Bridges are more vulnerable to hackers in the transition towards a multi-chain future than cryptocurrency networks. Over 2 billion dollars in assets were stolen by token bridge exploits alone in 2022. It’s even worse that all of these hacks could have been prevented by implementing multiple security measures.

By examining the attacks of 2022, we can better grasp some of the flaws that are present in the system as well as the security measures which exist or are currently being developed to combat them.

Social engineering

Security breaches are most often caused by social engineering attacks. Social engineering attacks are the most common form of security breaches.

Martin Koppelmann, co-founder of Gnosis.

The biggest bridge scam of 2022 used similar methods to steal funds. Hackers used a phishing scam to hack the blockchain of Axie Infinity, a high-profile cryptogame.

Sky Mavis said that its employees had been targeted with fake offers of employment and were even required to attend multiple rounds. Hackers accessed the Sky Mavis Ronin Network’s systems after the employees fell for the ruse. They stole $625 million. Sky Mavis revealed that it was the victim of spear-phishing during a postmortem review of what went wrong.

Compromised private keys

Wintermute (an algorithmic market maker) was hacked in September 2022 for $160,000,000, most likely because of a vulnerability in the private keys generated by Profanity.

The hot wallet private key was used to drain funds. Reports claimed that vulnerabilities were detected previously in Profanity addresses. However, the company did not take these reports serious.

The hacking of Slope was also attributed to a similar reason, which resulted in a $6 million loss for the company.

Smart contract bugs

Smart contracts are stored programs in a blockchain that are set to activate when certain predetermined criteria are met. It’s the confirmation that a website receives after you add an item to your shopping basket and pay for it. Hackers can use a bug in a contract to trigger an illegitimate transfer of funds between blockchains.

Hackers were able, in the case of Nomad to drain almost $200 million by finding a mistake in the primary smart contracts which allowed anyone who had a basic understanding to withdraw funds.

It’s alarming that hackers were able to exploit these security flaws and bugs so easily. But what’s even more disturbing is that ‘trusted systems’ that people did not think of using were also so easily exploitable.

Multiple security measures is the solution

Bridge standards are rules that describe how different blockchain networks communicate with one another, in this instance, via a cross-chain interface. Some of these protocols are vulnerable to exploitation. However, when combined, they provide additional security.

Developers can counteract weaknesses in one protocol by using another protocol. We’ll look at some cryptographic standard that can be combined to provide additional layers of protection.

Multi-signature and committee

Before a transaction is executed, the technology uses multiple signatures or approvals. It can be used to prevent unauthorised access to networks, and ensure that there is no one party in control.

The committee bridge standard is a set of standards that uses a group or committee of trusted entities to manage the security for a bridge. The members are responsible for the approval and oversight of network transactions. When multiple organizations need to share a network, committees can be beneficial.

Zero Knowledge

Zero Knowledge (ZK), a cryptographic method, allows two parties exchange information without revealing any information other than what is required.

By integrating ZK models, developers can use light clients to verify transactions on-chain. It is possible to perform this verification using light clients on-chain by using Zero Knowledge Proof Systems and the “Succinctness” property of a ZK SNARK. For maximum security it is possible to verify state transitions as well as consensus on the chain, just like running a full-node.

On-chain light clients use ZKP to verify that the state is valid. The target chain can verify the proof without knowing the state of the original chain. On-chain light clients are a great way to increase the security and scalability for blockchains. The target chain will be more confident in the accuracy of the state of source chain by verifying it on the target blockchain. It can be used to help prevent fraud, and other malicious activity while scaling the network. ZK, for example, can be used as a way to prove that the owner of the wallet has authorized a transaction without divulging the private key.

Optimistic

Some bridges take an “optimistic” approach to verifying transactions. Instead of immediately verifying every transaction on the blockchain target, optimistic bridges assume each transaction to be valid and reward additional participants for reporting fraudulent transactions. After the challenge period, funds are cleared. The optimistic bridges, therefore, are mathematically safe but not game-theoretically. They rely on third party attention. This is all abstracted from the user by additional liquidity providers, who independently verify the validity of the bridge claims. They then make the funds available immediately on the other chain for a small fee.

Bridges that are optimistic can be very secure, even if they don’t verify every transaction immediately. They use the “challenge-and-dispute” method. If a user feels that a transaction was processed incorrectly, he or she can dispute the transaction. The bridge will then investigate.

The challenges of multiple bridge standards

The best security can be achieved using a combo of standards. If one standard has a bug, or is a security vulnerability, then the other standards will still be able to protect the network.

Note that bridges are still dependent on the networks they connect. A bridge is only as secure as the networks that it connects.

Accessing the multi-chain universe securely

We need bridges to allow unfettered access into our multi-chained world. But we must fortify them in innovative ways to reduce the points of attack. Blockchain technology was designed to enable strangers to make direct and immutable decisions. The more we use the network at our disposal, the stronger our bridges become.

Jeanhee Kim & David Z. Morris edited the book.