After Latest Crypto Bridge Hack, Industry Participants Call for Tightened Security


  • Bridge protocols are popular targets for hackers as the blockchain-to-blockchain solutions grow in popularity and usage
  • Web3-oriented protocols may need to begin deploying tried-and-true Web2 cybersecurity measures, a specialist told Blockworks

In 2022’s latest hack of a crypto bridge, Nomad lost more than $190 million after a routine upgrade allowed nefarious actors to skip verification messages.

Crypto bridges enable transactions between different blockchains without a third party to facilitate the exchange. The Nomad hack is now the third-largest bridge hack this year, behind Wormhole, where hackers drained $325 million in February, and Ronin, where $625 million was stolen from its blockchain in March.

The Nomad hack stemmed from an implementation bug rather than from transactions going awry, said Dmitriy Berenzon, a research partner at early-stage token fund 1KX.

“The attack didn’t come from transactions that went over the bridge, it’s an exploit of the contracts on Ethereum — it’s more issues in the code itself, rather than the theoretical security model,” Berenzon told Blockworks. “This is unlike the other hacks we’ve seen where the actual Root of Trust (RoT) is compromised.”

Cryptographic systems depend on RoT to secure operations. A compromised RoT implies that the keys to encrypt and decrypt data on the hardware are broken.

Blockchain bridges have become popular targets for crypto-savvy hackers, namely because of the complexity of their underlying smart contracts. Such vulnerabilities have drawn criticism from the likes of Ethereum founder Vitalik Buterin, who previously said bridges have “fundamental security limits” that make him pessimistic about cross-chain applications.

“The scariest part about bridged assets is the domino effects in the unhappy case,” Berenzon said. “Assets are used and integrated into different protocols, and if there is an issue with one bridge, it can get wrapped into another bridge — so, you have a cascading systemic risk that is potentially hard to unwind.”

As an example of asset integration, suppose you hold ether that you want to move to Polygon to leverage its cheaper gas fees: you would send your ETH to a bridge address on the Ethereum blockchain. Once your deposit is received, your ETH will become “wrapped,” making it compatible with Polygon and easier for you to perform transactions on the layer-2 network.

It’s impossible to mitigate risk completely, Berenzon said — but minimizing loopholes as bridges grow in usage is paramount.

Hugh Brooks, a product director at blockchain security firm CertiK, said bridges are going to take on an increasingly larger role as developers, envisioning a multichain future, are no longer content to build on a single blockchain.

Rather, Brooks said, the Web3 ecosystem ought to benignly deploy Web2 cybersecurity attitudes.

“We need to have a full security mindset and to be testing at each step of the way,” Brooks told Blockworks. “If [Nomad] had a response team in place to respond to the hacks, they might have been able to shut it down or execute a hack themselves to prevent others from taking that money. Although there were white hackers who did intervene, you’re not always going to be able to rely on the community for these kinds of incidents.”




  • Bessie Liu

    Blockworks

    Reporter

    Bessie is a New York-based crypto reporter who previously worked as a tech journalist for The Org. She completed her master’s degree in journalism at New York University after working as a management consultant for over two years. Bessie is originally from Melbourne, Australia.
