Exploring Open Challenges and Future Research Avenues in Cross-Chain [2024]
This article belongs to a series of articles analyzing the state of security and privacy in cross-chain protocols.
Access the paper below👇👇👇
In the rapidly evolving landscape of blockchain technology, blockchain interoperability has emerged as a critical research topic, enabling seamless communication and asset transfer between disparate blockchain networks. However, with innovation comes inherent risks, and ensuring the security of cross-chain systems has become paramount in safeguarding against malicious actors and vulnerabilities. Check out our previous article motivating the need for studying cross-chain protocols. This article sheds light on vulnerabilities, privacy leaks, attacks, and recommendations for operators to fortify their systems.
Motivation
Since May 2021, bridge hacks have led to losses exceeding USD 3.2B, a concerning trend depicted in Figure 1. Cross-chain bridge hacks have become prominent in the DeFi space, frequently targeted by cybercriminals and dominating the list of major incidents (see a leaderboard here). The situation remains grim, with reports of widespread hacks. Consequently, the total value locked (TVL) in cross-chain bridges has plummeted from USD 58B in early 2022 to just USD 10B by March 2024.
Relevant Security Layers
The security of a cross-chain system can be delineated into several layers, as illustrated in Figure 2.
- At the foundation lies the Network Layer, represented by the underlying systems or networks forming the basis of a cross-chain solution. These may encompass distributed ledgers or centralized databases, with the chosen consensus mechanism and smart contract engines shaping security considerations within this layer.
- The Protocol Layer addresses the architectural decisions involved in constructing a cross-chain protocol, delineating actors’ roles and responsibilities, and ensuring the provision of requisite security and performance attributes.
- The Implementation Layer encompasses the entirety of the implementation lifecycle, incorporating both off-chain elements (such as relayers, oracles, and incident response systems) and on-chain components (including smart contracts and protocols) essential for facilitating interoperability and executing business logic.
- Finally, at the top, the Operational Layer focuses on ensuring the operational viability and adaptability of cross-chain solutions post-design and implementation. This layer is tasked with defining deployment, maintenance, and upgrade procedures for both on-chain and off-chain elements, addressing management protocols, infrastructure monitoring, code updates, and response mechanisms to external or internal anomalies.
Uncovering Vulnerabilities and Leaks
We have identified 45 vulnerabilities across different security layers of cross-chain systems and 5 privacy leaks, highlighting critical areas for improvement. Each vulnerability is explained in detail in the paper, from page 15.
Security Leaks
We have identified 45 vulnerabilities across different layers: 3 in the network layer, 22 in the protocol layer, 17 in the implementation layer, and 3 in the operational layer. Many studies focus on common vulnerabilities (e.g., V13, V18, V19), while specific bug reports highlight more specific issues (e.g., V14, V40). Surprisingly, we found fewer vulnerabilities in the operational layer, which plays a significant role in cross-chain hacks. Additionally, this might suggest that academia needs to address industry-relevant issues adequately because the same vulnerabilities are continuously occurring.
Privacy leaks
We have also discovered four theoretical privacy leaks. From our analysis, no privacy leak has been reported in cross-chain systems. Therefore, we could not cross-reference this information with past incidents. In a future article, we will dive deep into privacy in cross-chain, stay tuned!!
Future Research Directions
We point the reader to some topics that should be further explored in cross-chain:
- Empirical assessments of protocol performance and associated costs: this involves conducting empirical assessments to evaluate the performance and associated costs of cross-chain protocols in real-world scenarios.
- Proactive monitoring of cross-chain systems: establishing proactive mechanisms to continuously monitor action on multiple chains enabling early detection and mitigation of potential integrity breaches.
- Working on privacy-preserving mechanisms for guaranteeing user privacy and data confidentiality. The trade-off between user/operator accountability and the privacy level offered is definitely worth exploring.
- Comprehensive incident response frameworks for generic cross-chain systems: developing comprehensive incident response frameworks tailored specifically for generic cross-chain systems, ensuring swift and effective responses to security incidents and breaches.
- Design patterns across interoperability solutions. Each solution employs a different architecture, making the process too ad-hoc: identifying and standardizing design patterns across different interoperability solutions to promote consistency and interoperability among diverse architectures.
- Maximal Extractable Value (MEV) as a defense strategy for interoperability projects: exploring the concept of Maximal Extractable Value (MEV) and its potential application as a defense strategy for interoperability projects to mitigate the risks associated with attacks.
- There is room for contributions in major standardization bodies such as ISO, and IETF: the opportunity for contributions to major standardization bodies such as ISO (International Organization for Standardization) and IETF (Internet Engineering Task Force) to shape and influence the development of standards for blockchain interoperability and related technologies. One example is the Secure Asset Transfer Protocol (SATP) — see the specification here.
A special thanks to Rafael Belchior for reviewing and making suggestions that improved this post.
Additional relevant resources:
