Cross-chain Bridging is Broken – But We Know How to Fix It
Kadan Stadelmann is Chief Technology Officer (CTO) of Komodo (KMD), an open-source decentralized blockchain and a major player in blockchain interoperability and atomic swap technology.
__________
2022 has shed light on issues in cross-chain bridge architecture
As of August 2022, crypto losses for the year total $2 billion, with 69% of the stolen funds coming from hacks of protocols that bridge different blockchains.
The cross-chain token bridge Nomad lost $190 million a few weeks ago to an exploit, and the Layer 1 bridging protocol Harmony Horizon lost $100 million to a hack in June.
Earlier this year, Ronin lost $650 million and Wormhole lost $325 million. The Wormhole hack was caused by a fake deposit exploit: attackers initiated a fake deposit and spoofed the validators into approving a withdrawal of the same amount.
What do these hacks have in common? All of these bridges used Automated Market Maker (AMM) technology. Here are three ways we can make cross-chain bridges more secure.
Step 1: Use peer-to-peer bridges instead of AMMs
The major hacks mentioned above could have been avoided if peer-to-peer (P2P) powered bridges had been used instead of AMMs, and here’s why. P2P bridges don’t rely on complex smart contracts or liquidity pools. They use atomic swaps and order books, making cross-chain swaps fully trustless and decentralized, with no intermediaries. Swaps are called “atomic” because for each order, either the trade completes and the two users exchange funds, or it does not complete and the original funds are returned to the two users.
AMMs use liquidity pools, which are essentially centralized pots of money that depend on smart contracts. The pools are the vulnerable element that can be hacked or rug-pulled. P2P bridges do not use pools, which means user funds are never exposed to these types of exploits.
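The all-or-nothing property described above, as an added example that is not Komodo’s code and not part of the original article: a Python model of an atomic swap built from hash time-locked contracts (the hash-lock/timelock mechanism is assumed here; the article does not detail how its swaps are constructed), showing that either both locks are claimed or both are refunded, never one without the other.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Htlc:
    """One hash time-locked output on a single chain (constructed model, not Komodo's code)."""
    amount: int
    hashlock: bytes          # sha256(preimage) the receiver must reveal to claim
    timelock: int            # block height at which the sender may reclaim the funds
    sender: str
    receiver: str
    spent_by: Optional[str] = None

    def claim(self, preimage: bytes, height: int) -> bool:
        # The receiver can claim only before the timelock and only with the right preimage.
        if self.spent_by or height >= self.timelock:
            return False
        if hashlib.sha256(preimage).digest() != self.hashlock:
            return False
        self.spent_by = self.receiver
        return True

    def refund(self, height: int) -> bool:
        # The sender can reclaim only once the timelock has expired and nobody has claimed.
        if self.spent_by or height < self.timelock:
            return False
        self.spent_by = self.sender
        return True


def atomic_swap(alice_claims: bool, height: int) -> Tuple[Optional[str], Optional[str]]:
    """Run one swap at block `height`; returns (owner of Alice's lock, owner of Bob's lock)."""
    secret = secrets.token_bytes(32)         # Alice's preimage, known only to her at first
    h = hashlib.sha256(secret).digest()
    # Alice locks 10 KMD for Bob behind a longer timelock; Bob locks 1 BTC for Alice behind a
    # shorter one, so Alice cannot wait for Bob's side to expire and then still claim his coins.
    alice_lock = Htlc(10, h, timelock=200, sender="alice", receiver="bob")
    bob_lock = Htlc(1, h, timelock=100, sender="bob", receiver="alice")
    if alice_claims and bob_lock.claim(secret, height):
        # Claiming publishes the preimage on Bob's chain, so Bob can now claim Alice's side.
        alice_lock.claim(secret, height)
    else:
        # Nobody claimed: once both timelocks have expired each party reclaims their own funds.
        refund_height = 300
        bob_lock.refund(refund_height)
        alice_lock.refund(refund_height)
    return alice_lock.spent_by, bob_lock.spent_by
```

Calling `atomic_swap(True, 50)` completes the trade, while `atomic_swap(False, 50)` or a claim attempted after Bob’s timelock (`atomic_swap(True, 150)`) leaves both parties with their original funds.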
Step 2: Pay attention to the number of validators for AMM bridges
If an AMM bridge must be used instead of a P2P platform, users should choose one with a higher number of validators.
A small group of validators is an easy target for hackers. The more validators a bridge has, the more decentralized and secure it is.
In the Ronin hack, the attackers took control of five of nine validators. They only had to compromise one person to get four validator keys from that device, and then compromise Axie DAO to get the fifth. Requiring only a few signatures provides little security, since there are not enough validators to ensure that the integrity of bridge transactions remains intact.
We need more validators on AMM bridges. Using a multi-signature wallet is crucial, but it doesn’t help if an attacker only needs to compromise two or three wallets.
Case in point: the Horizon Bridge attacker allegedly took control of the multi-signature wallet deployed in Harmony’s bridge. Because the bridge used a two-of-five multi-signature scheme, anyone with the private keys for two of those addresses could take control of the bridge.
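The point of Step 2, as an added example constructed here (not code from the article or from any of the bridges it names): a Python model of k-of-n withdrawal approval, plus a function that counts how many independent operators an attacker must compromise to reach the threshold, which is what made four keys on one device so cheap to attack. The key layouts and operator names are assumptions for illustration.

```python
from collections import Counter
from typing import Dict, Set


def approve_withdrawal(threshold: int, validators: Set[str], signers: Set[str]) -> bool:
    """A k-of-n bridge approval: only distinct, registered validator keys count toward k."""
    return len(signers & validators) >= threshold


def operators_needed(threshold: int, key_to_operator: Dict[str, str]) -> int:
    """Fewest distinct operators an attacker must compromise to collect `threshold` keys,
    assuming a compromised operator yields every key it holds (greedy, largest holders first)."""
    collected = 0
    for n_ops, (_, keys) in enumerate(Counter(key_to_operator.values()).most_common(), start=1):
        collected += keys
        if collected >= threshold:
            return n_ops
    return -1  # threshold exceeds the total number of keys; the bridge could never approve


# Constructed layouts, loosely modelled on the two incidents in the article; key and
# operator names are made up and the real deployments may have differed in detail.
RONIN_LIKE = {"k1": "op1", "k2": "op1", "k3": "op1", "k4": "op1",   # one operator holds four keys
              "k5": "dao", "k6": "op6", "k7": "op7", "k8": "op8", "k9": "op9"}
HORIZON_LIKE = {"k1": "opA", "k2": "opB", "k3": "opC", "k4": "opD", "k5": "opE"}
# The same 5-of-9 threshold with every key held by an independent operator.
DISTRIBUTED = {f"k{i}": f"op{i}" for i in range(1, 10)}

if __name__ == "__main__":
    print("ronin-like 5-of-9 needs operators:", operators_needed(5, RONIN_LIKE))      # 2
    print("horizon-like 2-of-5 needs operators:", operators_needed(2, HORIZON_LIKE))  # 2
    print("distributed 5-of-9 needs operators:", operators_needed(5, DISTRIBUTED))    # 5
```

The threshold alone says little: the 5-of-9 layout with one operator holding four keys is no harder to take over than a 2-of-5 scheme, while the same threshold spread over nine independent operators requires five separate compromises.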
Step 3: Use bridges that have received professional audits
Project developers should take extra precautions and commission audits before deploying a bridge. Developers can use real-time threat monitoring solutions to stop, or at least mitigate, the impact of hacks. Audit firms also guide developers in the right direction and advise on what changes need to be made before applications are deployed. Before deploying new smart contracts, it is important to battle-test them and be aware of the different attack vectors.
Users should do their research and move funds only through bridges that have been audited by credible firms, and read the audit reports to learn which problems were found and resolved.
Audit firms typically review the project’s smart contract, which contains the code that interacts with the blockchain and its cryptocurrency, to find the most glaring flaws. They pay particular attention to the stability and efficiency of the contract. Auditors can also review the project team’s financial records, including cryptocurrency trading history, bank statements, credit card payments, loan payments, college tuition, and insurance payments.
The goal is to increase the security, privacy and usability of the blockchain ecosystems.
Practice digital security
There are five best practices anyone can use to improve their digital security.
- Periodically erase your devices or switch to a new device.
- Use cutting-edge security like hardware wallets and two-factor authentication apps/devices.
- Isolate your device environments: do not use the same device for work tasks, such as downloading files, and for financial apps.
- If you have enough technical expertise, always validate every file or crypto transaction.
- If you’re not an expert, hire a whitehat hacker who is.
Weaken the power of the hacker
The main security measures users should follow are to know the type of bridge you are trading on and, where possible, to use P2P bridges over AMMs. If using an AMM bridge, research the number of validators required to secure a transaction before trusting the bridge, and look for professional audits.
In 2020, just two years ago, there was around $4 billion in crypto; now all cryptocurrencies in existence are worth around $1 trillion.
We will continue to see more money circulating through the crypto ecosystem, so it is important to put security protocols in place for users to actively protect their funds. This will allow the blockchain industry to have a solid foundation to build on for years to come.