The recent growth of Decentralized Applications has increased the need for cheaper and faster transactions that led to a proliferation of bridges with weak security measures.
More robust security measures in this type of platform are needed, and this is where CyVers will act as your last line of defense!
Many blockchain networks and cryptocurrencies use different blockchain technologies, including Bitcoin, Ethereum, Avalanche, Polygon, Solana, and Arbitrum.
Therefore, enabling interoperability and exchange across various blockchain networks is an area where cross-chain bridges -- sometimes also referred to as blockchain bridges -- play an increasingly important role.
What is a cross-chain bridge?A cross-chain bridge enables exchanging information, cryptocurrency, or NFTs from one blockchain network to another. It allows the flow of data and tokens across what would otherwise be siloed sets of data on different blockchains.There are many established ways for individuals and businesses to exchange money with fiat currency, creating a globally available and interoperable financial payments system. Those systems include financial institutions, banks, and credit cards that handle foreign exchange. In the world of blockchains, a cross-chain bridge serves a somewhat similar purpose.Exchange across different blockchains for cryptocurrency is possible without a cross-chain bridge, but it is expensive and time-consuming. Without using a cross-chain bridge, users must first convert a cryptocurrency token into a fiat currency, often involving fees. They then use the currency to get the other desired type of cryptocurrency, incurring more fees and taking time.One characteristic of a cross-chain bridge is that it enables users to exchange one cryptocurrency for another without first changing it to fiat currency. Cross-chain bridges aren't limited to just cryptocurrency value transfer either. An effective cross-chain bridge can also enable the transfer of smart contracts and NFTs from one blockchain environment to another.
There are several approaches to enabling transfers with a cross-chain bridge.
The cross-chain bridge provider platform usually (1) encapsulates the value of one token from a specific blockchain network (Bitcoin) inside another token (WBTC).Wrapped tokens are typically based on the ERC-20 technical specification for an Ethereum network. (2) Another approach to enabling cross-chain bridge transfers is using a liquidity pool. With a liquidity pool, a cross-chain bridge provider holds inventory -- or pools -- of various coins where one can be exchanged for another.The problem with many bridges is that they require users to place trust in a centralized operator or a small number of federated operators, which undermines the security assumptions of decentralization. Most bridges lock tokens on the source blockchain and mint new “wrapped” tokens on the destination blockchain. The original locked tokens remain locked as collateral until the tokens return in a reverse operation when the wrapped tokens are “burned,” and the locked tokens are released. The pools of locked tokens represent a honey pot for any hacker, and, when compromised, the value of any unbacked wrapped tokens on the destination chain is at risk.There are two categories of bridges from a security standpoint: trusted and trustless.Trusted bridges are platforms that rely on a third party to validate transactions but, more importantly, to act as custodians of the bridged assets. Most blockchain-specific bridges like the Binance Bridge, Polygon POS Bridge, WBTC Bridge, and Avalanche Bridge are "trusted bridges."Conversely, platforms that rely purely on smart contracts and algorithms to custody assets are trustless bridges. The security factor in trustless bridges pertains to the underlying network where the bridge locks the assets. Solana's Wormhole, Polkadot's Snow Bridge, Cosmos IBC, and platforms like Hop, Connext, and Celer are "trustless" bridges. At first glance, it might look like trustless bridges offer a more secure option for transferring assets between blockchains. However, both trusted and trustless bridges face different challenges. A trusted bridge example: The Ronin hack.The Ronin bridge operates as a centralized trusted platform that uses a multisig wallet to the custody of the bridged assets. In short, a multisig wallet is an address that requires two or more cryptographic signatures to approve a transaction.Different parties control signatures. In the case of Ronin, four signatures were held by one team alone, creating a single point of failure. However, after the hacker managed to control the four signatures at once, he only needed one more to approve the withdrawal of assets. On March 23, 2022, the attacker gained control over the Axie DAO's signature, the final piece required to complete the attack. As a result, 173,600 ETH and 25.5 million USDC were drained from Ronin's custodian contract in two different transactions in the second-largest crypto attack ever. While centralization presents a fundamental flaw, trustless bridges are prone to exploits due to bugs and vulnerabilities in their software and coding.
Both trusted and trustless bridges, the two approaches to custody-bridged assets, are prone to fundamental and technical weaknesses. Still, there are ways to prevent and diminish the impact caused by malicious attackers targeting blockchain bridges. In the case of trusted bridges, it is clear that increasing the ratio of signers required is needed while also keeping multisigs distributed into different wallets. And even though trustless bridges remove the risks related to centralization, bugs and other technical constraints present risky situations, as shown by the Solana Wormhole or the Qubit Finance exploits. Thus, it is necessary to implement off-chain actions to protect cross-chain platforms as much as possible.Cooperation between protocols is needed.
Likewise, coordination with chain analytics platforms and centralized exchanges (CEXs) should help trace and flag stolen tokens.
Audits and bug bounties are another way of improving the health of any Web3 platform, including bridges. In addition, certified organizations like Certik, Chainsafe, Blocksec, and several others help make Web3 interactions safer.
All active bridges should be audited by at least one certified organization.
While improvement is a work in progress, protecting your organization with our last line of defense can only save your assets and company!
Check out how!