One of the challenges for the crypto industry is how many blockchains there are and how complex it is to move across them. This has led to the growth of bridges for people to send tokens across chains. But these bridging tools have come under attack by hackers, leading to major losses.
Because crypto has become a multichain industry, bridges have become a key part of the infrastructure. Attacks on them can have “cascading effects” across chains, as Chainalysis researchers recently put it. Some of the largest DeFi hacks to date have involved bridges.
Bitcoin is singular: It has one token which is held on one blockchain. But many of the blockchains that followed are designed to support multiple tokens, and many cryptocurrencies aim to ride on more than one blockchain. USDC trades on eight blockchains, while chains like Solana and Ethereum are designed with support for multiple currencies in mind.
Many in the industry believe it’s inevitable that multiple blockchains will develop, each emphasizing different strengths such as gaming, trading, NFTs, mobile or payments.
There are two main kinds of hacks on bridges: code attacks, which exploit vulnerabilities in smart contracts, and attacks on the design of a network, often accomplished through social engineering. These types of hacks are not specific to bridges; instead, they’re part of the continuing challenge of hacking and phishing attacks in crypto.
“You see hacks not just in bridges, but everywhere; there are DeFi protocols getting hacked a lot as well,” said Rishabh Khurana, CEO at startup Socket.
In one smart-contract-related incident, hackers exploited a security problem in the Wormhole bridge’s code to make off with $325 million. Wormhole bridges blockchains like Ethereum, Solana and Polygon, enabling people to deposit tokens from one chain and get the equivalent on a different chain. In the incident, a hacker minted 120,000 wrapped ether, or WETH, on the Solana blockchain without putting in the equivalent on the Ethereum side.
The recent $100 million hack of Harmony’s Horizon Bridge was apparently the result of social engineering to obtain the required electronic signatures to authorize a transaction.
Why do these bridge hacks have such a big impact? Bridges can quickly spread the effects of a hack across multiple chains. “The implication could be that the price of ETH on Solana could drop and people could start getting liquidated,” Khurana said.
With $325 million worth of ether missing from Wormhole, people who held WETH would not be able to convert it back into ETH or could have seen their holdings liquidated if the value of WETH dropped. Jump Trading, Wormhole’s parent company, replaced the stolen ether, which seems to have prevented these worst-case scenarios from occurring.
In Axie Infinity’s Ronin bridge, a hacker took control of five of the nine validator nodes that handle transactions. Four of those five nodes were controlled by Axie developer Sky Mavis, which Khurana described as a flaw in its design. Social engineering allowed hackers to take control of those four nodes: An Axie engineer applied for a fake job on LinkedIn and opened a fake job offer document that contained spyware. A fifth node was hacked through a third-party validator managed by the Axie DAO.
The code apparently worked as designed, but the design of the network, with multiple nodes under one party’s control, made it easier for hackers to take over.
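The concentration problem described above can be checked before a bridge goes live. The following is an added example, not code from Ronin or any project named in this article: it counts how many distinct parties must be compromised before an approval threshold is met. The five-signature threshold and the operators of the four remaining validators are assumptions, since the article does not state them.

```python
from collections import Counter

def min_operators_to_reach_threshold(validators, threshold):
    """validators maps a validator id to the party that operates it.
    Returns the smallest list of operators that together control at least
    `threshold` validators, i.e. how many parties an intruder must breach."""
    if not 0 < threshold <= len(validators):
        raise ValueError("threshold must be between 1 and the validator count")
    per_operator = Counter(validators.values())
    chosen, controlled = [], 0
    # Counting the largest holders first gives the minimum number of parties.
    for operator, count in per_operator.most_common():
        chosen.append(operator)
        controlled += count
        if controlled >= threshold:
            break
    return chosen

THRESHOLD = 5  # assumption: five of nine approvals authorize a transfer

# Constructed layout modelled on the article: four validators run by one
# company, one by a DAO; the other four operators are hypothetical.
CONCENTRATED = {
    "v1": "Sky Mavis", "v2": "Sky Mavis", "v3": "Sky Mavis", "v4": "Sky Mavis",
    "v5": "Axie DAO",
    "v6": "operator-A", "v7": "operator-B", "v8": "operator-C", "v9": "operator-D",
}

# Constructed comparison: the same nine validators, each run by a separate party.
INDEPENDENT = {f"v{i}": f"operator-{i}" for i in range(1, 10)}

if __name__ == "__main__":
    for name, layout in (("concentrated", CONCENTRATED), ("independent", INDEPENDENT)):
        parties = min_operators_to_reach_threshold(layout, THRESHOLD)
        print(f"{name}: {len(parties)} parties reach {THRESHOLD} of {len(layout)}")
```

With the concentrated layout, two parties are enough to reach the threshold; with nine independent operators, five are needed.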
There are trade-offs for crypto bridges between speed, cost and security. Some bridges are very fast and cheap but are not as secure, while others are much more secure but may be slow to execute a transaction, Khurana said. His startup, Socket, makes technology that protocols use so that they don’t have to build separately for each different blockchain.
Crossing chains is still a user-interface nightmare. Even if consumers can get past the trust issues, given past hacks, they need wallets on both chains to use a bridge, and some technical sophistication.
That may be the ultimate challenge for bridges, even if security ends up mostly solved. Until bridging across different chains becomes easier, widespread crypto adoption will be hindered.
Some Web3 companies are working on ways to make bridging easier. Transak is aiming to make it seamless for users who hold one token, say, ether, to play a game on the Solana blockchain without having to bridge tokens, doing the necessary conversions behind the scenes. The ultimate crypto bridge could be one that consumers don’t need to know they crossed.