The case for canonical asset bridging: Why are bridge hacks so common?

Tldr; Many cross-chain bridge hacks involve third-party bridges using representative assets. Using canonical assets is the only trustless way to transfer value. Across uses only canonical assets and is able to offer low costs without making security trade-offs. It does this by incentivizing a network of relayers to fulfill user intents.

Key takeaways:

• Cross-chain bridge hacks account for a significant portion of crypto thefts.
• Third-party bridges that use representative assets frequently suffer from hacks because the complexity of their design makes for a huge attack vector.
• Using canonical assets is the only way to trustlessly transfer value between chains.
• Across uses canonical assets delivered by relayers fulfilling user intents, which lowers costs without making security trade-offs.

CCross-chain interoperability is showing huge promise, but bridge hacks are still a big elephant in the room holding the space back. Of the billions of dollars worth of crypto assets stolen in recent years, a significant portion has been looted in targeted bridge attacks. What’s more, many of the biggest crypto thefts ever have been from bridges.

While every bridge hack differs in scope and methodology, they often have one thing in common. Many hacks involve third-party bridges that use representative assets. This is unsurprising given the complexity they require.

As we explained in our previous feature in this blog series, using canonical assets instead of representative assets is the only trustless way to transfer value through the cross-chain ecosystem.

In this piece, we examine some of the major attacks associated with third-party bridges using representative assets. We also explain why Across’ design, which uses canonical assets through an intents-based framework, is the optimal one from a security and user experience perspective.

Why third-party lock-and-mint bridges are prone to hacks

Bridges adopt different designs to enable cross-chain interoperability but they can be divided into two categories:

• Using canonical assets
• Using representative assets

Third-party bridges use representative assets to transfer value. When users move funds through a third-party bridge, they have to lock up their assets and then mint a representative asset to use at the destination.

Representative assets are trusted assets because users have to trust them when they lock up their funds.

While third-party bridges do not require external liquidity, they adds trust assumptions. Users have to trust the bridge that they’ll be able to redeem their native assets. When a bridge uses external liquidity, LPs or relayers commit capital. With third-party bridges, users lock up their assets, which means they take on security risk.

Bridges may lock hundreds of millions of dollars at a time without anyone paying for security. This has a “honeypot” effect where there is a high incentive for hackers to attack bridges.

Hackers frequently target bridges by attacking the system’s minting rights. This attack method involves sending messages to artificially inflate the supply of a token and then steal the newly minted tokens.

Third-party lock-and-mint bridges are honeypots for hackers.

Bridge hacks can be complex, and they’re not always comparable to one another. However, as major incidents of the past few years have revealed, they often have one thing in common:

Bridge hacks frequently involve third-party bridges that use representative assets because these solutions make major security trade-offs.

The risks of using representative assets are twofold. There’s risk associated with the minted asset itself, and the user takes on that risk when they receive the asset, for as long as they hold it. Additionally, there’s risk in validating messages associated with representative assets as a message’s value could mint infinite tokens, making its value unbounded. This explains why mint hacks are so common: the likely profit of corruption from attacking the system is greater than the cost of corruption.

Revisiting the cross-chain space’s biggest bridge hacks

Almost all of the biggest bridge hacks in crypto history have involved third-party lock-and-mint bridges that use representative assets.

In February 2022, Wormhole was hacked for $320 million after an attacker minted 120,000 wETH (Wormhole-ETH) tokens. The attacker tricked the bridge into thinking its guardians had verified a 120,000 wETH deposit and then unwrapped the stolen funds for ETH. This attack exploited Wormhole’s message validation system to falsely mint representative assets and then convert them to ETH.

The Ronin Network exploiter steals 173,600 wETH. They also stole 25.5 million USDC in a separate transaction (Source: Etherscan)

In March 2022, Ronin Network was drained of around $590 million, making it one of the biggest attacks in crypto history. The attacker took control of five of the bridge’s nine validators to sign off malicious withdrawals. They stole 173,600 wETH and 25.5 million USDC across two transactions. This hack occurred because the attacker was able to take control of a majority of the validators. But the attacker made off with such a huge sum because Ronin used representative assets. As the bridge locked nine figures worth of funds from Ethereum with representative assets minted on Ronin, it created a honeypot for the attacker.

In June 2022, hackers looted $100 million from Harmony’s Horizon bridge. The incident occurred after the attackers compromised private keys and then validated a series of withdrawals. Horizon lets users lock assets from Ethereum in the bridge and then receive representative assets on Harmony. This incident was primarily caused by poor security management, but it was extremely profitable for the hackers because the bridge uses lock-and-minting and representative assets.

In August 2022, attackers stole around $190 million from Nomad in a “crowdsourced” attack. In this incident, attackers exploited a contract bug to automatically prove messages, tricking the bridge into unlocking funds. Multiple attackers used the exploit to drain the bridge. As with Wormhole and Ronin, Nomad lets users lock funds in the bridge and receive representative assets at a destination.

Each of these incidents slightly differed from one another. However, it’s easy to see the link between them. Every bridge used a lock and minting mechanism with representative assets. Put another way, they were hacked because they created a “honeypot effect,” where attackers were highly incentivized to target them.

Next-generation lock-and-mint designs

As the cross-chain space has grown, various forms of representative assets have emerged. They include LayerZero’s OFTs, which aim to make different types of token composable throughout the cross-chain ecosystem. The OFT standard lets users mint a Bitcoin representative called $BTC.b and then use it on Ethereum, Avalanche and so on.

More recently, Connext introduced xERC20, which aims to be the cross-chain space’s first canonical bridged token standard. xERC20 proposes letting users lock canonical assets in a “Lockbox” to receive xTokens at the origin, and then they can unwrap their xTokens when they return to the original destination. This creates an open standard for lock-and-mint, which is safer than a proprietary model like LayerZero’s. Unlike OFTs, xERC20s are validated by a set of entities rather than one single actor. For this reason, xERC20s take a better approach than OFTs. While xERC20s are less secure than canonical assets, using them could make sense in certain cases.

Connext’s xERC20 uses an immutable contract called a “Lockbox” that wraps tokens 1:1 for xERC20 (Source: xERC20)

Both of these new standards aim to unify liquidity. But there are risks to using both OFTs and xERC20s because they introduce isolated security standards and require users to wrap up canonical tokens for a representative asset. No one pays for security; the user simply locks up their funds and takes on the risk. This is no different to how third-party lock-and-mint bridges work.

Why canonical asset bridging is the only trustless way to transfer value

The number of severe hacks involving third-party lock-and-mint bridges highlights the risks of using representative assets.

There is an alternative approach to enabling cross-chain value transfer: bridges can use canonical assets, which don’t ask the user to trust a new asset at the destination.

While third-party bridges lock up user funds and let users mint a representative asset, bridges that use canonical assets use external liquidity to fill orders quickly. This approach relies on third parties to put up capital.

Canonical asset bridging does not ask users to trust a new asset or burden them with risks. This approach is the only trustless way to transfer value.

How Across lets users trustlessly transfer value at a low cost

Using canonical assets to transfer value has a cost. This is because someone has to put up liquidity.

Besides native bridges and stablecoin bridges, which use lock-and-minting with canonical assets, bridges use canonical assets through liquidity pools. There are two possible approaches to this: delivery-vs-payment (DvP) or intents bridging.

The DvP method is gas-intensive because it requires onchain verification, and transfers can be slow as the origin and destination need to reach finality.

Intents bridging offers many benefits, and it’s the approach Across takes. In Across’ system, relayers front their assets to fulfill users’ intents. That means relayers carry risk on behalf of users. When they take this risk, they place trust in UMA’s optimistic oracle, which verifies relayer repayments. They do this knowing that UMA only needs one honest actor to dispute invalid transactions.

In exchange for carrying risk, relayers expect a return on their assets. They effectively make a short-term loan and then wait for their return.

In this system, users can trustlessly transfer value without taking on risk. Across users express their intent when they make a deposit and relayers step in to fill their order as quickly as possible. Relayers take a risk when they fill an order because they receive interest on their loan, and they trust UMA to ensure that they’ll be repaid promptly.

Across offers users higher speeds and lower costs than third-party lock-and-mint solutions, without burdening users with risk.

If a relayer lends out their assets for an hour at a 10% rate, the cost of the loan is just 0.1 basis points. So while there is a trade-off, the cost is extremely low, and there are no increased trust assumptions burdened on the user.

Across also makes other optimizations, such as bundled relayer repayments to save on gas and capital-efficient protocol level rebalancing.

As a result, Across offers users higher speeds and lower costs than third-party lock-and-mint solutions, without burdening users with risk. Across does not mint any representative assets; it lets users express their intent, while relayers step in to fill their orders.

Canonical assets and the future of cross-chain interoperability

Demand for cross-chain interoperability is growing. That means demand for bridges is also growing. But as many bridges use lock-and-minting with representative assets, they are a major security risk.

Some of the biggest crypto thefts of recent years have involved bridges that use representative assets, and it’s likely that more will occur in the future. There is a solution to this problem. Due to the risks third-party lock-and-mint bridges present, cross-chain users should avoid them altogether. Canonical asset bridging is the only trustless way to transfer value, and the ecosystem will establish stronger foundations when such solutions are widely adopted over riskier alternatives.

As an intents bridge that uses canonical assets, Across is poised to support a healthy cross-chain ecosystem in the future. Across users benefit from high speeds and low costs due to its intents-based framework, and they do not need to trust a new asset because the relayer carries the risk. We believe this is the right solution to support the cross-chain future. In many years to come, canonical asset bridging should completely replace representative asset bridging because it is more secure. That should also significantly reduce the number of bridge hacks.

This piece was compiled with contributions and editing from Ryan Carman, Across Product Lead and Clayton Roche, Across and UMA Content Strategist.

References

• Blockchain bridge Wormhole confirms that exploiter stole $320 million worth of crypto assets [TechCrunch]
• Hackers Steal About $600 Million in One of the Biggest Crypto Heists [Bloomberg]
• Hack Analysis: Nomad Bridge, August 2022 [Immunefi]
• Harmony identifies $100M Horizon bridge theft [@harmonyprotocol]
• Introducing Bridged USDC Standard [Circle]
• The intents bridge: Cross-chain value transfer and the future of interoperability [@dreamsofdefi for Across]
• The intents bridge: How Across optimizes for gas efficiency [@dreamsofdefi for Across]
• The intents bridge: How Across uses optimistic verification to lower costs [@dreamsofdefi for Across]
• Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk [Chainalysis]
• Why Is Financial Engineering Important in Bridging? Episode 2 [@kevin-uma for Across]