Hackers stole $1.4 billion this year using crypto bridges


Mining the world’s second most valuable cryptocurrency at Evobits IT SRL: An engineer inspects AMD graphics processing units (GPUs) from Sapphire Technology Ltd. at the Evobits crypto farm in Cluj-Napoca, Romania, on Wednesday, January 22, 2021. The world’s second most valuable cryptocurrency, Ethereum, has risen 75% this year, overtaking its biggest rival Bitcoin. Photographer: Akos Stiller/Bloomberg via Getty Images


Crypto investors have been hit hard this year by hacks and scams. One reason is that cybercriminals have found a particularly useful way to reach them: bridges.

Blockchain bridges, which loosely connect networks to enable rapid exchanges of tokens, are gaining popularity as a way for crypto users to transact. But by using them, crypto enthusiasts are bypassing a centralized exchange and using a system that is largely unprotected.

A total of around $1.4 billion has been lost to breaches on these cross-chain bridges since the start of the year, according to figures from blockchain analytics firm Chainalysis. The biggest single event was a record $615 million theft from Ronin, a bridge supporting the popular non-fungible token game Axie Infinity, which allows users to earn money by playing.

There was also the $320 million stolen from Wormhole, a crypto bridge backed by Wall Street high-frequency trading firm Jump Trading. In June, Harmony’s Horizon Bridge suffered a $100 million attack. And last week, nearly $200 million was seized by hackers in a breach targeting Nomad.

“Blockchain bridges have become the low-hanging fruit for cybercriminals, with billions of dollars of crypto assets locked within them,” said Tom Robinson, co-founder and chief scientist at blockchain analytics firm Elliptic, in an interview. “These bridges have been hacked by hackers in a variety of ways, suggesting that their level of security has not kept pace with the value of the assets they hold.”

Bridge exploits are happening at a striking rate, given that bridges are such a new phenomenon. According to data from Chainalysis, the amount stolen in bridge heists represents 69% of the funds stolen in crypto-related hacks so far in 2022.

How Bridges Work

A bridge is software that allows someone to send tokens from a blockchain network and receive them on a separate chain. Blockchains are the distributed ledger systems that underpin various cryptocurrencies.

When exchanging a token from one chain to another – such as when sending ether from Ethereum to the Solana network – an investor deposits the tokens into a smart contract, a piece of code on the blockchain which allows agreements to run automatically without human intervention.

This crypto is then “minted” on a new blockchain in the form of a so-called wrapped token, which represents a claim on the original ether coins. The token can then be traded on a new network. This can be useful for investors using Ethereum, which has become notorious for its sudden spikes in fees and longer wait times when the network is busy.

“They usually hold huge sums of money,” said Adrian Hetman, technical lead at crypto security firm Immunefi. “These sums of money and the amount of traffic passing through the bridges is a very attractive point of attack.”

Why they are attacked

The vulnerability of bridges can be attributed in part to sloppy engineering.

The Harmony Horizon Bridge hack, for example, was possible due to the limited number of validators needed to approve transactions. The hackers only had to compromise two accounts out of a total of five to obtain the passwords needed to withdraw funds.

A similar situation happened with Ronin. Hackers only had to convince five out of nine validators on the network to hand over their private keys to access the crypto locked inside the system.

In Nomad’s case, the bridge was much easier for hackers to manipulate. The attackers were able to enter any value into the system and then withdraw funds, even if there were not enough assets deposited in the bridge. They needed no programming skills, and their exploits led copycats to pile in, leading to the eighth-largest crypto theft of all time, according to Elliptic.

Nomad offers hackers a bounty of up to 10% to recover user funds and says it will refrain from suing hackers who return 90% of the assets they have taken.

Nomad told CNBC that it is “committed to keeping its community informed as they learn more” and “appreciates everyone who acted quickly to protect the funds.”
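An added illustration, not taken from the article or from any bridge project: a toy Python model of the deposit-and-mint flow and validator approval described above, showing the checks a bridge needs (a quorum of distinct validators, release only against a recorded deposit, no reuse of a deposit) and the share of validator keys that must be compromised at the 2-of-5 and 5-of-9 thresholds mentioned. The names `ToyBridge` and `compromise_fraction`, the validator labels and the 4-of-5 sample threshold are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

class BridgeError(Exception):
    """Raised when a mint request fails a safety check."""

@dataclass
class ToyBridge:
    validators: frozenset                       # identities allowed to approve
    threshold: int                              # approvals required (k of n)
    locked: dict = field(default_factory=dict)  # deposit_id -> amount locked on source chain
    minted: dict = field(default_factory=dict)  # deposit_id -> wrapped amount issued

    def deposit(self, deposit_id, amount):
        if amount <= 0 or deposit_id in self.locked:
            raise BridgeError("invalid or duplicate deposit")
        self.locked[deposit_id] = amount

    def mint(self, deposit_id, amount, approvals):
        # Count only distinct, known validators; duplicates and strangers add nothing.
        if len(set(approvals) & self.validators) < self.threshold:
            raise BridgeError("quorum not reached")
        # The amount must match a recorded deposit, never a caller-supplied value.
        if self.locked.get(deposit_id) != amount:
            raise BridgeError("no matching deposit")
        # Each deposit backs exactly one mint.
        if deposit_id in self.minted:
            raise BridgeError("deposit already used")
        self.minted[deposit_id] = amount

    def fully_backed(self):
        # Invariant worth monitoring: wrapped supply never exceeds locked collateral.
        return sum(self.minted.values()) <= sum(self.locked.values())

def compromise_fraction(threshold, total):
    """Share of validator keys an attacker must control to approve a release."""
    return threshold / total

def demo():
    # Constructed sample: five validators, four approvals required.
    bridge = ToyBridge(frozenset({"v1", "v2", "v3", "v4", "v5"}), threshold=4)
    bridge.deposit("d1", 100)
    quorum = ["v1", "v2", "v3", "v4"]
    requests = [("d1", 100, ["v1", "v1", "v2", "x"]),  # duplicate and unknown signers
                ("d9", 500, quorum),                   # value with no deposit behind it
                ("d1", 100, quorum),                   # legitimate mint
                ("d1", 100, quorum)]                   # replay of the same deposit
    results = []
    for request in requests:
        try:
            bridge.mint(*request)
            results.append("ok")
        except BridgeError as err:
            results.append(str(err))
    return results, bridge.fully_backed()
```
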

Why they are important

Bridges are an essential tool in the decentralized finance (DeFi) industry, which is the crypto alternative to the banking system.

With DeFi, instead of centralized players calling the shots, money exchanges are handled by a programmable piece of code called a smart contract. This contract is written on a public blockchain, like Ethereum or Solana, and it executes when certain conditions are met, eliminating the need for a central middleman.

“We can’t just move these assets,” Hetman said. “That’s why we need blockchain bridges.”

As the DeFi space continues to evolve, developers will need to make blockchains interoperable to ensure that assets and data can flow smoothly between networks.

“Without them, assets are locked to native chains,” said Auston Bunsen, co-founder of QuikNode, which provides blockchain infrastructure for developers and enterprises.

But they are risky.

“They are effectively ungoverned,” said David Carlisle, regulatory affairs manager at Elliptic. They are “highly vulnerable to hacks or being used in crimes like money laundering.”

Criminals have transferred at least $540 million in ill-gotten gains through a bridge called RenBridge since 2020, according to new research provided by Elliptic to CNBC.

“A major question is whether bridges will be subject to regulation, as they act much like crypto exchanges, which are already regulated,” Carlisle said.

This week, the US Treasury Department’s Office of Foreign Assets Control, or OFAC, announced sanctions against Tornado Cash, a popular cryptocurrency mixer, banning Americans from using the service. Mixers are tools that mix a user’s tokens with a pool of other funds to conceal the identity of the individuals and entities involved.

Carlisle said it was becoming clear that “US regulators are poised to crack down on DeFi services that facilitate illicit activity.”
