Hackers have stolen $1.4 billion this year using crypto bridges

Crypto investors have been hit hard this year by hacks and scams. One reason is that cybercriminals have found a particularly useful route to reach them: bridges.

Blockchain bridges, which tie together networks to enable the rapid exchange of tokens, are becoming increasingly popular as a way for crypto users to transact. But when using them, crypto enthusiasts bypass a centralized exchange and use a system that is largely unprotected.

A total of around $1.4 billion has been lost due to breaches of these cross-chain bridges since the beginning of the year, according to figures from blockchain analytics firm Chainalysis. The biggest single event was the record $615 million taken from Ronin, a bridge that supports the popular non-fungible token game Axie Infinity, which allows users to earn while playing.

There was also $320 million stolen from Wormhole, a crypto bridge backed by Wall Street high-frequency trading firm Jump Trading. In June, Harmony’s Horizon bridge suffered a $100 million attack. And last week, nearly $200 million was seized by hackers in a breach targeting Nomad.

“Blockchain bridges have become the low-hanging fruit for cybercriminals, with billions of dollars worth of cryptoassets locked up within them,” Tom Robinson, co-founder and chief researcher at blockchain analytics firm Elliptic, said in an interview. “These bridges have been breached by hackers in a number of ways, suggesting that their level of security has not kept pace with the value of the assets they hold.”

Bridge exploits are happening at an astonishing rate, considering that it is such a new phenomenon. According to Chainalysis data, the amount stolen in bridge heists accounts for 69% of funds stolen in crypto-related hacks so far in 2022.

A bridge is a piece of software that allows someone to send tokens out of one blockchain network and receive them on a separate chain. Blockchains are the distributed ledger systems that underpin various cryptocurrencies.

When an investor trades a token from one chain to another—such as by sending some ether from ethereum to the solana network—an investor inserts the tokens into a smart contract, a piece of code on the blockchain that allows deals to be executed automatically without human intervention intervention.

That crypto is then “stamped” on a new blockchain in the form of a so-called wrapped token, which represents a claim on the original ether coins. The token can then be traded on a new network. That could be useful for investors using ethereum, which has become notorious for sudden increases in fees and longer wait times when the network is busy.

“They usually have huge amounts of money,” said Adrian Hetman, technical director at crypto-security firm Immunefi. “These amounts of money, and the amount of traffic going through bridges, is a very tempting point of attack.”

The vulnerability of bridges can be partly traced to sloppy engineering.

For example, the hack of Harmony’s Horizon bridge was possible due to the limited number of validators needed to approve transactions. Hackers only needed to compromise two of a total of five accounts to obtain the necessary passwords to withdraw money.

A similar situation happened with Ronin. Hackers only needed to convince five out of nine validators on the network to hand over their private keys to gain access to crypto locked inside the system.

In Nomad’s case, the bridge was much easier for hackers to manipulate. Attackers were able to enter any value into the system and then withdraw money, even if there were not enough assets deposited in the bridge. They required no programming skills, and their exploits led to copycats piling in, leading to the eighth-largest crypto theft of all time, according to Elliptic.

Nomad offers hackers a bounty of up to 10% to retrieve user funds and says it will refrain from pursuing legal action against hackers who return 90% of the assets they took.

Nomad told CNBC that it is “committed to keeping the community updated as it learns more” and “appreciates all those who acted quickly to protect funds.”

Bridges are an important tool in the decentralized finance industry (DeFi), which is crypto’s alternative to the banking system.

With DeFi, instead of centralized actors calling the shots, the money exchange is managed by a programmable piece of code called a smart contract. This contract is written on a public blockchain, such as ethereum or solana, and is executed when certain conditions are met, negating the need for a central intermediary.

“We can’t just move these assets,” Hetman said. “That’s why we need blockchain bridges.”

As the DeFi space continues to evolve, developers must make blockchains interoperable to ensure that assets and data can flow smoothly between networks.

“Without them, assets are locked on native chains,” said Auston Bunsen, co-founder of QuikNode, which provides blockchain infrastructure to developers and companies.

But they are risky.

“They are effectively unregulated,” said David Carlisle, head of regulatory affairs at Elliptic. They are “very vulnerable to hacks, or to being used in crimes such as money laundering.”

Criminals have transferred at least $540 million worth of ill-gotten gains through a bridge called RenBridge since 2020, according to new research Elliptic provided to CNBC.

“A big question is whether bridges will be subject to regulation, since they act a lot like crypto exchanges, which are already regulated,” Carlisle said.

This week, the US Treasury Department’s Office of Foreign Assets Control, or OFAC, announced sanctions against Tornado Cash, a popular cryptocurrency mixer, banning Americans from using the service. Mixers are tools that mix a user’s tokens with a pool of other funds to hide the identity of the individuals and entities involved.

Carlisle said it’s becoming clear that “US regulators are prepared to go after DeFi services that facilitate illegal activity.”

SEE: Adrian Hetman of Immunefi explains how hackers stole $200 million