Cybersecurity is a cat-and-mouse game that only seems to intensify as any given technology develops. No sooner have developers and IT professionals identified a vulnerability and fixed it, a new update or innovation gives rise to another set of weaknesses for hackers to exploit.
We’ve seen this play out in crypto over the years as fraudsters have moved from attacking centralized exchanges and user wallets to more sophisticated methods of hacking. According to a report compiled by Chainalysis, the DeFi summer of 2020 saw a spate of flash loan attacks and security breaches. However, in 2021, attackers moved on to the source code in the underlying smart contract infrastructure. They targeted apps, including Poly Network, which could have resulted in losses of over $600 million had the hacker not later returned the assets, and Badger DAO, which ended up losing $120 million.
This year, blockchain bridges have become the target of choice for hackers. In August, Chainalysis published a special report highlighting that attacks on bridges accounted for around $2 billion in stolen crypto so far in 2022, or close to 70% of all hacked digital assets. This was before the October hack on the BNB Smart Chain that resulted in losses of $100 million.
What makes bridges such an attractive target? Hackers are always seeking out the next most vulnerable place where digital value is stored, and bridges fit the bill. The precise mechanics of blockchain bridges can vary, but the principle is largely the same. When someone wants to send tokens from one blockchain to another, the bridge will “lock” the tokens coming from the source blockchain and mint a new version of them on the destination blockchain, typically referred to as a “wrapped” token or similar.
For the duration of the time the tokens exist on the destination chain, the source chain tokens are effectively in the custody of the bridge.
Therefore, how these tokens are transferred and held in a bridge is a matter of cybersecurity. As is typical in a blockchain setup, a group of validators or sentinels monitors bridge transactions; however, the size of the group and the degree of decentralization is critical, as we will discover. In examining some of the bridge exploits that have happened over recent years, we can begin to understand how hackers are breaching the virtual fence.
Solana’s Wormhole bridge was among the first to be hit this year when hackers drained 120,000 Wrapped Ether (wETH) tokens in February. At the time, their value was around $321 million. This was a particularly sophisticated hack from a technical perspective, as Wormhole operates based on a complex set of smart contracts.
In summary, researchers found that the attacker was able to manipulate one of the smart contracts into triggering a transaction as if a validator had signed off on it, when no valid signature was present. This vulnerability allowed the attacker to mint 120k wETH on Solana and transfer them into Ethereum, where they could be redeemed for regular ETH.
Axie Infinity’s Ronin bridge to Ethereum was one of the next to fall victim, resulting in losses of $625 million in March this year. In a more straightforward attack, hackers managed to obtain access to five of the nine validator private keys.
The key problem here is that Axie Infinity operator Sky Mavis operated four of the nine validator nodes, creating a significant vulnerability when attackers were able to extract all four private keys through a social engineering attack. Once they managed to obtain a fifth, they had control of enough keys to sign transactions. In this case, the North Korean cybercrime syndicate, the Lazarus Group, carried out the attack. Law enforcement officials have been able to recover around $30 million to date.
Lazarus is thought to be behind another similar attack on the Harmony Horizon bridge in June, where hackers took over $100 million in various crypto assets. In this case, just two out of five signatures were needed to approve transactions, meaning it was even easier for hackers. The Harmony team has since upgraded the protocol to a four-of-five signature quorum.
BNB Chain Becomes the Latest High-Profile Target
Binance is allegedly still working with law enforcement to track down the identity of the hacker who managed to steal tokens worth $100 million in early October. In this case, the attack could have been much worse. The bridge in question is the BSC Token Hub, which connects the BNB Beacon Chain and the BNB Smart Chain, both part of the BNB Chain stack. A hacker discovered a bug that allowed them to forge arbitrary messages that could be verified as transaction proofs by bridge validators.
Thankfully, bridge validators were savvy enough to realize something was amiss and took coordinated action to halt chain activity until the issue could be resolved. This timely action meant that the hacker could not make off with the $570 million worth of tokens they had intended to steal but instead limited the damage to $100 million – still a substantial loss by any measure.
Tackling the Issue
These are just a select few of the many bridge attacks that have taken place this year. So with hackers circling, what can the industry do to address the problem?
Firstly, it’s important to remember that a hack doesn’t necessarily entail a total loss of funds. In some cases, hackers voluntarily return funds; in others, law enforcement has proven successful at recovering some of the losses. Furthermore, the crypto community is becoming more agile in its responses by coordinating to block known hacker addresses from using exchanges and privacy services.
However, this isn’t a remedy, and there’s a recognition that the industry needs to implement more robust security regarding bridges.
A fundamental problem here is also the relatively new nature of blockchain bridge technology. There are no technical or design standards, and each implementation has a slightly different variation on the setup and its execution under the hood. Nevertheless, some of the attacks have resulted from a markedly lax approach to security. As a general principle in the blockchain sector, decentralization implies security, and operating a small validator set where key control is centralized into just a few parties creates a fundamental point of weakness. Therefore, distributing keys and authority among a larger set of validators could improve security.
Just as DeFi app developers realized that code audits could protect their projects from hackers, bridge operators need to ensure their code has undergone robust review by experts to ensure it doesn’t introduce any inadvertent loopholes that hackers can exploit. As more bridge operators demonstrate that their code has been audited, it becomes a matter of competitive edge and, thus, an industry standard.
In the meantime, for users and app developers dependent on blockchain bridges, proceed with caution and minimize the amount of time your tokens spend locked in bridges to mitigate the risk.