Fintech

Crypto bridges are coming under attack

Linking blockchains together is a key part of the industry. But bridges are vulnerable to hackers and confusing for consumers.

Crypto bridges are coming under attack
X-Men: The Last Stand (2/5) Movie CLIP - Magneto's Bridgework (2006) HD

One of the challenges for the crypto industry is how many blockchains there are and how complex it is to move across them. This has led to the growth of bridges for people to send tokens across chains. But these bridging tools have come under attack by hackers, leading to major losses.

Because crypto has become a multichain industry, bridges have become a key part of the infrastructure. Attacks on them can have “cascading effects” across chains, as Chainalysis researchers recently put it. Some of the largest DeFi hacks to date have involved bridges.

Bitcoin is singular: It has one token which is held on one blockchain. But many of the blockchains that followed are designed to support multiple tokens, and many cryptocurrencies aim to ride on more than one blockchain. USDC trades on eight blockchains, while chains like Solana and Ethereum are designed with support for multiple currencies in mind.

Many in the industry believe it’s inevitable that there will be multiple blockchains that develop, each emphasizing different strengths such as gaming, trading, NFTs, mobile or payments.

There are two main kinds of hacks on bridges: code attacks, which exploit vulnerabilities in smart contracts, and attacks on the design of a network, often accomplished through social engineering. These types of hacks are not specific to bridges; instead, they’re part of the continuing challenge of hacking and phishing attacks in crypto.

“You see hacks not just in bridges, but everywhere; there are DeFi protocols getting hacked a lot as well,” said Rishabh Khurana, CEO at startup Socket.

In one smart-contract-related incident, hackers exploited a security problem in the Wormhole bridge’s code to make off with $325 million. Wormhole bridges blockchains like Ethereum, Solana and Polygon, enabling people to deposit tokens from one chain and get the equivalent on a different chain. In the incident, a hacker minted 120,000 wrapped ether, or WETH, on the Solana blockchain without putting in the equivalent on the Ethereum side.

The recent $100 million hack of Harmony’s Horizon Bridge was apparently the result of social engineering to obtain the required electronic signatures to authorize a transaction.

Why do these bridge hacks have such a big impact? Bridges can quickly spread the effects of a hack across multiple chains. “The implication could be that the price of ETH on Solana could drop and people could start getting liquidated,” Khurana said.

With $325 million worth of ether missing from Wormhole, people who held WETH would not be able to convert it back into ETH or could have seen their holdings liquidated if the value of WETH dropped. Jump Trading, Wormhole’s parent company, replaced the stolen ether, which seems to have prevented these worst-case scenarios from occurring.

In Axie Infinity’s Ronin bridge, a hacker took control of five of the nine validator nodes that handle transactions. Four of those five nodes were controlled by Axie developer Sky Mavis, a flaw in its design, Khurana said. Social engineering allowed hackers to take control of those four nodes: An Axie engineer applied for a fake job on LinkedIn and opened a fake job offer document that contained spyware. A fifth node was hacked through a third-party validator managed by the Axie DAO.

The code apparently worked as designed, but the design of the network, with multiple nodes under one party’s control, made it easier for hackers to take over.

There are trade-offs for crypto bridges between speed, cost and security. Some bridges are very fast and cheap but are not as secure, while others are much more secure but may be slow to execute a transaction, Khurana said. His startup, Socket, makes technology that protocols use so that they don’t have to build separately for each different blockchain.

Crossing chains is still a user-interface nightmare. Even if consumers can get past the trust issues, given past hacks, they need wallets on both chains to use a bridge, and some technical sophistication.

That may be the ultimate challenge for bridges, even if security ends up mostly solved. Until bridging across different chains becomes easier, widespread crypto adoption will be hindered.

Some Web3 companies are working on ways to make bridging easier. Transak is aiming to make it seamless for users who hold one token, say, ether, to play a game on the Solana blockchain without having to bridge tokens, doing the necessary conversions behind the scenes. The ultimate crypto bridge could be one that consumers don’t need to know they crossed.
Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins