Learn Center
Crypto Next Level
Crypto Bridge Hacks 101: Types and Causes
Crypto Bridge Hacks 101: Types and Causes
Crypto bridges were originally intended to make sending tokens between blockchains seamless and safe. While bridges are essential for cross-chain communication, they’ve become a significant concern in Web3. In early 2020, hackers were able to drain billions of dollars from multiple cross-chain bridges. The blockchain research firm Chainalysis estimates that crypto bridge hacks now account for about 70% of the total cyberattacks in the blockchain industry.
If you’re considering sending digital funds on a multi-chain bridge, here’s what you need to know about the security concerns with these protocols.
Explaining cross-chain crypto bridges
Cross-chain bridges are programs that can send cryptocurrencies between at least two blockchains. The purpose of a token bridge is to make it possible for people to transfer assets from one blockchain to another, as different dApps (decentralized applications) may require users to interact with different blockchains.
As it stands today, separate blockchains can't communicate with each other. While sending funds within a blockchain's ecosystem is easy, developers have struggled to find secure ways to get different networks to interact with each other. Many in the crypto industry have labeled this issue the "interoperability problem."
For example, it's easy for you to use ETH to pay transactions on Ethereum's dApps like Uniswap and Aave. However, you still can't use their Ethereum-based assets on a competing blockchain like Solana. This means if you only had ETH in your crypto wallet, there's no way you could start using a Solana dApp. Instead, you’d have to visit a centralized crypto exchange (CEX), buy Solana's SOL tokens, and send them to a Solana-compatible wallet.
Ideally, bridges would eliminate all these extra steps. In the example above, you could leverage a multi-chain bridge like Wormhole or Allbridge that links Ethereum to Solana and send the ETH to the Solana blockchain.
Most crypto bridges will lock your initial funds in the protocol and issue a new token on the target chain. However, the cryptocurrency you'll receive in the new blockchain will be a "wrapped" version of the original. For instance, when you send ETH to Solana on a bridge, you’ll receive the token "wrapped ETH."
Wrapped tokens have the same market value as the underlying asset, but they're a synthetic version of the original token. Wrapped tokens allow people to use cryptocurrencies on non-native blockchains, thus increasing liquidity throughout Web3.
Supporters of cross-chain bridges are hopeful this technology will improve the transfer of digital assets in DeFi (decentralized finance). While this may not make cryptocurrencies as liquid as fiat currencies, it can enhance the flow of digital funds between dApps and promote collaboration in the crypto space.
Types of crypto bridges
Cross-chain bridges can be divided into trusted bridges versus trustless bridges. Knowing which bridge you're using will help you understand who (if anyone) is watching over your funds.
Trusted bridges
Trusted bridges are sometimes called "custodial bridges" because a protocol's leaders directly custody each user's crypto. When you lock the crypto you want to move on a trust token bridge, the company in charge of the bridge is responsible for overseeing these digital assets.
The downside of using a trust-based bridge is that users need to forfeit their digital assets to a third party. Also, since trusted bridges have a clear central custodian, it can make them an easier target for hackers.
A prime example of a trust-based bridge is the Binance Bridge. As the name suggests, the crypto exchange Binance has complete control over its proprietary crypto bridge. Users should feel comfortable that Binance won't suddenly freeze their funds, go bankrupt, or suffer a hack.
The Avalanche Bridge is another prominent trust-based bridge in DeFi. In this case, the New York-based company Ava Labs watches over crypto bridge transfers.
Trustless bridges
On trustless bridges, users don't have to worry about a third-party risk from a centralized organization. Instead of manually monitoring crypto transfers, trustless bridges rely on autonomous smart contracts to fulfill transfer requests.
The benefit of using smart contracts is that trustless bridges give users greater control over their crypto. Users don't have to worry about a central company mishandling or making off with their funds.
However, trustless bridges are still highly experimental. Even diligent blockchain coders have had trouble writing bug-free smart contract codes. If hackers exploit a trustless bridge's algorithms, users will lose all their crypto. In contrast, when using trusted bridges, there's a chance the custodian can distribute insurance funds during a cyberattack.
Ethereum's layer-2 scaling solution Arbitrum has a native trustless bridge where users can transfer digital assets between the two chains. The competing smart contract blockchain Polkadot also has a trustless "Snowbridge" that helps users transfer tokens between Polkadot and Ethereum.
Why are crypto bridge hacks so common?
Cross-chain bridges are some of the most lucrative and vulnerable protocols in DeFi. Although these bridges serve "decentralized" finance, they’re the central hubs for crypto transfers. Since users need to lock their initial tokens on a bridge to mint wrapped tokens on another chain, there's always a lot of crypto in these protocols. Hackers that successfully break into a bridge can steal millions, if not billions!
Not only are bridges a profitable target, but they also tend to have many weak spots. Cross-chain bridges aren't as battle-tested as blockchains like Bitcoin (BTC). Bridge developers still haven't perfected the code for linking two blockchains. If hackers have experience with blockchain coding, there's a chance they can find vulnerabilities in a bridge's smart contracts.
Additionally, some bridge projects make their codes open source to promote transparency. Open-source codes help build trust and make it easier for malicious actors to review, copy, or manipulate a bridge's software.
Lastly, since DeFi is largely unregulated and doesn't require KYC (know-your-customer) documents, it's easier for bridge hackers to avoid legal repercussions. Even if authorities track down a hacker, there's no clear regulatory framework to deal with cross-chain bridge hacks.
Are crypto bridges safe?
Nobody denies that cross-chain bridges have many unaddressed security risks. Crypto traders understand that cross-chain bridges are a new technology and a prime target for hackers.
While this doesn't mean every cross-chain bridge is "unsafe," they’re one of the most vulnerable parts of the Web3 ecosystem. It's critical for people interested in cross-chain bridges to do plenty of research on whatever protocol they're using.
If you’re planning to use a cross-chain bridge, first find out how long a bridge has been operational and whether it has a history of hacks. Ideally, your bridge should have a third-party audit that verifies the code’s security. You should also review transparent information on your bridge's leadership and security procedures.
Remember that hackers have broken into dozens of high-profile trustless and trusted bridges. For instance, the successful layer-2 blockchain Polygon nearly lost $850 million due to a bug in its Plasma Bridge to Ethereum. Luckily for Polygon's developers, the "whitehat hacker" that discovered this flaw immediately reported it to the team and accepted a bug bounty of $2 million.
Hopefully, as blockchain developers review common security flaws, they’ll learn how to code impenetrable bridges. Until then, Web3 users must be cautious when using bridges.
Recent crypto bridge hacks
Unfortunately, there's no shortage of crypto bridge hacks. Here are a few of the significant examples of cross-chain bridge attacks:
- Nomad Bridge hack: In August 2022, the cross-chain bridge Nomad reported a hack valued at around $200 million. Reports suggest hackers took advantage of a code vulnerability after the Nomad team modified its smart contracts. Hackers created false crypto transactions to drain funds from Nomad's reserves.
- Harmony Horizon Bridge hack: Another major bridge hack in 2022 took place on the Horizon Bridge between the Harmony blockchain, Ethereum, and the BNB Smart Chain. In June, the Harmony team announced that hackers broke into this bridge and made off with about $100 million in crypto.
Reports suggest the hackers compromised two of the four validators on the Horizon Bridge's multi-signature wallet. With this data, hackers were able to easily withdraw crypto from the bridge.
- "Axie" weakness in Ronin Bridge: In 2021, the gaming studio Sky Mavis decided to move its play-to-earn game "Axie Infinity" from the main Ethereum chain to its Ronin sidechain. Players could use an Ethereum-to-Ronin bridge to transfer tokens between these chains.
The Ronin Bridge had only nine validators on the network, four of which were Sky Mavis executives. In 2022, hackers accessed five of these validators, allowing them to approve withdrawals from the Ronin Bridge. It's estimated the Ronin hackers stole roughly $625 million in crypto.
Wrapping up
Bridges have the potential to promote blockchain interoperability and increase liquidity in DeFi. However, creating secure cross-chain bridges remains a challenging task in the crypto industry. Crypto bridge hacks are far too common, and many Web3 users fear using bridges after hearing about million-dollar exploits.
Although bridges are a valuable tool in DeFi, users must be careful before entrusting their crypto to these protocols. At Worldcoin, we encourage everyone to explore the Web3 ecosystem and the cryptocurrency market as a whole. We aim to put a free share of our crypto in every individual’s hands. Subscribe to our blog to learn more about buying and storing cryptocurrencies.