On March 23rd, the Ronin network was hit with a hack that saw the attackers walk away with $625 million in cryptocurrency.
The Ronin hack was the largest amount of money that had ever been stolen from the type of service called a bridge, which connects one blockchain to another so that value can be sent between them. More than $600 million was stolen from another cross-chain bridge about six months before that, and less than two months before that, another bridge platform called Wormhole was exploited for close to $325 million. The hacker returned Poly's stolen funds in a surprising twist.
Bridges are the weakest point in a lot of cryptocurrencies, and they have been targeted for more than $1 billion in a little over a year. It's worth explaining what they are, why they're important, and how they can plug the billion-dollar hole in their pockets.
If you don't have time to read further, the answer is that they are vulnerable, but less so over time.
If you don't know what a blockchain is, you can start here.
Users can exchange one kind of coin or token for another on the system. Every cryptocurrency has its own ledger, and there are newer ones like Solana. There is no simple way to send and receive currency transactions on the different blockchains.
Developers have built a bridge to make that crossing a little easier. If you want to sign up for a game, you can send your ETH into a bridge, get SOL in return, and use the same method to convert back when you're done.
Bridges handle a lot of complex requests and hold a lot of currency, and there is no standard for how they keep everything secure.
Imagine a bridge between two islands. You can't drive your car from one island to the other, because each island has different rules about the type of car you can drive. You can drive up to one side of the bridge, leave your vehicle in a parking garage, walk across, and pick up a rental car on the other side. When you're done driving around the other island, you bring your rental back to the bridge, walk across, and they give you the keys to your car.
That means for every rental car there is another car in the garage. The company that operates the bridge has to keep them all safe because some are stored for hours, others for days, and others for months. Other people know how many cars are in the garage and are looking for ways to steal them.
“If you’re trying to create a bridge between N different cryptocurrencies, the complexity of that is N squared.”
Bridges receive incoming transactions in one type of currency, lock it up as a deposit, and release an equivalent amount of currency on another platform. In a bridge hack, the attacker can withdraw money from one side of the bridge without putting anything in on the other side.
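The deposit-and-release accounting described above can be checked mechanically. The following is an added example, not code from the original article or from any bridge project: it reconciles constructed deposit and release logs and flags payouts that no locked deposit covers. The event shapes, IDs and the common value unit are assumptions.

```python
from collections import namedtuple

# Constructed event shapes for a hypothetical lock-and-release bridge.
# Amounts are integers in one common unit of value (an assumption).
Deposit = namedtuple("Deposit", "deposit_id amount")   # locked on chain A
Release = namedtuple("Release", "deposit_id amount")   # paid out on chain B


def reconcile(deposits, releases):
    """Return (findings, unbacked_total) for releases not covered by a deposit."""
    locked = {}
    for d in deposits:
        if d.deposit_id in locked:
            raise ValueError(f"duplicate deposit id {d.deposit_id}")
        locked[d.deposit_id] = d.amount
    paid = {}  # deposit_id -> amount already released against it
    findings, unbacked = [], 0
    for r in releases:
        if r.deposit_id not in locked:
            # Money left the bridge although nothing was ever put in.
            findings.append((r.deposit_id, "no matching deposit"))
            unbacked += r.amount
            continue
        already = paid.get(r.deposit_id, 0)
        excess = max(0, already + r.amount - locked[r.deposit_id])
        if excess:
            reason = "replayed release" if already else "release exceeds deposit"
            findings.append((r.deposit_id, reason))
            unbacked += excess
        paid[r.deposit_id] = already + r.amount
    return findings, unbacked


# Constructed sample logs.
DEPOSITS = [Deposit("d1", 10), Deposit("d2", 5)]
RELEASES = [
    Release("d1", 10),    # fully backed
    Release("d2", 7),     # pays out 2 more than was locked
    Release("d1", 10),    # same deposit released a second time
    Release("d9", 100),   # nothing was ever locked under this id
]

if __name__ == "__main__":
    findings, unbacked = reconcile(DEPOSITS, RELEASES)
    for finding in findings:
        print(finding)
    print("unbacked total:", unbacked)
```

A non-zero unbacked total means the bridge has released more value than it holds in deposits, which is the condition every bridge theft described here ends in.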
There are lots of opportunities for exploitable bugs in the complex code of bridges. If you are trying to create a bridge between N different cryptocurrencies, the complexity of that is N squared, which means more chances for bugs.
Different cryptocurrencies are written in different programming languages and deployed in different virtual environments. Figuring out how these things should interact is very difficult, especially for on-chain bridges.
Probably not. The industry has done a good job of securing the rest of the system, which is why attackers are targeting the weakest point. Kim Grauer, director of research at Chainalysis, told The Verge that bridge hacks are taking the place of the previous generation of damaging hacks against exchanges.
“If you looked at our ecosystem just a few years ago, centralized exchanges were the main target of hacks.”
The main targets of hacks a few years ago were centralized exchanges. Centralized exchange goes down again, and the industry worked hard to have solutions that allowed us to overcome these hacking problems. The industry can grow if the rate at which this hacking is happening continues.
The problem is that many bridges aren't on the ledger. The Ronin bridge is an off-chain system that exists on other servers that are not part of the blockchain. These systems are fast, flexible, and relatively lightweight, but can be hit with the same type of hacks that affect web services anywhere on the internet.
The Ronin bridge relied on nine validators, which were compromised through a combination of code hacks and social engineering.
“This is not really blockchain. These are ‘Web2’ servers.”
There are other bridge systems that operate as smart contracts. It is less likely that an attacker could subvert the code of an on-chain system through social engineering, and an attacker gaining majority power over the network is very unlikely. It can be hard to update the system in a timely way if there are bugs in the smart contracts. The big theft occurred after hackers spotted security updates that were uploaded to GitHub but had not been deployed to the live smart contract.
It is hard. Code auditing is a type of work where a project's development team might be working across different programming languages and computing environments. A large number of projects don't have an auditor listed.
“I wouldn’t call it necessarily a bubble, but it’s certainly a gold rush.”
The director of assurance practice at Trail of Bits said that the market has sprung up quickly. The pressure to grow, scale, and build new features can sometimes come at the expense of security work.
I wouldn't call it a bubble, but it's certainly a gold rush. The code audit comes in because there are a lot of things they are not looking at.