Every bridge is different in how it operates and how it is designed. That means there isn't any one clear way to create and maintain such a bridge. We don't have any standards that the industry can use and copy. We're in uncharted waters where new designs are being built and tested. With such an approach mistakes can happen. But that also means in the future we may see a secure bridge, or at least one much more secure than what we see now.
As Chainalysis correctly reported, centralized exchanges were having the same difficulties as bridges, as they were frequently targeted by hackers. Nowadays it's not often that we hear about a CEX being hacked. I hope the same will happen with bridges as protocols prioritize security.
Why are bridges hard to secure?
It's worth noting that all the bridges that were hacked are cross-chain bridges, meaning they connect two different blockchains. Such bridges are really hard to secure and protect against hacks because a bridge is constructed from many components. That makes the surface area of a potential attack much larger than for a standard Web3/DeFi application.
The problem with bridges is that they often hold a lot of funds in storage, such as smart contracts or a centralized custodian. This makes them an enticing target for hackers.
Additionally, bridge designs differ from each other in how they operate and work. Secure bridge design is still a technical challenge the industry is trying to resolve by trial and error. With every new hack and security bug found, we can learn from the mistakes and build better solutions.
How to make bridges more secure?
In order to stand against malicious attacks from such sophisticated groups as Lazarus, you need to have bulletproof code. And the only way to achieve that is to conduct code audits and have as many eyes on your project as possible so they can constantly review and test your code for bugs. It is important to do audits whenever there is a change in the code, and it is recommended to launch a bug bounty program with rewards proportional to the funds at risk to incentivize whitehat hackers to spend their time and energy searching for vulnerabilities in the project's code. Hackers should be motivated to disclose a bug responsibly instead of exploiting the issue.
The surface area of an attack is large, and as we saw in the case of the Ronin bridge and other hacks, humans are a way in for nation-state hackers like Lazarus. Educating employees on social engineering, teaching them about phishing, how to recognize it and what to do when such an attack is discovered, should be a standard across the industry. Not only developers, but every employee in every department, such as marketing, sales, and others, should be aware of all possible attacks.
Security is only as strong as its weakest link. Sadly, people are often the weakest link in an organization.
Thanks for reading, and if you'd like to read more articles like this one, you can find the subscription box below 👇
Check out my other socials like my Twitter @adrianhetman, where I post and share exciting news from the Web3 world and security.
I also post explainers and vlogs on TikTok https://www.tiktok.com/@adrianhetman