Cryptoverse: Blockchain bridges into troubled waters


Representations of Bitcoin, Ethereum and Dash cryptocurrencies are submerged in water in this illustration taken May 23, 2022. REUTERS/Dado Ruvic/Illustration


Aug. 9 (Reuters) – Another day, another hack – and another blockchain bridge burned.

When thieves stole about $190 million from US crypto firm Nomad last week, it was the seventh hack of 2022 targeting an increasingly important cog in the crypto machine: blockchain “bridges” — strings of code that help move crypto coins between different apps.

Hackers have stolen about $1.2 billion worth of cryptocurrency from bridges so far this year, data from London-based blockchain analytics firm Elliptic shows, already more than double last year's total.


“This is a war where the cybersecurity firm or project cannot be the winner,” said Rongwei Hu, a computer science professor at New York’s Columbia University and co-founder of cybersecurity firm CertiK.

“We have so many projects to protect. For them (hackers), when they look at one project and there are no bugs, they can just move on to the next one until they find a weak point.”

Currently, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions. This risks leaving projects that use these coins isolated, reducing their prospects for widespread use.

Blockchain bridges aim to break down these walls. Backers say they will play a major role in “Web3,” the much-touted vision of a digital future where crypto is woven into online life and commerce.

Yet bridges can be the weakest link.

The Nomad hack was the eighth largest crypto theft in history. Other bridge thefts this year include the $615 million theft from Ronin, used in a popular online game, and the $320 million theft from Wormhole, used in so-called decentralized finance applications.

“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassey, co-founder and CEO of malware detector PolySwarm.

ACHILLES' HEEL

Nomad and other companies making blockchain bridging software have attracted support.

Just five days before it was hacked, San Francisco-based Nomad said it had raised $22.4 million from investors, including major exchange Coinbase Global ( COIN.O ). Nomad CEO and co-founder Pranai Mohan called its security model the “gold standard.”

Nomad did not respond to requests for comment.

He said he is working with law enforcement and a blockchain analytics firm to trace the stolen funds. Late last week, he announced a reward of up to 10% for the return of funds hacked from the bridge. On Saturday, it said it had so far recovered more than $32 million of the hacked funds.

“The most important thing in crypto is community, and our number one goal is bridging user funds,” Mohan said. “We will treat any country that returns 90% or more of the exploited funds as white hats. We will not go after white hats,” he said, referring to so-called ethical hackers.

Several cybersecurity and blockchain experts told Reuters that the complexity of bridges means they can be an Achilles’ heel for projects and applications that use them.

“The reason hackers have targeted these cross-chain bridges recently is because of the enormous technical complexity involved in creating these kinds of services,” said Ganesh Swamy, CEO of blockchain data firm Covalent in Vancouver, which had some cryptocurrencies stored on Nomad’s bridge when it was hacked.

For example, some bridges create versions of crypto coins that are compatible with different blockchains while keeping the original coins in reserve. Others rely on smart contracts, complex agreements that execute transactions automatically.

The code involved in all of this can contain bugs or other flaws, potentially leaving the door open to hackers.

BUGS

So how do we best deal with the problem?

Some experts say smart contract audits can help protect against cyber theft, as can “bug bounty” programs that incentivize open-source reviews of smart contract code.

Others are calling for less concentration of bridge control by individual companies, something they say could improve code resiliency and transparency.

“Cross-chain bridges are an attractive target for hackers because they often use centralized infrastructure, most of which lock down assets,” said Victor Young, founder and chief architect at US blockchain firm Analog.


Reporting by Tom Wilson in London and Medha Singh in Bengaluru; Editing by Pravin Char
