Web3's Bridge Problem

Blockchain Bridges and why they keep getting hacked

Author

Sunny Dasgupta
August 04, 2022

Another week... another hack.

This time it was the Nomad bridge which was hacked for almost $200 million, making it the fifth largest crypto hack of all time. I'm sure it'll be superseded by even bigger and better hacks soon.

But there's a twist to this one.

There were no actual group of hackers taking part in this hack. It was just random people acting together. Initially, one person found a loophole in a Nomad smart contract, but they didn't know how to drain all the money in one go so they used multiple transactions. Other people started noticing these transactions and realised that they could do the same thing. All they did was copy the previous transactions, and input their address so the funds would go to them.

Bridges have been hacked left, right and centre in recent months. Whether it be Axie Infinity, Ronin or now Nomad, there is always news of a bridge getting hacked. So it's worth discussing what they are and why they are a point of weakness.

Bridges

Bridges are used to connect two different blockchain networks. Let's say you have some assets on the Ethereum network but you would like to trade them for something on Solana. You'd need to use a bridge to do this. First, you would use a bridge to transfer your asset from the Ethereum network to the Solana network. Once it is on the Solana network, you would be able to trade it.

Why so weak?

As stories like these keep popping up, Vitalik's post about the fundamental weaknesses of bridges is worth going back to. It's quite heavy reading for a reddit post, so here's the summary:

  • Many people think that after a 51% attack (where a hacker takes over more than 50% of a blockchain network), the entire network breaks. Vitalik disagrees with this.

  • He says that if Ethereum succumbs to a 51% attack and you have 100 ETH in your wallet, the hacker cannot propose a block that takes away your 100 ETH, because it goes against protocol rules.

  • However, in the case of a bridge - the two networks on either side of a bridge will have different rules and standards.

  • So if there is a bridge between Ethereum and Network X, the Ethereum network has no way of verifying transactions that took place on the Network X side of the bridge.

  • If I can hack Network X and I then tell the Ethereum side of the bridge that I now have $100 million in my wallet, the Ethereum side will accept this and allow me to cash out.

  • In this way, I can hack one side of a bridge and cash out on the other side.

  • If you had 100 ETH on that bridge and the bridge got hacked, your 100 ETH is no longer safe because the attacker can drain money out of the bridge.

  • The problem gets worse when you add more blockchain networks into the mix

  • If you have 100 chains with bridges to each other, a 51% attack on even one of those chains risks contagion that could spread to all 100 chains

There are many very smart people trying to figure out workarounds and solutions to these current problems so we can hope for some progress on this front since this is such an important issue.

But Vitalk believes that the future of web3 is a bunch of completely independent chains, with no bridging between them. We'll round off this post the best way we can - by quoting the great man himself:

"The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem (there really are a few separate communities with different values and it's better for them to live separately than all fight over influence on the same thing), I am pessimistic about cross-chain applications."