Crypto Bridges — What are they, why they became a global hacking target, and are there alternatives?
Mind the Gap — exploits of cryptocurrency bridges are on the rise. An estimated $2bn was stolen from bridging solutions in 2022 alone. But what are Crypto Bridges, why have they become such a target, and are there any alternatives?
Cryptocurrency exploits are certainly nothing new, but while historically centralized exchanges were the focus of attackers, a new trend seems to emerge; the exploit of so-called Crypto Bridges.
Latest Victim, the prominent BNB Chain
But to understand why they are increasingly targeted, we need to understand the mechanics of bridges in the first place, what purpose they serve and what vulnerabilities they have.
What are Crypto Bridges?
Crypto Bridges, in essence, try to solve the interoperability problem between blockchains. Since the emergence of Bitcoin, we have over 100 active public blockchains, each with unique features and traits. However, most of them are unable to communicate with each other. These interoperability issues stem from the fact that Layer-1 blockchains are closed ecosystems, i.e., tokens issued on one chain can not be transferred to another as the underlying protocol would not recognize them, rendering them useless.
This leads to a silo approach in the industry where each chain runs by itself, hampering the overall technology’s adoption, development, and usability.
Similar to the real world, assets need to be able to flow from one economy to the other to unlock their full potential. The less friction and barriers, the higher the unlocked value.
Assume you are holding Bitcoin. Apart from holding value and making payments, it has no other use case. The Ethereum network, on the other hand, offers attractive utilities such as DeFi, smart contracting, and staking. But unless you are willing to sell your BTC in exchange for some ETH, there is no way to participate in the Ethereum ecosystem.
Enter the Crypto Bridge — a tool that enables you to use your Bitcoin on another chain without transferring or exchanging your Bitcoins, which is a costly procedure.
Simply put, by using a bridge, you lock assets on chain A and receive an equivalent amount of A-Tokens, which are compatible with chain B. This procedure is known as token wrapping. You can now deploy these wrapped tokens on the new blockchain ecosystem. And when you’re done, you simply change your wrapped tokens back into the native version.
This is somewhat similar to going to the casino, where you deposit fiat currency in return for chips. You play with them as long as you deem fit and cash them out when leaving.
Use case scenarios
For a better understanding, let’s look at some real-life use cases for wrapped tokens;
- Leverage; A user can deposit his BTC with Bridge and receive wBTC (an ERC-20) token in return. He then can use the w BTC as collateral to draw a loan in another token to make additional investments.
- Lower transaction fees; Certain chains can have very high gas fees for transacting. By bridging a Layer 1 token onto Layer 2, users can profit from lower gas fees on the second layer.
- DApps on other chains; Let’s say token A provides a better interest rate on an alternative chain; bridging can be used to optimize the return of your assets.
By providing a solution to solve the interoperability issue, crypto bridges help to build a network of networks. The below attempt to visualize the impact of bridges shows the magnitude of the concept.
What kinds of Crypto Bridges are there?
Crypto Bridge classification by Purpose
While crypto bridges come in various shapes and designs, they fundamentally classify into four types, each with a specific purpose:
Asset-Specific
These bridges are designed to handle one specific asset. The most prominent example here would be Bitcoin which has several bridges specifically targeting BTC users for bridging their assets to other chains such as Ethereum. Asset-specific bridges are relatively light and simple in design but offer limited functionality.
Chain-Specific
Similar to asset-specific bridges but they cover all assets of an underlying chain. A good example is Polygon’s PoS bridge which allows users to bridge nearly any ERC-20 token to Polygon (and vice versa). As the name suggests, chain-specific bridges are limited to communication between two chains. While the complexity remains limited, the two-chain approach hampers scalability.
Application-Specific
Unlike the first two, application-specific crypto bridges focus on linking two or multiple chains to use the same application. Instead of setting the application up on multiple chains simultaneously, the protocol can interact with multiple chains simultaneously by bridging from and to the application. The downside of application-specific bridges is that they are tied to the underlying application and must be replicated for each application. A use case for application-specific bridging are cross-chain lending protocols.
Generalized Bridges
A protocol that aims to transfer information across multiple chains and applications. Although this sounds like the perfect solution, the concept of a generalized crypto bridge is highly complex and thus has to compromise speed, security, or centralization. Rings a bell? Yes, even bridges face the blockchain trilemma.
Crypto Bridge classification by Design
Crypto bridges can also be classified by their security mechanism. This approach is helpful when analyzing the risks of bridges rather than their complexity.
Trusted Bridges
- Depend on a central entity or system.
- Users are required to lock their tokens with this centralized entity.
- Security is based on a trust assumption into a third party, similar to a CEX.
Trustless Bridges
- Use of smart contracts and algorithms.
- Through smart contracts, users remain in control of their funds. No centralized custody is required.
- The security relies entirely on the underlying blockchain.
Insured Bridges
- Deposited funds are insured; thus, an attack is supposed to have less effect on users.
- Malicious actors would be required to deposit collateral before an exploit and thus become liable for misbehavior.
- Insured bridges can accept a variety of assets as collateral, independent from the bridged asset.
Bonded Bridges
- Similar to insured bridges, it requires participants to deposit collateral. However, the collateral protects the bridge and not the user itself.
- In the case of an exploit, bondholders will be reimbursed based on their collateral, thus partially protecting their capital.
- Bonding is supposed to provide safety for the ecosystem.
- The risk here is that the bond capital is a native bridge token. In the case of an exploit, users tend to cash in on their bonds, which diminishes the token’s value.
Like many other things, it’s not always black or white. Many crypto bridges use varying degrees of trustlessness. And while the goal of this approach is to achieve the best of all worlds, this can be somewhat confusing for the user when it comes to comparing bridges for the safety aspects.
Why are Crypto Bridges targeted?
While crypto bridges offer an alternative to centralized exchanges to unlock additional features of networks and tokens and thus eliminate some centralization issues, they increasingly become targets of hackers.
Increased adoption and publicity of blockchain technology are leading to vast amounts of money accumulating and circulating in tokens. And while the adoption of blockchain assets grows, so does the need for inter-network communication. The need for these cross-communication solutions resulted in a vast amount of bridges being deployed. Many of which were cobbled together hastily, often sacrificing speed and usability for security. Their open-source nature allows malicious actors to study the code and find loopholes to exploit.
Since 2021 funds stolen from DeFi protocols skyrocketed, amounting to more than $2bn at the time of writing.
While crypto exchange exploits were the leading factor in the early days, the sentiment is now geared towards bridges. Over 60% of stolen crypto funds in 2022 were drained from crypto bridges topping a whopping $1.6 billion!
Most notable crypto bridge exploits in 2022
September 2022
- BNB Chain $100m (est. 10–07–2022)
August 2022
- Nomad $156m
- Poly Network $611m
March 2022
- Ronin Network $540m
February 2022
- Wormhole $325m
One of the reasons is that centralized exchanges have learned from past exploits and increasingly deploy vast amounts of assets to secure their platforms.
Crypto Bridges, on the other hand, are often open source and allow hackers to study the code for loopholes and flaws they can utilize to their advantage.
What are the Risks of using Crypto Bridges?
Looking at the number of exploits and attacks, it’s fair to say crypto bridges still have to prove their worth regarding safety and security.
Both categories, trusted and trustless bridges, present their sets of risks. Below you can find some of the risks embedded in either. But remember, many crypto bridges combine trusted and trustless protocols, making them vulnerable to a culmination of risk factors.
- Smart Contract Risk; the risk of a flaw in the code that leads to a loss of funds, even if there is no external influence.
- Technology Risk; software failure or bugs that leave the bridge vulnerable to attacks by hackers and malicious protocols.
Trusted crypto bridges also incorporate risks associated with centralized entities, such as;
- Censorship Risk; A bridge operator can interfere and prevent users from using the bridge.
- Custodial Risk; Centralized custody leads to a single point of attack.
Insured and Bonded bridges present an additional subset of risks linked to their collateral;
- Collateral as Target; Collateralized assets are registered with the bridge and can become targets of attack themselves.
- Undercollateralization; In a worst-case scenario, the collateral can be insufficient to cover losses.
- Loss of Collateral Value; Bridge native tokens as collateral (for bonded bridges) diminish in value in case of an attack.
How are Crypto Bridges hacked?
Based on the methods used on the Qubit, Wormhole, and Ronin bridges, we can identify three popular attack vectors:
- Validator Takeover; When crypto bridges use a validator setup, and an attacker gains access to the majority of validator nodes, he can use this control to validate fake and malicious transactions. This happened to Ronin, where attackers took over 5 out of 9 validator nodes.
- False Deposits; Crypto bridges monitor the deposit of assets on one side to validate the release of wrapped tokens on the other. If an attacker can trick the protocol into accepting nonexisting deposits, he can drain wrapped tokens on the other end. Qubit suffered from such a false deposit event.
- Fake Deposits; Similar to a false deposit attack, the attacker generates a fake deposit, using a false signature, tricking the validation process into the release of funds. The attack on the Wormhole bridge was executed using fake deposits.
What are the Implications of Crypto Bridge exploits?
While it may not be meaningful to state the obvious, such as overall reputational and financial consequences, there are other, less visible effects of exploits.
- Dual impact; Since bridges fill the gap between otherwise separated environments, an attack on a bridge tends to impact both involved chains. Imagine a false deposit attack. One chain is left with a spending transaction that never existed, while the other chain finds itself with tokens that should not have been issued in the first place.
- Tracking illicit tokens; Wrapped tokens tend to have a higher degree of complexity, making it more challenging to track illegal funds post a successful bridge exploit.
- Arbitrary impact on token pricing; An illicit transaction can lead to the decline of a token on one chain but not the other, thus creating an arbitrage opportunity. This arbitrage opportunity is then presented to all users, not just the attacker. Meter.io suffered from precisely this arbitrage issue after a successful hack in early 2022.
How can users and protocols protect themselves?
Although there is never a guarantee, there are means to reduce the risks when using crypto bridges.
For users, the first thing that would spring to mind here is DYOR — do your own research!
Make sure you understand the bridge you intend to use. You can do this by asking a few simple yet effective questions:
- What degree of centralization does the crypto bridge have?
- What is the history of the protocol?
- Who is behind the project?
- Is the project code audited?
- What security measures are in place?
- Is the protocol trustworthy?
- Are the underlying chains reliable?
Crypto bridges and developers, on the other hand, will have to get to work on how they operate and what measures they put in place to protect their users;
- They need to ask themselves the question of whether it is worth making a sacrifice of security over speed.
- Like any other software, bridge protocols will require constant adjustment and tweaks to remain ahead of malicious participants.
- Before being deployed to the public, bridge protocols must undergo rigorous testing and bug hunts.
- Using external auditors can help to find hidden flaws and establish a common ground for security standards.
Are there alternatives to Crypto Bridges?
The answer to this question pretty much comes down to the question of the intended use case.
If you simply want to transfer your token from one chain to another, let’s say for staking, then crypto bridges are probably the most convenient solution.
When you look for scalability solutions in general, crypto bridges are just one more way, and you might want to consider other solutions, such as layer-2 and layer-3 protocols or distributed ledgers. Going into detail on each of these solutions would exceed the scope of this article, but let’s look at a layer-2 solution example for multi-chain trading.
Yellow.com is currently working on a layer-2-based scaling solution that lets brokers trade tokens across multiple blockchains using state channel technology. By moving the trading off-chain, brokers can exchange tokens without sitting on the same native chain. Since trading happens, off-chain transactions are not dependent on the speed of the underlying chains and can happen at a fraction of the cost.
And although this might not remove the need for bridges in all instances, it definitely presents an exciting alternative for specific use cases.
Conclusion
In essence, the risks and problems associated with crypto bridges are not new to the blockchain world and, in many cases, are similar to the ones we know from centralized exchanges. However, their relative infancy, combined with a lack of willingness to study the bridge set up by users, is a dangerous combination. The issue with decentralized scalability solutions such as bridges is that they can rarely be held accountable for exploits.
The increasing amount of attacks on crypto bridges is indeed concerning, and they show a clear need for improvement in security and reliability. Scaling and interoperability solutions have to be foremost secure; otherwise, they risk compromising the very idea of the blockchain. Reliability is crucial for adoption, especially for large, regulated institutions.
Creating industry standards, rules and regulations would certainly be a good start. Secondly, crypto bridge protocol developers must accept that they carry great responsibility and that the protocol’s security must prevail over all other aspects. Rigorous testing, auditing, and constant modifications are the keywords here.
A word from the Author
Thanks for reading! If you liked the article, make sure to tap that clap 👏 button and subscribe for more stories from the Yellow Network Blog!
I hope you had a good read on this independent analysis by Inside the Block for the Yellow Network. Feel free to contact me or kickstart a conversation in the comments!
Disclaimer: Any information in this article is based on my personal experience, out of personal interest, and to my best knowledge and ability. This article has no promotional purpose, does not represent investment advice, and any names, brands, and tickers mentioned in this article are for illustrative purposes only. Use any of the associated links with care and at your own risk. Always do your own research.
Discover Web3 and Dive into DeFi with Yellow Network!
Yellow powered by Openware is developing an unprecedented worldwide cross-chain P2P liquidity aggregator Yellow Network, designed to unite the crypto industry and provide global remittance services actually helpful to people.
Are you a crypto developer? Check out the OpenDAX v4 white-label cryptocurrency exchange software stack on GitHub, designed to launch market-ready crypto exchange brokerage platforms with a built-in liquidity stream.
Join the Yellow Community and dive into the most product-oriented crypto project of this decade:
- Follow Yellow Twitter
- Join Yellow Telegram
- Check out Yellow Discord
Stay tuned as Yellow Network unveils the development, technology, developer tools, crypto brokerage nodes software, and community liquidity mining!