Hackers take advantage of crypto weak links and even Binance is not spared

A total of 2 million Binance Coin – equivalent to nearly $US570 million ($895 million) – were effectively minted and taken by the hacker. Binance said in a statement that the incident was isolated to the BNB Chain, over which it has no control. About $100 million of the stolen funds were not recovered, while the rest was frozen, according to the statement. No user funds were lost, Binance added.

The inability to make bridges secure – Chainalysis estimates that US$2 billion ($3.1 billion) worth of tokens have been looted from 13 separate attacks, most of which were stolen this year – poses a fundamental dilemma because without such platforms, major blockchains from Ethereum to Solana remain largely separate from each other.

The vision behind web3, billed by its protagonists as the Internet’s next iteration, rests in part on tokens that flow freely between different ecosystems.

Underscoring the demand for this technology, protocols built around cross-chain bridges and interoperability have raised about $US347 million ($545 million) across 30 deals since 2021, according to Kunal Goel, a research analyst at Messari.

LayerZero had the biggest deal where it raised $US135 million ($212 million), but most of the deals have been seed rounds, Goel said.

But even well-funded bridges built specifically to be “safety first” have not been spared. In August, one such bridge called Nomad – which uses a method to verify transactions that it says is more secure than those used by other cross-chain platforms – was hit by a $US200 million ($315 million) hack.

One of the major challenges in building secure bridges is their complexity, which gives hackers many potential entry points. And there are few qualified experts who can build and secure them, say security analysts and blockchain developers.

Bread developers must not only be deeply knowledgeable about how the software works, but also about the function of the various blockchains it connects to. It is not easy to find someone with this knowledge, according to analysts and programmers.

“I’ve studied distributed computing and consensus, and yet I have to say I don’t understand bridges very well,” said Paul Frambot, CEO of crypto startup Morpho Labs, which developed a new protocol. “This is very difficult to understand well and therefore even more difficult to build secure.”

Bridges are open source software, so their code is available for anyone to see. This is a double-edged sword: it makes them more inherently vulnerable to hacks than traditional financial networks, such as the private ones run by banks, but also allows more individuals to contribute to improving the code, experts said.

“In the short term, the code that is open source allows malicious actors to discover vulnerabilities in libraries and packages that are recently built and developed,” said David Kroger, a digital data scientist at Cowen Digital.

“But being open source allows communities to come together and expose attack surfaces early to be taken care of before they become harmful.”

Another problem with bridges is that most operate with a small set of managers or entities such as validators responsible for securing the network. This makes them vulnerable as they sacrifice decentralization in order to operate at scale.

Pesky Bugs

Bugs are also common on bridges, in part because the technology used is very new, security experts said. But there is a silver lining.

“Safe bridge design remains a technical challenge that the industry is trying to solve through trial and error,” said Adrian Hetman, technical lead for triaging at bug bounty hunter site Immunefi. “For every new hack and security flaw found, we can learn from the mistakes and build better solutions.”

Developers still don’t have many tools to create, debug or support bridge software, nor basic operating standards, Chase Devens, a research analyst at Messari, wrote in a July report.

In addition to technical challenges, developers who build bridges face more dangerous enemies. Lazarus, a North Korean state-backed hacking group, was identified as the attacker behind the Ronin Bridge hack and the $100 million Horizon Bridge theft in June.

To fend off seasoned hackers with vast resources and prove they can be more than a costly headache for the sector, bridges may be left with no choice but to step up their game, security experts said.

“We’re still in the infancy stage,” says Mudit Gupta, head of information security at Ethereum scaling solution Polygon. – There is much more work that needs to be done.

Bloomberg

Bloomberg

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *