Aug 9 (Portal) – Another day, another hack – and another blockchain bridge burned.
When thieves stole an estimated $190 million from US crypto firm Nomad last week, it was the seventh hack in 2022 to target an increasingly important cog in the crypto machine: blockchain “bridges” – pieces of code that help move crypto coins between different blockchains and applications.
So far this year, hackers have stolen about $1.2 billion worth of crypto from bridges, data from London-based blockchain analytics firm Elliptic shows, already more than doubling last year’s total.
“This is a war that the cybersecurity firm or the project cannot win,” said Ronghui Gu, a professor of computer science at Columbia University in New York and co-founder of cybersecurity firm CertiK.
“We have so many projects to protect. For them (hackers), if they look at a project and there are no bugs, they can just move on to the next one until they find a single vulnerability.”
Currently, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions. This risks isolating projects using these coins, reducing their chances of widespread use.
Blockchain bridges aim to break down these walls. Supporters say they will play a fundamental role in “Web3” – the much-touted vision of a digital future where crypto is entangled in online life and commerce.
But bridges can be the weakest link.
The Nomad hack was the 8th biggest crypto theft of all time. Other bridge thefts this year include a $615 million heist at Ronin, which was used in a popular online game, and a $320 million heist at Wormhole, which was used in so-called decentralized finance applications.
“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and CEO of malware detector PolySwarm.
Nomad and other companies making blockchain bridge software have found support.
Just five days before the hack, San Francisco-based firm Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global (COIN.O). Pranay Mohan, CEO and co-founder of Nomad, called his security model the “gold standard”.
Nomad did not respond to requests for comment.
It has said it is working with law enforcement and a blockchain analysis firm to track down the stolen funds. Late last week it announced a bounty of up to 10% for returning funds hacked from the bridge. It said Saturday it has recovered over $32 million of the hacked funds so far.
“The most important thing about crypto is community, and our number one goal is to recover bridged user funds,” Mohan said. “We will treat as white hats any party that returns 90% or more of the funds exploited. We will not prosecute white hats,” he said, referring to so-called ethical hackers.
Several cybersecurity and blockchain experts told Portal that the complexity of bridges means they could pose an Achilles’ heel for projects and applications that use them.
“One reason hackers have been targeting these cross-chain bridges lately is the immense technical sophistication involved in building these types of services,” said Ganesh Swami, CEO of Vancouver-based blockchain data firm Covalent who had some cryptos stored on Nomad’s bridge when it was hacked.
For example, some bridges create wrapped versions of crypto coins that are compatible with other blockchains, keeping the original coins locked in reserve. Others rely on smart contracts, agreements written in code that execute transactions automatically.
The code behind all of these may contain bugs or other flaws that leave the door open to hackers.
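To make concrete what “keeping the original coins in reserve” means, and why a single missing check in that code matters, here is an added illustration written for this page (it is not code from Nomad, Ronin, Wormhole or any other project mentioned): a toy lock-and-mint bridge in Python. Coins are locked on one side, a matching wrapped amount is minted on the other, and an invariant that an auditor or a monitoring job would check states that the locked reserve must always equal the wrapped supply. The class and function names, the deposit ids and the user names are constructed for the example.

```python
# Added illustration: a toy lock-and-mint bridge with a 1:1 backing invariant.
# Constructed example for this page; not the code of any real bridge project.

from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    deposit_id: str   # unique id of the lock event on the source chain (constructed)
    user: str
    amount: int


class LockAndMintBridge:
    """Both sides of a lock-and-mint bridge collapsed into one object.

    lock():  the custodian on the source chain takes native coins into reserve.
    mint():  the contract on the destination chain issues wrapped coins, but only
             for a deposit it has verified, matching that deposit exactly, and
             only once per deposit id.
    burn():  wrapped coins are destroyed and the same amount leaves the reserve.
    """

    def __init__(self) -> None:
        self.reserve = 0            # native coins locked on the source chain
        self.wrapped_supply = 0     # wrapped coins outstanding on the destination chain
        self.balances: dict[str, int] = {}
        self._verified: dict[str, Deposit] = {}   # deposits attested to the destination side
        self._consumed: set[str] = set()          # deposit ids already redeemed (replay guard)

    def lock(self, deposit: Deposit) -> None:
        if deposit.amount <= 0 or deposit.deposit_id in self._verified:
            raise ValueError("invalid or duplicate deposit")
        self.reserve += deposit.amount
        self._verified[deposit.deposit_id] = deposit

    def mint(self, deposit_id: str, claimant: str, amount: int) -> None:
        proof = self._verified.get(deposit_id)
        if proof is None:
            raise PermissionError("no verified deposit for this claim")
        if deposit_id in self._consumed:
            raise PermissionError("deposit already redeemed")
        if proof.user != claimant or proof.amount != amount:
            raise PermissionError("claim does not match the verified deposit")
        self._consumed.add(deposit_id)
        self.wrapped_supply += amount
        self.balances[claimant] = self.balances.get(claimant, 0) + amount

    def burn(self, user: str, amount: int) -> None:
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.balances[user] -= amount
        self.wrapped_supply -= amount
        self.reserve -= amount      # custodian releases the same amount of native coins

    def invariant_holds(self) -> bool:
        """Every wrapped coin must be backed 1:1 by a coin locked in reserve."""
        return self.reserve == self.wrapped_supply


class UncheckedMintBridge(LockAndMintBridge):
    """The same bridge with the verification step accidentally left out: the kind
    of logic flaw the article describes. Included only to show that the backing
    invariant detects the unbacked supply such a flaw produces."""

    def mint(self, deposit_id: str, claimant: str, amount: int) -> None:
        self.wrapped_supply += amount
        self.balances[claimant] = self.balances.get(claimant, 0) + amount


def honest_flow() -> LockAndMintBridge:
    """Lock 100, mint 100, burn 40: reserve and wrapped supply both end at 60."""
    bridge = LockAndMintBridge()
    bridge.lock(Deposit("dep-1", "alice", 100))
    bridge.mint("dep-1", "alice", 100)
    bridge.burn("alice", 40)
    return bridge


def replay_is_rejected() -> bool:
    """Redeeming the same deposit twice must fail on the second attempt."""
    bridge = LockAndMintBridge()
    bridge.lock(Deposit("dep-1", "alice", 100))
    bridge.mint("dep-1", "alice", 100)
    try:
        bridge.mint("dep-1", "alice", 100)
    except PermissionError:
        return True
    return False


def unchecked_flow() -> UncheckedMintBridge:
    """With the check missing, a claim for a deposit that never happened is honoured,
    and the invariant check is what reveals the 500 unbacked wrapped coins."""
    bridge = UncheckedMintBridge()
    bridge.lock(Deposit("dep-1", "alice", 100))
    bridge.mint("dep-1", "alice", 100)
    bridge.mint("dep-9", "bob", 500)    # no lock was ever recorded for dep-9
    return bridge


if __name__ == "__main__":
    print("honest bridge invariant:", honest_flow().invariant_holds())       # True
    print("replay rejected:", replay_is_rejected())                          # True
    print("unchecked bridge invariant:", unchecked_flow().invariant_holds()) # False
```

The point of the example is the last line: a bridge's security rests on the mint side never issuing wrapped coins without an attested lock on the other side, and the reserve-equals-supply invariant is the cheapest external check that this property still holds. A monitoring job that reads both chains' state and compares the two numbers would flag the unchecked variant the moment the first unbacked mint is processed.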
So what’s the best way to tackle the problem?
Some experts say audits of smart contracts could help protect against cybertheft, as could “bug bounty” programs that encourage open-source reviews of smart contract code.
Others are calling for less concentration of control over the bridges by individual companies, which they say could increase the code’s resilience and transparency.
“Cross-chain bridges are an attractive target for hackers because they often use centralized infrastructure, most of which has assets locked down,” said Victor Young, founder and chief architect of US blockchain firm Analog.
Reporting by Tom Wilson in London and Medha Singh in Bengaluru; Editing by Pravin Char