- >News
- >Why Are Cross-Chain Cryptocurrency Bridges So Vulnerable to Attack?
Why Are Cross-Chain Cryptocurrency Bridges So Vulnerable to Attack?
Vitalik Buterin predicted last week’s $625 million Ronin hack. Okay, he didn’t really, but the Ethereum founder laid out fundamental concerns regarding the security of cross-chain bridges in a Reddit post from January, arguing that they remain inherently vulnerable to attacks.
While the particular weakness he outlined wasn’t exploited in the Ronin incident, his cautious views were nonetheless vindicated, if only because Ronin’s vulnerabilities ended up becoming the vulnerabilities of other platforms.
And in fact, it’s not easy to find other examples supporting Buterin’s pessimistic view of cross-chain security, with the $300 million Wormhole hack from earlier in the year also causing damage to the chains it connected. The semi-regularity of bridge hacks now begs the question of why cross-chain platforms are apparently more vulnerable than the layer-one blockchains they connect.
Cross-chain bridges are inherently vulnerable for two main reasons.
Firstly, bridges simply increase the attack surface available to would-be hackers, adding a complexity to the cryptocurrency ecosystem that widens the scope of exploits.
Secondly, many are built in a fundamentally different way from the blockchains they bridge, with the lack of a bigger development community meaning that code isn’t scoured as widely and as carefully for potential bugs.
On top of this, as Buterin pointed out, they increase overall risk for the cryptocurrency ecosystem as a whole, since they risk spreading the vulnerability (or vulnerabilities) of one platform to numerous others.
The Ronin Hack: What Happened and Why It’s a Perfect Example of Cross-Chain Security Concerns
The recent Ronin hack was the result of a combination of factors, some of which were unfortunate, and some of which speak to the inherent weaknesses of cross-chain bridges.
The unfortunate element is that the hackers appeared to have pulled off some good-ol’ fashioned social engineering. In other words, they successfully phished someone involved with Ronin for private encryption keys used to validate transactions on the bridge.
Source: Twitter
However, despite the element of “human error” and bad luck involved in the attack, Ronin’s architecture made it easier for the hackers to validate fraudulent transactions once they had obtained the private key.
Most fatally, Ronin operated using only nine (yes: 9) validator nodes, with transactions approved whenever at least five of these nodes signed them. Thanks to the earlier phishing attack, the hackers were able to gain control of four Sky Mavis validators and one third-party validator run by Axie DAO. That the attackers could gain control of the latter resulted from the fact that Axie DAO had, in November, “allowlisted” Sky Mavis validators to sign transactions on its behalf. So all the cybercriminals needed to do, actually, was gain control of the four validators controlled by Sky Mavis, the company behind Ronin and Axie Infinity (which Ronin bridges to Ethereum).
This was basically all the hackers needed to do. It’s arguably shocking that the hack was so easy, yet what’s also shocking is that, despite actually occuring in December, Sky Mavis didn’t become aware of what had happened and was happening until late March. This arguably illustrates how bridges are almost secondary concerns within the cryptocurrency ecosystem, afterthoughts that receive substantial attention only when they cause problems.
It’s also worth pointing out that, in a follow-up tweet, Ronin acknowledged that having so few validators for Ronin was a big mistake. Indeed, it tweeted that the “root cause of our attack was the small validator set which made it much easier to compromise the network.”
Source: Twitter
This serves as an almost paradigmatic example of why cross-chain bridges are more vulnerable to attacks than the layer-one blockchains they connect. That is, they are much less decentralized, and they benefit from much less auditing and monitoring. Together, these two failings mean that whenever a hacker wants to steal, say, some ethereum, they’re probably much better off looking at a bridge rather than at Ethereum itself.
Hacking Bridges is the New Black
This account is supported by other cross-chain bridge hacks. For example, the Wormhole exploit from earlier this year resulted from a bug/coding loophole that allowed hackers to create a fake signature set, which in turn allowed them to sign transactions minting some 120,000 ETH. The hack was obviously a little more complicated than this, but the point is that the attackers were able to identify a gap in Wormhole’s design that hadn’t been picked up by the bridge’s developers.
And why hadn’t Wormhole’s developers noticed the flaw and done something about it? Well, it’s interesting to note — and perhaps not at all surprising — that in contrast to, say, Solana and Ethereum, not that many developers work on Wormhole. Its GitHub page currently records 1,756 commits and 33 contributors, while the figures are 18,257 and 312 for Solana. As for Ethereum, it counts over 250 different GitHub repositories: the biggest, Solidity (its programming language), has 22,089 commits and 476 contributors, while the third-biggest, Go Ethereum (an implementation of Ethereum), has 13,243 commits and 729 contributors.
Basically, the number of developers working on Ethereum as a whole is large, which accounts for why it, unlike the many bridges attached to it, hasn’t suffered a really significant hack. The opposite applies to Wormhole and Ronin, as well as the other bridges that have been hacked in recent memory, including Qubit, Poly Network, and Meter.io Bridge. These are relatively small operations, yet because they offer an entrypoint into the wider cryptocurrency ecosystem, they all have large dollar values hanging over their figurative heads as far as hackers are concerned.
This latter point is important in understanding why bridges are disproportionately targeted by cybercriminals. They basically have a very high payoff-to-hacking difficulty ratio, meaning that they’re easier than most layer-one blockchains to hack but still offer a route to stealing big money.
Will Bridges Ever Improve?
While it’s arguable that things may always stay this way, at least some cross-chain bridges are making efforts to improve their security practices. Wormhole, for instance, launched a bug bounty program soon after its hack came to light, while Poly Network did exactly the same in August. Some of these programs are better than others, however, because while Wormhole’s program seems relatively open-ended, Poly Network’s has a total bounty fund of only $500,000. It’s therefore possible that we’ll continue seeing issues in some of the smaller, less well-funded and well-supported bridges.
And more generally, it’s worth revisiting Vitalik Buterin’s argument cited above, and consider his central point that bridges expose relatively secure platforms — and (most importantly) their native tokens — to the vulnerabilities of those that are less secure. This is the fundamental issue with cross-chain bridges, and it’s not one that’s going away. So even if some of the better bridges may improve their security practices in the coming months, expect cross-chain bridge hacks to continue on a semi-regular basis for the foreseeable future.
