If 2018 was the year of the hack for centralized crypto exchanges, decentralized blockchain bridges seem destined to claim that honor this year.
More than $1.9 billion was stolen in cross-chain hacks in the first half of 2022, according to a new blog post from crypto-analytics firm Chainalysis.
Cross-chain bridges have been criticized in recent weeks for their vulnerability. At their core, bridges allow users to exchange one token for another, say BNB
“Having this interoperability is crucial,” says Kim Grauer, research manager at Chainalysis.
But to work, decks must contain large amounts of both tokens. These pools of liquidity make them attractive to hackers. Bridges “allow blockchains to talk,” says Grauer. “But we also created these honeypots for malicious actors.”
“Regardless of how those funds are stored — locked in a smart contract or with a centralized custodian — that point of storage becomes a target,” she adds.
Their vulnerability may also be the result of DeFi growing too big and too fast. Cross-chain bridges, says Amit Dar, senior director of strategy at cybersecurity firm Active Fence, are “kind of an afterthought.”
“Efficient bridge design is still an unsolved technical challenge, with many new designs being developed and tested,” adds Grauer.
Yet bridges have become staples of decentralized finance, and as long as they remain vulnerable, hacks will also be commonplace.
“The promise of DeFi was that we could have finance without trust,” says Sam William, CEO of Arweave
As DeFi grows, this “painful lesson,” as Grauer puts it, is costing users unprecedented amounts of money. Thefts in the first half of this year increased by 58% compared to the corresponding period of 2021. “This trend does not appear to be reversing any time soon”, adds the report. Indeed, $190 million was hacked from the Nomad blockchain bridge in early August, after the report closing date.
According to Chainalysis’ Mid-Year Crypto Crime Update, most cross-chain hacks this year resulted from code exploits. Bridges, like all DeFi applications and uses, are open source projects built by developers and modified by programmers. The entire Bridges codes are available on GitHub, an open code hosting service where anyone can inspect them for vulnerabilities.
Open source advocates call it the key to community and decentralization. But it’s a double-edged sword. Just as developers, users, and communities have their eyes on the code, so do malicious actors. They can easily see bugs or flaws and use them to exploit the bridge itself. An earlier report by Chainalysis found that code exploits accounted for nearly 50% of value stolen from DeFi in the first quarter of the year. Narrated chain analysis Forbes he doesn’t have the data for Q2 yet.
Code exploits also represent some of the biggest blockchain bridge hacks of the year, taking Ronin, Wormhole, Harmony
and now Nomad. These hacks all suffered from exploits in which loopholes in the code led to compromised validator nodes approving flights.
Hackers, Williams says, find flaws in software that are widely deployable on every node. Blockchains rely on a series of computers called nodes to verify and validate transaction history. When a bug or a loophole in the code is discovered by hackers, they can use the bug to modify certain functions on each node.
According to a Twitter feed by samczsun, research partner and head of security at crypto research firm Paradigm, the Nomad hack comes from a faulty update. The blockchain bridge contained $197 million worth of cryptocurrencies before the hack.
A routine upgrade set the code to automatically approve every message, and therefore every transaction. The hackers then no longer needed to modify the code, they simply had to find a transaction that had previously worked, replace the address, and rebroadcast the information to steal the funds.
“Attackers abused it to copy/paste transactions and quickly emptied the deck in a frenzied melee,” he said. tweeted.
So where does DeFi go from here? Mimi Idada, founding partner of Open Web Collective, a blockchain incubator and venture capital fund, suggests that blockchain bridges use open source to their advantage. “So here is a great story where we have black hats doing malicious activities,” she says. “But when we have an idea, and when we know what’s going on, we can actually [enlist] our community, other developers, to help get some of that money out before it’s all gone.
Indeed, in the case of Nomad white hats, or hackers with good intentions, used the same method as the thieves to return part of the funds to the bridge. Although Nomad currently only holds $90,000 in cryptocurrencies, more than $36 million has been sent to the blockchain bridge recovery wallet address, according to data from Etherscan.io. Nomad also offered a 10% bonus to anyone returning at least 90% of the funds.
Regardless of benevolent hackers, Grauer says continued attacks will force DeFi “to a higher bar in terms of security.”
“God knows how many bugs there are in the code that are not being analyzed by the entire potential population at all times,” she says.