Recent exploitation of Blockchain Bridges highlights the need for cyber security in crypto and the risk of liability | Alston & Bird
According to recent media reports, there have been several cases of blockchain bridges being hacked this year, including reports on August 2 that one bridge lost close to $200 million to over 40 hackers who exploited a flaw in the protocol, and reports in June that another bridge lost $100 million to hackers who allegedly exploited a weakness in the bridge to seize a number of different tokens, including Ethereum, Binance Coin, Tether, and Dai.
A blockchain bridge is a protocol that connects two or more different blockchains, thereby allowing the blockchains to interact. Interaction can enable the exchange of information across blockchains, as well as the exchange of cryptocurrency or NFTs. In order for funds to be moved between blockchains via a bridge, the assets to be transferred are locked on one blockchain and minted on another. To achieve this, bridges often hold large stores of cryptocurrency; the maintenance of these large liquidity stores has made blockchain bridges a popular target for criminals. Successful attacks on blockchain bridges have become increasingly common as cryptocurrency grows in popularity and use. According to forensics firm Elliptic, more than $1 billion was stolen from bridges in the first half of 2022.
These hacks come in the wake of a Chainalysis report that found North Korean cybercriminals had a productive 2021, extracting nearly $400 million in digital assets through at least seven attacks on cryptocurrency platforms. These attacks primarily targeted investment firms and centralized exchanges, but highlight the issue of cybersecurity in the broader crypto community.
Consumers are also beginning to notice the alleged lack of security on some platforms. In a first-of-its-kind class action lawsuit filed earlier this year, Sarcuni et al. v. bZx DAO et al. (S.D. Cal., May 2, 2022), plaintiffs allege that a decentralized autonomous organization (DAO) failed to implement security measures it knew were reasonably necessary to secure the decentralized finance (DeFi) protocol. The alleged negligence resulted in the theft of $55 million from user accounts. Specifically, plaintiffs allege that the entire DAO itself, its co-founders, and its members are jointly and severally liable for negligence in failing to implement adequate security. DAOs typically lack legal formation or recognition, and decision-making authority is assigned to all holders of the token resident in the DAO (members), where the number of tokens a member holds correlates to the number of votes the member has. In Sarcuni, plaintiffs argue that members are jointly and severally liable because, although there is no legal formation or recognition, bZx DAO fits the definition of a partnership under the Uniform Partnership Act and is thus a general partnership among token holders.