What Are Blockchain Bridges and Why Do They Keep Getting Hacked?

This week, the cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoin. The incident, which is one of the biggest heists in the history of cryptocurrency, specifically siphoned funds from a service known as the Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly common over the past couple of years, and the situation with Ronin is a prominent reminder of the urgency of the problem.

Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are typically siloed and can’t interoperate—you can’t do a transaction on the Bitcoin blockchain using Dogecoins—so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy.

Bridge services “wrap” cryptocurrency to convert one type of coin into another. So if you go to a bridge to use another currency, like Bitcoin (BTC), the bridge will spit out wrapped bitcoins (WBTC). It's like a gift card or a check that represents stored value in a flexible alternative format. Bridges need a reserve of cryptocurrency coins to underwrite all these wrapped coins, and that trove is a major target for hackers.

“Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target,” says James Prestwich, who studies and develops cross-chain communication protocols. “Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we’ll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts.”

In addition to the Ronin heist, attackers stole about $80 million worth of cryptocurrency from Qubit Bridge at the end of January, roughly $320 million worth from Wormhole Bridge at the beginning of February, and $4.2 million worth days later from Meter.io Bridge. Memorably, the Poly Network bridge had about $611 million worth of cryptocurrency stolen last August, before the attacker gave the funds back a few days later. In all of these attacks, hackers exploited software vulnerabilities to drain funds, but the Ronin Bridge attack had a different weak point.

Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private encryption keys used to verify transactions on the network. And the way these keys were set up to validate transactions was not maximally rigorous, allowing attackers to approve their malicious withdrawals.

“As we’ve witnessed, Ronin is not immune to exploitation, and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company wrote in its initial statement about the incident on Tuesday.

Ronin discovered the breach that day, but the platform’s “validator nodes” had been compromised on March 23. Attackers stole 173,600 Ethereum and 25.5 million USDC. Ronin Bridge has been down ever since, and users can't carry out transactions on the platform.
