As the world moves towards a multi-chain future, token bridges remain vulnerable to hacks. In 2022, over $2 billion in assets were stolen from token bridge exploits, which could have been avoided with the right security measures. By examining some of the attacks of 2022, we can better understand the flaws in the system and the security measures that exist or are being developed to protect against them.
Martin Köppelmann, co-founder of Gnosis, said, “Hackers in the biggest bridge exploit of 2022 relied on similar methods to siphon funds.” The blockchain of the high-profile crypto game Axie Infinity was hacked with a phishing scheme that involved fake LinkedIn job offers. Sky Mavis, the game’s developer, said its employees were targeted with fake job offers and even asked to appear for multiple rounds of job interviews. When the employees took the bait, hackers accessed their systems and made off with $625 million from Sky Mavis’ Ronin Network.
In September 2022, Wintermute, an algorithmic market maker, was hacked for $160 million, likely due to a weakness in private keys generated by the Profanity app. The hot wallet’s private key was exploited and used to drain the funds. Reports said flaws were previously detected in Profanity’s addresses, but the company didn’t take these reports seriously. A similar reason was reported behind the hack of Slope, resulting in a loss of $6 million for the company.
Smart contracts are programs stored on a blockchain that execute when certain predetermined conditions are met. In the case of Nomad, hackers were able to drain nearly $200 million from the bridge by discovering a misconfiguration in the primary smart contract that allowed anyone with a basic understanding of the code to withdraw funds.
Bridge standards are sets of rules that define how different blockchain networks can communicate with each other. By using multiple bridge standards at the same time, developers can offset weaknesses in one protocol with the strengths of another. Multi-sig technology, a committee bridge standard, and Zero Knowledge (ZK) are cryptographic standards that could be used in combination to provide additional layers of security.
Optimistic bridges assume that each transaction is valid and then incentivize additional participants to point out fraudulent transactions for a reward. The funds are only cleared after this challenge period has lapsed. This means that optimistic bridges are game-theoretically secure, but not mathematically secure.
When all is said and done, the best security is achieved by using a combination of standards. This way, if one bridge implementation experiences a bug or a security weakness, the other standards can still protect the network. As Köppelmann said, “Bridges are necessary to provide unfettered access to our multi-chain world, but we have to fortify these bridges in inventive ways to reduce points of attack.”
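The sketch below is an added example, not code from any bridge named in this article. It models a release gate that combines a committee (multi-sig style) quorum with the optimistic challenge period described above, so that a forged transfer approved by compromised committee keys is still blocked if a watcher challenges it in time. All names (`Bridge`, `Transfer`, `COMMITTEE`, `THRESHOLD`, `CHALLENGE_WINDOW`) and values are hypothetical, and approvals are modelled as validator ids rather than real signatures.

```python
from dataclasses import dataclass, field

# Constructed sample parameters (assumptions, not taken from any real bridge).
COMMITTEE = {"v1", "v2", "v3", "v4", "v5"}  # validator ids
THRESHOLD = 3                                # m-of-n committee quorum
CHALLENGE_WINDOW = 100                       # blocks a transfer must wait


@dataclass
class Transfer:
    tx_id: str
    amount: int
    submitted_at: int
    approvals: set = field(default_factory=set)
    challenged: bool = False


class Bridge:
    def __init__(self, source_chain_deposits):
        # (tx_id, amount) pairs that really exist on the source chain.
        self.source = set(source_chain_deposits)
        self.pending = {}

    def submit(self, tx_id, amount, approvals, now):
        self.pending[tx_id] = Transfer(tx_id, amount, now, set(approvals))

    def challenge(self, tx_id, now):
        """A watcher disputes a transfer. The challenge succeeds only while the
        window is open and only if no matching deposit exists on the source chain."""
        t = self.pending[tx_id]
        window_open = now < t.submitted_at + CHALLENGE_WINDOW
        if window_open and (t.tx_id, t.amount) not in self.source:
            t.challenged = True
        return t.challenged

    def can_release(self, tx_id, now):
        """Funds clear only if BOTH standards agree: committee quorum reached,
        challenge period elapsed, and no successful challenge recorded."""
        t = self.pending[tx_id]
        quorum = len(t.approvals & COMMITTEE) >= THRESHOLD
        window_over = now >= t.submitted_at + CHALLENGE_WINDOW
        return quorum and window_over and not t.challenged
```

A forged transfer that nobody challenges before the window closes is still released, which is the sense in which the optimistic model is game-theoretically rather than mathematically secure.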