct and effective, solved with money
Remedy after the fact, although a little bit of an afterthought, but if you look at it from another angle, it can be seen as it is not too late to make amends.
At the beginning of Alipay, because the technology was relatively new and there were many loopholes, thefts often occurred. At that time, Alipay adopted the money method, so that everyone can use it with confidence. If there is any loss, they will pay full compensation, which is equivalent to using money To ensure that this technology can safely pass the novice stage and become mature, today’s Alipay has built a huge security fortress, which is impregnable.
In the same way, in the face of theft incidents in the Crypto field, if there is no problem with your own business, and the market is large, and losses due to loopholes have occurred, then if you pay for these losses and repair the loopholes, you can naturally continue. operated.
The same method was used to solve the $320 million hack of the cross-chain protocol Wormhole. Just after the attack, Jump Crypto, the crypto investment arm of Jump Trading, stepped in in time to replenish 120,000 ETH out of its own pocket, and the Wormhole bridge was back online just one day later.
- Solve with technology
The project party can roll back the blockchain to the point before it was attacked, so as to avoid hackers from succeeding. For example, Haven Protocol, a privacy stablecoin protocol based on Monero, solved the impact of hacking by rolling back and repaired the coinage loophole.
Another example is the most classic Ethereum “The DAO” hacking incident. In the end, by hard forking the Ethereum at that time and rolling back the transaction, the stolen assets were recalled, but the Ethereum was split into two. Different projects Ethereum Classic (ETC) and now known as Ethereum (ETH).
- by way of governance
At present, each public chain is moving towards decentralized governance to manage the future development of the chain and handle related affairs. For example, EOS once set up an ECAF organization (The EOS Core Arbitration Forum, EOS Core Arbitration Organization) to deal with stolen funds.
Therefore, on-chain governance will be a very worthwhile direction to explore, and will even become an important part of the future blockchain field. How to arbitrate some behaviors in a decentralized way, and actively intervene in some bad behaviors, so as to ensure the healthy development of the ecology, this will be a big problem, but once there is a successful and feasible plan, it will be It quickly spread to various blockchains, escorting the development of each chain.
- Unleash the power of the community
The theft caused by hacker attacks is harmful to all Crypto practitioners, so often after encountering these incidents, many practitioners will actively participate in it and mobilize all forces to solve the impact of the theft.
For example, some encrypted assets are issued through the endorsement of centralized institutions, such as USDT, then the stolen funds can be frozen by contacting these institutions. Or use some governance forces outside the circle, such as the police and other administrative forces, to put pressure on the hackers or even track the hackers, so as to force the hackers to return the funds, or catch the hackers and so on.
The largest theft case in the history of DeFi, PolyNetwork, can be solved smoothly, and the strength of the community is indispensable.
There are problems with the old solutions, but the technology is still improving, and maybe the previous problems will become less difficult with the introduction of new technologies. For example, the more decentralized cross-chain interaction method launched by Polkadot is worth tracking.
For another example, in terms of mechanism design, it is not necessary to have only “decentralization theory”, and many semi-decentralized technical solutions can also be considered, or the governance parties of multiple public chains can be jointly used in the design. Provide some governance funds to build some insurance fund pool mechanisms, or establish some similar joint processing plans (for example, if cross-chain theft occurs, it will be rolled back at the same time).
Again, as long as the market still exists, it cannot stop the wheel of history. The problem of hacking is not just a problem in the blockchain field. As long as there are new technologies, it will follow suit. However, it is precisely because of the occurrence of these events that we will be more active in iterating technologies. I believe that the blockchain world will eventually become It will definitely develop into a mature technology that is impregnable.
Referring to Gavin’s new upgrade to XCM a few days ago, it is mentioned that Polkadot cross-chain related technologies are constantly iterating, and it is necessary to pay close attention to its development.
Last week, Polkadot founder Gavin Wood shared Polkadot’s latest technical progress on Twitter. He said that the infrastructure of the XCM v3 version bridge is almost ready, which means that parachains on Polkadot can send XCM to each other , can also be sent to parachains on Kusama.
We know that XCM is an important part of the Polkadot cross-chain protocol, and its technical development difficulty should not be underestimated. XCM is the abbreviation of Cross-Consensus Message Format, which is the cross-consensus message format. In short, the definition of XCM is like a Like a generalized language, as long as the basic definition of the language is the same, anyone (referring to the blockchain network) can realize the cross-chain under this module, whether it is information or assets, it can be seamlessly connected.
Therefore, Polkadot’s cross-chain may bring new stories to cross-chain development. After all, there are some security issues that cannot be ignored in cross-chain at this stage, but we have reason to believe that with the improvement of XCM, the cross-chain process will also There will be a change. This is what we need to pay attention to and look forward to in the development of blockchain technology, not just the Crypto market itself. After all, it often takes time to balance the value and price.
Of course, events like Wormhole may still happen. In addition to technological progress and development, participants in the entire blockchain industry are also required to join the security protection camp. After all, there is no airtight wall in the world, only common Efforts to build this security wall can ensure the asset safety of industry participants and promote better development of the industry.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/is-another-cross-chain-project-wormhole-stolen-and-cross-chain-really-a-false-proposition/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.