Perilous Bridges: Crypto’s Achilles’ Heel

Posted on

By Crypto Canuck & Crypto Crier

Hacked! Millions of Dollars were lost! These headlines are often the only crypto-related ones the mainstream media will publish. I can’t say I blame them. “Everything is functioning as it should” is not exactly an attention grabber. Action movies do well in theatres because they are exciting, not accurate.

Many people want crypto to fail. “I knew that fake internet money was a scam all along”. People are afraid of what they do not understand. Since crypto can be scary, many people would rather see it crash and burn. Seeing other folks get rich and not understanding how can cause a kneejerk reaction for many people. Sociologists call this the crabs in a bucket theory. K-os wrote a hit song about it.

When it comes to crypto, however, many of these headlines are true. Catastrophic failures have occurred, and millions of dollars have been stolen. Though it is not for the reasons many people think or have been led to believe. Layer 1 blockchains themselves continue to be secure.

Layer 1 blockchains have an insatiable desire for liquidity. They need liquidity to turn their chain into a thriving ecosystem. They often become vampires to attract this liquidity. However, much in the same way cars require bridges to cross a river, liquidity requires a bridge to cross from one blockchain to another. Under these bridges are where the trolls lurk.

What is a bridge?

Like a traditional bridge, a crypto bridge connects two blockchains. When bridges were first invented, people questioned how safe they were. We are finding out disastrously how insecure they truly are.

When a token or coin is “bridged”, the asset isn’t transferred. The original asset is held in custody, and a new version token is created on the other side. The new token functions similar to an IOU or certificate of deposit on the new chain.

Let’s use a simple example: I have 5 Eth on the Ethereum network, which I want to bridge to the Harmony network. The bridge takes custody of my 5 Eth. It then issues me five of a new token (which is called 1Eth on the Harmony Network). I now have my 5 x 1Eth tokens in my Harmony wallet. This is my IOU from the bridge that they owe me 5 Eth. When I “bridge back”, the 1Eth tokens are burnt, and my 5 Eth returns to my Ethereum wallet. Easy peasy.

Custody

Custody is the key to crypto. This is where bridges get tricky and vulnerable. The custodied crypto, which backs the value of the tokens, is what hackers target. In many ways, it is a pot of leprechaun gold. If the Eth tokens the bridge is holding in custody are lost or stolen, the underlying value of my 1Eth tokens disappears. Even though the Harmony blockchain where my tokens reside was not hacked. A critical piece to understand in this quagmire.

In 2022 over a billion dollars has been hacked between 3 chains. These hacks were possible due to the centralized nature of bridges. All current bridges rely on multi-sig wallets and smart contracts. These all have human error in the mix. The large pools of money (custodied crypto) paint a large target on their backs.

Axie Infinity

On March 23rd, a hacker was able to gain access to the Ronin network, which powers the Axie Infinity game. Through a promotion from the team, Axie Infinity was paying for gas transactions and used a gas-free node. hackers gained access to 4 private key on the server by exploiting this node. Using these keys, the hackers were able to validate a withdrawal of 173,000 Ethereum and 25.5 million USDC. The team did not realize this hack had happened for over 6 days. It wasn’t until an individual tried to withdraw Ethereum and was denied due to lack of liquidity the devs realized what happened.

The Solana chain was hacked in a similar manner. $320 million was falsely minted on Solana through an exploit in the mint function of the bridge. The attacker was able to trick the bridge into believing they had sent the contract 120,000 Ethereum and minted the bridge equivalent. The attacker then used the bridge to send 93,000 Ethereum back onto Ethereum. Though this money was replaced by Jump Crypto, it highlights the many angles bridges can be attacked.

The layer 1 blockchains have never been hacked or compromised. It was only the bridges. However, a blockchain with no liquidity is about as useful as a car with no tires.

Who gives permission?

So what is permission anyway? Who gives it? Who takes it away? On the blockchain, this may be the next $10 trillion question. Permissionless means anyone can use it. Permissioned means just that, you need permission. One of the most obvious ways we see permission right now is through the use of KYC. This topic is why CBDC (central bank digital currencies) are in hot debate on the legislative floors of governments worldwide. Fiat currency offer governments control through our central banking system. Bitcoin avoids this control.

Bridges are similar. Does someone need to grant you permission to use the bridge? Is your transaction subject to a toll? Can you transfer from one chain to the next without having to file a KYC? It is fair to say, we currently have more questions than answers. Most of us degens would prefer a decentralized option, free of KYC. This does require us to assume a higher level of risk. A decentralized environment means you can not run to the authorities for help. We call them perilous bridges for a reason.

What to look for in a bridge?

So, you’ve heard about the hacks. You now know just how risky these bridges are. What do you need to look out for? As of right now, there is no perfect bridge, but not all bridges are created equal. Looking for more decentralization is important for a bridge. Avalanche has not been compromised yet and has revamped its bridge 2 times in the last year. Looking for flaws and upgrading is very important to have top-notch security. Usually, the chains getting hacked are more centralized than other competitors.

Uptime is another factor. The longer the bridge is active without exploits, the safer it becomes. These contracts are often under attack due to the value they hold. We think that time plays into the security of the bridge here.

The bridge of the future

To onboard the masses, bridges need to be simple and secure. Very few people are willing to risk their retirement savings when they do not feel secure. Deposits at a local bank come with piece-of-mind and FDIC insurance. Insurance is one of the benefits of a permissioned and centralized system. There have been a few companies willing to offer insurance for contract exploits, such as bridge mutual, but these are far from consumer-ready and pricy.

With this in mind, Developers are hard at work trying to solve the bridging problem. Liquidity needs an easy, safe path to follow. We are multi-chain investors and were among those impacted by the Harmony incident. This is a topic near and dear to our hearts and our wallets. This is a risk we were willing to take at the time, but again the more human error involved, the less secure these platforms are. Permissionless bridges and liquidity structures between chains can’t come soon enough, but this topic is still in its infancy. Right now, these are risky plays, but in the future, security should be at the forefront of mainstream adoption.

2 thoughts on “Perilous Bridges: Crypto’s Achilles’ Heel

  1. Pingback: Mass adoption - Non-Refungible Network
  2. Pingback: DFK Sails to Klaytn - Non-Refungible Network

Leave a Reply

Your email address will not be published. Required fields are marked *