Bridge Security in Blockchain | QuillAudits
Table of Content:
- What is Blockchain Bridge?
- Why do we need Bridges?
- How does a bridge work?
- How Bridges are Hacked.
- Top Bridge hacks-2022.
- Securing Bridges.
What is a Blockchain Bridge?
Cross-chain bridge is a technology that allows communication between two separate blockchain networks like transferring and swapping assets, calling functions in contracts from other blockchains, and more. In other words, bridges allow users to transfer their assets from one network to another. For example, Basically, if you have bitcoin but want to spend it like Ethereum, you can do that through the bridge.
Basically, Bridges are of two types:
- Custodial or Centralized Bridge.
- Non-custodial or Decentralized Bridge.
In this blog we will be talking about Non-Custodial bridges that operate in a decentralized manner, relying on smart contracts to manage the crypto locking and minting processes, removing the need to trust a bridge operator.
Why do we need Bridges?
The inability to work together is one of the biggest problems of blockchain. Each blockchain is limited by the walls of its own domain. This can lead to blockage or high transaction costs. Blockchain bridges provide solutions for this problem by enabling data exchange, smart contracts, token transfers, and instructions between two independent platforms and other feedback.
- Efficiency. Users can make and receive micro-transfer quickly and without paying high transaction fees, enabling better gaming and eCommerce experiences. For Example, User can bridge their token from Ethereum to Polygon so as to enjoy much lower transaction fees.
- Cross-chain collateral. Bridges enable users to transfer digital assets from a blockchain that holds significant value but few dapps of its own, such as Bitcoin, to one that has a developed DeFi ecosystem, like Ethereum, and a need for additional liquidity.
- Access to Other Chain DeFi Products: Bridge helps the user to use the DeFi products which aren’t available in the Native chain. For example, let’s assume there is XYZ Project on Polygon that provides 20% APY on USDC, but the user has assets in the Ethereum chain, In this case, the user can bridge tokens to enjoy benefits.
- Scalability: Bridges designed for high transaction volumes enable greater scalability, without forcing developers and users to give up the liquidity and network effect of the original chains. This is particularly important as congestion issues persist on Ethereum ahead of the full rollout of Ethereum 2.0.
How do Bridges work?
Sending assets to Another Chain:
Let’s take an example where Alice wants to transfer 100 USDC from Ethereum Network to Polygon Network.
- Alice deposits 100 USDC to the Bridge contract on Ethereum.
- The USDC Token is then locked in the Bridge contract, and the Bridge contract communicates to another Bridge contract on Polygon Network.
- The Bridge contract on Polygon Network Network mints 100 USDC(wrapped version) in Polygon Chain and transfers to Alice’s account on Polygon Chain. In this way, Alice successfully transfers 100 USDC from Ethereum Chain to Polygon Chain.
Withdrawing assets back to the Original Chain:
The above example shows how Alice transferred 100 USDC from Ethereum Network to Polygon Network. Now, Alice wants to withdraw it back to Ethereum Network.
- Alice sends 100 USDC to the Bridge contract in Polygon Network, here the bridge burns the tokens and communicates to the bridge contract on Ethereum Chain.
- The Bridge contract verifies the withdrawal transaction. Then the contract unlocks the USDC tokens, which were at first deposited by Alice, and finally transfer back the tokens to Alice’s address on Ethereum.
How Bridges are Hacked?
- Fake Events: Often, a cross-chain bridge will monitor for deposit events on one blockchain to initiate a transfer to the other. If an attacker can generate a deposit event without making a real deposit or by depositing with a valueless token, then they can withdraw value from the bridge at the other end.
- Message Verification Bug: Cross-chain bridges perform validation of a deposit or withdrawal before actually performing any transfers. There have been many instances in the past where lack of proper validation of signature leads to millions of dollars hacks. Recently BSC chain was attacked because of a similar bug and a total of 576 Million was withdrawn by hackers.
- Lack of cross-contract access control in blockchain bridges: It is important to have access control validations on critical functions that execute actions like modifying the owner, transfer of funds and tokens, pausing and unpausing the contracts, etc.
- Validator Takeover: Some cross-chain bridges have a set of validators that vote whether or not to approve a particular transfer. If the attacker controls most of these validators, they can approve fake and malicious transfers. This is what happened to these validators in the Ronin Network hack, where the attacker took over 5 of the bridge’s 9 validators.
- Admin Private Key Leak: If the admin key of the smart contract is leaked, all the funds and operation of the smart contract will be at great risk. Recently, the Harmony bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies.
Top Bridge Hacks — 2022:
1. BSC Bridge: $568M:
On 7th October 2022, an exploit was affecting the native cross-chain bridge called “BSC Token Hub”. The bug was in the proof verifier of the bridge. A total of 2 million BNB was withdrawn and Binance temporarily paused BSC Network to prevent further damages. Funds taken off BSC are estimated between $100M — $110M.
Further Reads: https://blog.quillhash.com/2022/10/11/the-million-dollars-bsc-token-hub-bridge-hack-analysis/
2. Nomad attacks: $200M:
Back in August, hackers exploited Nomad to steal around $200 million. The main cause of the attack was that Nomad’s smart contract failed to properly validate the input of the transaction.
Further Reads: https://sm4rty.medium.com/nomad-bridges-200-million-exploit-postmortem-9d1cd83db1f7
3. Harmony Bridge: $100M:
On June 2022, The Harmony Horizon bridge was exploited via the theft of two private keys. The attack resulted in a theft of roughly $100 million in various cryptocurrencies, including Wrapped Ethereum (WETH), AAVE, SUSHI, DAI, Tether (USDT), and USD Coin (USDC). The attacker then used Tornado Cash to launder many of the stolen tokens.
Further Reads: https://medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66
4. Ronin Bridge: $600M:
In March 2022, a huge hack was carried out at Ronin Network, the Ethereum-based sidechain for the well-known cryptocurrency game Axie Infinity. The attackers stole approximately 173,600 ETH and 25.5 million USDC for a total value of approximately $624 million.
The attacker allegedly used hacked private keys to fabricate bogus withdrawals from the Ronin bridge contract in two transactions.
Further Reads: https://blog.chainalysis.com/reports/axie-infinity-ronin-bridge-dprk-hack-seizure
5. Poly Network: $600M
On 10th August 2021, Poly Network suffered from a hack that caused a loss of over 600 million dollars. The hack happened across multiple blockchains including Ethereum, Binance Smart Chain, and Polygon. This is the largest crypto hack yet.
Further Reads: https://mudit.blog/poly-network-largest-crypto-hack/
6. Wormhole Bridge Hack: $320M
On February 2nd, 2022, Wormhole Bridge was hacked for 120,000 wETH worth $320M. The hacker exploited the vulnerability in the smart contract and minted new tokens. After the hack, The Wormhole network was taken down to patch the vulnerability.
Further Reads: https://rekt.news/wormhole-rekt/
Securing Cross-Chain Bridges:
With all these significant hacks happening so frequently and in such a close amount of time, it should be obvious that security is urgently needed. Once something is on the blockchain, it is permanent and accessible to anyone. So if there’s a flaw in the bridge, you can guarantee that the hackers will exploit it.
These Projects should focus more on security to minimize the risk of being exploited. It can be done through:
- Security Audits: Performing Security audits of these Smart Contracts can minimize the risk of being exploited. We at Quillaudits, scan for vulnerabilities present in the system by running various test cases. We also conduct manual testing to verify the code for its intended use case.
- Bug bounty Program: Projects can host their own bug bounty program or integrate with Bug Bounty Platforms like Immunefi or Hackerone. It adds an extra layer of security for the projects.
- Insurances: An insurance fund would greatly help alleviate damages in the event of an exploit and could set users’ minds at ease knowing that they have coverage.
References:
https://cryptonews.net/news/security/14076221/
https://ethereum.org/en/bridges/
Bridge Projects Secured by QuillAudits:
Web3 security- Need of the hour
Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.
Want more Such Security Blogs & Reports?
Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram
Partner with QuillAudits :
- Affiliate program ( Refer and secure web3 )
- QuillAudits Partnership Programme ( Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products )