This week, Nomad bridge suffered a $190 million exploit called the “first decentralized crypto looting,” since funds were drained by multiple actors, who treated the cracked protocol as an open buffet. “This vulnerability was so severe that even unsophisticated attackers could weaponize it, instantly,” crypto security firm Zellic explained in a Twitter thread. “All they had to do was change the address of the recipient.”
The bewildering amount of crypto that hackers managed to get away with was enough for Nomad to qualify as the third-largest exploit of 2022 and the fifth largest in the history of decentralized finance. What’s perhaps even more staggering is that the first, second, and third place in the ranking, which is maintained by crypto news website Rekt, also belong to exploited cross-chain bridges, Axie Infinity’s Ronin, Poly Network, and Ethereum’s Wormhole, respectively.
Read also: Poly Network suspends its services after a July 2 hack
Unfortunately, for now, everything indicates that successful attacks on blockchain bridges become more and more common. What are the reasons behind such a worrying trend?
What are cross-chain bridges, anyway?
According to blockchain analytics firm Chainalysis, in 2022 alone, $2 billion in cryptocurrency has been stolen from cross-chain bridges across 13 separate hacks. Attacks on bridges account for 69% of the total value stolen so far this year.
“Even more troubling is that bridges are now a top target for North Korean-linked hackers, who – according to our estimates – have stolen approximately $1 billion worth of cryptocurrency so far this year, entirely from bridges and other DeFi protocols,” Chainalysis wrote in its blog post.
Cross-chain bridges are protocols specifically designed to connect two blockchains that otherwise would have been unable to communicate. With the help of bridges, users can move their digital assets from one chain to another, linking together different networks into one integrated crypto economy. For instance, the Nomad bridge connected Ethereum, Avalanche, Evmos, Moonbeam, and Milkomeda.
To transact between different chains, bridge users typically “wrap” their crypto. They send one type of coin to the bridge protocol, where it’s temporarily locked in a contract. The users then receive an equal amount of funds in a different cryptocurrency issued by the chain the protocol bridges to. Wormhole, for example, spits out Wormhole-wrapped ETH after being sent Ether, which is held as collateral.
What makes cross-chain bridges so vulnerable to attacks is that they serve as a central point of storing people’s funds, which naturally attracts many malicious actors. Additionally, bridge technology is still relatively new and optimal design is yet to be found.
The uncertain future of blockchain bridges
Vitalik Buterin has long pointed out that bridges suffer from fundamental security limits and predicted that the future will be multi-chain, not cross-chain. In his January 2022 Reddit post, he outlined his main concerns regarding blockchain bridges and warned that the security risks will only increase over time.
According to Vitalik, storing assets directly on-chain offers a strong degree of security, as even a 51% attack won’t take away users’ assets.
“Suppose that you have 100 ETH on Ethereum, and Ethereum gets 51% attacked, so some transactions get censored and/or reverted,” wrote Buterin. “No matter what happens, you still have your 100 ETH. Even a 51% attacker cannot propose a block that takes away your ETH, because such a block would violate the protocol rules and so it would get rejected by the network.”
The same is true for Ethereum Layer 2s like Arbitrum and Optimism and Ethereum-based applications, where account balances could not be lost in a result of a 51% attack. However, the same level of security doesn’t apply to cross-chain bridges.
“The attacker deposited a bunch of their own ETH into Solana-WETH and then reverted that transaction on the Ethereum side as soon as the Solana side confirmed it. The Solana-WETH contract is now no longer fully backed, and perhaps your 100 Solana-WETH is now only worth 60 ETH.”
What’s even more concerning is that one chain compromised can lead to a system-wide contagion due to a great degree of interdependence. And such security risks will only increase alongside the further adoption of cross-chain bridges.
“There are fundamental limits to the security of bridges that hop across multiple ‘zones of sovereignty’,” Buterin said, although leaving room for cautious optimism about the “multi-chain blockchain future.”