Intro to Cross-chain bridges and its security
Blockchain enables various opportunities for its users. There are many takes on how blockchain should behave and what it should offer. We see many blockchain networks in active use, like Ethereum, Polygon, NEAR, Avalanche, BSC, or Solana, each with its own value proposition. As users (and money) pour into DeFi, there is an exploding demand for blockchains with low transaction fees and fast confirmations/finality. To meet this demand, there has been a proliferation of L2 scaling solutions and sidechains. However, these solutions aren’t (usually) able to interoperate and talk to each other. Many DeFi protocols are native to different chains. For example, Aave is native to Ethereum but PancakeSwap is native to BSC.
The same goes for the exploding NFT space, where we see a substantial amount of collections not only launching on Ethereum, but also on Polygon and Solana. But what if we want to move our precious NFTs or valuable tokens from one chain to another? The answer to that question is blockchain bridge technology.
The demand for moving tokens gained/earned on one network to another increases every day. The amount flowing through bridges is enormous. Just looking at data from https://defillama.com/ there is currently over $62B in TVL (total locked value) in many DeFi projects.
Users interact with cross-chain bridges by sending funds to the bridge protocol, where those funds are then locked by the bridge smart contract. The bridge protocol issues the user an equivalent asset on the second network from the second bridge smart contract.
When a user wants to send Ether from Ethereum to Solana, the Ether will be locked by the bridge protocol on Ethereum side, and the user can redeem equivalent tokens from the bridge on Solana. For every dollar moved from one chain to another, the bridge has to hold that dollar on its “native” chain in case the user wants to move the money back. As you can imagine, this accumulates a lot of money.
Bridge Security incidents
In the history of DeFi, there have been a few notable bridge hacks; like PolyNetwork, hacked last year for $610m; or Wormhole, hacked in February for $321M. Each of these hacks, including the Ronin hack, was different in underlying vulnerability and in the way the attack was executed.
The Wormhole bridge hack occurred because they used a deprecated function for verifying signatures during redemption of tokens on the Solana side. The contract didn’t check whether the signature verification routine originated from the system address. The attacker was able to mint over 120k weETH tokens by substituting their own verification routine that always says the signature is valid (even if it isn’t).
The PolyNetwork hack happened because of mismanagement of the access rights to two important protocol smart contracts. The two exploited contracts were responsible for setting and managing a list of public keys of the maintainers. Hacker managed to force the system to add their own public key as a maintainer key, and was able to use that to empty the Poly wallet.
Ronin network also had an issue with the mismanagement of the validators keys. The private keys of Ronin validators went into the hands of the sponsored-stated hackers from The Lazarus Group. Hackers then were able to call the privileged function of a smart contract to drain the funds from the Ronin bridge contract ($625m).
Nomad Bridge was a smart contract-enabled hack that led to $193m in stolen funds. Issue was in the process function which processes the withdrawal of the funds on Ethereum side. The attacker managed to spoof the
message inside the function to trick the smart contract into giving more money than it should and to anyone. In this case, there wasn't a singular malicious actor exploiting the vulnerability. Rather, there were many different people and MEV bots involved.
Horizon Bridge hack as-well as Ronin bridge hack, was also targetted by The Lazarus group and as Ronin, their validotors keys were also stolen. Hackers managed to use these keys to steal over $100m from the bridge itself
If you look into the areas of these hacks, they all (apart from Nomad Bridge) exploited signing key and access control issues that led to gaining access to functions that normal users shouldn’t be able to call.
Decentralization is hard to achieve. It’s hard to get it right. And bridges need to have a decentralized way of managing funds and the bridge itself. As we can see, only from these five hacks, over 1.85 billion dollars were stolen. The larger the money flows through one point, more skilled hackers are looking at it. It’s just the matter of who will win, the blackhats, or the whitehats.
Security teams need to be right all the time. Blackhats needs to be right only once. To bridge that gap (pun intended) I'm the big advocate of the large bug bounties. We need to incentivize hackers to report the bug to the project and get paid big, clean money, instead of looking over your shoulder all your life after a hack.
Thanks for reading, and if you like to read more articles like this one, you can find subscription box below 👇
Check out other socials like my Twitter @adrianhetman, where I post and share exciting news from the Web3 world and security.
Also I post explainers and vlogs on TikTok https://www.tiktok.com/@adrianhetman