When thieves stole around $190 million from US crypto firm Nomad last week, it was the seventh hack of 2022 that targeted an increasingly important cog in the crypto machine: “bridges.”
Since the beginning of the year, hackers have stolen around $1.2 billion worth of cryptocurrency from bridges, according to data from London-based blockchain analytics firm Elliptic, which is already more than double last year’s total.
“This is a war in which the cybersecurity company or the project cannot win,” said Ronghui Gu, a professor of computer science at Columbia University in New York and co-founder of the cybersecurity company CertiK.
“We have to protect so many projects. For them (the hackers), when they examine a project and there is no bug, they can simply move on to the next one, until they find a weak point.”
Currently, most digital tokens run on their own unique blockchain, essentially a public digital ledger that records cryptographic transactions. This risks isolating the projects that use them, reducing their prospects for large-scale use.
Blockchain bridges aim to break down these walls. Their supporters say they will play a pivotal role in “Web3,” the much publicized vision of a digital future where cryptocurrency is integrated into daily life and online commerce.
Yet bridges may be the weakest link.
The Nomad hack was the eighth largest cryptocurrency theft on record. Other bridge thefts this year include a $615 million theft from Ronin, used in a popular online game, and a $320 million theft from Wormhole, used in so-called decentralized financial applications.
“Blockchain bridges are the most fertile ground for new vulnerabilities,” said Steve Bassi, co-founder and CEO of PolySwarm, a malware detection firm.
Nomad and other blockchain bridge software companies have attracted backing from investors.
Just five days before being hacked, San Francisco-based Nomad said it had raised $22.4 million from investors including leading exchange Coinbase Global. Nomad CEO and co-founder Pranay Mohan called its security model a “gold standard”.
Nomad did not respond to requests for comment.
The company said it was working with law enforcement and a blockchain analytics firm to track down the stolen funds. At the end of last week, it announced a bounty of up to 10% for the return of hacked funds to the bridge. On Saturday it said it had recovered more than $32 million in hacked funds so far.
“The most important thing in cryptocurrencies is the community, and our number one goal is to restore the funds of compromised users,” Mohan said. “We will treat any party that returns 90% or more of the mined funds as white hats. We will not prosecute white hats,” he added, referring to so-called ethical hackers.
Several cybersecurity and blockchain experts told Reuters that the complexity of bridges means they can be an Achilles’ heel for the projects and applications that use them.
“One of the reasons hackers have been targeting these cross-chain bridges lately is the immense technical sophistication involved in creating these kinds of services,” said Ganesh Swami, CEO of Vancouver-based blockchain data company Covalent, which had some cryptocurrency stored on the Nomad bridge when it was hacked.
For example, some bridges create “wrapped” versions of cryptocurrencies that make them usable on a different blockchain, while keeping the original coins locked in reserve. Others rely on smart contracts, complex agreements that execute transactions automatically.
The code involved in all of these can contain bugs or other flaws, potentially leaving the door ajar for hackers.
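To make the “lock in reserve, mint a wrapped copy” design concrete, here is an added toy model in Python. It is not Nomad’s code or any real bridge; the chains, the HMAC-based “validator” authentication of deposit proofs, and the balances are all constructed for illustration. It shows the two checks a defender cares about on the minting side (the proof must authenticate, and it must not be replayed) and the invariant worth monitoring continuously: wrapped supply on the destination chain never exceeds the reserve locked on the source chain.

```python
"""Toy lock-and-mint bridge model (constructed example, not any project's code).

Chain A holds the original token in a reserve; chain B mints a wrapped
version only against an authenticated, previously unseen deposit proof.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: the bridge's validators share a secret key that authenticates
# deposit proofs. An HMAC stands in for a real multi-validator signature set.
VALIDATOR_KEY = b"constructed-demo-key"


@dataclass
class DepositProof:
    deposit_id: int
    recipient: str
    amount: int
    tag: bytes

    @staticmethod
    def message(deposit_id: int, recipient: str, amount: int) -> bytes:
        return f"{deposit_id}|{recipient}|{amount}".encode()


@dataclass
class SourceChain:
    """Holds the original tokens; locking them yields an authenticated proof."""
    balances: dict = field(default_factory=dict)
    reserve: int = 0
    next_id: int = 0

    def lock(self, sender: str, amount: int) -> DepositProof:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.reserve += amount
        msg = DepositProof.message(self.next_id, sender, amount)
        tag = hmac.new(VALIDATOR_KEY, msg, hashlib.sha256).digest()
        proof = DepositProof(self.next_id, sender, amount, tag)
        self.next_id += 1
        return proof


@dataclass
class DestinationChain:
    """Mints wrapped tokens only for authenticated, unseen proofs."""
    wrapped: dict = field(default_factory=dict)
    supply: int = 0
    processed: set = field(default_factory=set)

    def mint(self, proof: DepositProof) -> None:
        msg = DepositProof.message(proof.deposit_id, proof.recipient, proof.amount)
        expected = hmac.new(VALIDATOR_KEY, msg, hashlib.sha256).digest()
        # Check 1: the proof must authenticate under the validator key.
        if not hmac.compare_digest(expected, proof.tag):
            raise PermissionError("deposit proof failed authentication")
        # Check 2: a genuine proof may be consumed only once.
        if proof.deposit_id in self.processed:
            raise PermissionError("deposit proof already used (replay)")
        self.processed.add(proof.deposit_id)
        self.wrapped[proof.recipient] = self.wrapped.get(proof.recipient, 0) + proof.amount
        self.supply += proof.amount


def reserve_invariant_holds(src: SourceChain, dst: DestinationChain) -> bool:
    """Monitoring check: every wrapped token is backed by a locked original."""
    return dst.supply <= src.reserve


def demo() -> dict:
    src = SourceChain(balances={"alice": 100})
    dst = DestinationChain()
    proof = src.lock("alice", 40)
    dst.mint(proof)
    # A tampered proof (reused tag, inflated amount) must be rejected.
    forged = DepositProof(proof.deposit_id + 1, "alice", 1000, proof.tag)
    rejected_forgery = False
    try:
        dst.mint(forged)
    except PermissionError:
        rejected_forgery = True
    # Re-submitting the genuine proof must also be rejected.
    rejected_replay = False
    try:
        dst.mint(proof)
    except PermissionError:
        rejected_replay = True
    return {
        "reserve": src.reserve,
        "wrapped_supply": dst.supply,
        "invariant": reserve_invariant_holds(src, dst),
        "rejected_forgery": rejected_forgery,
        "rejected_replay": rejected_replay,
    }


if __name__ == "__main__":
    print(demo())
```

The `reserve_invariant_holds` check is the kind of thing a bridge operator can evaluate off-chain on every block; a violation means wrapped tokens were minted without a matching lock, which is the failure mode behind the bridge thefts the article describes.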
So what’s the best way to tackle the problem?
Some experts say smart contract audits could help protect against cyber theft, along with “bug bounty” programs that encourage open source code reviews of smart contracts.
Others are calling for less concentration of individual companies’ control of bridges, which they believe could enhance the resilience and transparency of the code.
“Cross-chain bridges are an attractive target for hackers because they often rely on centralized infrastructures, most of which block resources,” said Victor Young, founder and chief architect of US blockchain firm Analog.