Over $2 Billion Stolen This Year In Blockchain Bridge Hacks Expose DeFi’s Achilles Heel

If 2018 was the Year of the Hack for centralized crypto exchanges, decentralized blockchain bridges seem destined to win that honor this year.

Over $1.9 billion was stolen in cross-chain hacks in the first half of 2022, according to a new blog post by crypto analytics firm Chainalysis.

Cross-chain bridges have come under fire in recent weeks for their vulnerability. At their core, bridges allow users to exchange one token for another, say BNB (Binance’s token) for ethereum; they are the key to expanding operability across blockchains.

“Having that interoperability is crucial,” says Kim Grauer, head of research at Chainalysis.

But in order to function, bridges must hold large amounts of both tokens. Such liquidity pools make them enticing to hackers. Bridges “allow for blockchains to talk,” says Grauer. “But we’ve also created these honey pots for malicious actors.”

“Regardless of how those funds are stored–locked up in a smart contract or with a centralized custodian–that storage point becomes a target,” she adds.

Their vulnerability may also be a result of DeFi growing too much, too fast. Cross-chain bridges, says Amit Dar, senior director of strategy at cybersecurity firm Active Fence, are “kind of afterthoughts.”

“Effective bridge design is still an unresolved technical challenge, with many new models being developed and tested,” adds Grauer.

Still, the bridges have become staples of decentralized finance, and as long as they remain vulnerable, hacks will also be commonplace.

“The promise of DeFi was that we could have trustless finance,” says Sam Williams, CEO of Arweave, a blockchain start-up behind the permaweb, which aims to preserve Internet content. “But instead people have ended up trusting the marketing and subsequently trusting the code without verifying it.”

As DeFi grows, this “painful lesson,” as Grauer puts it, is costing users unprecedented amounts of money. Thefts in the first half of this year were up 58% from the corresponding 2021 period. “This trend doesn’t appear set to reverse anytime soon,” adds the report. Indeed, $190 million was hacked from blockchain bridge Nomad at the beginning of August, after the report’s close date.

According to Chainalysis’ mid-year crypto crime update, most of the cross-chain hacks this year have stemmed from code exploits. Bridges, like all DeFi applications, are open-source projects built by developers and modified by programmers. Bridges’ entire codebases are available on GitHub, a hosting service for open code, where anyone can inspect them for vulnerabilities.

Defenders of open source label this as the key to community and decentralization. But it is a double-edged sword. Just as developers, users and communities have eyes on the code, so do malicious actors. They can easily see bugs or faults and use those to exploit the bridge itself. An earlier report by Chainalysis found that code exploits accounted for nearly 50% of the value stolen from DeFi in the first quarter of the year. Chainalysis told Forbes it does not yet have the data for Q2.

Code exploits also account for some of the largest blockchain bridge hacks of the year, ensnaring Ronin, Wormhole, Harmony and now Nomad. These hacks all suffered from exploits in which gaps in the code led to compromised validator nodes approving the thefts.

Hackers, says Williams, are finding the faults in the software that are widely deployable across every node. Blockchains rely on a series of computers known as nodes to verify and validate the history of transactions. When a bug or gap in the code is found by hackers, they can utilize the bug to change certain functions on every node.

According to a Twitter thread by samczsun, research partner and head of security at crypto research firm Paradigm, the Nomad hack originated from a faulty update. The blockchain bridge held $197 million worth of cryptocurrencies before the hack.

A routine upgrade set the code to automatically approve every message, and thus every transaction. Hackers then didn’t need to change any of the code; they simply had to find a transaction that had already worked, replace the address and re-broadcast the information to steal the funds.

“Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all,” he tweeted.
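The failure described above can be modeled in a few lines. This is an added example, not code from the article or from Nomad; every name in it is hypothetical, and it assumes that a message never proven resolves to an all-zero default root and that the faulty upgrade marked that default as trusted.

```python
# Simplified model of a bridge's inbound-message check (added example; all
# names are hypothetical and the zero-default mechanism is an assumption).
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value looked up for a message never proven


class Replica:
    def __init__(self, trusted_root: bytes, hardened: bool):
        self.hardened = hardened
        self.confirmed = {trusted_root}  # roots the bridge accepts as valid
        self.proven = {}                 # message hash -> root it was proven under
        self.processed = set()           # message hashes already paid out

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for verifying a Merkle proof of `message` against `root`.
        self.proven[hashlib.sha256(message).digest()] = root

    def process(self, message: bytes) -> bool:
        h = hashlib.sha256(message).digest()
        if h in self.processed:
            return False                 # identical message replayed
        root = self.proven.get(h, ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False                 # never proven: reject explicitly
        if root not in self.confirmed:
            return False                 # proven under an untrusted root
        self.processed.add(h)
        return True


def run(trusted_root: bytes, hardened: bool) -> dict:
    """Replay one proven message with the recipient swapped and never proven."""
    bridge = Replica(trusted_root, hardened)
    legit = b"withdraw:100:recipient=alice"     # constructed sample message
    copied = b"withdraw:100:recipient=mallory"  # same message, address replaced
    real_root = hashlib.sha256(b"real-root").digest()
    bridge.confirmed.add(real_root)
    bridge.prove(legit, real_root)
    return {
        "legit": bridge.process(legit),
        "copied_unproven": bridge.process(copied),
        "legit_again": bridge.process(legit),
    }
```

Calling `run(ZERO_ROOT, hardened=False)` reproduces the bad initialization, where the copied message is approved; either a non-zero trusted root or the explicit unproven-message check makes the same call reject it, which is the property a pre-upgrade regression test should assert.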

So where does DeFi go from here? Mimi Idada, founding partner at Open Web Collective, a blockchain incubator and venture fund, suggests that blockchain bridges use the open source to their advantage. “So here’s a beautiful story in which we have some black hats that are doing some malicious activity,” she says. “But when we get a sense of it, and when we know what’s happening, we can actually [enlist] our community, the other developers, to help pull some of that money before everything gets drained.”

Indeed, in the case of Nomad, white hats, or hackers with good intentions, used the same method as the thieves to return some of the funds to the bridge. Though Nomad only currently holds $90,000 in cryptocurrencies, over $36 million has been sent to the blockchain bridge’s recovery wallet address, according to data from Etherscan.io. Nomad also offered a 10% bounty to anyone returning at least 90% of the funds.

Regardless of the benevolent hackers, Grauer says continued attacks are going to force DeFi “to hit a higher bar in terms of security.”

“God knows how many bugs there are in the code that aren’t parsed over by the entire potential population every moment,” she says.

This news is republished from another source. You can check the original article here

