Cross-Chain Interoperability and Security – Executive Summary of Coinchange Report

Cross-chain bridges—applications allowing the exchange of value across parallel blockchains—present a challenge for blockchains since they need to be able to trust and validate external information. Chainalysis data has revealed that bridge hacks account for a staggering 69% of the total funds stolen in the DeFi space in the past two years, heightening the need for robust cross-chain security.

To tackle this issue, Coinchange, LI.FI, and Hacken jointly produced a report on “Crosschain Interoperability and Security.” The comprehensive research highlights the importance of interoperability in the blockchain ecosystem, identifies challenges, and offers expert solutions. Here, we present a snapshot of the main findings.

See the full Crosschain Interoperability and Security report.

Importance of interoperability for the blockchain ecosystem

Blockchain interoperability has become essential in the ecosystem as more blockchains are developed with varying designs, coding languages, and consensus mechanisms. Without it, the exchange of value between different blockchains is complex, and the liquidity of assets is fragmented. Interoperability is crucial in realizing the full potential of blockchain technology, as it allows for the seamless movement of data and assets between blockchains, increasing interconnectedness and enhancing the liquidity of assets.

Defining cross-chain interoperability

Cross-chain interoperability refers to the ability of different blockchains to communicate and exchange value with one another. It involves building bridges between different blockchains to allow for the seamless movement of assets and data between them. These bridges act as rules-based protocols, fundamental for scaling solutions, and use messaging infrastructures to ensure secure communication between different blockchains.

There are several approaches to making blockchains interoperable:

  1. Interoperability protocols. These are protocols designed to facilitate communication and value transfer between different blockchains. Examples include Polkadot, Cosmos, and Aion.
  2. Sidechains. These are separate blockchains connected to the main blockchain, enabling transactions to occur on a separate chain with the same asset. Examples include RSK, a sidechain of Bitcoin, and Plasma, a sidechain of Ethereum.
  3. Atomic Swaps. These allow for exchanging one cryptocurrency for another without an intermediary, enabling cross-chain trades. Examples include the Lightning Network, used for atomic swaps on Bitcoin.
  4. Cross-Chain Bridges. These are built to connect different blockchains and enable the transfer of assets and data between them. Examples include Wormhole, which was chosen by Uniswap for cross-chain governance messaging between Ethereum and Binance Smart Chain.

Cross-chain bridges concept overview

In the context of blockchain technology, a bridge is an application built on top of a messaging protocol that facilitates interoperability between different blockchains. It is an interface that connects two or more blockchain networks, allowing the transfer of assets and data between them.

There are different types of bridges. Here is a suggested structure for bridge categorization:

Messaging infrastructure in bridges. At every bridge’s core is a messaging infrastructure that sends data across chains, facilitating various transfers (e.g., LayerZero, Axelar, Wormhole, CCIP).

Types of bridges. Bridges can be classified into various types based on their applications or utility, such as token bridges, NFT bridges, governance bridges, lending bridges, and ENS bridges. They can also be categorized based on how cross-chain messages are validated, which can be done in a decentralized, centralized, or hybrid way.

Bridge aggregators. Bridge aggregators are platforms that combine multiple bridges to provide users with the most efficient option for cross-chain asset transfers and exchanges, considering factors like cost, speed, slippage, and security. Bridge aggregators work similarly to Decentralized Exchange (DEX) aggregators.

Main reasons for bridge hacks

The increasing use of decentralized finance (DeFi) and the growing popularity of Ethereum’s Layer-2 ecosystem are making bridge hacks more frequent. Bridges connect different blockchains and Layer-2 solutions, each built on different technologies, and often connect many blockchains simultaneously, which exposes them to more attack vectors. Furthermore, with the increasing use of DeFi, bridges are moving larger amounts of value, making them more attractive to hackers. Bridge security has three pillars: economic security, implementation security, and environmental security.

3 pillars of bridge security (and how they can be compromised)

Economic Security depends on the cost to gain control over the majority of validators, with the most common way to compromise economic security being to steal the private keys of validators. Natively verified bridges offer the best economic security, while externally verified bridges offer the lowest.

Implementation Security concerns the system’s complexity and the risk vectors that can compromise bridge security. Smart contract vulnerabilities and the compromise of RPC endpoints are the most common ways to compromise implementation security. Bridges need to be audited by multiple third parties to minimize the risk of security breaches.

Environment Security involves the integrity of the environment in which the bridge operates, such as the security of the nodes on which the bridge runs. Bridges need bug bounty programs to minimize the risk of security breaches. The security of the bridge’s nodes is crucial for environmental security. Multiple third-party audits are also necessary for environmental security.

Major causes of bridge hacks in recent years

The Cross-Chain Interoperability report analyzes the top 5 most expensive bridge exploits and answers two critical questions for each exploit: why it happened and which security pillar was compromised.

  1. Axie Infinity Ronin bridge hack. The attackers stole around $624 million due to compromised private keys. The risk pillar compromised was ‘Economic Security.’
  2. Wormhole token bridge hack. The attacker exploited a deprecated, insecure function to bypass signature verification. The risk pillar compromised was ‘Implementation Security.’
  3. Nomad bridge hack. Multiple individuals used an error in an update to drain over $190 million in value. The risk pillar compromised was ‘Implementation Security.’
  4. Horizon bridge exploit. The attackers compromised at least two of the four private keys used by the bridge validators to gain control over the bridge validation process. The risk pillar compromised was ‘Economic Security.’
  5. BSC Token-Hub bridge hack. The attackers exploited a vulnerability in the underlying code by forging a Merkle proof for a specific block. The risk pillar compromised was ‘Implementation Security.’

Mitigating bridge risks

While it is better to be proactive than reactive, the experts believe in a comprehensive approach to mitigating bridge risks that includes measures for threat mitigation, threat response, and risk assessment.

Threat mitigation measures. The report recommends the following actions:

  • smart contract best practices
  • code testing and audits
  • regular security updates
  • monitoring for real-time detection of threats
  • trusting technology, not third parties
  • preventing contamination (horizontal scaling) by using a hub-and-spoke model
  • implementing Pre-Crime (LayerZero) by checking messages against invariants
  • making messaging layer upgrades optional
  • open sourcing the codebase and offering bug bounties
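
The "checking messages against invariants" measure can be illustrated with a small off-chain check that simulates each message and holds any that would break a rule. This is an added example, not code from the report and not LayerZero's Pre-Crime; the lock-and-mint model, validator set, quorum, and mint cap are all assumptions.

```python
from dataclasses import dataclass

VALIDATORS = frozenset({"v1", "v2", "v3", "v4"})  # hypothetical validator set
THRESHOLD, MAX_MINT = 3, 1_000  # assumed quorum and per-message mint cap

@dataclass(frozen=True)
class Message:
    nonce: int
    kind: str            # "lock" (source chain) or "mint" (destination chain)
    amount: int
    signers: frozenset   # validator ids that attested the message

@dataclass(frozen=True)
class State:
    locked: int = 0                # collateral held on the source chain
    minted: int = 0                # wrapped supply on the destination chain
    seen: frozenset = frozenset()  # nonces already delivered

def simulate(state, msg):
    """Return the state after msg, leaving the live state untouched."""
    locked = state.locked + (msg.amount if msg.kind == "lock" else 0)
    minted = state.minted + (msg.amount if msg.kind == "mint" else 0)
    return State(locked, minted, state.seen | {msg.nonce})

def violations(state, msg):
    """Names of the invariants msg would break; empty means safe to deliver."""
    after = simulate(state, msg)
    checks = {
        "no_replay": msg.nonce not in state.seen,
        "quorum": len(msg.signers & VALIDATORS) >= THRESHOLD,
        "minted_le_locked": after.minted <= after.locked,
        "amount_bounds": msg.amount > 0 and (msg.kind != "mint" or msg.amount <= MAX_MINT),
    }
    return [name for name, ok in checks.items() if not ok]

def process(state, messages):
    """Deliver messages that keep every invariant; hold the rest for review."""
    held = []
    for msg in messages:
        failed = violations(state, msg)
        if failed:
            held.append((msg.nonce, failed))
        else:
            state = simulate(state, msg)
    return state, held

# Constructed sample traffic, not taken from any real bridge.
Q = frozenset({"v1", "v2", "v3"})
SAMPLE = [Message(1, "lock", 500, Q), Message(2, "mint", 500, Q), Message(2, "mint", 500, Q), Message(3, "mint", 900, Q),
          Message(4, "lock", 5_000, Q), Message(5, "mint", 2_000, frozenset({"v1", "x9"}))]
```

Running `process(State(), SAMPLE)` delivers nonces 1, 2 and 4 and holds the replayed nonce 2, the under-collateralized nonce 3, and the under-signed, over-cap nonce 5, each with the names of the invariants it failed.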

Threat response plan. A good threat response plan should include a faster response time once the attack has begun. It should comprise challenge windows of sufficient duration for the team to take the necessary action. Risk identification with continuous monitoring systems like Extractor is also helpful for hack awareness.

Risk assessment framework for bridge security. Experts believe hacks can still occur, so having a threat response plan is instrumental. The report also recommends having a standardized Risk Assessment Framework to help users select the appropriate bridge for their transaction size and security needs. The report reviews three variants and settles on the Coinchange Bridge Risk Assessment Framework, which is the fourth of the DeFi Risk Assessment Frameworks that Coinchange has created to assess DEXes, Money Market protocols, Blockchains, and Bridge risks. This framework comprises two parts: Data Gathering with 25 questions, and 10 questions exclusively shared for the Risk Scoring of Operational Risk, Governance Risk, Smart Contract Risk, and Liquidity Risk.

Conclusions

Cross-chain interoperability is crucial for the blockchain ecosystem. It allows for the seamless movement of assets and data between different blockchains, enhancing interconnectedness and increasing the liquidity of assets. Several approaches, such as interoperability protocols, sidechains, atomic swaps, and cross-chain bridges, achieve interoperability between blockchains.

Over the past two years, 70% of the value lost in DeFi was stolen in bridges. The industry needs a better solution for understanding and mitigating the risks. 

The future of bridge security and cross-chain interoperability is yet to be determined. However, the effort to reach more secure interoperability is ongoing, and it’s collaborative. Coinchange has gathered prominent interoperability, enterprise, and security players to build the most secure version of the interoperability space.
