Build Bridges — Don’t Burn Them: Crypto Cross-Chain-Bridge Attacks Are On The Rise
Cybersecurity Ninja from MetaBlaze discusses the growing threats in this new world of Web 3. Cross-chain bridge attacks are responsible for $2 billion worth of damages, totaling 69% of all cryptocurrency theft in 2022. Blockchain bridges connect different blockchains together while allowing users to transfer assets between them.
Cryptocurrency cross-chain bridges have been a helpful advancement in the world of crypto. They are used to exchange information, cryptocurrencies, and other non-fungible tokens from one blockchain to another. However, with the pros come some cons: these bridges have become a lucrative target for cybercriminals.
So far this year, bridge attacks have resulted in almost $2 billion stolen. In 2022, some of the most notable attacks have been Meter Passport for $4.4 million, Harmony Horizon for $100 million, Nomad for $190 million, Wormhole for $326 million, and Axie Ronin for $625 million.
A crypto bridge is a way to connect two blockchains. This lets people send cryptocurrencies from one chain to the other. The chains may have different rules, but bridges make it so both sides can work together. For many people in the crypto world, the only reason to cash out of one currency is to invest in another. With a cross-chain-bridge, you can do this seamlessly.
While a bridge may vary in its design, the overall process is typically the same. If someone owns Ethereum (ETH), which is on the Ethereum blockchain (ERC20), and would like to exchange these assets for an equivalent amount of funds on the Solana blockchain, then the user would send their ETH to a cross-chain bridge. The funds would then be held as collateral in a smart contract, and the user would be given a form of ETH that exists on the Solana blockchain. These tokens are backed by the collateral, which is still held in the smart contract.
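As an added example (not code from this article or from MetaBlaze), here is a small Python model of the lock-and-mint flow described above: collateral is locked on the source chain, validators attest to the deposit event, and the destination side mints wrapped tokens only when a threshold of distinct, valid attestations is present and the event has not already been minted, while an off-chain monitor checks that wrapped supply never exceeds locked collateral. The validator names, keys, and the use of HMAC in place of a real signature scheme are constructed simplifications.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DepositEvent:  # emitted by the source chain when collateral is locked
    nonce: int
    recipient: str
    amount: int

class LockVault:
    """Source-chain contract: holds the deposited ETH as collateral."""
    def __init__(self):
        self.locked, self.nonce = 0, 0

    def deposit(self, recipient: str, amount: int) -> DepositEvent:
        self.locked += amount
        self.nonce += 1  # unique per deposit, so each event can be minted once
        return DepositEvent(self.nonce, recipient, amount)

def attest(validator_key: bytes, event: DepositEvent) -> bytes:
    """Validator signs the deposit event (HMAC stands in for a real signature)."""
    msg = f"{event.nonce}|{event.recipient}|{event.amount}".encode()
    return hmac.new(validator_key, msg, "sha256").digest()

class WrappedMinter:
    """Destination-chain contract: mints wrapped ETH only for attested deposits."""
    def __init__(self, validator_keys: dict, threshold: int):
        self.keys, self.threshold = validator_keys, threshold
        self.processed, self.balances, self.total_minted = set(), {}, 0

    def mint(self, event: DepositEvent, signatures: dict) -> int:
        if event.nonce in self.processed:
            raise ValueError("replay: deposit already minted")
        # Count only distinct, known validators whose signature verifies.
        valid = {v for v, sig in signatures.items() if v in self.keys
                 and hmac.compare_digest(sig, attest(self.keys[v], event))}
        if len(valid) < self.threshold:
            raise ValueError(f"only {len(valid)} of {self.threshold} attestations")
        self.processed.add(event.nonce)
        self.balances[event.recipient] = self.balances.get(event.recipient, 0) + event.amount
        self.total_minted += event.amount
        return self.balances[event.recipient]

def collateral_invariant_holds(vault: LockVault, minter: WrappedMinter) -> bool:
    """Off-chain monitor: wrapped supply must never exceed locked collateral."""
    return minter.total_minted <= vault.locked
```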
The fact that all the currency exchanged over blockchain bridges is held in one location makes it a desirable target for criminals. They know that this is where they can find a lot of money. However, because the concept is new, the bridge designs are not perfect. The best practices have yet to be defined by the industry, and there are few true experts when it comes to securing such protocols.
Many of these exploits have been the result of coding flaws. These flaws are not necessarily easy to find as an attacker or as the designer of such programs. There is some interesting discussion happening in the crypto community over who the actors behind these hacks might be. For example, Harmony Horizon offered a $10 million bounty to individuals who could provide information about attackers behind the $100 million exploit earlier this year. However, because of the large amount of money being stolen, it would be difficult to launder such funds. This has many people who follow these events believing that the attacks are carried out by Nation States.
The FBI was able to connect a North Korean hacking group known as Lazarus to the theft of $625 million from the Axie Ronin bridge. The US Department of Treasury found that this group had been using a crypto wallet to launder the money from the heist. In response, the Treasury Department imposed sanctions on the wallet in April of 2022. A spokesperson from the Treasury Department warned anyone who may transact with this wallet, stating: “Identification of the wallet will make clear to other VC actors that by transacting with it, they risk exposure to US sanctions. This demonstrates Treasury’s commitment to use all available authorities to disrupt malicious cyber actors and block ill-gotten criminal proceeds,” and went on to say that “There may be mandatory secondary sanctions requirements on persons who knowingly, directly or indirectly, engage in money laundering, the counterfeiting of goods or currency, bulk cash smuggling, or narcotics trafficking that supports the government of North Korea or any senior official or person acting for or on behalf of that Government.”
In order to stay safe, code audits of smart contracts and cross-chain bridges will need to get more and more scrupulous. Security strategies need to keep evolving in order to stay ahead of bad actors. As with all important programs, regular penetration testing should be a high priority for companies. Blockchain security companies like CertiK are leading the way when it comes to securing the new and fast-evolving Web3 world.
For more recent references on related attacks:
- https://www.coindesk.com/tech/2022/06/30/harmony-horizon-exploit-linked-to-north-korea-10m-bounty-offered-in-global-manhunt/
- https://cointelegraph.com/news/latest-defi-bridge-exploit-results-in-4-4m-losses-for-meter
- https://news.bitcoin.com/hacker-siphons-80-million-from-qubit-cross-chain-bridge-largest-defi-exploit-of-2022-to-date/
- https://cointelegraph.com/news/axie-infinity-s-ronin-bridge-hacked-for-over-600m
- https://www.coindesk.com/tech/2022/02/02/blockchain-bridge-wormhole-suffers-possible-exploit-worth-over-250m/