Blockchains Have a “Bridge” Problem and Hackers Know It



This week the Ronin cryptocurrency network disclosed a hack in which attackers made off with roughly $540 million worth of ether and the USDC stablecoin. The incident, one of the largest heists in the history of cryptocurrency, drained funds from a service known as Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly frequent over the last couple of years, and the Ronin breach is a stark reminder of how urgent the problem is.


Blockchain bridges, also known as network bridges, are applications that let people move digital assets from one blockchain to another. Cryptocurrencies tend to be siloed and cannot interact with one another (you can’t transact on the Bitcoin chain using Dogecoin), so bridges have become an essential mechanism, almost a missing link, in the cryptocurrency economy.


Bridge services “wrap” cryptocurrency to convert one type of coin into another. If you bring bitcoin (BTC) to a bridge and want to use it on another chain, the bridge holds your BTC and issues you wrapped bitcoin (WBTC) on the destination chain. It is similar to a gift card or a check that represents stored value in a more flexible format. Bridges need a reserve of coins to back all of the wrapped coins they have issued, and that reserve is a prime target for hackers.

“Any capital on the network is under attack 24 hours a day, 7 days a week, 365 days a year, so bridges will always be a popular target,” says James Prestwich, who studies and develops internetwork communication protocols. “Bridges will continue to grow because people will always want to be able to join new ecosystems. Over time, we will become professionals, develop best practices, and there will be more people able to create and analyze intermediate code. The bridges are quite new, so there are very few specialists.”


In addition to the Ronin heist, attackers stole about $80 million worth of cryptocurrency from Qubit Bridge in late January, roughly $320 million from Wormhole Bridge in early February, and $4.2 million from Meter.io Bridge a few days after that. Notably, around $611 million worth of cryptocurrency was stolen from Poly Network Bridge last August before the attacker returned the funds a few days later. In all of those attacks, hackers exploited software vulnerabilities to steal funds, but the Ronin Bridge attack exploited a different kind of weakness.

Ronin was created by Sky Mavis, a Vietnamese company that develops the popular NFT-based video game Axie Infinity. In this breach, it appears the attackers used social engineering to gain access to the private keys used to validate transactions on the network. And the way those keys were configured to validate transactions was not as strict as it could have been, which let the attackers approve their own malicious withdrawals.

“As we have seen, Ronin is not immune to exploitation and this attack has reinforced the importance of prioritizing security, remaining vigilant and mitigating all threats,” the company wrote in its initial statement on the incident on Tuesday.

Ronin discovered the breach on the day it disclosed it, but the platform’s “validator nodes” had been compromised on March 23. The attackers stole 173,600 ether and 25.5 million USDC. Ronin Bridge has been offline since, and users cannot transact on the platform.

“This hack is so worrisome because it seems like the team didn’t follow commonly known basic security practices,” says Prestwich. “The hack went undetected for days, meaning the team had no basic monitoring of their system — standard security practices would include automatic email and SMS alerts for abnormal events or large fund movements.”
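To make the three security-relevant points above concrete (a bridge’s reserve backs its wrapped coins, a withdrawal is released once enough validator keys sign it, and large fund movements should trigger alerts), here is a toy lock-and-mint bridge in Python. It is an added example written for this page, not Sky Mavis or Ronin code, and it does not reproduce Ronin’s actual configuration: the nine validators, the thresholds, the amounts and the HMAC-based “signatures” standing in for real validator keys are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed validator secrets for illustration only. A real bridge uses
# per-validator asymmetric keys; HMAC is a stand-in so the example runs offline.
VALIDATOR_KEYS = {f"v{i}": f"validator-secret-{i}".encode() for i in range(9)}


def withdrawal_message(recipient: str, amount: int, nonce: int) -> bytes:
    """Canonical bytes every validator signs for one withdrawal request."""
    return f"{recipient}|{amount}|{nonce}".encode()


def sign(validator_id: str, msg: bytes, keys=VALIDATOR_KEYS) -> str:
    """Validator approval of a withdrawal (assumed HMAC stand-in for a signature)."""
    return hmac.new(keys[validator_id], msg, hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    threshold: int                      # distinct validator approvals required
    alert_limit: int                    # monitoring: flag any release above this
    keys: dict = field(default_factory=lambda: dict(VALIDATOR_KEYS))
    reserve: int = 0                    # native coins held by the bridge
    wrapped_supply: int = 0             # wrapped coins issued on the other chain
    used_nonces: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def deposit(self, amount: int) -> None:
        """Lock native coins and issue the same amount of wrapped coins."""
        self.reserve += amount
        self.wrapped_supply += amount

    def fully_backed(self) -> bool:
        """Invariant: every wrapped coin is backed by one coin in the reserve."""
        return self.reserve == self.wrapped_supply

    def count_valid(self, msg: bytes, sigs: dict) -> int:
        """Count distinct known validators whose approval of msg verifies."""
        valid = 0
        for vid, sig in sigs.items():
            if vid in self.keys and hmac.compare_digest(sign(vid, msg, self.keys), sig):
                valid += 1
        return valid

    def withdraw(self, recipient: str, amount: int, nonce: int, sigs: dict) -> bool:
        """Release reserve if enough validators approved; alert on large moves."""
        if nonce in self.used_nonces or amount <= 0 or amount > self.reserve:
            return False
        msg = withdrawal_message(recipient, amount, nonce)
        if self.count_valid(msg, sigs) < self.threshold:
            return False
        self.used_nonces.add(nonce)          # prevents replaying the same approval
        self.reserve -= amount
        self.wrapped_supply -= amount        # the wrapped coins are burned
        if amount > self.alert_limit:        # the "large fund movement" alert
            self.alerts.append(f"large withdrawal: {amount} to {recipient}")
        return True


def attacker_scenario(threshold: int, keys_compromised: int) -> dict:
    """An attacker holding `keys_compromised` validator keys tries to drain the reserve.

    Amounts and the 10,000-coin alert limit are assumed values for the demo.
    """
    bridge = Bridge(threshold=threshold, alert_limit=10_000)
    bridge.deposit(100_000)
    amount = bridge.reserve
    msg = withdrawal_message("attacker", amount, nonce=1)
    stolen = {vid: sign(vid, msg) for vid in list(VALIDATOR_KEYS)[:keys_compromised]}
    approved = bridge.withdraw("attacker", amount, 1, stolen)
    return {
        "approved": approved,
        "reserve": bridge.reserve,
        "alerts": len(bridge.alerts),
        "backed": bridge.fully_backed(),
    }


if __name__ == "__main__":
    # Same attacker, same five stolen keys: the outcome depends only on the threshold.
    print("5-of-9 bridge:", attacker_scenario(threshold=5, keys_compromised=5))
    print("8-of-9 bridge:", attacker_scenario(threshold=8, keys_compromised=5))
```

The two scenarios differ only in the signing threshold: with five of nine keys compromised, a 5-of-9 policy releases the whole reserve (and the monitor fires after the fact, which is why the alert matters), while an 8-of-9 policy rejects the same request. The reserve-to-wrapped-supply invariant is what a bridge’s users are implicitly trusting, and the nonce check is the minimal guard against replaying an approved withdrawal.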

The Ronin hack may represent an evolution of bridge hacks, given that it relied on traditional social engineering and exploited security design weaknesses rather than a specific software vulnerability, as most other bridge hacks have. Those attacks typically target bugs in how bridges implement smart contracts, the small blockchain programs designed to run at specific times under specific conditions, essentially a contract that executes itself. But social engineering to take over privileged accounts is also a classic and widely used attacker strategy, including in decentralized finance.

“Social engineering and related private key compromises have always been a vector of attacks on DeFi platforms in general, not just bridges,” says Arda Akartuna, crypto threat analyst at blockchain analytics and compliance firm Elliptic. “However, they were observed relatively less frequently than code exploits. There is no reason to believe that social engineering exploits are becoming more popular, although the success of the Ronin incident may inspire other hackers.”

Cryptocurrency platforms and the decentralized finance movement in general have faced security issues as the underlying technologies evolve and mature. And the services that together form the backbone of this new financial ecosystem are being tested by fire as the cryptocurrency gold rush plays out. Bridge attacks may be the new cryptocurrency exchange hacks, but they share the same underlying problem: high-stakes platforms that hold vast amounts of value are being assembled rapidly to meet new needs.

Akartuna notes that better protection of bridges will require more scrutiny and auditing of complex platform code. The services that link these esoteric platforms together cannot simply be bolted together without careful and continuous review.

But he adds that some of the security problems bridges face come from outside the bridges themselves.

“In some cases, bridges are dealing with lesser-known or obscure blockchains where security auditing has not yet become widespread,” Akartuna says. “This means that the likelihood of unpatched vulnerabilities in their protocols is higher compared to DeFi platforms that run exclusively on more established blockchains.”

For now, researchers are warning that blockchain bridge hacks will continue.




Credit: www.wired.com /
