Half of all DeFi exploits are cross-bridge hacks

According to a new report by crypto data aggregator Token Terminal, approximately 50% of exploits in decentralized finance, or DeFi, occur on cross-chain bridges. In two years’ time, more than $2.5 billion has been stolen by hackers via exploiting vulnerabilities on cross-chain bridges. The amount is enormous in comparison to other security breaches, such as DeFi lending hacks ($718 million) and decentralized exchange exploits ($362 million) in that period. 

Cross-chain bridges, which allow users to port digital assets from one chain to another, are known for their ability to solve multichain scaling issues. However, the complexity in building and subsequently auditing them, combined with massive amounts of funds locked in their smart contracts, has attracted much attention from hackers.

Immunefi CEO and security expert Mitchell Amador explained that some developers in the DeFi space are simply lacking the necessary knowledge to secure such complex mechanisms:

“Many developers launch projects by simply copying and pasting code from other projects. When one of these projects has a vulnerability, others usually have that vulnerability as well. Open source smart contracts, being visible and accessible to all, can easily attract blackhats who study them, discover where they’re vulnerable, and exploit them.”

It also appears that the vast majority of cross-change exploits that have happened thus far took place on Ethereum Virtual Machine (EVM) blockchains. This includes this year’s most serious incidents, such as the Axie Infinity Ronin bridge hack, the Wormhole token bridge hack and the Nomad bridge hack.

Meanwhile, cross-chain bridges based on the Cosmos Inter-Blockchain Communications (IBC) protocol, which has surpassed $1 billion in total value locked, have largely avoided the spearhead of the attacks. Although, last week, Cosmos co-founder Ethan Buchman said that a major security vulnerability was discovered on IBC after security audits. The exploit has been patched and no funds were lost as a result of the incident.