Risks of Cross-Chain Bridges (2024)

Risks of Cross-Chain Bridges (2)

In our previous article, we explored the prevalent bridge designs and gave guidance on selecting the most suitable bridge for a specific purpose.

Despite the benefits that Cross-Chain Bridges bring in solving the interoperability challenge of the blockchain space, they face challenges of their own, particularly the risks associated with them.

Bridges are attractive targets for hackers because most often there is a single storage point where assets are held. This vulnerability stems from the design of some commonly used bridge architectures, such as the lock and mint design, where assets are locked within a smart contract to mint tokens on the destination chain.

In addition, the bridging process often involves burning and minting tokens, which presents another point of attack for hackers.

1. Smart Contract Risks

Similar to other Dapps, Cross-Chain Bridges are also exposed to smart contract risks.

As mentioned above, the assets locked in bridges’ smart contracts undoubtedly appear to be honeypots for hackers. If a smart contract is poorly coded or has not undergone rigorous audits, there is a higher chance of it having loopholes that hackers could exploit. For example, the Nomad bridge suffered a hack in August 2022 resulting in an estimated loss of $22 million due to a loophole in its smart contract, which allowed the attacker to drain the locked assets.

2. Centralisation

In the last article, we discussed the three key components of a Cross-Chain Bridge (i.e. source chain, destination chain and the middleman). The middleman is the component that fundamentally distinguishes bridges by their mode of operation and by whether they are centralised or decentralised.

When the middleman is centralised, it implies that there is a single entity or a small group of administrators. These administrators are responsible for holding the assets deposited on the source blockchain and for managing the burning and minting of tokens.

This poses a potential threat to users’ funds, as the administrators or insiders can steal the funds in custody or mint new tokens without deposits.

One way to make it less centralised is to use a group of trusted relayers as the administrators, thereby distributing responsibilities. Additionally, these relayers are required to stake tokens before they can become relayers. If they engage in malicious activities, they face the risk of having their tokens slashed as a consequence.

3. Poor Liquidity

We covered the liquidity pool bridge design last time, where the bridge owns native token pools on chain A and chain B, thereby enabling users to receive tokens on the destination chain without the use of wrapped tokens.

However, the bridge has to ensure that there is sufficient liquidity on both the source and destination chains for a seamless bridging experience for users.

This is more challenging for decentralised bridges, as users typically have lower incentives to have their funds locked on blockchains. Consequently, users may find swapping assets difficult, which undermines the usefulness of bridges.

4. Compromised Private Key

Private keys are cryptographic keys that grant control and ownership of tokens. If the keys of bridges are not adequately protected, it may lead to theft of assets.

In June 2022, the Harmony Horizon bridge had its private keys compromised, resulting in $100 million worth of assets being stolen.

The bridge has 5 validators; however, it uses a 2-out-of-5 validation scheme, which means hackers only have to gain access to 2 validators to approve malicious transactions. During the event, the hacker was able to decrypt the private keys of two validators and so perform the malicious action of extracting $100 million from the bridge.

After the attack, the multi-signature scheme was updated to require approval from 4/5 instead of 2/5 validators.

Another hack that is similar in nature was one of the largest DeFi hacks: the victim, Ronin Network, lost approximately $624 million in an exploit where the attacker gained control of 5 out of 9 of the validators to generate signatures authorising two transactions, draining 173,600 ETH and $25.5 million USDC from the bridge.

5. Validator Exploits

In February 2022, there was a staggering exploit which cost the Wormhole bridge $321 million. The Wormhole bridge is a bridge that connects Ethereum and Solana.

We mentioned the administrators who are responsible for minting and wrapping tokens. In this event, the hacker was able to mint 120,000 Ether on Solana without depositing to Ethereum.
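A defender can watch for this class of failure by reconciling mint events on the destination chain against lock events on the source chain. The following is an added example, not code from the original article or from any bridge named here; the event shapes, field names and sample data are constructed for illustration.

```python
from collections import namedtuple

# Assumed, simplified event shapes; real bridges emit chain-specific logs.
Deposit = namedtuple("Deposit", "deposit_id amount recipient")  # lock on source chain
Mint = namedtuple("Mint", "deposit_id amount recipient")        # mint on destination chain

def reconcile(deposits, mints):
    """Compare mints with deposits for one asset.

    Returns (alerts, locked_total, minted_total). Amounts are integers in
    the asset's smallest unit so that comparisons are exact.
    """
    by_id = {d.deposit_id: d for d in deposits}
    seen = set()
    alerts = []
    for m in mints:
        d = by_id.get(m.deposit_id)
        if d is None:
            alerts.append(("MINT_WITHOUT_DEPOSIT", m))   # nothing was locked
        elif m.deposit_id in seen:
            alerts.append(("DEPOSIT_REPLAYED", m))       # one lock, several mints
        elif (m.amount, m.recipient) != (d.amount, d.recipient):
            alerts.append(("MINT_MISMATCH", m))          # wrong amount or payee
        seen.add(m.deposit_id)
    locked = sum(d.amount for d in deposits)
    minted = sum(m.amount for m in mints)
    if minted > locked:
        # Core lock-and-mint invariant: wrapped supply never exceeds collateral.
        alerts.append(("SUPPLY_EXCEEDS_COLLATERAL", minted - locked))
    return alerts, locked, minted

# Constructed sample events (not taken from any real incident).
SAMPLE_DEPOSITS = [Deposit("d1", 10, "alice"), Deposit("d2", 5, "bob")]
SAMPLE_MINTS = [
    Mint("d1", 10, "alice"),     # backed by d1
    Mint("d2", 5, "bob"),        # backed by d2
    Mint("d2", 5, "bob"),        # second mint against the same deposit
    Mint("d9", 120_000, "eve"),  # references a deposit that does not exist
]

if __name__ == "__main__":
    alerts, locked, minted = reconcile(SAMPLE_DEPOSITS, SAMPLE_MINTS)
    print(f"locked={locked} minted={minted}")
    for kind, detail in alerts:
        print(kind, detail)
```
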

MES Protocol’s Cross-Chain Bridge adopts the liquidity pool model design. By omitting the lock and mint mechanism, it removes threats like stolen locked assets and minting tokens without depositing, so traders on MES are exposed to fewer risks.

The equivalent of locked assets in MES would be the assets deposited into liquidity pools, which means liquidity providers are exposed to the smart contract risks mentioned.

To address that, MES has implemented a corresponding security measure: Permissionless Withdrawal.

The model used to enable that is called the Validium model, which introduces a Merkle Tree design that allows users to submit a state root to withdraw funds from the smart contract, even in the case where all operators of MES are down.
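How a Merkle tree lets a contract check a withdrawal with no operator online, as an added example that is not MES Protocol's contract code: the user presents a balance and a Merkle proof, and the check recomputes the committed state root from them. SHA-256, the leaf encoding, the padding rule and all names below are assumptions made for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(account, token, balance):
    # Assumed leaf encoding. The 0x00/0x01 prefixes keep leaf hashes and
    # inner-node hashes in separate domains.
    return h(b"\x00" + f"{account}|{token}|{balance}".encode())

def node(left, right):
    return h(b"\x01" + left + right)

EMPTY = h(b"\x00")  # padding leaf used to fill the tree to a power of two

def build_levels(leaves):
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [EMPTY] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels  # levels[-1][0] is the state root

def prove(levels, index):
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return proof

def withdraw(state_root, spent, account, token, balance, proof):
    """Approve only a balance that is in the committed state and unspent."""
    acc = key = leaf(account, token, balance)
    if key in spent:
        return False              # this leaf has already been withdrawn
    for sibling, sibling_is_left in proof:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    if acc != state_root:
        return False              # claimed balance is not part of the state
    spent.add(key)
    return True

# Constructed sample state: (account, token, balance in smallest unit).
BALANCES = [("alice", "USDC", 500), ("bob", "ETH", 3), ("carol", "USDC", 42)]
LEVELS = build_levels([leaf(*b) for b in BALANCES])
STATE_ROOT = LEVELS[-1][0]
```

Only the root has to be stored on-chain; the proof grows with the logarithm of the number of accounts, and the `spent` set stands in for whatever record prevents the same leaf from being withdrawn twice.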

2022 was the biggest year of crypto theft, with over $3.7 billion of crypto stolen. Notably, approximately $2 billion of that amount came from cross-chain bridge hacks.

In 2023, the overall value of crypto exploits dropped by more than 50% to around $1.7 billion. Within that figure, the contribution from cross-chain bridges fell to around $200 million (Multichain $125 million, Orbit chain $81 million).

However, the decline does not necessarily indicate enhanced security; instead, it could be attributed to the decline in attacks.

While Cross-Chain Bridges bring interoperability and connect siloed blockchains to form a network, they also present their own set of challenges such as increasing centralisation, liquidity issues, smart contract vulnerabilities and security risks.

For cross-chain bridges to effectively serve the growing demand for bridging in the future, especially as the number of bridges, blockchains, and ecosystems increases, they should prioritise and invest in improving security. Enhancing security measures is paramount to ensure the safety of users’ assets and maintain trust in the bridging infrastructure.

MES Protocol
Multichain Exchange Solution.

Website: https://mesprotocol.com
Discord: https://discord.gg/bFMyrvjkrm
Twitter: https://www.twitter.com/mesprotocol
Medium: https://medium.com/@mesprotocol
Telegram: https://t.me/mesprotocol
Youtube: https://www.youtube.com/@mes_protocol
