• Hacken
  • Blog
  • Discover
  • Cross-Chain Bridge Security

Cross-Chain Bridge Security

6 minutes

By Malanii Oleh

Currently, there are over 1000 different blockchains, some are simple Ethereum forks, others are designed as a standalone blockchain platform with a unique consensus model and other features. In the meantime, core values haven’t changed under the sun.

An intuitive user experience is what everyone wants. If you hold ETH tokens, you would like to have the option of swapping them to SOL, BTC, HAI or any other coin with your eyes shut. Transferring valuable assets between two blockchains, such as Binance Smart Chain and Polygon PoS, should be as easy as covering USD to EUR.

After all, who would be willing to spend time guessing how a product works if it’s so different from other products of its kind? Friction-full customer journeys should be a relic of the past, making interoperability between networks an inevitable necessity. On the other hand, we have valid criticism against the idea of a blockchain bridge:

  1. the likes of Vitalik Buterin and others spoke against or are cautious about multi-chain transactions;
  2. some of the largest crypto hacks happened with cross-chain bridges
  3. users have to pay high transaction fees;
  4. developer tools are non-unified and make its harder to achieve resistance.

Obviously, cross-chain bridges are the weakest points in the whole ecosystem. However, they let various blockchains share data, transfer assets, and access contracts from other blockchains. Cross-chain capabilities facilitate large-scale adoption of crypto. One may even argue that having a single point for multiple chains will lead to the creation of one blockchain accessible to all. In the worst-case scenario, lessons learned though the failures of cross-chain or multi-chain functionality will improve blockchain technology. Thus, propelling Web3 into a more secure place. 

How Cross-Chain Bridges Work

Any given cross-chain bridge is a dApp that allows users to move assets between blockchains. 

As a rule, it locks or burns tokens on the source chain using a vault smart contract and then unlocks or mints a representation of these tokens via a peg smart contract on the destination chain. A set of “guardians” are monitoring the whole process, ensuring that the required amount of tokens gets released in the destination blockchain. 

Attackers are looking for loopholes in the aforementioned elements. After discovering these bugs, hackers can use them to withdraw funds from either side of the bridge without putting anything in the source chain. 

Security Risks & Dangers Of Crypto Bridges

Hacks of bridges account for more than 50% of in total value lost in DeFI. To date, hackers stole $2.53 billion from decentralized applications that enable cross-chain transactions. Different chains use different blockchain technology, but there are certain similarities. We see private key compromises and smart contract exploits.

If we’re talking about connecting multiple blockchains with a bridge, the danger of potential exploits gets exponentially higher as attack vectors multiply. If 50 blockchain networks get connected via a bridge and only one chain gets 51% attacked, the safety of 49 other platforms will be compromised as well. 

What’s so difficult about creating bridges between blockchains? In layman’s terms, different crypto tokens can’t be compared to different units of money. Not only are they written in different coding languages, but they also exist in different virtual environments.

Building the logic for connecting them is far from easy. It’s actually extremely difficult especially when the task is to enable the conversion conversion between multiple crypto tokens. We don’t have a universal compiler (like Babel in the JavaScript programming language) that would automatically convert code from the source chain into a version that could be run on a qualitatively different blockchain network.

Besides, blockchain bridges are a relatively recent invention, and there aren’t many professional programmers who are good enough at writing and analyzing bridge code. It will take time to develop best practices related to cross-chain bridges, and the crypto industry will have to wait. More hacks will follow, but they will not be able to make things worse for the future of web3.0.  

Most Common Cross-Chain Bridge Hacks

The recent stats on cross-chain bridges are sensational as the hacks related to these dApps constitute 69% of all stolen crypto funds in 2022. After a thorough analysis, the following types of crypto bridge hacks have been determined:

False Deposit Events

The Qubit hack, on Jan. 28, 2022, nearly $80 million stolen

These hacks are doable when it comes to the bridges that allow the transfer to another blockchain after monitoring deposit events on the source blockchain. An attacker can find a way to create a deposit event while making no real deposit. Alternatively, they can make a deposit using a valueless token.

Fake Deposits

The Wormhole protocol hack, on Feb. 2, 2022, around $325 million stolen.

The deposit validation process can sometimes be outsmarted. A cybercriminal can take advantage of the code flaws and make a fake deposit that will be erroneously seen by the system as a real one. 

Validator Takeover

The Ronin Network hack, March 2022, approx. $600 million in ETH and USDC bagged.

There are bridges that are equipped with validators whose votes decide whether a transfer in question should be approved or not. If the cybercriminal gains control over the majority of these network nodes, malicious transfers can be approved.

The Ronin example is also important because it showcases the failure of event response. The team took six days to notice the exploit of a validation mechanism. Cross-chain bridges and other Web3 apps powered by smart contracts need an ongoing monitoring tool like Hacken Extractor to spot malicious data and breaches in real-time.

Smart contract security is only the beginning for bridges

It’s inevitable that cross-chain bridges will remain sought-after targets among cyber attackers for quite a while. The crypto industry is going to be shaken by big exploits over and over again. Even if every platform in the crypto world starts taking security seriously, we’ll still have scammers stealing private keys with phishing. Hopefully, one fine day cross-chain bridges will be much more secure than they are now. Users will be able to sign transactions without compromising their keys and networks won’t suffer data breaches.

For now, the rule of thumb when launching a new crypto bridge is to double-verify the code of smart contracts. External code review by a credible professional auditor will help you with this task. It prevents the product from doing a belly flop due to basic code errors, flawed contract logic, or wrong calculations. Another sound idea is to check if your bridge connects to an audited protocol.

Date security and integrity of private keys can be achieved by adopting best security practices, such as penetration testing for web and mobile app, API connections, and networks. There’s no better solution for data integrity than penetration testing, and Hacken is a recognized leader in this category.

dApp audit is essential for cross-chain bridge security. Every bridge is a decentralized application. It uses the off-chain component to make computations or store data separate to a smart contract code. dApp Audit by Hacken will make sure that your cross-chain bridge is connected to the blockchain as intended.

Moreover, if you want a cheap option and effective cross-chain security be sure to run an active bug bounty. A bug bounty program by HackenProof connects your system to hundreds of external security researchers who report bugs for rewards. The Triage Team verifies every report for scope and severity, so you only pay for valid bugs. As a crowdsourced measure, bug bounty program lets you engage your community in product development.

to our newsletter

Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiast.в

Speaker Img

Table of contents

Tell us about your project

Follow Us

Read next:

More related
  • Blog image
    Best Practices For Secure MetaMask Snaps Development

    10 min read


  • Blog image
  • Blog image
More related →

Trusted Web3 Security Partner