(Reuters) — Another day, another hack and another burned blockchain bridge.
When thieves stole around $190 million from US crypto firm Nomad last week, it was the seventh hack of 2022 targeting an increasingly important cog in the crypto machine: blockchain “bridges”, strings of code that help move crypto coins between different applications.
Hackers have stolen around $1.2 billion worth of crypto from bridges so far this year, according to data from London-based blockchain analytics firm Elliptic, already more than double last year’s total.
“It’s a war where the cybersecurity company or the project cannot win,” said Ronghui Gu, a computer science professor at Columbia University in New York and co-founder of cybersecurity company CertiK.
“We have to protect so many projects. For them (hackers), when they look at a project and there is no bug, they can just move on to the next one, until they find a weak point.”
Currently, most digital tokens operate on their own unique blockchain, essentially a public digital ledger that records cryptographic transactions. This risks siloing the projects that use these tokens, reducing their prospects for large-scale use.
Blockchain bridges aim to break down these walls. Backers say they will play a fundamental role in “Web3” – the much-hyped vision of a digital future where crypto is intertwined with online life and commerce.
Yet bridges can be the weakest link.
The Nomad hack was the eighth largest crypto heist on record. Other bridge thefts this year include a $615 million heist from Ronin, used in a popular online game, and a $320 million theft from Wormhole, used in so-called decentralized finance applications.
“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and CEO of malware detector PolySwarm.
Nomad and other companies that make blockchain bridge software have attracted support.
Just five days before its hack, San Francisco-based Nomad said it had raised $22.4 million from investors including major exchange Coinbase Global. Nomad CEO and co-founder Pranay Mohan called its security model “the gold standard”.
Nomad did not respond to requests for comment.
The company said it was working with law enforcement and a blockchain analytics firm to track the stolen funds. Late last week, it announced a bounty of up to 10% for returning funds hacked from the bridge. It said on Saturday it had recovered more than $32 million of the hacked funds so far.
“The most important thing in crypto is community, and our number one goal is to restore bridged user funds,” Mohan said. “We will treat any party that returns 90% or more of hacked funds as white hats. We will not sue white hats,” he said, referring to so-called ethical hackers.
Several cybersecurity and blockchain experts told Reuters that the complexity of bridges means they can represent an Achilles’ heel for projects and applications that use them.
“One of the reasons hackers have targeted these cross-chain bridges lately is the immense technical sophistication involved in creating these types of services,” said Ganesh Swami, CEO of Vancouver-based blockchain data company Covalent, which had stored crypto on Nomad’s bridge when it was hacked.
For example, some bridges create versions of crypto coins that make them compatible with different blockchains, keeping the original coins in reserve. Others rely on smart contracts, self-executing code that automatically carries out transactions.
The code involved in all of this may contain bugs or other flaws, potentially leaving the door ajar for hackers.
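The lock-and-mint design described above (original coins held in reserve on one chain, wrapped copies minted on another) is easy to state and easy to get wrong in code. The following toy model is an added illustration, not the code of Nomad, Ronin, Wormhole or any other project named here. It assumes a hypothetical shared-key HMAC as the "attestation" that a lock or burn really happened, standing in for whatever proof a real bridge uses, and it checks the three things an auditor would look for first: the attestation is verified before anything is minted or released, a message cannot be replayed, and the wrapped supply never exceeds the locked reserve.

```python
"""
Toy lock-and-mint bridge model. Constructed example for illustration only; it is
not the code of any project named in the article. The attestation is an HMAC
under a hypothetical shared key, standing in for the validator signatures or
light-client proofs a real bridge would verify.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

ATTESTATION_KEY = b"constructed-demo-key"  # hypothetical; never hard-coded in a real bridge


def attest(message: str, key: bytes = ATTESTATION_KEY) -> str:
    """Produce the tag the other chain checks before acting on a message."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


@dataclass
class SourceVault:
    """Source chain: holds the original coins in reserve."""
    balances: dict
    locked: int = 0
    next_nonce: int = 0

    def lock(self, user: str, amount: int) -> tuple:
        """Move coins from the user into the reserve and emit an attested message."""
        if amount <= 0 or self.balances.get(user, 0) < amount:
            raise ValueError("invalid lock amount")
        self.balances[user] -= amount
        self.locked += amount
        message = f"lock:{self.next_nonce}:{user}:{amount}"
        self.next_nonce += 1
        return message, attest(message)

    def release(self, user: str, amount: int, message: str, tag: str) -> None:
        """Return reserve coins only against an attested burn on the destination chain."""
        if not hmac.compare_digest(tag, attest(message)):
            raise PermissionError("invalid attestation")
        kind, _, m_user, m_amount = message.split(":")
        if kind != "burn" or m_user != user or int(m_amount) != amount:
            raise PermissionError("message does not match release request")
        if amount > self.locked:
            raise ValueError("release would exceed reserve")
        self.locked -= amount
        self.balances[user] = self.balances.get(user, 0) + amount


@dataclass
class DestinationBridge:
    """Destination chain: mints wrapped coins backed one-for-one by the reserve."""
    wrapped: dict = field(default_factory=dict)
    supply: int = 0
    consumed: set = field(default_factory=set)
    next_nonce: int = 0

    def mint(self, message: str, tag: str) -> int:
        """Mint only for a message that is authentic, well-formed and not yet used."""
        if not hmac.compare_digest(tag, attest(message)):
            raise PermissionError("invalid attestation")
        if message in self.consumed:
            raise PermissionError("replayed message")
        kind, _, user, amount = message.split(":")
        if kind != "lock":
            raise PermissionError("wrong message type")
        self.consumed.add(message)
        self.wrapped[user] = self.wrapped.get(user, 0) + int(amount)
        self.supply += int(amount)
        return self.wrapped[user]

    def burn(self, user: str, amount: int) -> tuple:
        """Destroy wrapped coins and emit an attested message the vault can honour."""
        if amount <= 0 or self.wrapped.get(user, 0) < amount:
            raise ValueError("invalid burn amount")
        self.wrapped[user] -= amount
        self.supply -= amount
        message = f"burn:{self.next_nonce}:{user}:{amount}"
        self.next_nonce += 1
        return message, attest(message)


def fully_backed(vault: SourceVault, bridge: DestinationBridge) -> bool:
    """Invariant an audit checks: wrapped supply never exceeds the locked reserve."""
    return bridge.supply <= vault.locked


def demo() -> dict:
    """Round trip plus two rejected messages; constructed balances."""
    vault = SourceVault(balances={"alice": 100})
    bridge = DestinationBridge()
    msg, tag = vault.lock("alice", 60)
    bridge.mint(msg, tag)
    results = {"wrapped_after_lock": bridge.wrapped["alice"],
               "backed": fully_backed(vault, bridge)}
    try:  # tampered amount with the original tag must fail verification
        bridge.mint(msg.replace("60", "600"), tag)
        results["forgery_rejected"] = False
    except PermissionError:
        results["forgery_rejected"] = True
    try:  # the same genuine message presented twice must not mint twice
        bridge.mint(msg, tag)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    bmsg, btag = bridge.burn("alice", 25)
    vault.release("alice", 25, bmsg, btag)
    results["alice_source_balance"] = vault.balances["alice"]
    results["still_backed"] = fully_backed(vault, bridge)
    return results
```

In a real deployment the two sides run on different chains and cannot read each other's state, so `fully_backed` is the kind of property an auditor reconstructs from both ledgers rather than a check the contract itself can make; the in-contract checks are the attestation verification, the replay set and the message-shape validation.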
So how best to solve the problem?
Some experts say smart contract audits could help guard against cyber theft, as well as “bounty” programs that encourage open source reviews of smart contract code.
Others are calling for less concentration of control of bridges by individual companies, which they say could strengthen the code’s resilience and transparency.
“Cross-chain bridges are an attractive target for hackers because they often leverage centralized infrastructure, most of which locks up assets,” said Victor Young, founder and chief architect of US blockchain company Analog.