Back in March 2022, the cryptocurrency network Ronin revealed it had fallen victim to one of the biggest hacks of all time, suffering a breach that allowed attackers to steal more than $540 million worth of Ethereum and USD coins. The incident saw hackers exploit a vulnerability in a service known as the Ronin Bridge. It’s one of a number of successful attacks on “blockchain bridges” recently that have drawn attention to their inherent security inefficiencies.
Blockchain bridges, sometimes called network bridges, are services that make it possible for crypto holders to move their digital assets from one blockchain to another. They provide an important role, because cryptocurrencies are often siloed and lack interoperability, meaning you can send Bitcoin to an Ethereum wallet address, for example. Because of this siloed nature, bridges have emerged as a key mechanism within the crypto economy.
Bridge services don’t actually transfer one kind of digital asset to another chain. Rather, what they do is “wrap” cryptocurrency tokens in order to convert them into a new asset on the other chain. So if a user wants to bridge Bitcoin to Solana, the bridge will essentially freeze the original BTC by locking it in a wallet address, before spitting out what’s known as wrapped BTC (WBTC) that can be used on the second chain. It can be thought of as a kind of gift card that provides the exact same monetary value, which can only be used in a specific store.
Due to the way they work, bridges therefore hold significant reserves of cryptocurrency tokens that are locked in smart contracts, and those reserves make them especially attractive to hackers.
As crypto stalwarts know only too well, any value that’s held on-chain is subject to attack at any time of the day. The internet never goes offline, meaning the tokens held by any bridge can always be accessed.
The attack on the Ronin Network was one of the biggest-ever DeFi heists in terms of dollar value. Ronin is an Ethereum sidechain that enables cheaper transactions at much faster speeds than the main network. It was the bridge of choice for the popular “play-to-earn” cryptocurrency game Axie Infinity, meaning it constantly processed millions of dollars in crypto and stablecoins.
Sidechains are a blockchain scaling solution that require a bridge to connect to other chains. With Ronin, users are able to lock up their ETH and mint wrapped ETH on alternative networks. Transactions are processed and approved via a Proof of Authority consensus algorithm. With this model, 5 out of 9 validators must agree on a transaction for consensus to be achieved. However, four of Ronin’s validators were operated by one company – Sky Mavis, the developer of Ronin.
It was a heavily centralized setup that resulted from the Axie Dao’s decision to set up a gas-free RPC node in November 2021 to try and fix network congestion. The DAO allowlisted Sky Mavis keys to sign transactions on its behalf. It was only supposed to be a temporary arrangement, but the allow list was never revoked. This created an opening for the attackers – said to be the North Korea-sponsored Lazarus Group – which used social engineering techniques to compromise Sky Mavis’s four keys. The hackers then discovered a vulnerability in the RPC’s code, giving it control of a fifth validator and allowing it to make an illicit withdrawal.
The main issue was that Ronin’s multi-signature system for signing off on transactions was compromised due to a lack of decentralization. It illustrates the weakness of security mechanisms where the majority of governance is concentrated in the hands of a single entity.
The Ronin hack was not a one-off, but rather just the latest in a string of high-profile attacks on blockchain bridges that have resulted in millions of dollars worth of value being lost. One month earlier, attackers successfully made off with around $80 million worth of Ethereum following an attack on the Qubit Bridge.
It’s a service operated by the Qubit Finance platform, which enables users to lend and borrow digital assets across the Ethereum and Binance Smart Chain networks. For instance, it makes it possible to deposit an ERC-20 token and receive a BEP-20 coin in exchange, which can then be used on the Binance chain.
Qubit Bridge was hacked due to what was said to be a “logical error” within its smart contract’s code. The vulnerability enabled the hacker to manipulate the bridge using malicious data, so he or she could withdraw BSC tokens without making any deposit on Ethereum. An autopsy of the attack found that the QBridge smart contract did not properly verify that the required amount of ETH was locked. Instead, the hacker was able to show fake proof of a non-existent deposit.
The incident served to highlight how smart contract vulnerabilities remain a persistent problem in DeFi, and especially for blockchain bridges. The vast majority of bridge attacks target bugs in smart contracts, which are automated contracts that self-execute when certain conditions are met.
Crypto platforms have been subject to an endless stream of attacks ever since the nascent industry started becoming popular. Adherents of DeFi say it can provide a more accessible and equitable alternative to traditional financial services, but as the space has evolved it has been subjected to what is essentially a trial by fire. Attacks on bridges have become as commonplace as cryptocurrency exchange and DeFi protocol heists. The issue is that bridges, like exchanges and protocols, are high-stakes platforms that hold enormous amounts of value and any one of them could be vulnerable to bugs in their underlying code.
There’s a widespread belief that crypto and DeFi will never achieve widespread adoption without a proper solution to the risk of attacks. The vast majority of the world’s value is held by institutional investors, such as investment banks and big hedge funds. Such organizations prioritize compliance and the safety of their funds above whatever potential profits could be had. So DeFi and crypto is unlikely to become much more than a niche investment industry until its security problems can be resolved.
Bridge security is of special importance. The siloed nature of blockchains is a severe handicap that limits the potential reach of any decentralized application. A dApp built on Ethereum cannot talk to others based on different blockchains. It cannot transact with Bitcoin, the world’s most valuable and widely used cryptocurrency, meaning BTC holders have no way to interact with the DeFi ecosystem. If crypto is ever going to become ubiquitous, users must have a safe way to communicate with different chains.
The good news is that there are those in the industry who recognize the importance of secure blockchain connectivity. One exciting prospect is AllianceBlock’s highly promising AllianceBridge, which supports major networks including Ethereum, Binance Smart Chain, Avalanche, Polygon, Arbirtrum, Optimism and Energy Web with a unique infrastructure that’s more decentralized and delivers faster and safer performance.
Unlike centralized bridges, which rely on a single or just a few entities to verify that transactions are legitimate, decentralized bridges are based on the same principles as blockchain itself. There are multiple operators that utilize well structured consensus mechanisms to establish the validity of transactions. AllianceBridge is a decentralized bridge that has developed a unique method to ensure consensus is reached.
As with others, AllianceBridge locks the tokens it receives into a smart contract and then issues wrapped tokens on the target blockchain. Those wrapped tokens will exist on the second chain until such time as the user decides to redeem them on the original network. At that point, the wrapped tokens are burned, meaning they cease to exist, while the original tokens on the native chain are unlocked.
Where AllianceBridge differs is that it employs an EVM-compatible network of bridge operators. In addition, it leverages the robust, third-party Hedera Hashgraph Consensus Service that’s powered by an innovative “gossip-about-gossip” consensus algorithm.
Using the HCS service, blockchain applications and networks can submit messages to the Hedera public ledger, where they are time-stamped and ordered with full transparency. This makes it possible for AllianceBridge to reach consensus without maintaining synchronization between its bridge operators. This means faster performance with a high degree of decentralization, while HCS provides an extra layer of trust that makes the bridge more secure.
AllianceBridge’s smart contracts, which are used to lock the original assets and mint and burn wrapped tokens, provide even more reassurance. The entire smart contract codebase was written to resonate with the EIP-2535 standard and has been fully audited by Omniscia. During the audit, Omniscia pointed out a number of potential problems that were promptly fixed by AllianceBlock before the code went live.
The security and reliability of AllianceBridge has played a key role in expanding the utility of AllianceBlock’s suite of DeFi offerings, including DeFi Terminal, which provides an easy way for projects to launch liquidity mining and staking campaigns across multiple supported networks and dApps. With its secure blockchain interoperability protocol, AllianceBlock is building the robust foundation that a rich, interconnected Web3 ecosystem needs in order to grow and evolve.
– Advertisement –