Web3 won’t go mainstream until there’s seamless blockchain integration: With more and more bridging attacks, what does this mean?
Back in March 2022, the cryptocurrency network Ronin revealed that it had fallen victim to one of the biggest hacks of all time, suffering a breach that allowed attackers to steal more than 540 million dollars worth of Ethereum and USD Coin. The incident saw hackers exploit a vulnerability in a service known as Ronin Bridge. It is one of a number of recent successful attacks on “blockchain bridges” that have drawn attention to their inherent security weaknesses.
Blockchain bridges, sometimes called network bridges, are services that enable crypto holders to move their digital assets from one blockchain to another. They play an important role, because cryptocurrencies are often siloed and lack interoperability, which means you cannot simply send Bitcoin to an Ethereum wallet address, for example. Because of this siloed nature, bridges have emerged as a key mechanism in the crypto-economy.
Bridge services do not actually transfer one type of digital asset to another chain. Rather, what they do is “wrap” cryptocurrency tokens to convert them into a new asset on the other chain. So if a user wants to bridge Bitcoin to Solana, the bridge will essentially freeze the original BTC by locking it in a wallet address, before spitting out what is known as wrapped BTC (WBTC) that can be used on the other chain. It can be thought of as a kind of gift card that gives exactly the same monetary value, which can only be used in a specific store.
Because of the way they work, bridges therefore have significant reserves of cryptocurrency tokens locked in smart contracts, and these reserves make them particularly attractive to hackers.
As crypto-faithful know all too well, any value held on-chain is vulnerable to attack at any time of the day. The internet never goes offline, meaning tokens held by any bridge are always available.
Ronin Hack shows the danger of centralization
The attack on the Ronin Network was one of the biggest DeFi heists ever in terms of dollar value. Ronin is an Ethereum sidechain that enables cheaper transactions at much faster speeds than the main network. It was the bridge of choice for the popular play-to-earn cryptocurrency game Axie Infinity, meaning it constantly processed millions of dollars in crypto and stablecoins.
Sidechains are a blockchain scaling solution that requires a bridge to connect to other chains. With Ronin, users are able to lock their ETH and mint wrapped ETH on alternate networks. Transactions are processed and approved via a proof-of-authority consensus algorithm. With this model, 5 out of 9 validators must agree on a transaction for consensus to be reached. However, four of Ronin’s validators were run by one company – Sky Mavis, the developer of Ronin.
It was a highly centralized setup that resulted from Axie DAO’s decision to set up a gasless RPC node in November 2021 to try to fix network congestion. The DAO allowed Sky Mavis’ keys to sign transactions on its behalf. It was only supposed to be a temporary arrangement, but the allow list was never revoked. This created an opening for the attackers – said to be the North Korea-sponsored Lazarus Group – who used social engineering techniques to compromise Sky Mavis’ four keys. The hackers then discovered a vulnerability in the RPC code, which gave them control over a fifth validator and allowed them to make an illegal withdrawal.
The main problem was that Ronin’s multi-signature system for signing transactions was compromised due to a lack of decentralization. It illustrates the weaknesses of security mechanisms where the majority of control is concentrated in the hands of a single entity.
Vulnerabilities in smart contracts persist
The Ronin hack was not a one-off incident, but rather the latest in a series of high-profile attacks on blockchain bridges that have resulted in the loss of millions of dollars worth of assets. A month earlier, attackers made off with around $80 million worth of Ethereum after an attack on the Qubit Bridge.
It is a service powered by the Qubit Finance platform, which enables users to lend and borrow digital assets across the Ethereum and Binance Smart Chain networks. For example, it makes it possible to deposit an ERC-20 token and receive a BEP-20 coin in exchange, which can then be used on the Binance chain.
The Qubit Bridge was hacked due to what was said to be a “logical error” in the smart contract’s code. The vulnerability allowed the hacker to manipulate the bridge using malicious data, allowing him or her to withdraw BSC tokens without making any Ethereum deposit. A post-mortem of the attack found that the QBridge smart contract did not correctly confirm that the required amount of ETH was locked. Instead, the hacker could present fake proof of a non-existent deposit.
The incident served to highlight how vulnerabilities in smart contracts remain a persistent problem in DeFi, and especially for blockchain bridges. The vast majority of bridging attacks target errors in smart contracts, which are automated contracts that self-execute when certain conditions are met.
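The two failure modes above, a quorum carried by one entity’s keys (Ronin) and wrapped tokens minted against an unverified deposit (Qubit), can be modelled together with the lock/mint/burn/unlock flow described earlier. The following is an added illustration, not code from any of the bridges discussed; the validator names, operators and amounts are constructed, and the per-operator cap is one possible mitigation, not a description of how any real bridge works.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Validator:
    key_id: str
    operator: str  # entity that actually controls the signing key

@dataclass
class Bridge:
    validators: list
    quorum: int            # approvals required (Ronin used 5 of 9)
    max_per_operator: int  # approvals that may be counted from any single operator
    locked: dict = field(default_factory=dict)  # deposit_id -> amount locked on source chain
    minted: dict = field(default_factory=dict)  # deposit_id -> wrapped amount on target chain

def counted_approvals(bridge, signer_key_ids):
    """Approvals toward quorum, capped per operator so one company's keys cannot carry it alone."""
    by_key = {v.key_id: v for v in bridge.validators}
    per_operator = Counter(by_key[k].operator for k in set(signer_key_ids) if k in by_key)
    return sum(min(n, bridge.max_per_operator) for n in per_operator.values())

def lock(bridge, deposit_id, amount):
    """Source chain: the original tokens are frozen in the bridge contract."""
    bridge.locked[deposit_id] = bridge.locked.get(deposit_id, 0) + amount

def approve_mint(bridge, deposit_id, amount, signer_key_ids):
    """Target chain: issue wrapped tokens only for a real, unspent lock with a diverse quorum."""
    if deposit_id in bridge.minted:                 # replaying an already-minted deposit
        return False
    if bridge.locked.get(deposit_id, 0) != amount:  # the Qubit gap: never mint on an unverified deposit
        return False
    if counted_approvals(bridge, signer_key_ids) < bridge.quorum:
        return False
    bridge.minted[deposit_id] = amount
    return True

def redeem(bridge, deposit_id):
    """Burn the wrapped tokens and release the original lock; returns the amount unlocked."""
    amount = bridge.minted.pop(deposit_id, None)
    if amount is None:
        return 0
    del bridge.locked[deposit_id]
    return amount

def demo():
    """Constructed scenario: 9 validators, 4 keys run by one company, quorum 5, cap 2 per operator."""
    ops = ["SkyMavis"] * 4 + ["AxieDAO", "OpA", "OpB", "OpC", "OpD"]
    bridge = Bridge([Validator(f"k{i}", op) for i, op in enumerate(ops)], quorum=5, max_per_operator=2)
    lock(bridge, "dep-1", 100)
    concentrated = approve_mint(bridge, "dep-1", 100, ["k0", "k1", "k2", "k3", "k4"])  # 5 keys, 2 operators
    spread = approve_mint(bridge, "dep-1", 100, ["k0", "k1", "k4", "k5", "k6"])        # 5 keys, 4 operators
    fake = approve_mint(bridge, "dep-2", 100, ["k0", "k1", "k4", "k5", "k6"])          # no lock exists
    return concentrated, spread, fake, redeem(bridge, "dep-1")
```

Five valid signatures from only two operators fall short of quorum under the cap, while the same number of keys spread across four operators passes; a mint request for a deposit that was never locked is rejected regardless of signatures.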
Bridges are key to expanding crypto’s reach
Crypto platforms have been subject to an endless stream of attacks ever since the nascent industry began to gain popularity. Proponents of DeFi say it can provide a more accessible and fair alternative to traditional financial services, but as the space has evolved, it has been subjected to what is essentially a litmus test. Attacks on bridges have become as common as heists on cryptocurrency exchanges and DeFi protocols. The problem is that bridges, like exchanges and protocols, are high-stakes platforms that hold enormous amounts of value, and any of them can be vulnerable to errors in the underlying code.
It is widely believed that crypto and DeFi will never achieve widespread adoption without a proper solution to the risk of attack. The vast majority of the world’s assets are held by institutional investors, such as investment banks and large hedge funds. Such organizations prioritize compliance and the safety of their funds over potential profits. So DeFi and crypto are unlikely to become much more than a niche investment industry until the security issues can be resolved.
Bridge safety is of particular importance. The siloed nature of blockchains is a serious handicap that limits the potential reach of any decentralized application. A dApp built on Ethereum cannot talk to others based on different blockchains. It cannot trade with Bitcoin, the world’s most valuable and most widely used cryptocurrency, meaning that BTC holders have no way to interact with the DeFi ecosystem. If crypto is ever going to become ubiquitous, users need to have a secure way to communicate with different chains.
Build better bridges
The good news is that there are those in the industry who recognize the importance of secure blockchain connectivity. An exciting prospect is AllianceBlock’s very promising AllianceBridge, which supports major networks including Ethereum, Binance Smart Chain, Avalanche, Polygon, Arbitrum, Optimism and Energy Web with a unique infrastructure that is more decentralized and provides faster and more secure performance.
Unlike centralized bridges, which rely on a single entity or only a few entities to verify that transactions are legitimate, decentralized bridges are based on the same principles as the blockchain itself. Multiple independent operators use well-structured consensus mechanisms to determine the validity of transactions. AllianceBridge is a decentralized bridge that has developed a unique method to ensure consensus.
As with others, AllianceBridge locks the tokens it receives in a smart contract and then issues wrapped tokens on the target blockchain. The wrapped tokens will exist on the other chain until the user decides to redeem them on the original network. At that point, the wrapped tokens are burned, meaning they cease to exist, while the original tokens on the original chain are unlocked.
Where AllianceBridge stands out is that it uses an EVM-compatible network of bridge operators. In addition, it utilizes the third-party Hedera Consensus Service (HCS), which is driven by Hedera Hashgraph’s “gossip about gossip” consensus algorithm.
Using HCS, blockchain applications and networks can send messages to the Hedera public ledger, where they are time-stamped and ordered with full transparency. This allows AllianceBridge to reach consensus without maintaining synchronization between the bridge operators. This means faster performance with a high degree of decentralization, while HCS provides an extra layer of trust that makes the bridge more secure.
AllianceBridge’s smart contracts, which are used to lock the original assets and to create and burn wrapped tokens, provide even more peace of mind. The entire smart contract codebase was written to follow the EIP-2535 standard and has been fully audited by Omniscia. During the audit, Omniscia pointed out a number of potential issues that were quickly addressed by AllianceBlock before the code was published.
The security and reliability of AllianceBridge has played a key role in expanding the utility of AllianceBlock’s suite of DeFi offerings, including DeFi terminal, which provides an easy way for projects to launch liquidity mining and staking campaigns across multiple supported networks and dApps. With its secure blockchain interoperability protocol, AllianceBlock builds the robust foundation that a rich, interconnected Web3 ecosystem needs to grow and develop.