Cryptoverse: Blockchain Bridges Fall in Troubled Waters

Aug 9 (Reuters) – Another day, another hack – and another blockchain bridge burned.

When thieves stole an estimated $190 million from US crypto firm Nomad last week, it was the seventh hack in 2022 to target an increasingly important cog in the crypto machine: Blockchain “bridges” — strings of code that help move cryptocurrencies between different applications. read more

So far this year, hackers have stolen about $1.2 billion worth of crypto from bridges, data from London-based blockchain analytics firm Elliptic shows, already more than double last year’s total.

“This is a war where the cybersecurity firm or project cannot be a winner,” said Ronghui Hu, a professor of computer science at Columbia University in New York and co-founder of cybersecurity firm CertiK.

“We have to protect so many projects. For them (hackers) when they look at one project and there are no bugs, they can simply move on to the next one until they find a weak spot.”

Currently, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions. There is a risk that projects using these coins will become silos, reducing the possibilities for widespread use.

Blockchain bridges aim to tear down these walls. Backers say they will play a fundamental role in “Web3” — the much-hyped vision of a digital future where crypto is intertwined with online life and commerce.

Yet bridges can be the weakest link.

The Nomad hack was the eighth largest crypto theft on record. Other thefts from bridges this year include a $615 million theft of Ronin, used in a popular online game, and a $320 million theft of Wormhole, used in so-called decentralized finance applications. read more

“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and CEO of malware detector PolySwarm.

ACHILLES HEEL

Nomad and other companies creating blockchain bridge software have attracted support.

Just five days before it was hacked, San Francisco-based Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global ( COIN.O ). Nomad’s CEO and co-founder Pranay Mohan called the security model “the gold standard”.

Nomad did not respond to requests for comment.

It has said it is working with law enforcement agencies and a blockchain analytics firm to trace the stolen funds. Late last week, it announced a bounty of up to 10% for the return of funds hacked from the bridge. It said on Saturday that it had recovered over $32 million of the hacked funds so far.

“The most important thing in crypto is community, and our first goal is to restore bridged user assets,” Mohan said. “We will treat any party that returns 90% or more of leveraged funds as a white hat. We will not prosecute white hats,” he said, referring to so-called ethical hackers.

Several cybersecurity and blockchain experts told Reuters that bridges’ complexity meant they could represent an Achilles’ heel for projects and applications that used them.

“One reason hackers have targeted these cross-chain bridges lately is because of the enormous technical sophistication involved in creating these types of services,” said Ganesh Swami, CEO of Vancouver-based blockchain computing firm Covalent, which had some crypto stored at Nomad’s. bridge when it was hacked.

For example, some bridges create versions of cryptocoins that make them compatible with different blockchains, keeping the original coins in reserve. Others rely on smart contracts, complex agreements that execute agreements automatically.

The code involved in all of these can contain bugs or other errors, potentially leaving the door open to hackers.

BUG BOUNTIES

So how best to solve the problem?

Some experts say audits of smart contracts can help protect against cyber theft, as well as “bug bounty” programs that incentivize open-source review of smart contract code.

Others are calling for less concentration of control over the bridges by individual companies, which they say could strengthen resilience and transparency in the code.

“Cross-chain bridges are an attractive target for hackers because they often exploit a centralized infrastructure, most of which locks assets,” said Victor Young, founder and chief architect at US blockchain firm Analog.

Reporting by Tom Wilson in London and Medha Singh in Bengaluru; Editing by Pravin Char

Our standards: Thomson Reuters Trust Principles.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which is committed under its fiduciary principles to integrity, independence and freedom from bias.