Over $2 billion stolen this year in Blockchain Bridge hacks exposes DeFi’s Achilles heel
If 2018 was the year of the hack for centralized crypto exchanges, decentralized blockchain bridges look set to win that honor this year.
Over $1.9 billion was stolen in cross-chain hacking in the first half of 2022, according to a new blog post from crypto analytics firm Chainalysis.
Chain-link bridges have come under fire in recent weeks for their vulnerability. At its core, bridges allow users to exchange one token for another, says BNB
“Having that interoperability is critical,” says Kim Grauer, research director at Chainalysis.
However, to work, bridges must contain large amounts of both tokens. Such pools of liquidity make them tempting for hackers. Bridges “allow blockchains to talk,” Grauer says. “But we’ve also made these honeypots for malicious actors.”
“Regardless of how those funds are stored — locked in a smart contract or with a centralized custodian — that storage point becomes a target,” she adds.
Their vulnerability could also be a result of DeFi growing too much, too fast. Cross-chain bridges, says Amit Dar, senior director of strategy at cybersecurity firm Active Fence, are “kind of an afterthought.”
“Effective bridge design remains an unsolved technical challenge, with many new models being developed and tested,” adds Grauer.
Yet the bridges have become staples of decentralized finance, and as long as they remain vulnerable, hacking will also be common.
“The promise of DeFi was that we could have trustless finance,” says Sam William, CEO of Arweave
As DeFi grows, this “painful lesson,” as Grauer puts it, is costing users untold amounts of money. Theft in the first half of this year was up 58% from the same period in 2021. “This trend does not appear to be reversing anytime soon,” the report adds. In fact, $190 million was hacked from blockchain bridge Nomad in early August, after the report’s expiration date.
According to Chainalysis’ mid-year cryptocrime update, most cross-chain hacks this year have stemmed from code exploits. Bridges, like all DeFi applications and uses, are open source projects built by developers and modified by programmers. Bridges’ entire codes are available on GitHub, an open source hosting service where anyone can inspect them for vulnerabilities.
Defenders of open source label this as the key to community and decentralization. But it is a double-edged sword. Just as developers, users, and the community have eyes on the code, so do malicious actors. They can easily see faults or errors and use them to exploit the bridge itself. A previous report by Chainalysis found that code exploitation accounted for nearly 50% of the value stolen from DeFi in the first quarter of the year. Chain analysis told Forbes it does not yet have data for Q2.
Code exploits also account for some of the biggest blockchain bridge hacks of the year, catching Ronin, Wormhole, Harmony
Hackers, Williams says, find the flaws in the software that are widely distributed across every node. Blockchains rely on a series of computers known as nodes to verify and validate transaction history. When a bug or gap in the code is found by hackers, they can use the bug to change certain functions on each node.
According to a Twitter thread by samczsun, research partner and head of security at crypto research firm Paradigm, the Nomad hack stemmed from a botched update. Blockchain Bridge had $197 million worth of cryptocurrencies before the hack.
A routine upgrade set the code to automatically approve each message, and thus each transaction. Hackers then didn’t need to change any of the code, they simply had to find a transaction that had already worked, replace the address and rebroadcast the information to steal the funds.
“Attackers abused this to copy/paste transactions and quickly emptied the bridge in a crazy free-for-all,” he tweeted.
So where does DeFi go from here? Mimi Idada, founder of the Open Web Collective, a blockchain incubator and venture fund, suggests that blockchain bridges use open source to their advantage. “So here’s a beautiful story where we have some black hats doing nefarious activity,” she says. “But when we get a feel for it, and when we know what’s going on, we actually can [enlist] our community, the other developers, to help extract some of the money before it’s all drained.”
In fact, in the case of Nomad, white hats, or hackers with good intentions, used the same method as the thieves to return some of the funds to the bridge. Although Nomad currently only has $90,000 in cryptocurrencies, over $36 million has been sent to the blockchain bridge’s recovery wallet address, according to data from Etherscan.io. Nomad also offered a 10% bounty to anyone who returned at least 90% of the funds.
Regardless of the benevolent hackers, Grauer says continued attacks will force DeFi “to hit a higher bar in terms of security.”
“God knows how many bugs there are in the code that aren’t being analyzed by the entire potential population every moment,” she says.