Blockchain bridges continue to be attacked. Here’s how to prevent it

Cross-chain bridges make interoperability possible in the blockchain sphere. They enable protocols to communicate with each other, share data, and create exciting new use cases that help propel Web3 to new frontiers. But, as this month's BNB Smart Chain exploit reminds us, they are vulnerable to attack.

If we want to exploit the potential of bridges, we must learn to protect them.

Bridges have deservedly earned the reputation of being Web3's weak link after a series of exploits this year. Just as thieves prefer to target assets while they're being transported in vans (rather than locked away in bank vaults with sophisticated security systems), hackers have realized that tokens in transit are also vulnerable.

Coby Moran is the Principal Investigator of Merkle Science, a Web3 predictive risk and intelligence platform. He previously served as an analyst for the United States Federal Bureau of Investigation.

They also know that substantial funds flow through these intersections. With total assets estimated at more than $54 billion, decentralized finance (DeFi) presents a particularly attractive target. Even before the BNB attack, crypto bridges figured in more than $1.6 billion of the $2 billion stolen from DeFi protocols in 2022. The scale and regularity of these exploits show why fallen bridges are gaining notoriety.

In my experience leading analysts on the trail of stolen funds (as in the recent Wintermute exploit), it is clear that prevention and defense are where the blockchain community should focus its collective efforts.

The Federal Bureau of Investigation has warned investors that cybercriminals take advantage of “the complexity of cross-chain functionality.” This certainly fits with current narratives that bridges are not just vulnerable, but vulnerabilities.

But there are ways to prevent exploits. As a former FBI analyst with time on the Cybercrime Task Force in Washington, DC, I can say that exploits are rarely fiendishly clever or sophisticated (the type you might see in a Hollywood movie). Rather, they are predictable security vulnerabilities.

Sticking to the world of bridges, which are normally exploited as a result of introduced code bugs or leaked cryptographic keys, the exploits are often reasonably sophisticated but predictable. Take exploits such as these:

  • Fake deposits: Bridges monitor deposit events on one blockchain to initiate a transfer to another. If a bad actor is able to generate a deposit event without making an actual deposit, or makes a deposit with a worthless token, they can withdraw value from the bridge on the other side. The Qubit Finance raid in January is a good example: the attackers tricked the protocol into thinking they had deposited money when they hadn't.

  • Validator faults: Bridges also validate deposits before authorizing transfers. Hackers can try to create fake deposits that defeat this process. This happened in the Wormhole hack, where a flaw in digital signature validation was exploited. Technically, this was an example of a familiar smart contract exploit. But, as we learn, if it happens on a bridge, the bridge is to blame.

  • Validator takeover: This scenario relies on taking over a number of the validators initially set up to vote yes or no on a cryptocurrency transfer. By controlling the majority of votes, the attacker can approve any transfer. In the Ronin network hack, for example, five of the bridge's nine validators had been compromised in this way.

As these examples suggest, focusing on bridge shortcomings while failing to consider ground-level safety measures is not the way to go. The bridges themselves aren’t the problem; technology is, after all, agnostic. The most common factor in exploits is human error. Post-hack investigations and subsequent patches often serve to highlight our age-old tendency to close the barn door only after a horse has run away.

Human issues

When conducting investigations, we often speak with members of a project’s team, as they are often the targets of exploits. Hackers rarely do something totally new with every exploit, instead relying on a series of age-old tricks.

Social engineering, or targeting people to gain access to privileged accounts, is a classic example. People can be befriended until they let their guard down, or be pestered with enough questions that they reveal a secret.

Take the Ronin Bridge, an Ethereum sidechain designed for Axie Infinity that allowed users to transfer assets to the Ethereum mainnet. Five of the bridge’s nine validator nodes were compromised by a phishing attack. Subsequently, Ronin announced plans to increase this number, tweeting that “the root cause of our attack was the small set of validators that made it easy to compromise the network.”

Here are those barn doors closing.

We also find that human limitations impact the ability to create fit-for-purpose code. A shortage of developers means that there are simply not enough experts capable of building and analyzing bridges. Looking again at the Wormhole incident, we see that it was abetted by a coding glitch that allowed hackers to create a set of fraudulent signatures that authorized transactions to mint Ether (ETH).

If this had been discovered earlier, this avenue of attack could have been closed. It goes without saying that Wormhole had a reduced number of contributors. (For the converse, note that Ethereum, with its many large developer teams, has so far avoided a major hack.)

Bridges are soft targets – central points where large sums are stored without robust protection – and will continue to be attacked. But we have to keep in mind that it’s not just the bridges that are vulnerable; blockchains on both sides are endangered by poorly protected connections. It’s time to train and get audited.

Education:

  • Consider taking a certified blockchain security course.

  • Keep up to date with news in the space.

  • When an exploit makes headlines, do your own research. What can you learn that could benefit your own project?

Audit:

  • Ensure that new bridge code is audited before release and then tested afterwards.

  • Increase the number of validators.

  • Regularly check for fake deposit events.

  • Set up a staff working group to focus on safety.

  • Consider bringing in experts to undertake an audit. Ask if they use the latest cross-chain tracking tools.

  • Offering bug bounties will help you cover more ground.

  • Make sure smart contract addresses are continuously monitored.
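
The check for fake deposit events recommended above, covering both cases from the "Fake deposits" item (an event with no real deposit behind it, and a deposit made with a worthless token), can be run as a reconciliation between what the bridge announced and what actually arrived in custody. This is an added example, not code from the article or from any bridge project; the record shapes, the custody address, the token allowlist and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Every address, token symbol and record here is constructed for illustration.
BRIDGE_CUSTODY = "0xBRIDGE"          # hypothetical custody address
ALLOWED_TOKENS = {"WETH", "USDC"}    # hypothetical allowlist of accepted tokens

# What the bridge announced vs. what actually moved on the source chain.
DepositEvent = namedtuple("DepositEvent", "tx token depositor amount")
Transfer = namedtuple("Transfer", "tx token sender recipient amount")

def find_suspect_deposits(events, transfers):
    """Return (event, reason) for each deposit event not backed by a real transfer."""
    # Sum what really arrived in custody, per (transaction, token, sender).
    received = defaultdict(int)
    for t in transfers:
        if t.recipient == BRIDGE_CUSTODY:
            received[(t.tx, t.token, t.sender)] += t.amount
    claimed, suspects = defaultdict(int), []
    for e in events:
        key = (e.tx, e.token, e.depositor)
        claimed[key] += e.amount  # events in one tx must share the same backing
        if e.token not in ALLOWED_TOKENS:
            suspects.append((e, "token not on allowlist"))
        elif e.amount <= 0:
            suspects.append((e, "non-positive amount"))
        elif received[key] == 0:
            suspects.append((e, "no transfer into custody"))
        elif claimed[key] > received[key]:
            suspects.append((e, "claimed more than received"))
    return suspects

EVENTS = [
    DepositEvent("0xa1", "WETH", "alice", 5),          # fully backed
    DepositEvent("0xa2", "WETH", "mallory", 100),      # event only, nothing moved
    DepositEvent("0xa3", "JUNK", "mallory", 10**6),    # real transfer, worthless token
    DepositEvent("0xa4", "USDC", "bob", 500),          # only 50 actually arrived
]
TRANSFERS = [
    Transfer("0xa1", "WETH", "alice", BRIDGE_CUSTODY, 5),
    Transfer("0xa3", "JUNK", "mallory", BRIDGE_CUSTODY, 10**6),
    Transfer("0xa4", "USDC", "bob", BRIDGE_CUSTODY, 50),
]

if __name__ == "__main__":
    for event, reason in find_suspect_deposits(EVENTS, TRANSFERS):
        print(event.tx, reason)
```

Any flagged event is a reason to hold the corresponding release on the destination chain until someone has looked at it.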

The bottom line is that crypto as a whole takes a reputational and financial hit every time an exploit makes waves. The answer is to learn from the mistakes hackers repeatedly teach us, becoming more proactive in our efforts to prevent repeat performances.

Bridges are vital parts of the Web3 infrastructure that we currently cannot live without. And we need to defend them more effectively.
