If 2018 was the Year of the Hack for centralized crypto exchanges, 2019 seems to be the Year of the Hack for decentralized blockchain bridges.
A new blog post from the crypto analytics firm Chainalysis says that cross-chain hacks stole more than $1.9 billion in the first half of 2022.
Cross-chain bridges have been getting a lot of bad press in the past few weeks because of how weak they are. At their core, bridges let users trade one token for another, like BNB (Binance's token) for ethereum. Bridges are the key to making more blockchains work together.
"It's very important to have that interoperability," says Kim Grauer, who is in charge of research at Chainalysis.
But for bridges to work, they need to hold a lot of both types of tokens. Because they have so much money, hackers are drawn to them. Grauer says that bridges "let blockchains talk to each other." "But we've also made these traps for bad people to fall into."
"That storage point becomes a target," she says. "It doesn't matter if the funds are locked up in a smart contract or with a central custodian."
Their weakness could also be because DeFi is growing too quickly and too much. Amit Dar, who is the senior director of strategy at the cybersecurity company Active Fence, says that cross-chain bridges are "kind of an afterthought."
"Effective bridge design is still a technical problem that hasn't been solved," Grauer says. "Many new models are being made and tested."
Still, the bridges have become important parts of decentralized finance, and as long as they are vulnerable, hacks will also be common.
"The promise of DeFi was that we could have trustless finance," says Sam Williams, CEO of Arweave, a blockchain start-up behind the permaweb, which aims to save Internet content. "But instead, people have trusted the marketing and, after that, the code without checking it."
As DeFi grows, what Grauer calls this "painful lesson" is costing users more money than ever before. In the first half of this year, there were 58% more thefts than in the same half of 2021. "This trend doesn't look like it will change any time soon," the report says. In fact, the blockchain bridge Nomad had $190 million stolen from it at the beginning of August, after the deadline for the report.
Chainalysis's mid-year crypto crime update says that most cross-chain hacks this year have been caused by bugs in the code. Like all DeFi apps and uses, bridges are open-source projects made by developers and changed by programmers. The whole code for bridges is available on GitHub, a service that hosts open code and lets anyone check it for flaws.
Open source supporters say that this is the key to building a community and getting rid of centralized power. But it has two sides to it. Evil people also look at the code, just like developers, users, and communities do. They can easily find bugs or flaws and use them to take advantage of the bridge. In an earlier report, Chainalysis found that nearly half of the value stolen from DeFi in the first quarter of the year was due to code exploits. Forbes was told by Chainalysis that the company does not yet have the data for Q2.
Some of the biggest blockchain bridge hacks of the year have also been caused by code exploits. These include Ronin, Wormhole, Harmony, and now Nomad. All of these hacks were made possible by exploits that used holes in the code to get validator nodes to approve the thefts.
Williams says that hackers are finding flaws in the software that can be used on every node. The history of transactions in a blockchain is checked and confirmed by a group of computers called "nodes." When hackers find a bug or hole in the code, they can use it to change some functions on every node.
The Nomad hack was caused by a bad update, according to a Twitter thread by samczsun, a research partner and head of security at the crypto research firm Paradigm. Before the hack, the blockchain bridge held cryptocurrencies worth $197 million.
During a routine update, the code was changed so that every message, and thus every transaction, would be automatically approved. Then, hackers didn't have to change any of the code. All they had to do was find a transaction that had already worked, change the address, and rebroadcast the information to steal the money.
"Attackers took advantage of this to copy and paste transactions and quickly drained the bridge in a mad scramble," he wrote on Twitter.
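A simplified model of the failure described above, added here as an illustration; it is not Nomad's code and not from the original article. It assumes one way a "everything is approved" condition can arise: a routine update registers the default (all-zero) root as trusted, and messages that were never proven read back as that same default. The `Replica` class, `ZERO_ROOT`, `GOOD_ROOT` and the message strings are hypothetical and constructed.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32                      # value an unset slot reads as (assumption)
GOOD_ROOT = hashlib.sha256(b"constructed root").digest()  # constructed sample

class Replica:
    """Toy bridge inbox; hypothetical names, not any real contract's API."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.trusted_roots = set()
        self.proven = {}         # message digest -> root it was proven under
        self.processed = set()   # digests already paid out (replay guard)

    def trust_root(self, root):
        # Hardened: never register the default sentinel as a trusted root.
        if self.hardened and root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.trusted_roots.add(root)

    def prove(self, message, root):
        # Stand-in for Merkle proof verification, which is out of scope here.
        self.proven[hashlib.sha256(message).digest()] = root

    def process(self, message):
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False
        if self.hardened and digest not in self.proven:
            return False         # explicit "was this ever proven?" check
        # Unproven messages fall back to ZERO_ROOT, like an unset mapping slot.
        root = self.proven.get(digest, ZERO_ROOT)
        if root not in self.trusted_roots:
            return False
        self.processed.add(digest)
        return True

def run_scenario(replica, initial_root):
    """Return (proven message accepted, unproven variant accepted)."""
    replica.trust_root(initial_root)   # the routine update step
    replica.trust_root(GOOD_ROOT)
    proven = b"transfer:100:recipient=0xAAAA"     # constructed
    unproven = b"transfer:100:recipient=0xBBBB"   # same body, address changed
    replica.prove(proven, GOOD_ROOT)
    return replica.process(proven), replica.process(unproven)

if __name__ == "__main__":
    print(run_scenario(Replica(hardened=False), ZERO_ROOT))  # (True, True)
    print(run_scenario(Replica(hardened=True), GOOD_ROOT))   # (True, False)
```

The hardened variant shows two independent checks a reviewer or regression test can assert on: the default sentinel can never become a trusted value, and a message must have an explicit proof record before it is processed.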
So what comes next for DeFi? Mimi Idada, a founding partner at Open Web Collective, a blockchain incubator and venture fund, says that blockchain bridges should take advantage of open source. "So, here's a beautiful story about some bad guys in black hats who are up to no good," she says. "But when we get a sense of it and know what's going on, we can actually ask our community, the other developers, to help us get some of that money back before it's all gone."
In the case of Nomad, hackers with good intentions used the same method as the thieves to return some of the money to the bridge. Etherscan.io data shows that over $36 million has been sent to the blockchain bridge's recovery wallet address, even though Nomad only has $90,000.00 in cryptocurrencies right now. Nomad also put up a 10% reward for anyone who brought back at least 90% of the money.
Grauer says that more attacks will force DeFi to "raise the bar" in terms of security, even if the hackers are good.
She says, "God knows how many bugs are in the code that aren't checked by the whole possible population every second."