Blockchain analytics firm Chainalysis says cross-chain bridges, which allow the transfer of assets between independent blockchains, are among the highest-risk protocols in the blockchain industry for scams and bad actors.
Chainalysis in a new report estimates that US$2 billion worth of cryptocurrency has been stolen from cross-chain bridges across 13 attacks so far this year, accounting for 69% of all stolen funds during that time.
This includes last week’s US$191 million hack of cross-chain bridge Nomad, which was attacked from more than 300 addresses that exploited a software update on the protocol.
“We’ve been looking at these bridges as a point of vulnerability for quite a while,” said Erin Plante, senior director of investigations at Chainalysis, in an interview with Forkast. The Nomad exploit placed additional scrutiny on these bridges that were already under examination, she said.
Cross-chain bridges were once considered the solution to interoperability between blockchains in the crypto industry, but as the protocols continue to seem vulnerable to hacks and attacks, that view is beginning to change.
“[Cross-chain bridges] are proving to be an attractive target for hackers because they’re a single point where funds move together and they have to be backed by other assets,” said Plante, likening the storage of funds on these protocols to that of a bank — a centralized storage facility that is a high-value target for bad actors.
In the spirit of decentralized finance (DeFi), much of the code underlying these protocols is open-source or made publicly available. This helps build trust within communities, but also opens the door for bad actors to scour the code for vulnerabilities — which is what happened with the Nomad hack, Plante said.
“There is a need for the community to come together and look at code in a way that allows it to be audited and allows it to be protected from these vulnerabilities,” said Plante, explaining that more third-party auditing of code needs to be completed before projects are released.
While the Nomad hack exploited a software update, there are other methods for hacking these protocols.
Bad apples
In March, US$620 million was stolen from the Ethereum sidechain Ronin, the network that the play-to-earn giant Axie Infinity runs on, while more recently US$100 million was stolen from Harmony Protocol’s Horizon cross-chain bridge.
It is believed that the North Korean state-backed Lazarus Group was responsible for both attacks, which Plante said were carried out with simple phishing attacks, gaining access to user passwords and private keys.
Chainalysis estimates that state-backed North Korean hackers are responsible for more than US$1 billion worth of cryptocurrency stolen from bridges and other DeFi protocols this year.
The frequency and value of these hacks are shining a spotlight on the vulnerabilities, Plante said, but that needs to be followed by actions to protect investors.
This will include cooperation among nations to impose stricter sanctions on rogue states, as well as global financial institutions becoming more aware of their role in addressing downstream money laundering, Plante said.
“I expect we’re going to see a period of time where it gets worse,” she said. “There’s a lot of focus on this issue right now, which is good, and we need that focus. But there is a lot of work to do.”