Cryptoverse: Blockchain Bridges Fall in Troubled Waters

This chart taken on May 23, 2022 shows representations of cryptocurrencies Bitcoin, Ethereum, and Dash under water. REUTERS/Dado Ruvic/Illustration


Aug 9 (Reuters) – Another day, another hack – and another blockchain bridge burned.

When thieves stole $190 million from US crypto firm Nomad last week, the seventh hack of 2022 targeted an increasingly important cog in the crypto machine: blockchain “bridges”, strings of code that help move cryptocurrencies between different applications.

So far this year, hackers have stolen about $1.2 billion worth of crypto from bridges, according to data from London-based blockchain analytics firm Elliptic, more than double last year’s total.


“It’s a battle that no single cybersecurity company or program can win,” said Ronggui Hu, a computer science professor at Columbia University in New York and co-founder of cybersecurity firm CertiK.

“We have to protect many projects. For them (hackers) when they see a project and there are no bugs, they can move on to the next project until they find a weak point.”

Currently, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records crypto transactions. This causes projects using these coins to become siloed, reducing their chances for wider use.

Blockchain bridges aim to tear down these walls. Proponents say they play a fundamental role in “Web3”, a more exciting vision of a digital future where crypto is connected to online life and commerce.

Yet bridges can be the weakest link.

The Nomad hack is the eighth largest crypto heist on record. Other thefts from bridges this year include the $615 million theft from Ronin, which was used in a popular online game, and the $320 million theft from Wormhole, a so-called decentralized finance app.

“Blockchain bridges are very fertile ground for new vulnerabilities,” said Steve Bassey, co-founder and CEO of malware detector Poliswarm.

Achilles’ heel

Nomad and other companies developing blockchain bridge software have attracted support.

Five days before the hack, San Francisco-based Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global (COIN.O). Nomad CEO and co-founder Pranai Mohan calls its security model the “gold standard.”

Nomad did not respond to requests for comment.

It said it is working with law enforcement agencies and a blockchain analytics firm to track the stolen funds. Late last week, the bridge announced a reward of up to 10% for those who return hacked funds. On Saturday it said it had recovered $32 million in hacked funds so far.

“The most important thing in crypto is community, and our first goal is to recover bridged user funds,” Mohan said. “We will consider any party that returns 90% or more of exploited funds as white hats. We will not prosecute white hats,” he said, referring to so-called ethical hackers.

Several cybersecurity and blockchain experts told Reuters that the complexity of bridges represented an Achilles’ heel for projects and applications that used them.

“One of the reasons hackers have targeted these cross-chain bridges of late is because of the immense technical sophistication involved in building these types of services,” said Ganesh Swamy, CEO of Vancouver-based blockchain data firm Covalent, which stored some crypto on Nomad when the bridge was hacked.

For example, some bridges create versions of crypto coins that are compatible with different blockchains, keeping the original coins in reserve. Others are smart contracts, which automatically execute complex contracts.

The code in all of these can contain bugs or other flaws, leaving the door open to hackers.

Bug bounties

So how can the problem be solved?

Some experts say that audits of smart contracts can help protect against cyber-piracy, as well as “bug bounty” programs that encourage open-source reviews of smart contract code.

Others are calling for less concentration in control of bridges by individual companies, which they say will improve code resilience and transparency.

“Cross-chain bridges are an attractive target for hackers because they often use a centralized infrastructure, most of which lock down assets,” said Victor Young, founder and chief architect of American blockchain company Analogue.


Reporting by Tom Wilson in London and Medha Singh in Bangalore; Editing by Pravin sir


The views expressed are those of the author. They do not reflect the views of Reuters News, which is committed to integrity, independence and freedom from bias under the Principles of Trust.
