This week, the cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoin. The incident, which is one of the biggest heists in the history of cryptocurrency, specifically siphoned funds from a service known as the Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly common over the past couple of years, and the situation with Ronin is a prominent reminder of the urgency of the problem.
Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are typically siloed and can’t interoperate—you can’t do a transaction on the Bitcoin blockchain using Dogecoins—so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy.
Bridge services “wrap” cryptocurrency to convert one type of coin into another. So if you go to a bridge to use another currency, like Bitcoin (BTC), the bridge will spit out wrapped bitcoins (WBTC). It’s like a gift card or a check that represents stored value in a flexible alternative format. Bridges need a reserve of cryptocurrency coins to underwrite all those wrapped coins, and that trove is a major target for hackers.
“Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target,” says James Prestwich, who studies and develops cross-chain communication protocols. “Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we’ll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts.”
In addition to the Ronin heist, attackers stole about $80 million worth of cryptocurrency from Qubit Bridge at the end of January, roughly $320 million worth from Wormhole Bridge at the beginning of February, and $4.2 million worth days later from Meter.io Bridge. Memorably, the Poly Network bridge had about $611 million worth of cryptocurrency stolen last August, before the attacker gave the funds back a few days later. In all of these attacks, hackers exploited software vulnerabilities to drain funds, but the Ronin Bridge attack had a different weak point.
Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private keys used to sign and validate transactions on the network. And the way these keys were set up to validate transactions was not maximally rigorous, allowing attackers to approve their malicious withdrawals.
“As we’ve witnessed, Ronin is not immune to exploitation, and this attack has reinforced the importance of prioritizing security, remaining vigilant, and mitigating all threats,” the company wrote in its initial statement about the incident on Tuesday.
Ronin discovered the breach that day, but the platform’s “validator nodes” had been compromised on March 23. Attackers stole 173,600 Ethereum and 25.5 million USDC. Ronin Bridge has been down ever since, and users can’t carry out transactions on the platform.
“This hack is so concerning because it appears that the team failed to follow well-known basic security practices,” Prestwich says. “The hack went unnoticed for several days, which implies the team did not have basic monitoring of their system—standard security practices would have automatic email and SMS alerts for abnormal events or large movements of funds.”
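The two weaknesses described above, validator keys whose approval rules were not rigorous enough and the absence of alerts on large movements of funds, can be checked mechanically on the bridge operator's side. The following is an added example, not Ronin's or Sky Mavis's code; the validator set, operator mapping, signature threshold and alert limits are all constructed for illustration, and the two large amounts simply reuse the figures quoted in the article.

```python
from dataclasses import dataclass

# Constructed validator set: which operator runs each validator key.
# Illustrative only; this does not describe Ronin's actual configuration.
KEY_OPERATOR = {
    "v1": "op-a", "v2": "op-a", "v3": "op-a",
    "v4": "op-b", "v5": "op-c", "v6": "op-d",
}
SIGN_THRESHOLD = 3  # signatures needed to release funds (assumed value)
LARGE_OUTFLOW = {"ETH": 1_000.0, "USDC": 1_000_000.0}  # alert limits (assumed)


@dataclass
class Withdrawal:
    tx: str
    asset: str
    amount: float
    signers: list  # validator keys that approved the withdrawal


def review_withdrawal(w: Withdrawal) -> list:
    """Return findings for one withdrawal; an empty list means nothing to flag."""
    findings = []
    signers = {k for k in w.signers if k in KEY_OPERATOR}
    if len(signers) < SIGN_THRESHOLD:
        findings.append("reject: below signature threshold")
    # Count independent operators, not keys: keys held by one operator count
    # once, so compromising a single operator cannot look like validator consensus.
    operators = {KEY_OPERATOR[k] for k in signers}
    if len(operators) < SIGN_THRESHOLD:
        findings.append(f"alert: only {len(operators)} independent operator(s) approved")
    if w.amount >= LARGE_OUTFLOW.get(w.asset, float("inf")):
        findings.append(f"alert: large outflow of {w.amount:,.0f} {w.asset}")
    return findings


def review_batch(events) -> dict:
    return {w.tx: review_withdrawal(w) for w in events}


# Constructed sample: routine withdrawals plus two sized like the article's figures.
SAMPLE = [
    Withdrawal("tx-001", "ETH", 12.5, ["v1", "v4", "v5"]),
    Withdrawal("tx-002", "USDC", 40_000, ["v2", "v5", "v6"]),
    Withdrawal("tx-003", "ETH", 173_600, ["v1", "v2", "v3"]),
    Withdrawal("tx-004", "USDC", 25_500_000, ["v1", "v2", "v3"]),
]

if __name__ == "__main__":
    for tx, findings in review_batch(SAMPLE).items():
        print(tx, findings or ["ok"])
```

In a real deployment the alert branch would page an on-call operator, which is the kind of monitoring the quote above says was missing.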
The Ronin breach may represent an evolution of bridge hacks, given that it focused on a traditional social engineering attack and exploited security design issues rather than a specific software vulnerability, as in most other bridge hacks. In particular, other attacks have targeted bugs in how bridges implement “smart contracts,” little blockchain programs that are designed to run at certain times under specific conditions—essentially, a contract that executes itself. But social engineering to take over privileged target accounts is also a classic attacker strategy that has been used widely, including in decentralized finance.
“Social engineering and associated private key compromises have always been a vector of attack on DeFi platforms in general, not just bridges,” says Arda Akartuna, a cryptocurrency threat analyst at the blockchain analytics and compliance firm Elliptic. “They have, however, been observed comparatively less often than code exploits. There is nothing to suggest that social engineering-based exploits are becoming more popular, though the success of the Ronin incident has the potential to inspire other hackers.”
Cryptocurrency platforms, and the decentralized finance movement in general, have been plagued by security issues as the underpinning technologies evolve and mature. And the services that are coalescing to form the backbone of this new financial ecosystem are experiencing a trial by fire as the cryptocurrency gold rush plays out. Bridge attacks may be the new cryptocurrency exchange hacks, but they prey on the same issues, with high-stakes platforms that store massive amounts of value being thrown together quickly to meet new demands.
Akartuna notes that better securing bridges will involve more oversight and audit of the platforms’ complex code. Services that liaise between already esoteric platforms can’t just be thrown together without extensive and continuous vetting.
But he adds that some bridge security issues actually have an underlying, external source.
“In some cases, bridges deal with lesser-known or more obscure blockchains where security auditing is not as yet widespread,” Akartuna says. “This means that the likelihood of there being unpatched security vulnerabilities in their protocols is greater in comparison to DeFi platforms operating solely on more well-known blockchains.”
For now, researchers warn, the blockchain bridge hacks are going to keep on coming.