Bridge Exploits, 2022’s Hacker Jackpot

NEFTURE SECURITY | Blockchain Security
Published in Web3 Magazine, Feb 16, 2023 (5 min read)

2022 was the year of the cross-chain bridge hack. Eight incidents cost a staggering $1.9 billion, brought a slew of projects to their knees, and earned bridges the moniker "web3's weak link".

Be they centralized or decentralized, cross-chain bridges make interoperability within the blockchain sphere possible.

A cross-chain bridge connects independent blockchains and lets them communicate: calling functions in contracts that live on another chain, or transferring and swapping assets. Using a bridge, someone holding BTC can obtain an equivalent amount of a BTC-backed token on Ethereum, for example.

A cross-chain bridge does not move BTC from the Bitcoin blockchain to the Ethereum blockchain per se. Instead, it locks the BTC on the source side (in a smart contract or with a custodian) and mints a wrapped representation on the destination chain, such as WBTC on Ethereum, that stands for an equivalent amount and is usable there. Those wrapped tokens are only ever as good as the collateral locked behind them.

Transferring and swapping assets this way takes less time and incurs fewer fees than going through a centralized exchange, which has made cross-chain bridges immensely popular.

Consequently, they hold large amounts of cryptocurrency, making them prime targets for hackers.

What makes them even more enticing to hackers is that bridges are particularly susceptible to exploits, for two significant reasons: they are soft targets, and they expose multiple points of vulnerability.

Soft targets

Bridges are considered soft targets, "a person or thing that is relatively unprotected or vulnerable" (Oxford). For Coby Moran, lead investigator at Merkle Science,

“Bridges are not just vulnerable, but vulnerabilities.”

Cross-chain bridges are vulnerable because massive amounts of money are concentrated at a single storage point, either locked in a smart contract or held by a centralized custodian. That storage point is what hackers aim at.

By design, a cross-chain bridge is a digital asset wallet that is permanently connected to the internet: a "hot wallet" whose funds are one transaction away from being stolen, since withdrawals must execute on-chain on demand. Crypto exchanges and custody firms, by contrast, keep the bulk of their holdings in offline "cold wallets".

With all of their funds in one chest and an internet-shaped entry door that puts a target on them, cross-chain bridges need strong locks to keep hackers away. Unfortunately, according to web3 cybersecurity experts, overall cross-chain bridge security is not up to par with the massive amounts of funds they have to protect. Moreover, an in-depth look at cross-chain bridge hacks clearly shows they suffer from one fatal disease: bad code.

Glaring coding errors and weaknesses in cross-chain bridges exist for mainly one reason. Whether through lack of knowledge, awareness, or ethics, the founders of these bridges did not, and often still do not, invest enough time and money in building solid code that would stop hackers from breaching it. A very bad habit has developed in the web3 ecosystem over the past few years: slapping together code and then passing it to an auditing firm that acts as a stamp of secure approval. This over-reliance on auditing created the idea that robust code could be substituted by the patch-up work done by auditing firms. In reality, an audit only makes the code less bad.

A screaming example is the bad code update that cost the Nomad bridge $190 million in August 2022. A routine upgrade marked the all-zero root as a trusted root, so messages that had never been proven passed the bridge's check. Hackers only needed to send as little as 0.1 bitcoin from one blockchain on Nomad to receive as much as 100 bitcoin on another.

Instead of investing in a strong team of developers who can secure and protect their cross-chain bridges, projects outsource security that should never be outsourced. Auditing is integral to the securing process but cannot be all of it. Beyond developers who can thwart hackers, bug bounty programs need to be implemented, smart contract addresses must be continuously monitored, and so on.

Unfortunately for cross-chain bridges with wobbly security, they also expose multiple points of vulnerability, putting them at very high risk of losing it all.

Multiple points of vulnerability

Not only do cross-chain bridges suffer from the basic security threats that plague all of web3, like the private key compromise that cost the Harmony bridge $100 million in June 2022, they also have three additional points of access that hackers used aplenty in 2022 to reach the booty hidden in the bridges' chests.

Validator Takeover. The Lazarus Group, a North Korean hacking team, used validator takeover to commit the biggest cross-chain bridge heist of 2022, siphoning $625 million from the Ronin bridge. In some cross-chain bridges, a set number of validators must approve each transfer by signing it. If a hacker controls enough of those validators to reach the threshold, they can approve any transfer. In the Ronin Network hack, the attacker obtained the keys of five of the bridge's nine validators and approved their own malicious withdrawals.

Faking a Deposit. In October 2022, the BNB Smart Chain bridge saw an attacker obtain two batches of one million BNB, together worth about $570 million. Before performing a transfer, a cross-chain bridge validates proof that the corresponding deposit or withdrawal happened on the other chain. If a hacker can trick the bridge into believing a deposit has been made, they can withdraw its value from the bridge. The BSC attacker forged a proof of deposit that the bridge's IAVL Merkle-proof verification accepted because of a flaw in that verification code.
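The Nomad failure described earlier and the forged-deposit pattern above come down to the same question: does the destination contract release funds only for a message it has actually verified against a committed root? The following is an added Python model written for this edit, not code from the original article or from any of the bridges named here. The Merkle tree, the deposit payloads and the Replica class are constructed for illustration; the zero-root sentinel logic follows the public description of the Nomad Replica upgrade, simplified.

```python
"""Deposit-proof checks on a lock-and-mint bridge (constructed Python model)."""
import hashlib

ZERO_ROOT = b"\x00" * 32
LEGACY_PROVEN = (1).to_bytes(32, "big")      # sentinel values stored in the
LEGACY_PROCESSED = (2).to_bytes(32, "big")   # messages mapping, Nomad-style


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(message: bytes) -> bytes:
    return sha(b"\x00" + message)            # domain-separate leaves from inner nodes


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha(b"\x01" + left + right)


def _next_level(level: list) -> list:
    if len(level) % 2:
        level = level + [level[-1]]          # duplicate the last node on odd levels
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root; the flag says the sibling sits on the right."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        proof.append((padded[index ^ 1], index % 2 == 0))
        level, index = _next_level(level), index // 2
    return proof


def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_right in proof:
        node = node_hash(node, sibling) if sibling_is_right else node_hash(sibling, node)
    return node == root


class Replica:
    """Destination-side contract: a message must be proven against a confirmed
    root before process() will mint for it."""

    def __init__(self, committed_root: bytes, reject_zero_root: bool = True):
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to confirm the zero root")
        self.confirm_at = {committed_root: 1}    # root -> time it becomes acceptable
        self.messages = {}                        # message hash -> root it was proven under
        self.minted = []

    def acceptable_root(self, root: bytes, now: int = 10) -> bool:
        if root == LEGACY_PROVEN:
            return True
        if root == LEGACY_PROCESSED:
            return False
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and now >= confirm_time

    def prove(self, message: bytes, proof: list, root: bytes) -> bool:
        if not self.acceptable_root(root) or not verify_proof(leaf_hash(message), proof, root):
            return False
        self.messages[sha(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        key = sha(message)
        # A Solidity mapping yields 0x00..00 for a key never written; .get() mirrors that.
        root = self.messages.get(key, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.messages[key] = LEGACY_PROCESSED     # replay protection only
        self.minted.append(message)
        return True


def demo() -> dict:
    deposits = [b"deposit:alice:1.0", b"deposit:bob:0.5", b"deposit:carol:2.0"]  # constructed
    leaves = [leaf_hash(d) for d in deposits]
    root = merkle_root(leaves)
    fake = b"deposit:mallory:100.0"

    good = Replica(root)
    real_ok = good.prove(deposits[1], merkle_proof(leaves, 1), root) and good.process(deposits[1])
    # A forged deposit fails honest proof arithmetic; the attacker needs a bug in the
    # verifier itself (the forged IAVL proof in the BSC case) to get past this line.
    forged_rejected = not good.prove(fake, merkle_proof(leaves, 1), root)
    unproven_rejected = not good.process(fake)

    # Nomad-style misconfiguration: the upgrade confirmed the zero root, so the
    # mapping's default value for a never-proven message counts as proven.
    bad = Replica(ZERO_ROOT, reject_zero_root=False)
    zero_root_minted = bad.process(fake)
    return {"real_ok": real_ok, "forged_rejected": forged_rejected,
            "unproven_rejected": unproven_rejected, "zero_root_minted": zero_root_minted}


if __name__ == "__main__":
    print(demo())
```

demo() returns four booleans: the real deposit mints, the forged proof and the never-proven message are both rejected by the correctly configured replica, and the replica that confirmed the zero root mints for a message nobody proved. The practitioner's check is the constructor guard: never let an all-zero or other default value become an accepted root, and never let a mapping's default value pass as evidence that a proof happened.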

Validator Integrity Exploit. In February 2022, Wormhole lost about $320 million (120,000 wrapped ETH) to a validator integrity exploit. Bridges have a set of "guardians" that validate a deposit before a transfer between chains is permitted. In the Wormhole hack, the attacker exploited a flaw in the digital signature validation: the contract did not check that the account it relied on to confirm that the guardian signatures had been verified was the genuine one, so the verification step could be faked. Roger Grimes, data-driven defense evangelist at KnowBe4, reported: "The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened. So, there was no integrity guaranteed in the integrity check."
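The Ronin and Wormhole cases are failures of the attestation step from opposite sides: at Ronin the signature check was sound but the attacker held enough keys to satisfy it, at Wormhole the check could be skipped altogether. The model below is an added example written for this edit, not code from the article or from either project. The validator keys, the withdrawal payload, the GuardianSet and BridgeVault classes and the per-window limit are constructed assumptions; signatures are hash-based Lamport one-time signatures so that the block runs on the Python standard library alone.

```python
"""Guardian attestation checks on a bridge (constructed Python model).

Signatures are hash-based Lamport one-time signatures so the block runs on the
standard library alone; a real bridge uses ECDSA or Ed25519, but the verifier
logic is the same. Each key signs at most one message in the demo.
"""
import hashlib
import secrets


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> tuple:
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha(a), sha(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (255 - i)) & 1


def sign(sk: list, message: bytes) -> list:
    d = int.from_bytes(sha(message), "big")
    return [sk[i][_bit(d, i)] for i in range(256)]   # reveal one secret per digest bit


def verify(pk: list, message: bytes, sig: list) -> bool:
    d = int.from_bytes(sha(message), "big")
    return len(sig) == 256 and all(sha(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


class GuardianSet:
    def __init__(self, public_keys: list, threshold: int):
        self.public_keys, self.threshold = public_keys, threshold

    def verify_attestation(self, message: bytes, signatures: dict) -> bool:
        """Sound check: count distinct guardian indices whose signature really verifies."""
        valid = {i for i, sig in signatures.items()
                 if 0 <= i < len(self.public_keys) and verify(self.public_keys[i], message, sig)}
        return len(valid) >= self.threshold

    def verify_attestation_broken(self, message: bytes, signatures: dict,
                                  caller_says_verified: bool) -> bool:
        """Broken pattern: the integrity check is delegated to a status the caller
        supplies, so the signatures themselves are never examined here."""
        return caller_says_verified and len(signatures) >= self.threshold


class BridgeVault:
    """Destination-side vault: release funds only on a valid attestation, and never
    more than window_limit per window, a brake the attestation alone does not provide."""

    def __init__(self, guardians: GuardianSet, balance: int, window_limit: int):
        self.guardians, self.balance, self.window_limit = guardians, balance, window_limit
        self.released_this_window = 0

    def withdraw(self, payload: bytes, signatures: dict) -> bool:
        if not self.guardians.verify_attestation(payload, signatures):
            return False
        amount = int(payload.split(b":")[1])         # payload: b"withdraw:<amount>:<to>"
        if amount > self.balance or self.released_this_window + amount > self.window_limit:
            return False
        self.balance -= amount
        self.released_this_window += amount
        return True


def demo() -> dict:
    keys = [keygen() for _ in range(9)]               # nine validators, five must approve
    guardians = GuardianSet([pk for _, pk in keys], threshold=5)
    vault = BridgeVault(guardians, balance=1_000_000, window_limit=50_000)
    fraud = b"withdraw:1000000:0xattacker"            # constructed payload

    # Ronin-style: the check is sound, but the attacker holds enough validator keys.
    four_keys = {i: sign(keys[i][0], fraud) for i in range(5, 9)}
    five_keys = {**four_keys, 4: sign(keys[4][0], fraud)}
    replayed = {i: four_keys[5] for i in range(9)}    # one real signature under every index

    # Wormhole-style: no signatures at all, only a claim that they were checked.
    no_sigs = {i: [] for i in range(5)}

    return {
        "four_of_nine": guardians.verify_attestation(fraud, four_keys),
        "replayed_sig": guardians.verify_attestation(fraud, replayed),
        "five_of_nine": guardians.verify_attestation(fraud, five_keys),
        "bypass_sound": guardians.verify_attestation(fraud, no_sigs),
        "bypass_broken": guardians.verify_attestation_broken(fraud, no_sigs, True),
        "drain_capped": vault.withdraw(fraud, five_keys),
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns six booleans. Four compromised keys fail the five-of-nine threshold and a replayed signature only counts once, but five stolen keys satisfy a perfectly correct check, which is why key custody and validator independence matter as much as the contract code. The empty-signature attestation is rejected by the sound verifier and accepted by the broken one. Finally, the vault refuses to release the whole balance in one window even on a valid attestation; that per-window limit is a constructed mitigation for illustration, not something any of the bridges named here is claimed to have used.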

Many cross-chain bridges had a wake-up call after the 2022 rampage and are working on securing themselves more effectively.

Nevertheless, the massive amount of funds and multiple inherent vulnerabilities they suffer paint a giant red target on them.

It is not far-fetched to expect hackers to keep up their onslaught throughout 2023. Their success will depend entirely on how far the targeted cross-chain bridges toughen up their security.
