Crypto bridges are coming under attack

Linking blockchains together is a key part of the industry. But bridges are vulnerable to hackers and confusing for consumers.

One of the challenges for the crypto industry is how many blockchains there are and how complex it is to move across them. This has led to the growth of bridges for people to send tokens across chains. But these bridging tools have come under attack by hackers, leading to major losses.

Because crypto has become a multichain industry, bridges have become a key part of the infrastructure. Attacks on them can have “cascading effects” across chains, as Chainalysis researchers recently put it. Some of the largest DeFi hacks to date have involved bridges.

Bitcoin is singular: It has one token which is held on one blockchain. But many of the blockchains that followed are designed to support multiple tokens, and many cryptocurrencies aim to ride on more than one blockchain. USDC trades on eight blockchains, while chains like Solana and Ethereum are designed with support for multiple currencies in mind.

Many in the industry believe it’s inevitable that multiple blockchains will develop, each emphasizing different strengths such as gaming, trading, NFTs, mobile or payments.

There are two main kinds of hacks on bridges: code attacks, which exploit vulnerabilities in smart contracts, and attacks on the design of a network, often accomplished through social engineering. These types of hacks are not specific to bridges; instead, they’re part of the continuing challenge of hacking and phishing attacks in crypto.

“You see hacks not just in bridges, but everywhere; there are DeFi protocols getting hacked a lot as well,” said Rishabh Khurana, CEO at startup Socket.

In one smart-contract-related incident, hackers exploited a security problem in the Wormhole bridge’s code to make off with $325 million. Wormhole bridges blockchains like Ethereum, Solana and Polygon, enabling people to deposit tokens from one chain and get the equivalent on a different chain. In the incident, a hacker minted 120,000 wrapped ether, or WETH, on the Solana blockchain without putting in the equivalent on the Ethereum side.

The recent $100 million hack of Harmony’s Horizon Bridge was apparently the result of social engineering to obtain the required electronic signatures to authorize a transaction.

Why do these bridge hacks have such a big impact? Bridges can quickly spread the effects of a hack across multiple chains. “The implication could be that the price of ETH on Solana could drop and people could start getting liquidated,” Khurana said.

With $325 million worth of ether missing from Wormhole, people who held WETH would not be able to convert it back into ETH or could have seen their holdings liquidated if the value of WETH dropped. Jump Trading, Wormhole’s parent company, replaced the stolen ether, which seems to have prevented these worst-case scenarios from occurring.

In Axie Infinity’s Ronin bridge, a hacker took control of five of the nine validator nodes that handle transactions. Four of those five nodes were controlled by Axie developer Sky Mavis, a flaw in its design, Khurana said. Social engineering allowed hackers to take control of those four nodes: An Axie engineer applied for a fake job on LinkedIn and opened a fake job offer document that contained spyware. A fifth node was hacked through a third-party validator managed by the Axie DAO.

The code apparently worked as designed, but the design of the network, with multiple nodes under one party’s control, made it easier for hackers to take over.
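
The concentration problem described above can be checked mechanically. The following is an added example, not code from the article or from any bridge project: it computes how many independent operators must be compromised to reach a signing threshold. The five-of-nine threshold and the Sky Mavis and Axie DAO assignments follow the article; the remaining operator names and all function names are constructed placeholders.

```python
from collections import Counter

def operators_needed(validators, threshold):
    """Return the fewest operators whose validators together meet the threshold.

    validators maps validator id -> operator holding that validator's key.
    Taking the largest operators first is optimal when minimising the count.
    """
    if not 0 < threshold <= len(validators):
        raise ValueError("threshold must be between 1 and the validator count")
    chosen, controlled = [], 0
    for operator, count in Counter(validators.values()).most_common():
        if controlled >= threshold:
            break
        chosen.append(operator)
        controlled += count
    return chosen

def per_operator_cap(threshold, independent_parties):
    """Largest number of validators one operator may hold so that no group of
    (independent_parties - 1) operators can reach the threshold."""
    if independent_parties < 2:
        raise ValueError("need at least two independent parties")
    return (threshold - 1) // (independent_parties - 1)

# Constructed layout: 5-of-9 threshold, four validators under one operator and
# one under a second, as the article describes; "other-N" names are placeholders.
RONIN_LIKE = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "other-1", "v7": "other-2", "v8": "other-3", "v9": "other-4",
}
# Constructed contrast: same threshold, every validator under a different operator.
SPREAD_OUT = {f"v{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, layout in (("concentrated", RONIN_LIKE), ("spread out", SPREAD_OUT)):
        needed = operators_needed(layout, threshold=5)
        print(f"{name}: {len(needed)} operator(s) reach 5 of 9: {needed}")
    print("cap per operator to require 3 parties:", per_operator_cap(5, 3))
```

With a threshold of five, a cap of four validators per operator guarantees only two independent parties, which is the situation the article describes; requiring three independent parties means no operator may hold more than two.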

There are trade-offs for crypto bridges between speed, cost and security. Some bridges are very fast and cheap but are not as secure, while others are much more secure but may be slow to execute a transaction, Khurana said. His startup, Socket, makes technology that protocols use so that they don’t have to build separately for each different blockchain.

Crossing chains is still a user-interface nightmare. Even if consumers can get past the trust issues, given past hacks, they need wallets on both chains to use a bridge, and some technical sophistication.

That may be the ultimate challenge for bridges, even if security ends up mostly solved. Until bridging across different chains becomes easier, widespread crypto adoption will be hindered.

Some Web3 companies are working on ways to make bridging easier. Transak is aiming to make it seamless for users who hold one token, say, ether, to play a game on the Solana blockchain without having to bridge tokens, doing the necessary conversions behind the scenes. The ultimate crypto bridge could be one that consumers don’t need to know they crossed.